Many people take Internet connectivity for granted, but it’s made possible by network operators. These service providers interconnect with each other and often offer connections to individuals and businesses, forming the backbone of what we know as the 'Internet'.
There are established procedures and rules for how network operators interconnect. Typically, they use an Internet routing protocol called Border Gateway Protocol (BGP) and uniquely identify themselves with an Autonomous System (AS). There are three types of Autonomous System: a Stub AS, which connects to a single other AS; a Multi-homed AS, which connects to two or more Autonomous Systems; and a Transit AS, which interconnects two or more Autonomous Systems, enabling data to flow between external networks. Each AS is registered with an Internet registry and is assigned an Autonomous System Number (ASN). The diagram below is a simplified illustration of the Autonomous System concept (not a true representation of real Internet interconnectivity). Each circle represents a network operator. Examples of the types of Autonomous System are also shown. The diagram also highlights that some large businesses and data center companies (e.g., Microsoft, Amazon, Google, Facebook) have their own Autonomous Systems.
What is the relation of ASN to Cybersecurity and Threat Hunting?
Network operators provide Internet connectivity to businesses and individuals for a fee, with relatively open access. While most users engage in legitimate, though sometimes unproductive :-), Internet activities, a significant number exploit this access for malicious purposes. In the context of this article, we're focusing on cybersecurity threats, specifically malicious hacking activities.
It's inevitable that some individuals will use their Internet access for malicious activities. When such activities are detected on a system connected by a network operator, one possible response is for the operator to cut off Internet access to that system. However, this decision is up to the network operator and involves complexities that are outside the scope of this article. Most network operators are committed to keeping their 'neighborhood' (i.e., ASN) clean and allocate resources to prevent abuse from the connections they provide. Unfortunately, a significant number of operators fail to maintain a clean ASN due to various reasons, including lack of competence, financial motives, or geographic challenges.
What can be done about these bad ASNs?
Fortunately, there are organizations that track the sources of malicious activity and the ASNs from which they originate. For instance, Spamhaus maintains Spamhaus Block Lists (SBLs) https://www.spamhaus.org/blocklists/do-not-route-or-peer/ to identify and block these sources. As you can see, they refer to these as the 'Worst of the Worst'.
Blocking traffic based on country code is a solid security control. However, adding an extra layer of protection by blocking traffic from known bad ASNs can further secure your network, even against malicious IPs within allowed countries.
While blocking an entire network operator may also block legitimate systems from that provider, it's worth considering that if these operators permit malicious activity, the legitimate traffic they carry is likely to be of little relevance to your organization. This image from the DomainTools Spring 2024 report, 'Patterns of Malicious Infrastructure', highlights this concept: https://www.domaintools.com/wp-content/uploads/DomainTools-2024-Report.pdf Interestingly, they also noted in the report that AS 198953 Proton66 did not have a single legitimate IP.
Where is ASN telemetry?
ASN values are usually determined through IP address enrichments within a session. Network Detection and Response (NDR) systems like Zeek, as well as many cloud-based services, commonly include this enrichment, so the ASN value appears in the logs they generate. Some firewalls also provide ASN enrichment, though not all do. For systems that don’t include ASN values in their network transaction logs sent to a SIEM, some SIEMs offer an ASN enrichment function during data ingestion.
The diagram below illustrates a cloud-based Azure login session, where the session log is exported to Elastic Security SIEM. The ASN for the login session is captured in the Elastic ECS field azure.signinlogs.properties.autonomous.system.number.
Below are the Elastic ECS fields that carry the session AS number (see https://www.elastic.co/docs/current/en/integrations/zeek):
source.as.number : Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
destination.as.number : Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
Mapping IPs to ASNs and ASNs to IPs
It's relatively easy to identify which ASN owns an IP address, and there are free resources available online for this purpose. One such resource is Hacker Target: https://hackertarget.com/as-ip-lookup/
Another valuable resource for IP-to-ASN mapping is Team Cymru: https://asn.cymru.com/. An interesting feature of Team Cymru is the ability to perform these queries through DNS TXT record lookups. I first discovered this capability while conducting network threat hunting and noticed an unusual number of DNS TXT record queries from a non-email server.
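As an added example (not code from the original post, and not Team Cymru's own code), the Python below builds the DNS query names that the Team Cymru service expects, parses its pipe-delimited TXT answers, and recognises such lookups in a DNS log so that a burst of TXT queries from an unexpected host can be explained. The answer layout (ASN | prefix | country | registry | allocation date for origin lookups; ASN | country | registry | date | description for AS lookups) is the service's documented format; the sample answers, the documentation ASNs and prefixes in them, and every function name here are the example's own.

```python
import ipaddress
from dataclasses import dataclass

# Zones used by Team Cymru's DNS-based IP-to-ASN mapping service.
ORIGIN_V4_ZONE = "origin.asn.cymru.com"
ORIGIN_V6_ZONE = "origin6.asn.cymru.com"
ASN_ZONE = "asn.cymru.com"


def cymru_origin_qname(ip: str) -> str:
    """TXT query name for the origin ASN of ip: the address reversed, PTR-style."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(addr.exploded.split("."))) + "." + ORIGIN_V4_ZONE
    nibbles = addr.exploded.replace(":", "")  # 32 hex digits for IPv6
    return ".".join(reversed(nibbles)) + "." + ORIGIN_V6_ZONE


def cymru_asn_qname(asn: int) -> str:
    """TXT query name for the description of an AS number."""
    return f"AS{asn}.{ASN_ZONE}"


@dataclass(frozen=True)
class OriginAnswer:
    asns: tuple       # more than one ASN when a prefix has several origins
    prefix: str
    cc: str
    registry: str
    allocated: str


def _fields(txt: str) -> list:
    """Split a quoted, pipe-delimited TXT string into stripped fields."""
    return [f.strip() for f in txt.strip().strip('"').split("|")]


def parse_origin_txt(txt: str) -> OriginAnswer:
    """Parse an origin answer such as '"64496 | 203.0.113.0/24 | ZZ | arin | 2023-01-01"'."""
    f = _fields(txt)
    if len(f) != 5:
        raise ValueError(f"unexpected origin answer: {txt!r}")
    asns = tuple(int(a) for a in f[0].split())  # "64496 64497" -> (64496, 64497)
    return OriginAnswer(asns, f[1], f[2], f[3], f[4])


def parse_asn_txt(txt: str) -> dict:
    """Parse an AS answer such as '"64496 | ZZ | arin | 2019-02-02 | EXAMPLE-NET, ZZ"'."""
    f = _fields(txt)
    if len(f) != 5:
        raise ValueError(f"unexpected AS answer: {txt!r}")
    return {"asn": int(f[0]), "cc": f[1], "registry": f[2],
            "allocated": f[3], "description": f[4]}


def is_cymru_lookup(qname: str) -> bool:
    """True when a DNS query name (e.g. from a Zeek dns.log) targets the Cymru ASN zones."""
    q = qname.rstrip(".").lower()
    return q == ASN_ZONE or q.endswith("." + ASN_ZONE)


# Constructed sample answers in the documented layout; values are illustrative only.
SAMPLE_ORIGIN_TXT = '"64496 64497 | 198.51.100.0/24 | ZZ | ripencc | 2020-05-05"'
SAMPLE_ASN_TXT = '"64496 | ZZ | arin | 2019-02-02 | EXAMPLE-NET, ZZ"'

if __name__ == "__main__":
    print(cymru_origin_qname("192.0.2.10"))
    print(parse_origin_txt(SAMPLE_ORIGIN_TXT))
    print(parse_asn_txt(SAMPLE_ASN_TXT))
```

The qname functions only build the names; a resolver call (for example with dnspython) is left to the caller so the parsing can be exercised offline on captured answers.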
Many standard Cyber Threat Intelligence (CTI) products also provide ASN information during IP address lookups. Below is an example of an IP lookup using VirusTotal, where the IP-to-ASN mapping is included in the results.
The ASN is also an IP address object attribute that is available via the VirusTotal API.
Typically, you’ll research an IP address found in your logs to learn more about its ASN and owner. However, if you're conducting independent research on ASNs, you can also work in reverse by identifying the IP addresses owned by a specific ASN. The site https://ipinfo.io/ provides a user-friendly interface for running these queries.
Elastic ASN Threat Hunting and Alert Rules
The Spamhaus bad ASN list can be imported into Elastic as an indicator list. Use this regex to filter out the unnecessary fields from the Spamhaus block list before importing it into Elastic:
"(?<domain>[^"]+)","cc":"(?<cc>[^"]+)","asname":"(?<asname>[^"]+)""
In this example, an Elastic alert rule is configured to query a Corelight index containing Zeek logs. The rule compares the destination.as.number field, enriched by Corelight NDR, against the ASN numbers imported into Elastic from the Spamhaus bad ASN list.
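As an added example, not the article's own rule or any Elastic or Corelight code, the Python below does in miniature what the enrichment section and the alert rule above describe: it loads a constructed ASN-DROP list, emits the one-ASN-per-line shape a value list needs, enriches constructed connection records with destination.as.number from a constructed prefix table by longest-prefix match (the job an NDR or SIEM ingest pipeline does), and then applies the indicator match. The JSON field layout (asn, rir, domain, cc, asname, plus a trailing metadata record) is assumed from the regex in the article; the ASNs and prefixes are documentation values, and PREFIX_TABLE, SAMPLE_EVENTS and all function names are the example's own.

```python
import copy
import ipaddress
import json
from typing import Optional

# Constructed ASN-DROP sample (JSON Lines). Layout assumed from the article's regex;
# documentation ASNs (RFC 5398) and invented names.
ASNDROP_SAMPLE = """\
{"asn":64496,"rir":"ripencc","domain":"bad-one.example","cc":"ZZ","asname":"EXAMPLE-BAD-ONE"}
{"asn":64500,"rir":"arin","domain":"bad-two.example","cc":"ZZ","asname":"EXAMPLE-BAD-TWO"}
{"type":"metadata","timestamp":1700000000,"size":2,"records":2}
"""

# Constructed prefix -> origin ASN table standing in for the enrichment database.
# RFC 5737 documentation prefixes; the /25 is deliberately more specific than its /24.
PREFIX_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 64496),
    (ipaddress.ip_network("198.51.100.0/24"), 64500),
    (ipaddress.ip_network("198.51.100.128/25"), 64501),
    (ipaddress.ip_network("192.0.2.0/24"), 64502),
]

# Constructed connection records (Zeek conn-style, already in ECS field names),
# before ASN enrichment: private sources, documentation destinations.
SAMPLE_EVENTS = [
    {"source": {"ip": "10.0.0.5"}, "destination": {"ip": "203.0.113.7", "port": 443}},
    {"source": {"ip": "10.0.0.6"}, "destination": {"ip": "198.51.100.200", "port": 443}},
    {"source": {"ip": "10.0.0.7"}, "destination": {"ip": "198.51.100.20", "port": 80}},
    {"source": {"ip": "10.0.0.8"}, "destination": {"ip": "192.0.2.9", "port": 22}},
    {"source": {"ip": "10.0.0.9"}, "destination": {"ip": "100.64.0.1", "port": 443}},
]


def load_asndrop(text: str) -> dict:
    """Return {asn: asname} from ASN-DROP JSON Lines, skipping metadata and bad lines."""
    bad = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # one malformed line should not abort the whole import
        if rec.get("type") == "metadata":
            continue  # bookkeeping record at the end of the list, not an indicator
        asn = rec.get("asn")
        if isinstance(asn, int):
            bad[asn] = rec.get("asname", "")
    return bad


def to_value_list(bad: dict) -> str:
    """One ASN per line: the shape an Elastic value (indicator) list expects."""
    return "\n".join(str(asn) for asn in sorted(bad)) + "\n"


def lookup_asn(ip: str) -> Optional[int]:
    """Longest-prefix match of ip against PREFIX_TABLE; None when nothing covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in PREFIX_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def enrich(event: dict) -> dict:
    """Add ECS source.as.number / destination.as.number where the table has an answer."""
    for side in ("source", "destination"):
        ip = event.get(side, {}).get("ip")
        asn = lookup_asn(ip) if ip else None
        if asn is not None:
            event[side]["as"] = {"number": asn}
    return event


def match_bad_asn(events: list, bad: dict) -> list:
    """Emulate the indicator-match rule: destination.as.number present in the list."""
    alerts = []
    for ev in events:
        asn = ev.get("destination", {}).get("as", {}).get("number")
        if asn in bad:
            alerts.append({"destination.ip": ev["destination"]["ip"],
                           "destination.as.number": asn, "asname": bad[asn]})
    return alerts


def run_pipeline(raw_list: str = ASNDROP_SAMPLE, events: list = SAMPLE_EVENTS) -> list:
    """Import list, enrich events, match; returns the alerts the rule would raise."""
    bad = load_asndrop(raw_list)
    enriched = [enrich(copy.deepcopy(ev)) for ev in events]
    return match_bad_asn(enriched, bad)


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

Note that 198.51.100.200 is not alerted on: the more specific /25 belongs to a different ASN, which is exactly why enrichment must use the longest matching prefix, and 100.64.0.1 gets no ASN at all, so a rule keyed on destination.as.number silently skips it.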