Once the sole domain of network operations teams, the Autonomous System Number has become a valuable data point for the digital forensic and incident response team as well.
Autonomous System Numbers, or AS Numbers, designate the owner of blocks of IP addresses. For example, an ISP like Comcast Communications owns thousands of net blocks consisting of millions of IP addresses – most of which are not contiguous. However, these are all allocated to a single AS – Number 7922. By using the ASN rather than the individual IP addresses, we can characterize traffic as “Comcast traffic” quite easily. This becomes even more useful when looking at service providers such as Dropbox.com, which has several AS Numbers (currently AS62190, AS54372, and AS19679 are active), or Telegram Messenger (AS62041, AS62014, and AS59930).
Having access to the AS assignment for each IP address is a great benefit to DFIR professionals because it provides insight into other, traditionally IP-based evidence. These evidence sources include traffic abstractions such as NetFlow, opaque encrypted communications, artifacts from logs, or endpoint collectors such as Carbon Black.
While some technologies such as NetFlow may provide the inherent ability to acquire AS Numbers at the time of collection, some deployments may not capture that data. Other sources such as logs being sent to an aggregation platform or SIEM generally do not include any AS Numbers for their IP addresses. In these cases, post-processing can add the AS Number for each IP address in a searchable index. For example, configuring a log aggregator to perform an AS lookup in the MaxMind ASN database for each IP address could give the IR team the critical ability to classify communications according to the nature of the endpoint(s) involved.
Identifying the AS Number of Observed IP Addresses
While characterizing legitimate traffic is often very helpful, this approach becomes even more valuable when examining suspect connections. As an example, some datacenters are widely known as “friendly” to illicit activities involving ransomware/scareware, malware distribution sites, and other similar functions.
Baselining Your Environment with AS Numbers
Tracking the AS Numbers your organization typically communicates with can also help to establish baselines against which new observations can be compared. This allows proactive hunt teams to identify AS Numbers that are newly observed in your environment, or those that deviate beyond an acceptable variance in terms of bytes transferred, time-of-day behaviors, etc.
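The two uses described above, post-processing IP-based log records to attach an AS Number and then comparing the per-ASN totals against a baseline, fit together in one small pipeline. The following Python is an added example, not code from the original article: the prefix-to-ASN table, the flow log lines and the historical baseline are all constructed for the demo (documentation IP ranges and documentation ASNs 64496/64497 alongside the AS7922 and AS62190 the article names). A real deployment would replace the in-memory table with a lookup against the MaxMind ASN database (assumption: through its reader library), but the longest-prefix match, enrichment and baseline comparison are the same.

```python
import ipaddress
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed prefix -> (ASN, label) table. The prefixes are RFC 5737 documentation
# ranges and the mapping is made up; a production enricher would query the MaxMind
# ASN database instead of a hard-coded list.
ASN_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), (7922, "large-isp")),
    (ipaddress.ip_network("198.51.100.0/24"), (62190, "file-sync-saas")),
    (ipaddress.ip_network("198.51.100.128/25"), (64496, "more-specific-reassignment")),
    (ipaddress.ip_network("203.0.113.0/24"), (64497, "unfamiliar-datacenter")),
]

# Constructed flow records in a simple key=value form; not real telemetry.
LOG_LINES = [
    "2024-05-01T09:12:01Z flow src=10.0.0.5 dst=192.0.2.44 bytes=5200",
    "2024-05-01T09:12:07Z flow src=10.0.0.8 dst=198.51.100.20 bytes=400000",
    "2024-05-01T09:13:40Z flow src=10.0.0.8 dst=198.51.100.200 bytes=1000",
    "2024-05-01T09:15:02Z flow src=10.0.0.5 dst=203.0.113.9 bytes=25000",
    "2024-05-01T09:16:11Z flow src=10.0.0.5 dst=192.0.2.77 bytes=30000",
    "2024-05-01T09:17:30Z flow src=10.0.0.9 dst=172.16.3.3 bytes=800",
    "malformed line that the parser should skip",
]

# Constructed baseline: bytes per day sent to each ASN over the previous five days.
BASELINE = {
    7922: [4000, 5200, 4800, 5000, 4500],
    62190: [900000, 1100000, 950000, 1000000, 1050000],
}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) flow src=(?P<src>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$"
)


def lookup_asn(ip_str):
    """Return (asn, label) for the most specific prefix containing ip_str, else None.

    Longest-prefix match matters: a /25 reassigned to another AS must win over
    the covering /24, which is exactly what a database lookup does internally.
    """
    ip = ipaddress.ip_address(ip_str)
    best = None
    for net, info in ASN_TABLE:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best[1] if best else None


def enrich(line):
    """Parse one flow line and attach the destination ASN; None for unparsable lines."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    info = lookup_asn(rec["dst"])
    rec["dst_asn"], rec["dst_label"] = info if info else (None, None)
    return rec


def aggregate_by_asn(records):
    """Sum bytes per destination ASN, ignoring addresses with no AS assignment."""
    totals = defaultdict(int)
    for r in records:
        if r["dst_asn"] is not None:
            totals[r["dst_asn"]] += r["bytes"]
    return dict(totals)


def find_anomalies(totals, baseline, sigmas=3.0):
    """Flag ASNs never seen in the baseline and ASNs whose volume exceeds mean + k*stdev."""
    new_asns = sorted(asn for asn in totals if asn not in baseline)
    outliers = []
    for asn, total in totals.items():
        history = baseline.get(asn)
        if not history:
            continue
        if total > mean(history) + sigmas * pstdev(history):
            outliers.append(asn)
    return {"new_asns": new_asns, "volume_outliers": sorted(outliers)}


def run_demo():
    """Enrich the constructed log, aggregate per ASN and compare against the baseline."""
    records = [r for r in map(enrich, LOG_LINES) if r is not None]
    totals = aggregate_by_asn(records)
    return find_anomalies(totals, BASELINE)


if __name__ == "__main__":
    for line in LOG_LINES:
        rec = enrich(line)
        if rec:
            print(rec["dst"], "->", rec["dst_asn"], rec["dst_label"])
    print(run_demo())
```

The sample run reports AS64496 and AS64497 as newly observed and AS7922 as a volume outlier, while the large transfer to AS62190 is left alone because it sits inside that ASN's normal range. The same per-ASN totals can be cut by hour of day to cover the time-of-day baselines mentioned above.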
While there is no single source of evidence or metadata that can definitively characterize network traffic as benign or suspicious, the most successful IR teams will incorporate data such as AS Numbers into their processes, improving their overall performance.