Made by Bobr AI

Correlating Network and Host Logs for Attack Attribution

Learn how to bridge the gap between traffic analysis and endpoint execution to improve incident response and cyber attack attribution.

#cybersecurity #forensics #network-security #incident-response #siem #threat-detection #sysmon #log-analysis

Correlation of Network and Host Logs for Attack Attribution

Bridging the Gap Between Traffic Analysis and Endpoint Execution

Cybersecurity Forensics Series | 2025


The Visibility Silo Problem

Security Operations Centers often suffer from fragmented visibility. Network analysts see traffic flows and anomalies, while endpoint analysts see process execution and file modifications. Without correlating these data sources, an attacker moving laterally looks like normal traffic to one team and a benign process to another. Attribution requires connecting the 'what' (traffic) to the 'who' (process/user).


Critical Network Artifacts

  • NetFlow / IPFIX: Provides connection metadata (Source IP, Dest IP, Ports, Bytes) without payload.
  • Firewall Logs: Records Allow/Deny decisions, crucial for spotting scanning activity.
  • DNS Queries: Identifying C2 domains and data exfiltration via tunneling.
  • Proxy/Gateway Logs: Detailed HTTP methods, user-agents, and URL structures.

Critical Host Artifacts

  • Process Creation (Event ID 4688): Shows command line arguments and parent-child relationships.
  • Network Connections (Sysmon ID 3): Maps a process ID to a specific outgoing IP.
  • Authentication Logs (4624/4625): Tracks successful and failed login attempts by account.
  • PowerShell Script Blocks (4104): Captures de-obfuscated script content executed in memory.

“Logs are the memory of the network. If you only look at the traffic, you see the motion. If you only look at the host, you see the actor. Only together do you see the story.”

— Incident Response Principles


The Pivot Points

To successfully correlate logs, we need common keys (Pivot Points) to join the datasets. The '5-Tuple' (Src IP, Dst IP, Src Port, Dst Port, Protocol) + Timestamp is the gold standard. Sysmon ID 3 significantly aids this by explicitly logging the process image (e.g., powershell.exe) responsible for initiating a connection to a specific IP, bridging the gap instantly.


Impact on Breach Lifecycle

Organizations utilizing high levels of log correlation and security AI identify and contain breaches significantly faster. The difference in Mean Time to Identify (MTTI) and Contain (MTTC) is drastic.


Scenario: C2 Beaconing

**The Network View:** Firewall logs show an internal host (10.1.5.9) making outbound HTTPS requests to a suspicious IP every 60 seconds (beaconing behavior).

**The Host View:** Correlation reveals that at those exact timestamps, `unknown_svc.exe` was spawned by `explorer.exe` and initiated the connection.

**Attribution:** The attack is attributed to a compromised user account running a persistent backdoor, not just a browser visit.
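The beaconing scenario above, together with the 5-tuple-plus-timestamp join described under "The Pivot Points", as an added Python example that is not part of the deck. It flags the 60-second cadence in firewall records, joins each flagged connection to a Sysmon Event ID 3 record on the full 5-tuple within a configurable time tolerance (the host clock is deliberately 3 s ahead of the firewall clock), and enriches the match with the parent image and user from Sysmon Event ID 1. The host 10.1.5.9, `unknown_svc.exe` and `explorer.exe` come from the deck; the destination IPs, ports, PIDs, file paths, the user `CORP\jdoe` and the browser noise traffic are constructed assumptions.

```python
"""Added example (not from the deck): flag beaconing in firewall logs, then attribute
it to a process by joining Sysmon Event ID 3 on the 5-tuple within a time tolerance
and enriching with Sysmon Event ID 1 parent/user context. All records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

T0 = datetime(2025, 3, 1, 12, 0, 0)
NOISE_OFFSETS = (7, 9, 58, 140, 311)   # irregular browsing, for contrast

# Constructed firewall log: the host 10.1.5.9 from the scenario, beaconing every 60 s.
FIREWALL = [
    {"ts": T0 + timedelta(seconds=60 * i), "src": "10.1.5.9", "sport": 49152 + i,
     "dst": "203.0.113.42", "dport": 443, "proto": "tcp", "action": "allow"}
    for i in range(6)
] + [
    {"ts": T0 + timedelta(seconds=s), "src": "10.1.5.9", "sport": 51000 + n,
     "dst": "93.184.216.34", "dport": 443, "proto": "tcp", "action": "allow"}
    for n, s in enumerate(NOISE_OFFSETS)
]

# Constructed Sysmon ID 3 records. The host clock runs 3 s ahead of the firewall clock.
SYSMON_NET = [
    {"ts": T0 + timedelta(seconds=60 * i + 3), "image": "C:\\Users\\jdoe\\AppData\\unknown_svc.exe",
     "pid": 4120, "src": "10.1.5.9", "sport": 49152 + i,
     "dst": "203.0.113.42", "dport": 443, "proto": "tcp"}
    for i in range(6)
] + [
    {"ts": T0 + timedelta(seconds=s + 3), "image": "C:\\Program Files\\Browser\\browser.exe",
     "pid": 2288, "src": "10.1.5.9", "sport": 51000 + n,
     "dst": "93.184.216.34", "dport": 443, "proto": "tcp"}
    for n, s in enumerate(NOISE_OFFSETS)
]

# Constructed Sysmon ID 1 records (process creation), keyed by (pid, image).
SYSMON_PROC = [
    {"pid": 4120, "image": "C:\\Users\\jdoe\\AppData\\unknown_svc.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "user": "CORP\\jdoe"},
    {"pid": 2288, "image": "C:\\Program Files\\Browser\\browser.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "user": "CORP\\jdoe"},
]


def find_beacons(fw, min_conns=4, max_jitter=0.1):
    """Group outbound connections by (src, dst, dport, proto) and flag groups whose
    inter-connection gaps are regular (std dev / mean <= max_jitter)."""
    groups = defaultdict(list)
    for r in fw:
        groups[(r["src"], r["dst"], r["dport"], r["proto"])].append(r["ts"])
    beacons = []
    for key, stamps in groups.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append({"key": key, "count": len(stamps), "interval_s": round(avg, 1)})
    return beacons


def attribute(beacon, fw, sysmon_net, sysmon_proc, tolerance_s=5.0):
    """Join each firewall record of the beacon to a Sysmon ID 3 record on the full
    5-tuple whose timestamp lies within +/- tolerance_s, then look up the process's
    parent image and user from Sysmon ID 1. Returns the match count and the processes."""
    by_tuple = defaultdict(list)
    for e in sysmon_net:
        by_tuple[(e["src"], e["sport"], e["dst"], e["dport"], e["proto"])].append(e)
    procs = {(p["pid"], p["image"]): p for p in sysmon_proc}
    matched, processes = 0, set()
    for r in fw:
        if (r["src"], r["dst"], r["dport"], r["proto"]) != beacon["key"]:
            continue
        for e in by_tuple.get((r["src"], r["sport"], r["dst"], r["dport"], r["proto"]), []):
            if abs((e["ts"] - r["ts"]).total_seconds()) <= tolerance_s:
                matched += 1
                p = procs.get((e["pid"], e["image"]), {})
                processes.add((e["image"], p.get("parent_image"), p.get("user")))
                break
    return {"matched": matched, "total": beacon["count"],
            "processes": sorted(processes, key=str)}


if __name__ == "__main__":
    for b in find_beacons(FIREWALL):
        print(b)
        print(attribute(b, FIREWALL, SYSMON_NET, SYSMON_PROC))
```

With the default 5-second tolerance every beacon connection is attributed to `unknown_svc.exe` under `explorer.exe`; tightening the tolerance to 1 second drops every match, which is the time-synchronization failure mode the deck warns about. The browsing traffic to the second destination is never flagged because its gaps are irregular.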

Challenges in Correlation

  • Time Synchronization: Even small drifts in System Time vs. Network Time can break automated correlation logic.
  • Volume & Noise: Millions of firewall events vs. thousands of process events creates a 'needle in a haystack' dynamic.
  • Encryption (TLS 1.3): Network logs often cannot see the payload or URL, forcing reliance on SNI (Server Name Indication) or host logs.
  • NAT & Proxies: Network Address Translation masks the true source IP, requiring translation logs to map back to the host.
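The NAT and time-synchronization challenges above, as an added Python example that is not part of the deck. A perimeter firewall only records the post-NAT public source, so the example resolves each event back to the internal host through NAT translation bindings that are valid for a bounded time window, applies an optional clock-skew correction, and returns `None` for events that no binding covers so they can be routed to manual review. It also keeps a time-unaware lookup to show how a reused public port misattributes traffic. The public address 198.51.100.7, the internal hosts, ports and binding windows are all constructed assumptions.

```python
"""Added example (not from the deck): map perimeter firewall events, which only see the
post-NAT public source, back to the internal host using NAT translation bindings that are
valid for a bounded time window. All records are constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2025, 3, 1, 12, 0, 0)
PUB = "198.51.100.7"   # constructed NAT public address

# Constructed NAT translation log. Public port 40001 is reused by two different
# internal hosts at different times, so a time-unaware lookup would misattribute.
NAT_LOG = [
    {"start": T0, "end": T0 + timedelta(seconds=90),
     "pub": (PUB, 40001), "int": ("10.1.5.9", 49152)},
    {"start": T0 + timedelta(seconds=120), "end": T0 + timedelta(seconds=200),
     "pub": (PUB, 40001), "int": ("10.1.7.22", 51234)},
    {"start": T0, "end": T0 + timedelta(seconds=300),
     "pub": (PUB, 40002), "int": ("10.1.5.9", 49153)},
]

# Constructed perimeter firewall events (post-NAT view). The third one falls in the
# gap between the two bindings of port 40001.
PERIMETER = [
    {"ts": T0 + timedelta(seconds=30), "src": (PUB, 40001), "dst": ("203.0.113.42", 443)},
    {"ts": T0 + timedelta(seconds=150), "src": (PUB, 40001), "dst": ("203.0.113.42", 443)},
    {"ts": T0 + timedelta(seconds=100), "src": (PUB, 40001), "dst": ("203.0.113.42", 443)},
]


class NatResolver:
    """Index NAT bindings by public (ip, port) and answer time-bounded lookups."""

    def __init__(self, nat_log):
        self.bindings = defaultdict(list)
        for b in nat_log:
            self.bindings[b["pub"]].append(b)
        for lst in self.bindings.values():
            lst.sort(key=lambda b: b["start"])

    def resolve_naive(self, pub):
        """Time-unaware lookup: returns whichever binding came first. Kept only to
        illustrate the misattribution that port reuse causes."""
        lst = self.bindings.get(pub)
        return lst[0]["int"] if lst else None

    def resolve(self, pub, ts, skew_s=0.0):
        """Return the internal (ip, port) bound to pub at time ts, or None when no
        binding covers it. skew_s is added to ts to correct a known clock offset
        between the firewall and the NAT device."""
        t = ts + timedelta(seconds=skew_s)
        for b in self.bindings.get(pub, []):
            if b["start"] <= t <= b["end"]:
                return b["int"]
        return None


def attribute_events(events, resolver, skew_s=0.0):
    """Attach the resolved internal source to each perimeter event; None marks
    events that need manual review because no binding covered that instant."""
    return [(e["ts"], e["dst"], resolver.resolve(e["src"], e["ts"], skew_s))
            for e in events]


if __name__ == "__main__":
    res = NatResolver(NAT_LOG)
    for row in attribute_events(PERIMETER, res):
        print(row)
```

The event at 150 s resolves to 10.1.7.22 with the time-aware lookup but to 10.1.5.9 with the naive one; the event at 100 s resolves to nothing unless a 15-second skew correction is applied, which is exactly the kind of drift that has to be measured and documented before automated correlation can be trusted.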

The Role of SIEM & SOAR


Conclusion: Context is King

Effective attack attribution is rarely achieved through a single lens. By correlating network motion with host execution, security teams can reconstruct the complete attack narrative. This leads to faster remediation, reduced dwell time, and legally defensible attribution.

End of Presentation