AuditRubric
de-cm-5 high Detect / Continuous Monitoring

Unauthorized network connections are detected

Attackers rarely announce themselves. They establish footholds through unexpected outbound connections to command-and-control infrastructure, lateral movement to systems they should not be talking to, or inbound probes against services that should not be exposed. Detecting unauthorized network connections gives you the earliest possible warning of an active intrusion, before data is exfiltrated or systems are encrypted.

Estimated effort: 4h
Tags: network-monitoring, ids, ips, unauthorized-access
Complete first: de-cm-1

Implementation steps

  1. Deploy network intrusion detection coverage

    Deploy an IDS or IPS at your network perimeter and for east-west traffic inside your environment. In cloud environments, enable native threat detection services that analyze VPC flow logs and DNS queries.

    Tools: aws-guardduty, snort, suricata, palo-alto, crowdstrike

  2. Enable VPC flow logs or equivalent network flow collection

    Turn on flow logging for all cloud VPCs and on-prem network segments. Flow logs capture every connection attempt and are essential for both real-time detection and post-incident investigation.

    Tools: aws-guardduty, azure-network-watcher, google-cloud-vpc

  3. Create alerts for unauthorized connection patterns

    Define alerts for: connections to known malicious IPs or domains, traffic on non-standard ports, outbound connections from servers that should not initiate connections, and internal traffic to systems outside normal communication patterns.

    Tools: datadog, splunk, elastic, aws-guardduty

  4. Review and tune network baselines regularly

    Review network traffic patterns monthly to update your baseline and reduce false positives. Document approved communication paths so deviations are easier to spot.

    Tools: darktrace, vectra, splunk
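As an added illustration of steps 2 and 3 (example code, not part of this control's text), the following Python applies the four alert patterns from step 3 to a few constructed AWS VPC Flow Log version 2 records; the policy values (the approved path, the no-egress server, the known-bad address) are hypothetical placeholders standing in for the baseline step 4 asks you to document.

```python
from ipaddress import ip_address, ip_network

# AWS VPC Flow Log default (version 2) field order
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed policy: hypothetical values standing in for the documented baseline (step 4)
INTERNAL = ip_network("10.0.0.0/8")
KNOWN_BAD_IPS = {"203.0.113.9"}        # placeholder threat-intel indicator (TEST-NET-3 range)
NO_OUTBOUND_SERVERS = {"10.0.2.40"}    # database host that must never initiate egress
STANDARD_PORTS = {22, 53, 80, 443, 5432}
APPROVED_PATHS = [(ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24"), 5432)]  # (src net, dst net, dst port)

# Constructed sample records; the last one carries no data and must be skipped, not alerted on
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.40 49152 5432 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.40 198.51.100.7 52011 443 6 12 2200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.9 50321 4444 6 9 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.3.15 50400 445 6 3 300 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_record(line: str) -> dict:
    return dict(zip(FIELDS, line.split()))

def classify(rec: dict) -> list:
    """Return the step-3 patterns one accepted flow matches (empty list = authorized)."""
    src, dst, port = ip_address(rec["srcaddr"]), ip_address(rec["dstaddr"]), int(rec["dstport"])
    reasons = []
    if rec["srcaddr"] in KNOWN_BAD_IPS or rec["dstaddr"] in KNOWN_BAD_IPS:
        reasons.append("known_bad_ip")
    if port not in STANDARD_PORTS:
        reasons.append("non_standard_port")
    if rec["srcaddr"] in NO_OUTBOUND_SERVERS and dst not in INTERNAL:
        reasons.append("server_initiated_outbound")
    if src in INTERNAL and dst in INTERNAL and not any(
            src in s_net and dst in d_net and port == p for s_net, d_net, p in APPROVED_PATHS):
        reasons.append("outside_approved_paths")
    return reasons

def detect_unauthorized(flow_logs: str) -> list:
    """Return (src, dst, dstport, reasons) for every accepted flow that violates the baseline."""
    alerts = []
    for line in flow_logs.splitlines():
        rec = parse_record(line)
        if rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
            continue  # NODATA/SKIPDATA rows have '-' fields; rejected flows belong to a probe-detection rule
        if reasons := classify(rec):
            alerts.append((rec["srcaddr"], rec["dstaddr"], int(rec["dstport"]), reasons))
    return alerts
```

Feeding the sample yields three alerts: the database host reaching out to the internet, the connection to the known-bad address on port 4444, and the internal SMB connection that is not on any approved path; the first record is a baseline-approved flow and produces nothing.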

Evidence required

IDS or IPS deployment confirmation

Screenshot or configuration export showing intrusion detection is active on your network.

  • AWS GuardDuty enabled with findings dashboard
  • Snort or Suricata deployment configuration
  • Palo Alto or similar NGFW threat prevention policy

Network flow log configuration

Confirmation that flow logs are enabled and being retained for your cloud or on-prem environment.

  • AWS VPC Flow Logs configuration screenshot
  • Azure Network Watcher flow log settings
  • SIEM showing ingested flow log data

Network alert rules

Export or screenshot of active alert rules detecting unauthorized connection patterns.

  • SIEM detection rules for anomalous outbound traffic
  • GuardDuty findings configuration
  • Firewall threat alert policy

Related controls