Zeek is a proven open-source network visibility and analytics tool that you can leverage to increase your agency’s Network Visibility and Analytics Capability maturity under CISA’s Zero Trust Maturity Model Version 2.

Zeek (https://zeek.org, formerly named Bro) is a passive network sensor deployable on physical, virtual, and container platforms. Recording network traffic is a fundamental capability: it gives the analyst a view of what actually crossed the wire that is independent of the network devices and hosts involved, and it can be obtained passively, without touching those systems.

Zeek uses its recorded or real-time feed to create protocol-level (and higher-level) records, each summarizing one transaction, for analysis. The table Prioritized Zeek Logs lists a subset of the supported log types that can be considered for your Zero Trust Visibility and Analytics approach.

These prioritized logs are my suggested top five logs to consider. If your Zero Trust maturity already covers them, Zeek supports more than 20 additional log types, as well as a dozen frameworks to expand and mature your analytics stack. The logs are presented below in order of least effort to deploy, but they should be prioritized according to your organization's needs.

Prioritized Zeek Logs

Columns: Zeek Log, Effort (1 = lowest), Description, Comments, Zero Trust Maturity Lift.

dns.log (Effort 1)
  • Description: Domain Name System (DNS) transactions.
  • Comments: Zeek can log DNS from live traffic or from recorded (PCAP) traffic.
  • Zero Trust Maturity Lift: Initial: Network monitoring. Advanced: Automated processes for robust threat hunting activities. Optimal: Enterprise-wide situational awareness.

ntp.log (Effort 2)
  • Description: Network Time Protocol (NTP) transactions.
  • Comments: Depending on the environment's NTP design, deployment may require a phased approach, especially in extremely compartmentalized networks.
  • Zero Trust Maturity Lift: Initial: Monitoring and telemetry correlation.

ssh.log (Effort 3)
  • Description: Secure Shell (SSH) sessions.
  • Comments: Covers lateral, inbound, and outbound SSH activity.
  • Zero Trust Maturity Lift: Initial: Network monitoring and micro-segmentation validation; validation of policy on user access rules.

traceroute.log (Effort 4)
  • Description: Traceroute detection.
  • Comments: Traceroute is a common troubleshooting tool, but it is also used for discovery and mapping of networks.
  • Zero Trust Maturity Lift: Initial: Basic network monitoring. Advanced: Indicator of threat when validated.

conn.log (Effort 5)
  • Description: Connection logs.
  • Comments: This is the global connection log, one record per connection regardless of protocol, and it provides a broad breakdown of all traffic the sensor sees.
  • Zero Trust Maturity Lift: Initial: Basic network monitoring. Optimal: With an investment in distributed Zeek sensors, you can establish solid enterprise-wide visibility.

Common Zeek Use Cases

Zeek’s stack is adaptable to any capability requiring a network sensor. Three easily adapted use cases can provide immediate value:

  1. Troubleshooting Network Sensor
  2. Forensics Capture
  3. SIEM (Security Information and Event Manager) integrated network sensor

1. Troubleshooting Sensor

As a network troubleshooting sensor, Zeek can be adapted to quick deployments using whichever form factor you need. For example, a hardware-based sensor lends itself to the distribution and core areas of the network for multi-discipline, Tier III troubleshooting, while virtual machine and container deployments can be spun up close to the segment under investigation.

2. Forensics Capture

Zeek records every network transaction it observes, which makes its logs a source of record for network-based evidence; it can also write the raw packets it processes to a PCAP file (the -w option) when full-content preservation is required. The analyst can place the Zeek sensor in a persistent location, or move the sensor and a local port mirror together to capture traffic for an active investigation.

3. SIEM Integrated Sensor (Threat Hunting and Incident Management)

Zeek's logs integrate easily into most SIEMs (Security Information and Event Managers). For example, the Zeek App for Hunting is a Splunk plugin that provides visual dashboards fed by Zeek's logs, and it enriches the Splunk platform through its enhanced reporting capabilities.

Zeek can be leveraged for much more, increasing visibility while maturing your agency’s Zero Trust levels. Zeek integration provides opportunities across all network pillar maturity levels as shown in Zeek’s Network Pillar Maturity Level Integration Lift table.

Zeek’s Network Pillar Maturity Level Integration Lift

Columns: Maturity Level, Zeek's Integration Capabilities, Integration Targets.

Traditional
  • Passive network monitoring
  • Network event correlation
  • Baseline network behavior
Integration targets: SIEM, service desk (automatic service requests).

Initial
  • Network segment definitions
  • Network abstractions (layers 2 and 3)
  • Communication patterns
Integration targets: agency, commercial, and open threat feeds; lateral movement and attack surface analysis.

Advanced
  • Segmentation through policy
Integration targets: network devices, SIEM (pure software-defined networking would require additional integration).

Optimal
  • Enterprise-wide network compliance and visibility
Integration targets: distributed Zeek nodes can help report compliance on items such as valid SSL/TLS certificates and shadow IT assets (unsanctioned DNS servers, SMTP relays, proxies, etc.), and can leverage the capabilities of all lower maturity levels to advance enterprise-wide visibility.

Zeek Installation

Before installation, the Zeek sensor (hardware, virtual machine, or container) must be positioned where it receives a copy of the traffic to be monitored, as shown in the Figure Network Tap. Zeek is a passive sensor: it does not sit in the forwarding path. The copy can come from a hardware network tap, or you can use your switch's port mirroring (SPAN) capability to send the traffic to the sensor's capture interface.

Figure Network Tap

Zeek is not shipped in the default repositories of most Linux distributions, but it can be installed from the Zeek project's package repositories (hosted on the openSUSE Build Service) or built from source. The following example installs it from packages on Ubuntu 22.04:

# Update package list
sudo apt-get update
# Prerequisites
sudo apt-get install -y software-properties-common wget gnupg
# Add the Zeek repository for your Ubuntu release
sudo sh -c "echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_$(lsb_release -rs)/ /' > /etc/apt/sources.list.d/security:zeek.list"
# Import the repository signing key. apt-key is deprecated on Ubuntu 22.04,
# so store the dearmored key under /etc/apt/trusted.gpg.d/ instead.
wget -nv https://download.opensuse.org/repositories/security:zeek/xUbuntu_$(lsb_release -rs)/Release.key -O Release.key
gpg --dearmor < Release.key | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
# Update your package list again
sudo apt-get update
# Install Zeek (installs under /opt/zeek)
sudo apt-get install zeek

If your server has no mail transfer agent configured, the installation will walk you through the Postfix mail server configuration on Ubuntu (ZeekControl uses it to send its email notifications).

Zeek Usage – startup

The analyst can start Zeek in two modes: on a live interface (shown below) or against a Packet Capture (PCAP) file, using the -r parameter to read the file. In this example we use interface mode so that Zeek reads real-time traffic. As root, execute the following to start Zeek on the enp0s1 interface (substitute the name of your capture interface):

/opt/zeek/bin/zeek -i enp0s1 local

The trailing local argument loads the site policy in /opt/zeek/share/zeek/site/local.zeek, which enables policy scripts beyond the base set; traceroute.log in the table above comes from the misc/detect-traceroute policy script, so check local.zeek if that log does not appear. Started this way, Zeek writes its logs (conn.log, dns.log, ssh.log, and so on) into the current working directory, so run the command from the directory in which you expect the logs. Alternatively, use the bundled ZeekControl (zeekctl), which manages the process for you and writes the live logs under /opt/zeek/logs/current, archiving them by date.

Zeek DNS Example

As a DNS analysis example, consider malware from an advanced persistent threat actor, with no known signature, that has been downloaded by three users. It does not appear to have spread beyond those three hosts, and it appears to try to connect to domains and IP addresses that policy prohibits; however, spot checking hosts is labor intensive, so we want to identify indicators of compromise (IOCs) at the edge of the network, where a Zeek sensor is located.

The following command lists the DNS queries for domain names that should have been prohibited. In this example the prohibited domains all end in "block", so we filter on that string to trace the example more easily; in production you would match the query field against your agency's actual blocklist.

awk '{cmd="date -d @"$1" +\"%Y-%m-%d %H:%M:%S\""; cmd | getline d; close(cmd); print d, $3, $10}' /opt/zeek/logs/dns.log | grep "block"
2024-03-01 15:02:36 192.168.65.3 gogle.block
2024-03-01 15:02:36 192.168.65.16 gogle.block
2024-03-01 15:03:51 192.168.2.1 yhoo.block
2024-03-01 15:03:53 192.168.3.1 yhoo.block

The awk 'cmd=' fragment makes the logic harder to read, but it simply converts the epoch timestamp in the ts field to a human-readable date. The important parts of the command are the grep for "block" in the dns.log output and the three fields printed: in Zeek's default tab-separated dns.log, field 1 (ts) is the timestamp, field 3 (id.orig_h) is the source IP address, and field 10 (query) is the domain queried ($1, $3, $10 in awk notation). Field positions are defined by the #fields header at the top of every Zeek log, so verify them before relying on hard-coded numbers; the zeek-cut utility shipped in /opt/zeek/bin selects fields by name and converts timestamps with its -d option, which is the more robust way to do this.

The conclusion from the generated list is that a control for blocking domains is not working correctly and/or some hosts have an exception to the domain blocking policy. Incident response would continue from there.

Additional Capabilities

Your agency’s architecture, maturity, and use cases may need additional capabilities. Here are several worth considering:

  • Geolocation: Mapping of IP addresses to geographic locations. This capability requires additional components (the libmaxminddb library and a MaxMind GeoIP database); however, the current containers from the Zeek repository have it built in.
  • Kafka Log Writer: A Zeek plugin (installable with the zkg package manager) that streams Zeek logs to Kafka-based services instead of writing them to files.
  • Zeek Scripting: Zeek's own scripting language allows advanced, tailored solutions that support playbook development for common responses within the Security Operations Center.

Summary

In seeking innovative ways to mature the agency Zero Trust posture, T-Rex cyber engineers take a complete cyber approach, applying Zero Trust principles. This article has focused on improving network visibility within the Network pillar. Building out diagnostics, threat hunting, and incident management is fundamental to pillar maturity.

The Cybersecurity and Infrastructure Security Agency (CISA) supports more than 10 tools and plugins for Zeek. Their source code is located in its open-source repository at: https://github.com/cisagov/

T-Rex’s cybersecurity engineers and architects work with Federal agencies to speed their Zero Trust endeavors through T-Rex’s Zero Trust Architecture Accelerator 2.0 and innovative tooling as shown here. Contact us at cybersecurity@trexsolutionsllc.com to discuss how we can assist in your Zero Trust program.
