ClickCease Insufficient Internal Network Monitoring in Cybersecurity

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Insufficient Internal Network Monitoring in Cybersecurity

Joao Correia

January 15, 2024 - Technical Evangelist

This article is part of a series where we look at a recent NSA/CISA Joint Cybersecurity Advisory on the top cybersecurity issues identified during red/blue team exercises operated by these organizations. In this article, you will find a more in-depth look at the specific issue, with real-world scenarios where it is applicable, as well as mitigation strategies that can be adopted to limit or overcome it. This expands on the information provided by the NSA/CISA report.

Effective internal network monitoring is crucial for detecting and mitigating cyber threats. Insufficient monitoring can leave organizations vulnerable to undetected adversarial compromises. This chapter explores the implications of inadequate network monitoring and provides strategies for enhancing monitoring capabilities.


The Problem with Insufficient Monitoring


Limitations in Host and Network Sensor Configurations


Many organizations fail to optimally configure host and network sensors for traffic collection and end-host logging. This inadequacy can lead to undetected adversarial compromise and limits the capability to collect traffic data necessary for establishing a security baseline and detecting anomalies​​.


Challenges with Host-Based Monitoring Only


Relying solely on host-based monitoring can be insufficient, as this approach informs about adverse activities on individual hosts but not about activities traversing between hosts. For example, an organization with host-based monitoring could identify infected hosts but not the source of the infection, hindering efforts to prevent future lateral movements and infections​​.

Additionally, a lack of proper monitoring correlation between hosts makes it difficult to understand patterns – either pre or post exploitation – which leads to inefficiencies and potential oversights when attempting to rectify the situation.


Failure in Detecting Lateral Movement and Command and Control Activities


Organizations with insufficient network monitoring might fail to detect lateral movement and command and control activities within their networks. Even mature cybersecurity postures can be compromised if network monitoring is not comprehensive, as demonstrated by assessment teams gaining deep access without triggering security responses​​.

Mitigation Strategies

Establish a Baseline of Applications and Services


Regularly audit the access and use of applications and services, especially for administrative activities. This practice helps in understanding normal network behavior, thus making it easier to spot anomalies​​.


Implement Comprehensive Network Monitoring


Combine host-based monitoring with network monitoring to gain a full view of the cybersecurity landscape. This combination allows for the detection of malicious activities both on individual hosts and as they move across the network.


Regular Audits of Network Traffic


Conduct routine audits of network traffic and patterns to identify unusual activities or unauthorized access attempts. This proactive approach aids in early detection and response to potential threats.


Use of Advanced Analytical Tools


Employ advanced analytical tools and algorithms to analyze network traffic for patterns indicative of cyber threats. Machine learning techniques can be particularly effective in detecting sophisticated attacks that might evade traditional monitoring methods.


Train Staff on Network Monitoring Practices


Ensure that IT staff are well trained in network monitoring practices and aware of the latest cyber threats. Regular training sessions can help in keeping the team updated on new technologies and attack vectors.


Create Incident Response Plans


Develop and regularly update incident response plans that include procedures for responding to anomalies detected through network monitoring. These plans should involve both technical responses and communication strategies.


Enforce Adequate Segregation of Hosts


If there is no reason for two hosts to communicate, then moving each to separate network segments should be considered. While not a monitoring policy per se, this at least attempts to reduce visibility and exposure for threat actors.


Change Block Rules to Block-and-Log


Identify and investigate blocked attempts to communicate between separate systems. Simply blocking the connection can keep probing attempts undetected for long periods of time.




By understanding the gaps in current monitoring practices and implementing these mitigation strategies, organizations can significantly enhance their ability to detect and respond to cyber threats.

Insufficient Internal Network Monitoring in Cybersecurity
Article Name
Insufficient Internal Network Monitoring in Cybersecurity
Lets explore the implications of inadequate network monitoring and provides strategies for enhancing monitoring capabilities.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter