From a defender’s perspective, suspicious bridging is observed when network devices begin allowing traffic that contradicts existing segmentation or access policies. Observable behaviors include sudden modifications to ACLs or firewall rules, unusual cross-boundary traffic flows (e.g., east-west communications between VLANs that are supposed to be isolated from each other), or simultaneous ingress/egress anomalies. Multi-event correlation is key: a configuration change on a router or firewall followed, within a short window, by unexpected traffic patterns, especially from unusual sources, is a strong indicator of compromise, whereas a rule change on its own is often routine maintenance and a single odd flow is often a misconfiguration.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | NSM:Flow | Unexpected flows between segmented networks or prohibited ports |
| Network Traffic Content (DC0085) | networkdevice:syslog | ACL/Firewall rule modification or new route injection |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between configuration changes and abnormal traffic; tuned to match expected administrative change cycles. |
| ApprovedChangeList | Known authorized ACL/firewall changes; suppresses noise from legitimate maintenance. |
| GeoLocation | Geographic origin of new traffic patterns; helps distinguish benign remote offices from suspicious foreign access. |
| TrafficVolumeThreshold | Volume of cross-segment traffic; tuned to detect large-scale lateral flows without flagging small test connections. |
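The correlation described above, with the tunables from the table, written out as an added example (this is not code from the page; it is an illustration of the rule). It reads configuration-change events from device syslog, drops changes that fall inside an approved maintenance entry, and for each remaining change sums the bytes of prohibited cross-segment flows seen within TimeWindow after it, alerting when the sum reaches TrafficVolumeThreshold. The device names, user names, addresses, segmentation policy, and syslog message shape (modelled on a Cisco IOS config-logger line, but constructed here) are all assumptions; GeoLocation is omitted because it needs an external lookup.

```python
"""Correlate network-device configuration changes with subsequent prohibited
cross-segment flows (boundary bridging). Added example with constructed data:
devices, users, addresses and the syslog line format are all invented here."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Tunables, named after the page's mutable elements.
TIME_WINDOW = timedelta(minutes=30)      # change -> abnormal-traffic correlation window
TRAFFIC_VOLUME_THRESHOLD = 1_000_000     # bytes of prohibited cross-segment traffic per window
# ApprovedChangeList: (device, user, maintenance window start, end), hypothetical entry.
APPROVED_CHANGE_LIST = [("fw-edge-01", "netops", datetime(2024, 5, 6, 8, 0), datetime(2024, 5, 6, 10, 0))]

# Assumed segmentation policy: named segments and the directed pairs allowed to talk.
SEGMENTS = {
    "user": ip_network("10.10.0.0/16"), "dmz": ip_network("10.20.0.0/16"),
    "ot": ip_network("10.50.0.0/16"),
}
ALLOWED_PAIRS = {("user", "dmz"), ("user", "ot")}

# Config-logger style syslog line (assumed format) and the commands that touch ACLs or routes.
CFG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %PARSER-5-CFGLOG_LOGGEDCMD: "
    r"User:(?P<user>\S+) logged command:(?P<cmd>.+)$"
)
POLICY_CMD_RE = re.compile(r"^(no )?(ip )?(access-list|access-group|route)\b")

@dataclass
class ConfigChange:
    ts: datetime
    device: str
    user: str
    command: str

@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    byte_count: int

def parse_config_changes(lines):
    """Keep only logged commands that modify ACLs or routes; other syslog is ignored."""
    changes = []
    for line in lines:
        m = CFG_RE.match(line)
        if m and POLICY_CMD_RE.match(m["cmd"]):
            changes.append(ConfigChange(datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["cmd"]))
    return changes

def segment_of(addr):
    ip = ip_address(addr)
    return next((name for name, net in SEGMENTS.items() if ip in net), None)

def correlate(changes, flows):
    """For each unapproved change, sum prohibited cross-segment bytes in the window after it."""
    alerts = []
    for change in changes:
        if any(change.device == dev and change.user == user and start <= change.ts <= end
               for dev, user, start, end in APPROVED_CHANGE_LIST):
            continue  # ApprovedChangeList: suppress known maintenance
        window_end = change.ts + TIME_WINDOW
        totals = {}
        for f in flows:
            if not change.ts <= f.ts <= window_end:
                continue
            pair = (segment_of(f.src), segment_of(f.dst))
            if None in pair or pair[0] == pair[1] or pair in ALLOWED_PAIRS:
                continue  # unknown, intra-segment or policy-permitted traffic
            totals[pair] = totals.get(pair, 0) + f.byte_count
        for pair, total in totals.items():
            if total >= TRAFFIC_VOLUME_THRESHOLD:
                alerts.append({
                    "device": change.device, "user": change.user, "command": change.command,
                    "change_ts": change.ts.isoformat(), "segments": f"{pair[0]}->{pair[1]}", "bytes": total,
                })
    return alerts

# Constructed sample data: one approved change, one unapproved ACL change, then flows.
SAMPLE_SYSLOG = [
    "2024-05-06T08:15:00 fw-edge-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:ip access-list extended DMZ-IN",
    "2024-05-06T13:02:11 core-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup logged command:access-list 120 permit ip 10.20.0.0 0.0.255.255 10.50.0.0 0.0.255.255",
    "2024-05-06T13:02:40 core-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup logged command:interface GigabitEthernet0/1",
    "2024-05-06T13:03:05 core-rtr-01 %SYS-5-CONFIG_I: Configured from console by svc_backup on vty0 (10.20.1.15)",
]
SAMPLE_FLOWS = [
    Flow(datetime(2024, 5, 6, 8, 20), "10.10.4.2", "10.20.1.15", 443, 120_000),      # user->dmz, allowed
    Flow(datetime(2024, 5, 6, 13, 5), "10.20.1.15", "10.50.3.7", 445, 2_000),        # small test connection
    Flow(datetime(2024, 5, 6, 13, 10), "10.20.1.15", "10.50.3.7", 445, 800_000),     # dmz->ot, prohibited
    Flow(datetime(2024, 5, 6, 13, 12), "10.20.1.15", "10.50.3.7", 502, 600_000),     # dmz->ot, prohibited
    Flow(datetime(2024, 5, 6, 13, 15), "10.10.9.9", "10.50.3.7", 22, 5_000_000),     # user->ot, allowed
    Flow(datetime(2024, 5, 6, 14, 30), "10.20.1.15", "10.50.3.7", 445, 9_000_000),   # outside TimeWindow
]

if __name__ == "__main__":
    for alert in correlate(parse_config_changes(SAMPLE_SYSLOG), SAMPLE_FLOWS):
        print(alert)
```

On the sample data the 08:15 change is suppressed by the approved entry, the `interface` command and the `%SYS-5-CONFIG_I` line are not policy changes, and only the 13:02 ACL change fires: the 2 KB test connection alone stays under the threshold, but together with the two later dmz->ot transfers it reaches 1,402,000 bytes inside the 30-minute window, while the 9 MB flow at 14:30 is ignored. On real data the same logic runs over the device syslog and NSM flow feeds, with TIME_WINDOW set to the site's actual change cycle and the approved list fed from the change-management system.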