I’d like to take the time to go through the steps on how a rogue DHCP server works. The more you know about man-in-the-middle attacks, the better you will be at uncovering the infections. Scott wrote a blog a few weeks ago that went into some more detail about detecting a rogue DHCP server and symptoms that you may be infected. I want to hit on how that activity works.
I’m no network administrator, but I know that monitoring network abuse and policy observance is imperative to keeping a network safe. After writing my last blog on incident response system guidelines, I received a few emails about going more in depth using custom data correlation and thresholds. It can be difficult finding the information you want before you even know you want it. Would you like to know that the phone is about to ring because of a possible infection, or that the network is about to become slow? Now, no one can tell the future, but having a little more insight using NetFlow and IPFIX data will help predict a possible issue.
Working in support, I am often asked by customers how to start using NetFlow and IPFIX in their network monitoring tool to get a more proactive approach to detecting threats. This is why I have decided to go over a few incident response system guidelines that will save you time and money when your network is hit by the next string of malware or advanced persistent threat (APT). Jalisa pointed out yesterday that the average security breach cost can be up to $3.5 million. Let’s go over a few ways to utilize NetFlow and IPFIX to lessen the impact.
Becoming a NetFlow private eye is easy if you’re using the right Incident Response System (IRS). Our team is lucky to be able to experience and work through the scenarios that keep most security professionals up at night. After reading Jake’s blog a few weeks ago, we decided to infect our lab with a virus that would try to move around the network, pull info from the servers, and send it out to a command and control (C&C) server on the Internet. I’ll share with you what we did. Although this was done in a lab, the point will still be clear: advanced persistent threats (APT)/malware will go undetected for long periods of time if you don’t have the right system in place to help with incident response.
Emulex has announced a new data capture appliance: the EndaceFlow 3040. This NetFlow generator appliance boasts an impressive array of features and supports all major versions of NetFlow: v5, v9, and IPFIX. This is great news for administrators looking to incorporate a NetFlow generator into their environment, as having this sort of monitoring power provides security teams with greater, more detailed insight and the ability to serve up faster incident response times. Combining the Endace NetFlow generator with our Incident Response System provides a reliable solution when investigating suspicious traffic patterns.