Malware Detection and determining the cause of an incident is a requirement in todays connected world. The post U.K. Parliament’s computers tried to access porn 247,000 times in 2015 is a great example. From first glance you get the impression that people at the Parliament have way too much time on their hands. When you dig a bit deeper we start to see that this the problem isn’t an HR issues but network security issue. The good news is that with the adoption of NetFlow collection and Flow Pro Defender Scrutinizer can monitor for malware.
We are faced with two issue here. First we need to monitor for malware traffic on your network. Second we need to have the ability to identify the IP or user behind that traffic. Adding NetFlow technology to your network monitoring suite will allow you to retain, report on, and monitor on every conversation that moves across you system. I know what your asking, isn’t that a lot of traffic and lots of storage? Honestly, that is a common question that people ask. Remember, NetFlow add less than a 2% increase to your total traffic and because it’s all UDP data storage requirements are far less than you think.
One thing to note, when looking for this type of visibility you need to make sure that your tool is able to support all version of flow. This is important because certain devices have added functions that you will want to take advantage of. Others might only send something like sampled flow or not send flow at all. You need to make sure your NetFlow tool can provide a solution for all of your devices. You also need to ask if the solution that you are looking at allows you to see fully qualified domain names and associate an IP with a username. Overall, you need to have confidence in the data because if or when a report saying your government is looking at porn all day comes out, you have the tools and resources to quickly give the right answers.
“Officials suggested that malware might be a possible cause for some of the activity.” – NBC NEWS
Malware Detection
My buddy Tom Pore, who also happens to be one of Plixers security gurus, wrote an interesting article about malware safety. He goes into great detail of how Flow Pro Defender was used for DNS for Malware Detection. In the case of the UK Parliament, the ability to uncover DGAs, Botnets and other forms of malware that rely on the DNS to carry out their less than honorable activity would have been helpful.
Flow Pro Defender does this by integrating with you DNS and utilizing methods like NXDomain counts, DNS TXT messages, compares requests to a constantly updated domain reputation list, uses proprietary logic to scrutinize the format of the Fully Qualified Domain Name (FQDN) requested, creates a cache of all FQDN lookups, and sends the records off to the NetFlow and IPFIX collector.
Now that we have the IP address related to the Malware traffic we can use something simple like Scrutinzer Exporters search function to quickly search for any lateral movement by that IP on your network. remember, we are saving this data for as long as your need it and you are able to quickly search historically. In this situation not only would you be able to identify patient zero but all of the other infected IP’s along the way.
Identify the user
With only an IP Address, tracking down who or what that address belongs to can be a cumbersome and tedious process. We all know that DHCP and NAT are changing IP addresses on a fairly regular basis. How can we find out the history of an IP Address without having to jump through multiple hoops? Since Scrutinizer integrates with Cisco ISE and Microsoft Active Directory, the usernames responsible for authenticating devices onto the network are displayed. This provide the best contextual details surrounding an incident. So not only have we been able to identify patient zero but we are also able to identify the username associated with that IP.
This would come in handy two ways. First, if this was a user incident HR would have to correct information to reprimand the end-user. Honestly, I don’t think that this is as common of an issue as one might think but it does happen more than we would like to admit. something that is more common is an infected machine. As I mentioned above, Flow Pro Defender utilizes DNS integration which gives you a head start on detecting this type of traffic. With this information we have been able to detect the incident, determine who patient zero is, and find out who else has been infected.
The world of technology is ever-changing and you need to make sure that the monitoring technology you invest in today is flexible enough to bend with what you adopt tomorrow. That is why we focus on supporting all flow technology because in itself, the industry standardization of flow technology (NetFlow, IPFIX, etc.), lends itself to this flexibility. In the end it is all about having multiple layers of security and complete visibility into your network traffic. If you would like to learn more about how Scrutinizer can help you stay vigilant and be a valuable asset in your Cyber Incident Response System, give us a call and we will be more than happy to help you.
