At Plixer we have a contractor, “Shrek”, who needs VPN access to our network. Our security team realizes that he may not be taking all the steps necessary to ensure that his computer stays free of viruses and malware. Because of this, we apply a few different tactics to try to ensure VPN Malware Protection.

Threat Detection System

The newest strategy we implemented is our own malware behavior detection solution called FlowPro Defender.  This threat detection system monitors all of the traffic to and from the DNS and provides two main features:

  • Uncovers DGAs, botnets and other forms of malware that rely on the DNS to carry out their dirty deeds. Monitoring is done using numerous methods. Examples include:
    • Counts NXDomain
    • Monitors for DNS TXT messages
    • Compares requests to a constantly updated domain reputation list
    • Uses proprietary logic to scrutinize the format of the Fully Qualified Domain Name (FQDN) requested
  • Creates a cache of all FQDN lookups and sends the records off to the NetFlow and IPFIX collector

Here’s the bad news: our contractor’s computer became infected at his office and then he VPN’d into our network. As soon as the computer entered our network, the malware became active and started sending strange requests to our DNS. FlowPro Defender detected it immediately and sent a message off to Scrutinizer.

VPN Malware Protection

The good news is that after receiving notification, we immediately terminated his VPN connection. We then investigated the event and learned that Shrek’s computer violated the 4 algorithms shown above. Each time Shrek’s computer created suspicious traffic, it triggered an event. As a result, his machine’s Threat Index (TI) went up. Below you can see the TI value rose to 312:

Malware Behavior Detection

The TI is Plixer’s unique method of compiling events into a single metric for each host. If the TI had hit a definable threshold before the events aged out, a second notification would have been triggered.
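A minimal sketch of the four DNS checks listed earlier and of rolling their events into one per-host score that ages out, as an added example that is not Plixer's code or the actual TI calculation. The weights, entropy cutoff, aging window and threshold are assumptions, and the log records are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS records: (epoch_seconds, client_ip, qname, qtype, rcode)
SAMPLE_LOG = [
    (0,   "10.9.0.23", "xkqzvbwhtplm.example", "A",   "NXDOMAIN"),
    (5,   "10.9.0.23", "qjwnzrkpfvhd.example", "A",   "NXDOMAIN"),
    (9,   "10.9.0.23", "badrep.example",       "A",   "NOERROR"),
    (12,  "10.9.0.23", "c2.example",           "TXT", "NOERROR"),
    (15,  "10.9.0.40", "www.example.com",      "A",   "NOERROR"),
    (900, "10.9.0.40", "mail.example.com",     "A",   "NXDOMAIN"),
]
REPUTATION = {"badrep.example"}   # stand-in for a domain reputation feed
WEIGHTS = {"nxdomain": 10, "txt": 15, "reputation": 50, "fqdn_format": 20}  # assumed
MAX_AGE = 600     # seconds before an event ages out (assumed)
THRESHOLD = 80    # score that raises the second notification (assumed)

def label_entropy(qname):
    """Shannon entropy in bits per character of the leftmost DNS label."""
    label = qname.split(".")[0]
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def events_for(record):
    """Return the names of the checks that a single DNS record trips."""
    _, _, qname, qtype, rcode = record
    hits = []
    if rcode == "NXDOMAIN":
        hits.append("nxdomain")
    if qtype == "TXT":
        hits.append("txt")
    if qname in REPUTATION:
        hits.append("reputation")
    # Crude format heuristic: long leftmost label with high character entropy.
    if len(qname.split(".")[0]) >= 10 and label_entropy(qname) > 3.0:
        hits.append("fqdn_format")
    return hits

def host_scores(log, now):
    """Sum the weights of events that have occurred and not yet aged out."""
    scores = defaultdict(int)
    for rec in log:
        if 0 <= now - rec[0] <= MAX_AGE:
            for hit in events_for(rec):
                scores[rec[1]] += WEIGHTS[hit]
    return dict(scores)

def alerts(log, now):
    return sorted(h for h, s in host_scores(log, now).items() if s >= THRESHOLD)
```

Evaluating the same log later (for example `now=905`) shows the first host's events aging out, so it no longer crosses the threshold.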

Thankfully, the firewall also picked up on the events and the flows were denied as shown below:

Context Security Awareness

Since Scrutinizer integrates with Cisco ISE and Microsoft Active Directory, the usernames responsible for authenticating devices onto the network are displayed. A good security analytics system incorporates information from 3rd party solutions in order to provide the best contextual details surrounding an incident. Our integration with Cisco ISE also allows us to automatically mitigate the event by blocking Shrek’s computer.

After reviewing the time stamps on the above trend, we contacted Shrek to verify that he authenticated between 12pm and 4:30pm.


We also learned that during Shrek’s VPN session his workstation made the following DNS requests against our DNS server, which further confirmed that his workstation was compromised:

  1. His machine performed an IP lookup to determine its Internet IP address
  2. A Domain Generating Algorithm (DGA) was launched which requested domains that do not exist
  3. One request was made to a domain that has a reputation of being malicious: miaggi[dot]com

The miaggi domain is associated with the Pykspa virus, which is a worm that spreads via Skype.


If you liked what you read about FlowPro Defender so far, you should continue reading this blog on context security awareness to learn more about FlowPro’s value to forensic investigations of not only malware but encrypted applications as well.

Give us a call and we’ll get you started today with an evaluation.





Thomas Pore is the Director of IT and Field Engineering at Plixer. He developed and leads the Malware Incident Response and Advanced NetFlow Training programs, which are being offered in cities across the USA. He is also an adjunct professor at the local community college and teaches ethical hacking. Thomas travels the globe meeting with customers and trying to improve the Scrutinizer network incident response system. He helps clients optimize threat detection strategies and aids in the configuration of custom incident response solutions. He has a Bachelor of Science in Computer Science from Dickinson College.