SANS ISC: InfoSec Handlers Diary Blog - Analyzing outgoing network traffic



Analyzing outgoing network traffic

Published: 2012-08-23
Last Updated: 2012-08-23 07:25:41 UTC
by Bojan Zdrnja (Version: 1)
11 comment(s)

We all know that network traffic is a real treasure trove when you are trying to identify malicious activity. Various organizations recognize this and even mandate that IDS or IPS systems be implemented.

However, such systems typically have the same problem as anti-virus products: they depend either on pre-made signatures or on some kind of heuristics, both of which can be (sometimes easily) evaded.

At the same time, in the AV world we can see more and more vendors relying on things such as cloud scanning and reputation systems.

One of the things I often recommend to people is that they check the outgoing network sessions originating from their networks, not only established connections but also the various attempts. For example, you should regularly monitor your firewall logs to see what traffic has been dropped, but put more effort into analyzing which egress connections were blocked, since those can help you identify potentially infected (or hacked) machines on your network.

The best example of when such analysis really pays off is RSA Security: through egress log analysis they found out that the hacker who compromised their network used FTP to transfer files to an external machine. This should make you ask yourself: do you monitor egress connections to detect big(ger) transfers to external hosts, especially those in unusual locations?

Another thing that I have found really useful is to correlate those connection attempts with known bad-reputation sources; this is where we get to the point of this diary. Such correlation can really add value to your firewall/router data: knowing that an internal IP address tried to connect to an external IP address, and that this connection attempt was blocked, is good, but knowing that the external IP address is actually a ZeuS C&C really adds value!
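As an added illustration of that correlation (example code written for this diary entry, not a tool from the original post): it parses a few constructed firewall log lines, flags blocked or allowed egress whose destination appears in a constructed reputation list, and also flags large outbound sessions of the kind mentioned in the RSA case above. The key=value log format, the reputation entries, the severity labels and the 100 MiB threshold are all assumptions.

```python
import re
from collections import Counter

# Constructed firewall log lines (generic key=value format, not from any real
# device); bytes_out is the outbound volume the firewall recorded for the session.
FIREWALL_LOG = """\
2012-08-23T06:01:12Z action=drop src=10.0.0.15 dst=203.0.113.7 dport=8080 proto=tcp bytes_out=0
2012-08-23T06:01:40Z action=drop src=10.0.0.15 dst=203.0.113.7 dport=8080 proto=tcp bytes_out=0
2012-08-23T06:02:03Z action=accept src=10.0.0.22 dst=198.51.100.9 dport=443 proto=tcp bytes_out=48213
2012-08-23T06:05:55Z action=accept src=10.0.0.31 dst=192.0.2.44 dport=21 proto=tcp bytes_out=734003200
2012-08-23T06:06:10Z action=drop src=10.0.0.31 dst=198.51.100.120 dport=25 proto=tcp bytes_out=0
garbage line the parser must skip
"""

# Constructed reputation data (a stand-in for an external blocklist feed).
REPUTATION = {"203.0.113.7": "ZeuS C&C", "198.51.100.120": "spam source"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) bytes_out=(?P<bytes_out>\d+)$"
)
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024  # 100 MiB; an assumed threshold, tune to your environment


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"], rec["bytes_out"] = int(rec["dport"]), int(rec["bytes_out"])
            yield rec


def analyze(text, reputation, large_bytes=LARGE_TRANSFER_BYTES):
    """Return (alerts, blocked): alerts is a list of (severity, src, dst, reason),
    blocked counts blocked egress attempts per internal source host."""
    alerts, blocked = [], Counter()
    for rec in parse_log(text):
        src, dst, action = rec["src"], rec["dst"], rec["action"]
        if action == "drop":
            blocked[src] += 1
        label = reputation.get(dst)
        if label:
            # A blocked attempt still shows the host tried to reach a known-bad destination; an allowed session is worse.
            sev = "high" if action == "accept" else "medium"
            alerts.append((sev, src, dst, f"destination listed as {label}"))
        elif action == "accept" and rec["bytes_out"] >= large_bytes:
            alerts.append(("medium", src, dst, f"{rec['bytes_out']} bytes out to port {rec['dport']}"))
    return alerts, blocked
```

In practice the reputation dictionary would be refreshed from the feeds listed below, and the parser adapted to the firewall's real log format.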

Some of the free reputation sources that I have found to work really well are the following (in no particular order):

Do you use other reputation sources? Anything you wish to add to this list? Let us know!

--
Bojan
INFIGO IS
