
Monitoring Your Networks and Systems Can Save you A Lot of Heartache

September 29, 2010

In my last blog posting, I shared with you some long-term strategies to help you change user behavior so that you can more quickly find malware infections and mitigate the loss of information associated with a breach. You can address systems that are currently infected by monitoring for malware in three areas: external network monitoring, internal network monitoring and system monitoring. This type of monitoring lets you know where to look for infected systems, helps you determine whether these systems have led to a compromise of confidential data, and allows you to evaluate whether or not further investigation is required.

External network monitoring is the monitoring of malicious traffic on the Internet. It includes collecting Internet traffic and inspecting it for malware, and tracking criminal organizations, with an emphasis on who is responsible for malicious traffic, where that traffic originates, what motivates the attackers, and what tools criminal organizations use for malicious purposes. This information is important because it allows you to validate the presence of malicious traffic emanating from your domain as an initial indicator of infected machines controlled by criminal organizations, and tells you whether you need to pursue further inspection.

Internal network monitoring refers to the monitoring of malicious traffic at the network perimeter, and helps you identify infected systems communicating over your network with malicious networks known as botnets, which are used for criminal activity. Most tools classified as malware or botnet monitors look for botnet command and control channels identified through external research or through analysis of known malware. When these tools detect communication that matches a botnet, they log the offending packets for further analysis and generate alerts to help you identify the traffic and systems in question. As a result, you are able to quickly ascertain that there is an immediate need for investigation, determine when the attack occurred, and gain an understanding of the number of hosts that are involved. Some network tools focus on collecting only the offending traffic, while others can be augmented to collect all of the traffic on the network to provide a more advanced and intensive analysis. Combining the two provides a very thorough and complete picture of malicious activity, as well as better insight into the type of regular activity that could have led to an infection.
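As an added illustration of the botnet-monitoring logic described above (example code written for this post, not a product or the author's own tooling), the script below matches constructed perimeter flow-log lines against a constructed list of known command-and-control endpoints and networks, and for each match produces the three things the text says an alert should give you: when the activity started and stopped, which internal hosts are involved, and how much data left the network. The log format, the indicator list and the host names are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample perimeter flow log: timestamp, internal host, dst ip, dst port, bytes out.
FLOW_LOG = """\
2010-09-28T08:02:11Z ws-014 203.0.113.7 443 512
2010-09-28T08:02:40Z ws-014 198.51.100.25 80 2048
2010-09-28T08:15:03Z ws-022 203.0.113.7 443 640
2010-09-28T09:41:59Z ws-014 192.0.2.55 8080 77000
2010-09-28T10:00:00Z srv-db1 203.0.113.7 443 1200
2010-09-28T10:05:12Z ws-022 198.51.100.25 80 300
"""

# Constructed C2 indicators, as a defender would load them from research or malware analysis:
# exact (ip, port) endpoints plus a whole hostile network block.
C2_ENDPOINTS = {("203.0.113.7", 443), ("192.0.2.55", 8080)}
C2_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

def parse_flow(line):
    ts, host, dst, port, nbytes = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "dst": dst, "port": int(port), "bytes": int(nbytes)}

def is_c2(dst, port):
    """True if the destination matches a known C2 endpoint or lies in a hostile network."""
    if (dst, port) in C2_ENDPOINTS:
        return True
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in C2_NETWORKS)

def detect_c2(log_text):
    """Group matching flows per C2 destination: first/last seen, infected hosts, bytes out."""
    alerts = {}
    for line in log_text.splitlines():
        f = parse_flow(line)
        if not is_c2(f["dst"], f["port"]):
            continue
        key = f"{f['dst']}:{f['port']}"
        a = alerts.setdefault(key, {"first_seen": f["ts"], "last_seen": f["ts"],
                                    "hosts": set(), "bytes_out": 0})
        a["first_seen"] = min(a["first_seen"], f["ts"])   # when the activity began
        a["last_seen"] = max(a["last_seen"], f["ts"])     # when it was last observed
        a["hosts"].add(f["host"])                         # how many systems are involved
        a["bytes_out"] += f["bytes"]                      # hint at possible data loss
    return alerts

if __name__ == "__main__":
    for key, a in detect_c2(FLOW_LOG).items():
        print(f"ALERT {key}: hosts={sorted(a['hosts'])} first={a['first_seen']} "
              f"last={a['last_seen']} bytes_out={a['bytes_out']}")
```

Running it on the sample log yields two alerts: the HTTPS beacon shared by three hosts, and the single host that pushed 77 KB to the hostile block, which is the one to investigate for data exposure first.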

Host system analysis refers to looking for the presence of malicious behaviors occurring on a system, and for the existence of malicious code on these systems. By analyzing the memory of a system, you can identify malware regardless of the techniques the attacker used to hide it. Traditional anti-virus and anti-malware techniques are mostly signature-based, looking for the execution of a file on a system, and rely heavily on prior knowledge of an attack. Shifting the focus to memory analysis allows you to determine exactly what is happening on a system, including what rights the malicious code has, what systems it is attempting to connect to, and what data is exposed to loss. With these tools, you can perform scans on a scheduled basis across multiple systems simultaneously, or as needed based on the indicators of interest from the network malware monitoring and analysis.

Today there are some protection systems that aim to enhance the traditional signature-based methods with behavioral techniques designed to identify the malicious behavior of malware. This is similar to what I described for host system analysis, but with a focus on real-time detection and prevention before an infection occurs. These techniques rely on virtualization, which allows code to be executed in a sandbox to observe what it does; they can be performed on the network or on the host, and provide what is effectively considered to be a better antivirus.

What are you doing to address the current infections in your systems?
