Monitoring Your Networks and Systems Can Save you A Lot of Heartache
September 29, 2010
In my last blog posting, I shared with you some long-term strategies to help you change user behavior so that you can more quickly find malware infections and mitigate the loss of information associated with a breach. You can address the current infection of systems by monitoring for malware in three areas: external network monitoring, internal network monitoring and system monitoring. This type of monitoring lets you know where to look for infected systems, helps you determine if these systems have led to a compromise of confidential data, and allows you to evaluate whether or not further investigation is required.
External network monitoring is the monitoring of malicious traffic on the Internet. It includes collecting Internet traffic for inspection for malware and the tracking of criminal organization groups, and emphasizes things such as the responsible parties for malicious traffic, where this traffic originates, the motivation of the attackers, and what tools are used by criminal organizations for malicious intent. This information is important because it allows you to validate the presence of malicious traffic emanating from your domain as an initial indicator of infected machines controlled by criminal organizations, and tells you if you need to pursue further inspection.
Internal network monitoring refers to the monitoring of malicious traffic at the network perimeter, and helps you identify infected systems communicating over your network to malicious networks known as botnets, which are used for criminal activity. Most tools classified as malware or botnet monitoring look for the command and control channels of botnets gained from external research or analyzed from known malware. When these tools detect communication that matches a botnet, they log offending packets for further analysis and generate alerts to help you identify the traffic and systems in question. As a result, you are able to quickly ascertain that there is an immediate need for investigation, determine when the attack occurred, and gain an understanding of the number of hosts that are involved. Some network tools focus on collecting only the offending traffic while others can be augmented to collect all of the traffic on the network to provide a more advanced and intensive analysis. Combining the two provides for a very thorough and complete picture of malicious activity, as well as better insight to the type of regular activity that could have led to an infection.
Host system analysis refers to looking for the presence of malicious behaviors occurring on a system, and the existence of the malicious code on these systems. By analyzing the memory of a system, you can identify malware regardless of the techniques the attacker used to hide it. Traditional anti-virus and anti-malware techniques are mostly signature-based looking for execution of a file on a system, and require a heavy reliance on prior knowledge of an attack. Shifting the focus to memory analysis allows you to determine exactly what is happening on a system, including what rights the malicious code has, what systems it is attempting to make connections to, and what data is exposed to loss. With these tools, you can perform scans on a scheduled basis across multiple systems simultaneously or as needed based on the indicators of interest from the network malware monitoring and analysis.
Today there are some protection systems that are looking to enhance the traditional methods of using signatures through behavioral techniques designed to identify the malicious behavior of malware. This is similar to what I described for host system analysis, but with a focus on real-time detection and prevention before an infection occurs. These techniques are performed through virtualization, which allow for execution of code in a sandbox to see what the code does, and are performed on the network or on the host and provide what is effectively considered to be a better antivirus.
What are you doing to address the current infections in your systems?