Outbound IRC connections - Infected workstations connect out to IRC-based Command & Control servers to listen for commands; most of the outbound IRC traffic from workstations is therefore from compromised hosts.
Required data to create above report
Outbound traffic to service ports 6660/6669/6665/6667.
Peer File Transfer – Peer-to-peer data transfer creates a lot of noise on the network and can reduce network performance. Downloads or uploads from untrusted domains can bring malicious files into the network.
Required data to create above report
Understand the traffic pattern and create a rule [NetWitness Live provides the rule for the torrent pattern]
Proxy logs in which the site category is “peer file transfer”
Proxy logs with domain names.
Top online storage access - Public storage services could leak confidential business data, which would be a big threat to the organization.
Required data to create above report
Traffic connecting to various storage sites [any free/paid online storage sites]
This report can be prepared from log data and packet data [packet data: NetWitness Live default rule; log data from the proxy would be useful].
Dyn DNS [DDNS] – Dynamic Domain Name System. Malware distributors are constantly registering and rotating Dyn DNS-hosted sub-domains that are subsequently used to spread computer Trojans.
Required data to create above report
Collect the DDNS ranges/IPs manually, make a list and detect against it [NW Live has a rule to detect DDNS]
Phishing / spear phishing – Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by "random hackers", and could lead to an APT attack.
Required data to create above report
All email with embedded suspicious links/URLs/domains/IPs detected by an Informer rule.
TOR nodes – TOR/Onion routers are used to mask the original IP address of an attacker’s machine, which makes it very hard to find the attacker’s IP address.
Required data to create above report
Collect the TOR/Onion router addresses/IP ranges, make a list in Informer and match it against destination/source addresses for detection.
Malicious user agents - The User-Agent header field contains information about the user agent originating the request. A compromised workstation usually tries to communicate with external IPs to listen for commands from C&C servers; in this case the malware usually uses a user agent with a poorly implemented protocol.
Required data to create above report
Understand the different varieties of malicious user agents, make a list of them and use Informer for detection.
Top bandwidth users - Unauthorized uploads/downloads could lead to data loss/malware downloads.
Required data to create above report
Usual packet data with packet sizes is enough to generate the report.
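The outbound IRC, peer file transfer, DDNS, TOR node, malicious user agent and top bandwidth reports above all come down to the same pattern: parse a proxy/firewall record, match a field against a port set, a category, an IP watch list or a user-agent pattern, and aggregate bytes per source. The following is an added Python example of that pattern, not NetWitness Live or Informer code. The pipe-separated log format, the sample lines, the watch-list ranges (RFC 5737 documentation addresses) and the user-agent patterns are all constructed placeholders; a real deployment loads the DDNS/TOR ranges and user-agent list from its own intelligence sources.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample records in a hypothetical export format:
# ts|src|dst_ip|dst_port|host|category|user_agent|bytes
SAMPLE_LOGS = """\
2024-01-01T09:00:01|10.0.1.15|203.0.113.7|6667|irc.example.invalid|chat|mIRC/7.0|512
2024-01-01T09:00:05|10.0.1.22|198.51.100.44|443|cdn.example.invalid|business|Mozilla/5.0 (Windows NT 10.0)|2048
2024-01-01T09:01:10|10.0.1.22|192.0.2.9|80|update.example.invalid|peer file transfer|uTorrent/3.5|730000
2024-01-01T09:02:00|10.0.1.31|198.51.100.200|443|node.example.invalid|unknown|Mozilla/5.0 (Windows NT 10.0)|1200
2024-01-01T09:03:30|10.0.1.40|203.0.113.50|80|cc.example.invalid|unknown|-|300
2024-01-01T09:04:00|10.0.1.15|203.0.113.8|8080|proxy.example.invalid|business|Mozilla/5.0 (Windows NT 10.0)|900
"""

# Service ports named in the outbound IRC report.
IRC_PORTS = {6660, 6665, 6667, 6669}

# Placeholder watch lists (constructed; RFC 5737 documentation ranges).
WATCHED_RANGES = {
    "ddns": [ipaddress.ip_network("203.0.113.48/28")],
    "tor_node": [ipaddress.ip_network("198.51.100.192/26")],
}

# Placeholder user-agent patterns (constructed). An empty or bare agent string
# is the kind of "poorly implemented" client the report list refers to.
MALICIOUS_UA_PATTERNS = [re.compile(p) for p in (r"^-?$", r"^Mozilla/4\.0$")]

FIELDS = ("ts", "src", "dst_ip", "dst_port", "host", "category", "user_agent", "bytes")


def parse_line(line):
    """Split one pipe-separated record into a dict; numeric fields become ints."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError("malformed record: %r" % line)
    rec = dict(zip(FIELDS, parts))
    rec["dst_port"] = int(rec["dst_port"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def evaluate(rec):
    """Return (rule_name, reason) pairs for every report rule the record matches."""
    hits = []
    if rec["dst_port"] in IRC_PORTS:
        hits.append(("outbound_irc", "dst_port %d" % rec["dst_port"]))
    if rec["category"].lower() == "peer file transfer":
        hits.append(("peer_file_transfer", "proxy category"))
    dst = ipaddress.ip_address(rec["dst_ip"])
    for name, nets in WATCHED_RANGES.items():
        if any(dst in net for net in nets):
            hits.append((name, "dst_ip %s on watch list" % rec["dst_ip"]))
    if any(p.search(rec["user_agent"]) for p in MALICIOUS_UA_PATTERNS):
        hits.append(("malicious_user_agent", "user_agent %r" % rec["user_agent"]))
    return hits


def run_rules(log_text):
    """Apply evaluate() to every record and collect alerts keyed by rule and source."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for rule, reason in evaluate(rec):
            alerts.append({"rule": rule, "src": rec["src"],
                           "dst_ip": rec["dst_ip"], "reason": reason})
    return alerts


def top_talkers(log_text, n=5):
    """Top bandwidth users: total bytes per source address, largest first."""
    totals = Counter()
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            totals[rec["src"]] += rec["bytes"]
    return totals.most_common(n)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOGS):
        print("%-22s %-10s -> %-15s %s" % (alert["rule"], alert["src"],
                                           alert["dst_ip"], alert["reason"]))
    for src, total in top_talkers(SAMPLE_LOGS, 3):
        print("top talker %s: %d bytes" % (src, total))
```

Each rule is a separate check so that one record can raise several alerts (the constructed line to a DDNS-range address with an empty user agent triggers two), which is what you want when correlating the individual reports against the same source host.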
VNC connections inside network - VNC connections inside the network are not safe; VNC inside the network could give attackers control of hosts.