Detecting Compromised Systems

Introduction

The external threat is one of the most high-profile risks that organisations face. Representing more than 80 percent of attacks today, external attackers look to take advantage of network and user weaknesses via malware, phishing, and advanced persistent threats (APTs). Command and control (C2) malware (e.g., ransomware and Trojans) and malware designed to exfiltrate data are two of the three most common threats [1]. These processes find their way into your organisation via email phishing scams or compromised websites that are laden with malicious code and designed to infect your endpoints. Servers and end-user devices are nearly equally desired targets, making just about any endpoint a target. With a majority (60 percent) of organisations focusing their endpoint security strategy on securing data rather than devices [2], malware and other malicious processes inevitably gain a foothold within your organisation.

After ransomware or APT malware embeds and activates itself on an endpoint, it first attempts to connect externally to a C2 server to obtain instructions. Catching this attempt as early as possible is optimal, but even finding it within the exfiltration phase of an attack provides value to the organisation. Key indicators of a compromise can be found by analysing the network traffic from outbound connections: specifically, traffic coming from an endpoint on your internal network and passing through your firewall to something on the internet. Focusing on this threat traffic gives your organisation visibility into early indicators of a potential threat.

Detection made easy

The process of investigating network traffic for possible signs of compromise requires special tools, and most IT pros haven't armed themselves with a network analysis and forensics tool.
Fortunately, LogRhythm's Network Monitor Freemium, a free solution, provides the Layer 2–7 visibility that you need to recognise suspicious network traffic. This solution can aid in detection of and investigation into unwanted and unauthorised applications and their resulting traffic. Look in this paper for insights from LogRhythm and examples of how to best use Network Monitor Freemium to detect threat traffic. You can obtain LogRhythm Network Monitor Freemium at the link below:

logrhythm.com/freemium

The goal is to detect a compromised endpoint. Endpoint security solutions certainly assist with this aim, but whether you have such technology deployed or not, the analysis of anomalous network traffic is critical to detecting ongoing compromised systems. So, what are the best ways to identify a compromise from network traffic alone? In this paper, we review eight sets of network-related traffic, from the potentially suspicious to the downright malicious, and discuss how you can use each to detect a compromised system.

Starting with the right tools

To use traffic analysis to detect compromised systems on your network, you need a network analysis tool and a network tap or switch that supports port mirroring. Because the focus is largely on outbound traffic, analysis can take place within your demilitarised zone (DMZ) or just inside your firewall, as appropriate.

[1] Verizon, Data Breach Investigations Report (2016)
[2] Ponemon, State of the Endpoint Report (2016)

WWW.LOGRHYTHM.COM PAGE 3

The top eight indicators of compromise in network threat traffic

To effectively detect a compromised system, there are eight types of network traffic that you should monitor. We'll cover those here.

1. Reputation of destination IPs and domains

The easiest way to detect inappropriate traffic is by looking at where the traffic is going. Any domains or IP addresses that are on blacklists or that have low reputations are prime candidates.
Outbound traffic data, along with destination IP addresses or domains, can be forwarded to your security information and event management (SIEM) solution, automating the process of validating the reputation of each destination IP address or domain. (Most SIEM solutions can integrate with outside services such as blacklist or reputation list providers.)

Another way to spot potential threat traffic is to look at anomalous destination domains or IP addresses. Those that are new, as well as lower-volume outliers, can indicate suspicious outbound traffic.

LogRhythm Insights: Outlier traffic

Having visibility into where traffic is going, at both a top- and second-level domain perspective, helps you better understand what is and isn't "normal" for your network. But finding outliers (which, by definition, aren't normal) is an even tougher prospect. You can configure LogRhythm Network Monitor Freemium's dashboards to show low-bandwidth traffic by top-level domain (shown in this figure as the innermost ring), as well as second-level domains and subdomains (shown as the middle and outer rings, respectively). Metadata, including bandwidth consumption, time of use, and dozens of other pieces of information (on a per-packet or per-flow basis), all provide needed context around the specific nature of suspicious outlier traffic.

2. Unrecognised protocols

Every port that is used in network communications generally identifies which application is responsible for the traffic. Because many instances of malware communicate by using a proprietary application or service, the traffic can be sent over a completely unknown port. This analysis is quite simple, requiring only that you observe traffic originating from endpoints on ports outside the normally allowed set. (You can determine the allowed ports by referencing your firewall rules.) You might wonder why you should bother analysing traffic outside of what the firewall allows.
The effort might seem a bit counterintuitive, as that traffic isn't allowed anyway. But remember: a compromised machine at least attempts to communicate in its programmed manner. So looking for communication attempts from endpoints can help to identify compromised systems, even when those attempts are unsuccessful.

Another instance of anomalous use of protocols can be Secure Sockets Layer (SSL) traffic that bypasses your SSL proxy. Malware isn't the slightest bit interested in your endpoints' SSL proxy settings, so it often performs its intended communications without the help of an otherwise established proxy server. SSL traffic that originates from an endpoint and establishes a session with an external host, all without the use of your designated SSL proxy, should be considered suspicious.
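As an added example (not code from the LogRhythm paper or from Network Monitor), the following Python applies indicators 1 and 2 to outbound flow records: a blocklist lookup on destination IP and registered domain, low-volume domain outliers, destination ports outside the firewall's allowed set, and TLS sessions to external hosts that skip the designated proxy. The flow records, blocklist, allowed-port set, proxy address and internal address range are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample outbound flow records: (src_ip, dst_ip, dst_fqdn, dst_port, bytes)
FLOWS = [
    ("10.0.1.15", "93.184.216.34", "www.example.com", 443, 180_000),
    ("10.0.1.15", "93.184.216.34", "www.example.com", 443, 220_000),
    ("10.0.1.22", "10.0.0.5", "", 3128, 150_000),                       # web traffic via the proxy
    ("10.0.1.31", "203.0.113.9", "", 6667, 900),                        # port the firewall never allows
    ("10.0.1.40", "198.51.100.200", "x7q2.badhost.example", 443, 512),  # blocklisted, tiny volume
]
BLOCKLIST = {"badhost.example", "198.51.100.200"}  # constructed reputation feed
ALLOWED_PORTS = {53, 80, 443, 3128}                 # as taken from the firewall rules
PROXY_IP = "10.0.0.5"                               # the designated SSL/TLS proxy
INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # assumed internal address space

def registered_domain(fqdn):
    """Registered (second-level) domain; a production tool would consult the public-suffix list."""
    labels = fqdn.rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_external(ip):
    return ipaddress.ip_address(ip) not in INTERNAL

def bad_reputation(flows, blocklist=BLOCKLIST):
    """Indicator 1: destination IP or registered domain appears on the blocklist."""
    return sorted({(s, d) for s, d, fq, _, _ in flows
                   if d in blocklist or (fq and registered_domain(fq) in blocklist)})

def low_volume_domains(flows, max_bytes=1024):
    """Indicator 1 (outliers): registered domains with very little total traffic."""
    totals = defaultdict(int)
    for _, _, fq, _, nbytes in flows:
        if fq:
            totals[registered_domain(fq)] += nbytes
    return sorted(dom for dom, total in totals.items() if total <= max_bytes)

def disallowed_ports(flows, allowed=ALLOWED_PORTS):
    """Indicator 2: attempts to external hosts on ports the firewall does not permit."""
    return sorted({(s, d, p) for s, d, _, p, _ in flows
                   if is_external(d) and p not in allowed})

def proxy_bypass(flows, proxy_ip=PROXY_IP, tls_port=443):
    """Indicator 2: TLS sessions straight to the internet instead of through the proxy."""
    return sorted({(s, d) for s, d, _, p, _ in flows
                   if p == tls_port and d != proxy_ip and is_external(d)})

if __name__ == "__main__":
    for check in (bad_reputation, low_volume_domains, disallowed_ports, proxy_bypass):
        print(check.__name__, check(FLOWS))
```

Each function returns the offending (source, destination) pairs, which is the shape you would forward to a SIEM as an alert; the low-volume threshold and the internal range are the knobs to tune per network.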