A few years ago a vendor tried to sell me their latest product, saying it could help me detect and prevent malware from infecting my enterprise systems. I politely declined and explained that my company had many engineers and that it was impossible we were troubled by the malware sweeping the Internet. I also told the vendor that we had deployed enterprise-grade anti-virus products to deal with such problems.
Eventually, though, I tried their trial version, configuring it to capture the Internet-bound traffic leaving our edge via a Switched Port Analyzer (SPAN) port. What shocked me was that as soon as I turned on the device and logged in, I realized how serious our problem was. I saw more than 10 systems in the company flagged for malware, even though they had anti-virus software installed and the latest virus signature database. These infections were busy with command-and-control callbacks to servers around the world, and may have existed for a while without our knowledge. Some of the traffic looked like fairly benign click fraud, while other malware was sending encrypted data that we could not decrypt at all. In any case, it was clear that we had a problem and had to take action. That was my introduction to security analytics technology.
Malware affects all of us, no matter what protection measures our companies have deployed. It is an invisible and complex threat, and the anti-malware tools we have long relied on only create an illusion of security.
In this article, we discuss the different types of products needed to detect and prevent today's malware, advanced persistent threats (APTs), and zero-day exploits, and explore how to integrate their data into a security analytics program that gives a broader view of the threats an enterprise faces.
First, and arguably most important: the technology at the core of a malware-centric security analytics program is a specialized advanced malware defense product of the kind described above. In my case, FireEye was the vendor I chose, specifically because it uses virtualization technology. Damballa, Bit9 and several other vendors offer similarly compelling products.
FireEye's threat defense platform analyzes traffic in real time and detonates suspected malware inside virtual machines for further analysis. The product can also match common malware signatures and detect malicious software by its behavior, using system heuristics. This matters most for detecting APTs and zero-day attacks, for which no signature exists yet.
One drawback of FireEye is that it can only detect malware on systems whose traffic passes through the network segment the appliance monitors. That is a major gap: many mobile devices may go unprotected. This is exactly where agent-based approaches from companies such as Trusteer or Bit9 come in handy. By installing an agent on each endpoint, you can protect the device wherever it is: in the office, at home, or on the road.
If a dedicated malware protection system is not feasible, you may want to look at your intrusion prevention system (IPS). I have noticed that many IPS vendors build malware detection rules into their products, some of which come close to the capabilities offered by dedicated advanced malware detection vendors.
Configuration management is another key component of a security analytics program. The point here is that you need to monitor the key configuration files and executables on critical systems (such as domain servers, application servers, web servers, and database servers), because attackers usually try to replace these files with their own versions in order to maintain a foothold in your environment. The open-source version of Tripwire is a free file integrity monitoring tool; it is a good tool and has been used by security professionals for a long time.
It may sound strange, but our network scanning tool has played a significant role in the security analytics program. The best way to keep malware from infecting the environment is effective hardening. If we can use a network scanner to find unpatched and outdated systems on the network, we can fix them before attackers exploit them. The good news is that there are many network scanning vendors competing with one another, and after many mergers and acquisitions the functional differences between the products are not large. There are also free tools that can perform network scans, including Nessus and OpenVAS, although they have some limitations compared with the paid tools.
Another important part of threat detection analytics is log management. The idea is to store all system log data in a central, secure location for later use. When attackers break into a system, they usually try to remove the evidence of the intrusion by editing or deleting the system logs. Shipping those logs to a central repository makes it much harder for an attacker to tamper with them. In addition, with centralized logging an enterprise can easily search across systems and applications and run reports on them.
In your logs, you should watch for events such as these: multiple failed logon attempts followed by a successful logon; a user who normally logs on from one IP address or location suddenly logging on from another; a machine connecting to a network IP address without first performing a DNS query; or a connection carrying an unusually large amount of outbound traffic. Any one of these events may or may not indicate a problem, but two or more of them occurring together can mean an attack. If you cannot choose a commercial log management or security information and event management (SIEM) product, there are many free SIEM tools. Splunk can serve as your log search engine; you can use it for free to process up to MB of logs per day. I have not used other tools, but I know there is also a good free open-source log management tool, LogStash.
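The first two events above, and the rule that two or more indicators together are what matter, can be turned into a small correlation script. The following is an added example written for this article, not code from the author or from any SIEM product; the log format (one line per logon attempt with user, source IP and result) and the log lines themselves are constructed, and the thresholds are assumptions you would tune to your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log in an assumed key=value format.
SAMPLE_LOG = """\
2024-03-01T07:00:00 user=alice src=198.51.100.10 result=OK
2024-03-01T08:00:01 user=alice src=203.0.113.5 result=FAIL
2024-03-01T08:00:05 user=alice src=203.0.113.5 result=FAIL
2024-03-01T08:00:09 user=alice src=203.0.113.5 result=FAIL
2024-03-01T08:00:14 user=alice src=203.0.113.5 result=OK
2024-03-01T08:30:00 user=bob src=198.51.100.20 result=OK
2024-03-01T09:00:00 user=bob src=192.0.2.77 result=OK
2024-03-01T09:05:00 user=carol src=198.51.100.21 result=FAIL
2024-03-01T09:20:00 user=carol src=198.51.100.21 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text: str) -> list:
    """Parse the constructed format into event dicts, sorted by time; unparseable
    lines are skipped rather than crashing the whole run."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        events.append({
            "ts": datetime.fromisoformat(match["ts"]),
            "user": match["user"],
            "src": match["src"],
            "result": match["result"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def failed_then_success(events: list, threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> set:
    """Users whose successful logon was preceded by >= threshold failures
    inside the window (password guessing that eventually worked)."""
    hits = set()
    recent_failures = defaultdict(list)
    for event in events:
        user = event["user"]
        if event["result"] == "FAIL":
            recent_failures[user].append(event["ts"])
            continue
        in_window = [t for t in recent_failures[user] if event["ts"] - t <= window]
        if len(in_window) >= threshold:
            hits.add(user)
        recent_failures[user] = []  # a success resets the failure streak
    return hits


def new_source_logins(events: list) -> set:
    """Users who logged on successfully from a source different from their
    previous successful logon (the 'suddenly from another location' case)."""
    hits = set()
    last_src = {}
    for event in events:
        if event["result"] != "OK":
            continue
        user = event["user"]
        if user in last_src and last_src[user] != event["src"]:
            hits.add(user)
        last_src[user] = event["src"]
    return hits


def correlate(text: str) -> dict:
    """Apply both rules and keep only users hit by two or more indicators,
    which is the combination the article treats as a likely attack."""
    events = parse_log(text)
    indicators = {
        "failed_then_success": failed_then_success(events),
        "new_source": new_source_logins(events),
    }
    per_user = defaultdict(set)
    for name, users in indicators.items():
        for user in users:
            per_user[user].add(name)
    return {u: sorted(i) for u, i in per_user.items() if len(i) >= 2}


if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

Here only alice trips both rules: bob's change of source and carol's single failure are each a single indicator and stay below the reporting bar, which is exactly the noise reduction that correlating across event types buys you.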
The last tool I strongly recommend for a security analytics program is a network analysis tool that can capture and analyze flow data from different networks. Flow data includes the IP addresses, ports, protocols, and volume of traffic passing through the network; in other words, it is data about the traffic rather than the traffic itself. A network analysis tool lets you search for patterns in traffic that were previously hidden. For example, early last year HD Moore published a blog post about vulnerabilities in devices using Universal Plug and Play (UPnP) and the Simple Service Discovery Protocol. Using my network analysis tool, I ran a pattern query for external source IP addresses sending User Datagram Protocol (UDP) traffic on port 1900 to one of my public IP addresses. Within 24 hours, 539 matching patterns appeared. That showed the attackers were out there.
Because exporting flow data is a feature of only some routers and switches, you need to find a way to capture and view this data. You can use flow analysis tools from companies such as SolarWinds, NetScout, or lanw.cn, or use the log management tools mentioned above. I chose 21CT's LYNXeon tool because it not only analyzes patterns in flow data but also takes in other data types. Let me describe that in more detail.
Last year I gave a talk at The Magic of Symbiotic Security conference, in which I described a security ecosystem that promotes integration: breaking down the tool silos so the tools work together for maximum effect. The ultimate goal of our security analytics is to make every component mentioned above work together to gain a clear view of the threats we face. We collect alert data from the malware and intrusion prevention systems, including information about the malware type, target, and source. We also collect information about systems whose file signatures have suddenly changed, and information about vulnerabilities in the different systems in the environment. Then we collect information generated by log files, such as failed logon attempts or account lockouts. We use whatever access our suppliers' tools provide to collect the data; this can be an API call, a Simple Network Management Protocol alert, or a direct database query. Finally, all of this data is fed into LYNXeon, and we use its pattern query language to search all of the datasets for potentially malicious patterns.
Here are some example reports that give us a better understanding of our network security posture:
Internal systems that connected to servers listed at http://www.malwaredomainlist.com
Internal systems that connected to many other internal systems within a short time
Internal systems that connected to external systems for which the malware or intrusion detection platform had already raised an alert
Internal systems using a DNS server that is not part of the enterprise infrastructure
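The four reports above (plus the "connection with no preceding DNS query" event from the log section) are all pattern queries over flow data joined with other datasets. As an added example, not code from the article or from LYNXeon, here is what those queries look like in plain Python over constructed flow records and DNS answers. The internal address range, the enterprise DNS server, the blocklisted/alerted IP set, the fan-out threshold and the DNS lookback window are all assumptions; a real query would read the blocklist and the alert feed from the platform.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # assumed internal range
ENTERPRISE_DNS = {"10.0.0.53"}                       # assumed sanctioned resolver
BAD_EXTERNAL = {"203.0.113.9"}   # constructed stand-in for blocklisted or already-alerted IPs

# Constructed flow records: (timestamp, src, dst, dst_port, proto, bytes).
FLOWS = [
    ("2024-03-01T10:00:00", "10.0.1.5", "10.0.0.53", 53, "udp", 80),
    ("2024-03-01T10:00:01", "10.0.1.5", "198.51.100.40", 443, "tcp", 5000),  # resolved first
    ("2024-03-01T10:01:00", "10.0.1.7", "203.0.113.9", 80, "tcp", 1200),     # blocklisted dst
    ("2024-03-01T10:02:00", "10.0.1.7", "192.0.2.10", 443, "tcp", 900),      # no prior DNS
    ("2024-03-01T10:03:00", "10.0.1.9", "8.8.8.8", 53, "udp", 70),           # foreign resolver
    # 25 SMB connections from one host to 25 internal peers within 25 seconds.
    *[(f"2024-03-01T10:05:{i:02d}", "10.0.1.7", f"10.0.2.{i + 1}", 445, "tcp", 300)
      for i in range(25)],
]

# Constructed DNS answers seen by the resolver: (timestamp, client, answer_ip).
DNS_ANSWERS = [("2024-03-01T09:59:58", "10.0.1.5", "198.51.100.40")]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def contacts_bad_external(flows) -> list:
    """Report 1 and 3: internal sources talking to blocklisted or alerted external IPs."""
    return sorted({(src, dst) for _, src, dst, *_ in flows
                   if is_internal(src) and dst in BAD_EXTERNAL})


def internal_fan_out(flows, window=timedelta(seconds=60), min_peers=20) -> set:
    """Report 2: internal hosts that reached >= min_peers distinct internal hosts
    inside any sliding window (lateral movement or worm-like scanning)."""
    by_src = defaultdict(list)
    for ts, src, dst, *_ in flows:
        if is_internal(src) and is_internal(dst):
            by_src[src].append((parse_ts(ts), dst))
    hits = set()
    for src, records in by_src.items():
        records.sort()
        for i, (t_end, _) in enumerate(records):
            peers = {d for t, d in records[: i + 1] if t_end - t <= window}
            if len(peers) >= min_peers:
                hits.add(src)
                break
    return hits


def non_enterprise_dns(flows) -> set:
    """Report 4: internal hosts sending DNS to a resolver outside the sanctioned set."""
    return {src for _, src, dst, dport, _, _ in flows
            if is_internal(src) and dport == 53 and dst not in ENTERPRISE_DNS}


def no_prior_dns(flows, answers, lookback=timedelta(hours=1)) -> list:
    """Internal-to-external connections not preceded by a DNS answer for that
    destination within the lookback window (hard-coded C2 addresses behave this way)."""
    resolved = defaultdict(list)
    for ts, client, ip in answers:
        resolved[(client, ip)].append(parse_ts(ts))
    hits = []
    for ts, src, dst, dport, _, _ in flows:
        if not is_internal(src) or is_internal(dst) or dport == 53:
            continue
        t = parse_ts(ts)
        seen = any(timedelta(0) <= t - a <= lookback for a in resolved[(src, dst)])
        if not seen:
            hits.append((src, dst))
    return hits


if __name__ == "__main__":
    print(contacts_bad_external(FLOWS), internal_fan_out(FLOWS),
          non_enterprise_dns(FLOWS), no_prior_dns(FLOWS, DNS_ANSWERS))
```

Note how the same host (10.0.1.7) surfaces in three of the four queries; that overlap across independent datasets is the kind of signal the integrated view is meant to produce, and it is what you cannot see when flow data, alerts and DNS logs each sit in their own tool.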
Another benefit of integrating flow data with other data types at my company is that we can build a pattern from an event at one location and then use that pattern to find similar problems at other locations, which may not have the same detection mechanisms deployed.
The suggestions above come from my own experience and are not a comprehensive list of tools or tool categories, but they give you a foundation for getting started with threat detection analytics. Building a security analytics program in your company may not happen overnight, but it can certainly be done, and it will help you improve your ability to detect malware. Along the way, do not forget to keep good metrics, so that you can show executives the ROI.