Phishing infections begin with an email from a sender who claims to be someone else and asks the recipient to open an attachment or follow a URL. If the user opens the file or follows the link, the machine can be infected.
Drive-by infections occur when a user visits a web site that runs a script which, unbeknownst to the user, infects the machine with malware. The malware soon phones home to a server on the Internet for instructions on what to do next.
Most network intrusion detection efforts do not prevent these infections: the end user is already authenticated on the network, and the malware's outbound SSL connection is encrypted and initiated from the inside, so it usually passes straight through even the best firewalls on the market. How can we stop this?
Network Threat Protection
One of the best ways to detect an infection by one of these advanced attacks is to monitor outbound connections with NetFlow. If your company has already invested in a NetFlow collector, a NetFlow replicator can be deployed in front of it: the replicator intercepts the flow datagrams and forwards copies to multiple destinations with the original source IP address left intact. The existing NetFlow solution and the new network threat protection system, which also consumes NetFlow, both see the flows as arriving directly from the original flow exporter.
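To make the replicator's trick concrete, here is an added example (not Plixer's code or a product feature) of a minimal UDP replicator in Python. It receives the exporter's datagrams on one port and re-sends each one to several collectors through a raw socket, building the IPv4/UDP header itself so the source address is the original exporter's. The listening port and collector addresses are hypothetical; sending with a self-supplied IP header needs root or CAP_NET_RAW on Linux.

```python
import socket
import struct

# Added example: a minimal NetFlow/IPFIX replicator. Each datagram received from the
# exporter is re-sent to every collector with a hand-built IPv4/UDP header whose source
# address is the ORIGINAL exporter, so all collectors see flows from the real exporter.


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len))


def build_datagram(src_ip, src_port, dst_ip, dst_port, payload: bytes) -> bytes:
    """IPv4 + UDP packet carrying payload, with the given (spoofed) source address."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    # UDP checksum covers the pseudo-header too; an all-zero result is sent as 0xFFFF.
    csum = ones_complement_sum(udp_pseudo_header(src_ip, dst_ip, udp_len) + udp) or 0xFFFF
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                     socket.IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + udp


def parse_datagram(pkt: bytes) -> dict:
    """Decode an IPv4/UDP packet and verify both checksums, as a collector's stack would."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, udp = pkt[:ihl], pkt[ihl:]
    src_ip, dst_ip = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    return {
        "src": (src_ip, src_port), "dst": (dst_ip, dst_port),
        "payload": udp[8:udp_len],
        "ip_ok": ones_complement_sum(ip) == 0,
        "udp_ok": ones_complement_sum(udp_pseudo_header(src_ip, dst_ip, udp_len) + udp[:udp_len]) == 0,
    }


def replicate(listen_port: int, collectors):
    """Forward every datagram received on listen_port to each (ip, port) in collectors.
    IPPROTO_RAW sockets let us supply our own IP header (needs root / CAP_NET_RAW)."""
    inbound = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    inbound.bind(("", listen_port))
    raw = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    while True:
        payload, (exporter_ip, exporter_port) = inbound.recvfrom(65535)
        for ip, port in collectors:
            raw.sendto(build_datagram(exporter_ip, exporter_port, ip, port, payload), (ip, 0))


if __name__ == "__main__":
    # Hypothetical addresses: listen on 2055, fan out to the existing collector and the new system.
    replicate(2055, [("10.0.0.50", 2055), ("10.0.0.51", 2055)])
```

Because the outer source address is spoofed, any reply the collector sends (SNMP polls, for instance) goes to the exporter rather than the replicator, which is exactly what you want; the replicator host must sit where anti-spoofing filters such as uRPF will not drop its packets.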
With the existing network monitoring solution taken care of, the network security software, which is also receiving the same flows, can get to work analyzing the outbound connections. What behaviors is it looking for?
Within minutes, a network threat detection system that analyzes NetFlow or IPFIX can begin running multiple threat detection routines. Host reputation, for example, can be enabled: the system routinely downloads a list of known compromised Internet hosts and verifies that internal systems are not communicating with them. A host with a poor reputation could be participating in C&C routines. Additionally, TCP flags and flow ratios are checked, and communication behaviors are constantly compared to baselines. Any behavior that falls more than a calculated number of standard deviations from its baseline can trigger an event.
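The following is an added example, not code from Plixer or from any product the post describes, of three of those routines run over NetFlow v5 records: a reputation check against a bad-host list, a TCP flag check for repeated SYN-only flows (connection attempts that were never answered, as when a bot keeps polling a C&C server), and a per-host outbound-bytes baseline with a standard-deviation threshold. The internal address range, the reputation list, the export datagram and the byte-count history are all constructed for the example.

```python
import ipaddress
import statistics
import struct
from collections import defaultdict

# Added example: NetFlow v5 parsing plus three detection routines over the records.
# Addresses, the reputation list and the byte-count history are constructed test data.

V5_HEADER = struct.Struct("!HHIIIIBBH")             # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record
TCP_SYN, TCP_ACK = 0x02, 0x10
INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # assumed internal address space
BAD_HOSTS = {"203.0.113.9"}                         # stand-in for the downloaded reputation feed


def parse_v5(datagram: bytes):
    """Yield one dict per flow record in a NetFlow v5 export datagram."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        yield {"src": str(ipaddress.IPv4Address(r[0])), "dst": str(ipaddress.IPv4Address(r[1])),
               "pkts": r[5], "bytes": r[6], "sport": r[9], "dport": r[10],
               "flags": r[12], "proto": r[13]}


def outbound(flows):
    """Keep only flows from an internal source to an external destination."""
    return [f for f in flows if ipaddress.ip_address(f["src"]) in INTERNAL
            and ipaddress.ip_address(f["dst"]) not in INTERNAL]


def reputation_hits(flows):
    """Internal hosts talking to addresses on the known-bad list."""
    return sorted({(f["src"], f["dst"]) for f in flows if f["dst"] in BAD_HOSTS})


def syn_only_hosts(flows, min_flows=3):
    """Hosts with repeated outbound TCP flows that carried SYN but never ACK."""
    attempts = defaultdict(int)
    for f in flows:
        if f["proto"] == 6 and f["flags"] & (TCP_SYN | TCP_ACK) == TCP_SYN:
            attempts[f["src"]] += 1
    return {h: n for h, n in attempts.items() if n >= min_flows}


def outbound_bytes(flows):
    """Total outbound bytes per internal host for this export interval."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return dict(totals)


def baseline_outliers(history, current, k=3.0):
    """Hosts whose current outbound byte count is more than k standard deviations
    above the mean of their own history (one sample per earlier interval)."""
    out = {}
    for host, samples in history.items():
        mean, sd = statistics.mean(samples), statistics.pstdev(samples)
        z = (current.get(host, 0) - mean) / sd if sd else 0.0
        if z > k:
            out[host] = round(z, 2)
    return out


def analyze(datagram, history):
    flows = outbound(parse_v5(datagram))
    return {"reputation": reputation_hits(flows),
            "syn_only": syn_only_hosts(flows),
            "baseline": baseline_outliers(history, outbound_bytes(flows))}


def build_v5(records):
    """Pack (src, dst, pkts, bytes, sport, dport, tcp_flags, proto) tuples into one
    v5 datagram; used here only to construct test input."""
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(V5_RECORD.pack(int(ipaddress.IPv4Address(s)), int(ipaddress.IPv4Address(d)),
                                   0, 0, 0, p, b, 0, 0, sp, dp, 0, fl, pr, 0, 0, 0, 0, 0, 0)
                    for s, d, p, b, sp, dp, fl, pr in records)
    return header + body


# Constructed sample export: one host reaches a listed C&C address over 443 and then makes
# three unanswered SYN-only attempts elsewhere; a second host browses normally.
SAMPLE_EXPORT = build_v5([
    ("10.1.2.3", "203.0.113.9", 12, 9000, 51000, 443, 0x1B, 6),
    ("10.1.2.3", "198.51.100.5", 1, 60, 51001, 443, 0x02, 6),
    ("10.1.2.3", "198.51.100.5", 1, 60, 51002, 443, 0x02, 6),
    ("10.1.2.3", "198.51.100.5", 1, 60, 51003, 443, 0x02, 6),
    ("10.1.9.9", "192.0.2.20", 40, 30000, 52000, 80, 0x1B, 6),
    ("192.0.2.20", "10.1.9.9", 30, 20000, 80, 52000, 0x1B, 6),  # inbound, ignored
])
# Constructed per-interval outbound byte history for each internal host.
SAMPLE_HISTORY = {"10.1.2.3": [8000, 8500, 7900, 8200, 8100],
                  "10.1.9.9": [29000, 31000, 30500, 28500, 30000]}

if __name__ == "__main__":
    print(analyze(SAMPLE_EXPORT, SAMPLE_HISTORY))
```

On the sample data, 10.1.2.3 trips all three routines: it contacted the listed host, sent three SYN-only flows, and moved about 9,180 bytes outbound against a history averaging 8,140 with a spread of roughly 200, which is more than five standard deviations above its baseline. The population standard deviation is used because the history is the whole baseline window, not a sample of it; a real system would also key the baseline on time of day and on destination, since a workstation's traffic at 03:00 has a very different baseline from the same workstation at 10:00.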
Advanced NetFlow Training
To learn more about how NetFlow, IPFIX, J-Flow, NetStream, CascadeFlow and, even to some extent, sFlow can be used to improve the network threat protection efforts on your network, attend one of the Plixer advanced NetFlow training classes in a city near you.