rules-botnet

Has anyone written complex rules for botnet attacks? If so, may I know about or see those rules?

Parents
  • Verified Answer

    This question seems a bit broad.

    To narrow it down, what type of attack are you expecting? Distributed intrusion attempts? DDoS? Water cooler attacks with exploit kits? Or are you referring to having a bot zombie/agent within your enterprise, in which case you would be looking for CnC, bot tasks such as participation in DDoS, traffic hosting or referrals (DNS, web), and new services (DNS hosted by workstations; servers for web, IRC, ...) or CPU-related activities: bitcoin mining, hash breaking, ...?

    The first is going to depend on your perimeter and attack surface; the second will depend more on your host-based security layers.

    Mike
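
As an added illustration of two of the indicators Mike lists (new services hosted by workstations, and periodic CnC traffic from an internal host), here is a small Python check over flow records. This is example code written for this page, not a rule from the original thread, from Mike, or from any SIEM product. It assumes a constructed record format of `<epoch> <src_ip> <dst_ip> <dst_port> <direction>`, that 10.0.0.0/8 is the enterprise range, that the hosts in `SERVERS` are the only ones allowed to serve DNS/web/IRC, and that the beaconing thresholds (`min_connections`, `max_jitter`) are tuning values you would adjust for your own environment.

```python
"""Added example (not from the original thread): two botnet indicators as
checks over flow records.

Assumptions (constructed for this example, not from the page):
- each record is "<epoch> <src_ip> <dst_ip> <dst_port> <direction>", where
  direction is "in" (connection to an internal host) or "out" (connection
  from an internal host to the internet);
- 10.0.0.0/8 is the enterprise range; SERVERS lists hosts permitted to
  listen on DNS/web/IRC ports.
"""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
SERVERS = {"10.0.0.53", "10.0.0.80"}           # hosts allowed to serve these ports
SERVICE_PORTS = {53: "dns", 80: "web", 6667: "irc"}

# Constructed sample flows: 10.1.2.3 beacons to 203.0.113.9 every 300 s and
# accepts IRC connections; 10.1.2.7 talks to the same site irregularly and
# accepts a web connection from the internet; 10.0.0.53 is a real DNS server.
SAMPLE_FLOWS = """\
1000 10.1.2.3 203.0.113.9 443 out
1300 10.1.2.3 203.0.113.9 443 out
1600 10.1.2.3 203.0.113.9 443 out
1900 10.1.2.3 203.0.113.9 443 out
2200 10.1.2.3 203.0.113.9 443 out
1005 10.1.2.7 198.51.100.4 443 out
1800 10.1.2.7 198.51.100.4 443 out
1850 10.1.2.7 198.51.100.4 443 out
3300 10.1.2.7 198.51.100.4 443 out
1100 10.9.9.9 10.1.2.3 6667 in
1200 10.9.9.8 10.1.2.3 6667 in
1250 10.9.9.8 10.0.0.53 53 in
1400 192.0.2.5 10.1.2.7 80 in
"""


def parse_flows(text):
    """Turn the constructed text format into (ts, src, dst, port, direction) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, direction = line.split()
        flows.append((int(ts), src, dst, int(port), direction))
    return flows


def unexpected_services(flows):
    """Internal hosts outside SERVERS that accept connections on DNS/web/IRC ports.

    A workstation answering on these ports is the 'new services' indicator:
    it may be hosting DNS, a web drop, or an IRC channel for a bot.
    """
    findings = defaultdict(set)
    for _ts, _src, dst, port, direction in flows:
        if direction != "in" or port not in SERVICE_PORTS:
            continue
        if ipaddress.ip_address(dst) in INTERNAL and dst not in SERVERS:
            findings[dst].add(SERVICE_PORTS[port])
    return {host: sorted(svcs) for host, svcs in findings.items()}


def beacon_candidates(flows, min_connections=4, max_jitter=0.2):
    """Internal hosts contacting one external endpoint at near-constant intervals.

    Regular check-ins with low timing jitter are a common CnC pattern; the
    coefficient of variation of the inter-connection gaps measures regularity.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, direction in flows:
        if direction == "out" and ipaddress.ip_address(dst) not in INTERNAL:
            by_pair[(src, dst, port)].append(ts)
    results = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0  # 0 == perfectly periodic
        if cv <= max_jitter:
            results.append({"src": src, "dst": dst, "port": port,
                            "period_s": mean, "jitter": round(cv, 3)})
    return results


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("unexpected services:", unexpected_services(flows))
    print("beacon candidates:", beacon_candidates(flows))
```

Both checks are correlation logic you would feed from firewall or NetFlow exports rather than from a text file; the point of the example is that each indicator in the answer becomes a concrete grouping (by destination host and port, or by source/destination pair) plus a threshold, which is the shape a SIEM rule takes.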

Children
  • Hi Mike, I need your assistance regarding use case creation. Could you please provide rules for the following (I tried to be specific):

    1. Patch non compliance
    2. Unauthorized security configuration
    3. Unauthorized access of storage account
    4. Unauthorized access of storage account keys
    5. Virus, malware, malicious code detection(Correlation)
    6. Vulnerability detection
    7. Unauthorized devices in the network
    8. Unauthorized applications in the network
    9. Loss / tampering with logs especially security logs
    10. Spoofing
    11. DOS and DDOS attacks
    12. Unauthorized access to certificate private keys
    13. Suspicious privilege account activity
    14. Unauthorized firewall rule changes
    15. Unauthorized changes to express route connectivity
    16. Suspicious logins to VM
    17. Botnet detection at firewall