Let's talk content - malware detection
Let's face it, signature-based detection is no longer a fail-safe route by which anyone can detect all the malicious software on "our" networks. From a former pen-tester's and malware reverser's perspective I can testify to the ease with which people can evade signature-based detection on both the network and the host (for a basic example of this topic please see this article: http://www.packetstormsecurity.org/papers/virus/Taking_Back_Netcat.pdf). The truth is we have to look at a new way to do this. Let's think outside the box for a minute here and post some ideas on ways in which you are detecting malware on your network without signatures being fired by your malware protection products, and why you chose to use that method.
Below is an example of one way I might do this to get things started...
Detecting Beaconing of "phone-home" functionality
We know that it is no longer common for malware to be written with the purpose of monetary gain or stealing resources these days. However, for this malicious goal to be achieved, the malware has to be controlled in some way by the author or, in most cases, the distributor of the malware variant. Let's look at a basic pattern which could help us detect this on our network.
Attacker Address in (INTERNAL_NETWORK)
Target Address NOT in (INTERNAL_NETWORK)
Target Port in (EPHEMERAL_PORTS_LIST)
Target Port NOT in (TRUSTED_PORTS_LIST)
This obviously will not detect all malware, as some will tunnel over valid root ports, and that can be addressed later. However, I find this (after tuning for normal activity, and assuming you have egress filtering in place on your firewalls) to be effective as a VERY basic way to pick up some anomalous network activity that might need to be looked into (it can also detect things like Skype and Torrent if they are unauthorized for your network). This won't work for everyone, but give it a shot: throw it in a data monitor (aggregate on attacker address) and see what you come up with.
Looking for some good discussion on this for everyone's benefit hopefully you guys have some ideas that you can share which most of us haven't tried yet that will help to improve our detection. Best idea will get the "correct" answer and the 10 points for the question thread...
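The four-condition pattern above, run over a handful of constructed firewall log lines and aggregated on the internal (attacker) address the way the post suggests for a data monitor. This is an added example, not code from the original post or from any product; the internal ranges, the ephemeral range and the trusted-port set are assumptions and should be replaced with your own.

```python
import ipaddress
from collections import Counter, defaultdict

# Assumed environment (not from the original post): adjust to your own address
# space and to the ports you explicitly trust for outbound traffic.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]
EPHEMERAL_PORTS = range(1024, 65536)           # "EPHEMERAL_PORTS_LIST"
TRUSTED_PORTS = {80, 443, 25, 53, 123, 8080}   # "TRUSTED_PORTS_LIST", assumed

# Constructed sample firewall log in key=value form (not real traffic).
SAMPLE_LOG = """\
ts=1 src=10.1.2.50 dst=203.0.113.7 dport=6543 proto=tcp
ts=2 src=10.1.2.50 dst=203.0.113.7 dport=6543 proto=tcp
ts=3 src=10.1.2.50 dst=203.0.113.7 dport=6543 proto=tcp
ts=4 src=10.1.2.51 dst=198.51.100.9 dport=443 proto=tcp
ts=5 src=10.1.2.52 dst=10.1.9.9 dport=40000 proto=tcp
ts=6 src=203.0.113.20 dst=10.1.2.50 dport=55000 proto=tcp
ts=7 src=10.1.2.53 dst=198.51.100.9 dport=8080 proto=tcp
ts=8 src=10.1.2.50 dst=203.0.113.8 dport=45000 proto=udp
"""


def parse_line(line):
    """Turn one 'key=value key=value' line into a dict; dport becomes an int."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def matches_pattern(rec):
    """The four conditions from the post, applied to one connection record."""
    return (is_internal(rec["src"])                  # Attacker Address in INTERNAL_NETWORK
            and not is_internal(rec["dst"])          # Target Address NOT in INTERNAL_NETWORK
            and rec["dport"] in EPHEMERAL_PORTS      # Target Port in EPHEMERAL_PORTS_LIST
            and rec["dport"] not in TRUSTED_PORTS)   # Target Port NOT in TRUSTED_PORTS_LIST


def aggregate_by_source(log_text):
    """Aggregate matching records on the internal (attacker) address; each value
    counts how often a given (dst, dport) pair was contacted."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if matches_pattern(rec):
            hits[rec["src"]][(rec["dst"], rec["dport"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, targets in aggregate_by_source(SAMPLE_LOG).items():
        print(src)
        for (dst, dport), n in targets.most_common():
            print(f"  -> {dst}:{dport}  {n} connection(s)")
```

On the sample only 10.1.2.50 survives: the 443 and 8080 connections drop out as trusted ports, the 40000 connection drops out because its target is internal, and the inbound 55000 connection drops out because its source is external. The repeated hits on one (dst, dport) pair are what make the aggregation useful; a single stray connection is noise, the same pair every few seconds is a lead.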
If this wasn't directly counterproductive to increasing many people's consulting revenues I would totally love to talk about it, heh.
But I can at least throw you a couple of generic bones:
1. I know you sort of mentioned this, but I'll reinforce it. In your example, you would miss a lot of malware that talks over HTTP and HTTPS (e.g. Zeus and other pretty high-end stuff).
2. Related to the above. You can catch a lot of the non-elite malware as it attempts to communicate after hours...
3. Math, math, math...
ALRIGHT! You'll get no more answers out of me!!
Have you had a chance to try out the number-based risk assessment? The one where you set the risk of the site by traffic, so the less it talks the higher the risk it is?
Sheesh, this is the best response in 3 weeks? An introduction to security monitoring 101 quip that amounts to "I'm 1337, everyone else sux."
Way to embrace a spirit of cooperation. I highly doubt you know anything that wasn't public knowledge years ago anyway justink.
I think you may have misinterpreted the idea I was trying to get across.
That was not the point at all. Cooperation is great, and I am all for it. I was just pointing out that in the end most of the people in these forums make a living selling that type of information, so it shouldn't surprise anyone that there wouldn't be a line to respond to this thread. Case in point: there isn't.
I understand how you may have gotten the wrong idea, and I apologise if I was unclear. However, this is a professional social site and I would caution against personal attacks. If you have so much expertise to share on the subject please do so.
Unfortunately, the whole pay-to-play phenomenon has infected the security community in general. I happen to like it when my financial cards work, I like it when ill people receive the proper treatment, I like it when people's phones work when an emergency occurs, I like it when the heat/lights are on and the internetz "works". Thus, I feel as though any information that might improve the security posture of any organization is inherently a good thing for everyone. These days, there's a smorgasbord of products/projects, both free and paid, that are focused on either identifying and/or mitigating the threat of malware; spend your money/time wisely and hunting will be a bit easier. I gathered from the content of your post that you are interested in identifying malware at a network level, so I've limited the focus here.
First off, know your enemy. Perform threat characterization and apply your defenses accordingly. There's a big difference between focused custom malware (ninja) and most common malware (pirate). For the focused stuff, you're on your own, as defense measures will need to be tailored to your environment and the specific threat you are attempting to insulate your organization from. However, most common malware has "tells"; how good of a read are you?
Additionally, there's been a LOT of discussion on the forums recently and at the last Protect event around adding open-source intelligence into SIEM implementations. Look into this and implement it. You'll find a great deal of noisy malware that may be slipping past your other defence measures. We've been doing this for some time and are often able to be more proactive in identifying malware that has somehow gotten by more traditional measures.
Lastly, as you have some experience reversing, you know that more often than not, patterns are generated. Learn how to identify these patterns and watch for them. Here are some really simple early warning indicators to keep an eye on...
1) Check your firewall logs for one host speaking to many hosts in short periods of time on commonly abused ports like 135, 139, 445 and 1025. As well, keep an eye on the latest vulns and the services which they attack; maybe maintain a list of recently abused ports? Fixed-port stuff is really low-hanging fruit, so why not take it a step further and just identify one internal host talking to many other internal hosts in a short period of time with either a common source port or a common destination port?
2) Lots of malware likes to "phone home", which often leverages DNS. If you see DNS queries generated from internal nodes using anything other than your internal DNS server (you are using split DNS, right?), this might be a good lead. As well, if you see many queries from your external DNS server to the same external node in a short period of time, check this out. Is your cache window really that small?
None of this is foolproof; you'll get false positives, but it's up to you as the engineer to learn more about your environment and tune as necessary. Hope this helps get you started down the right path!
To quote Sun Tzu, "to secure ourselves against defeat lies in our own hands, but the opportunity of defeating the enemy is provided by the enemy himself."
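The two early-warning indicators in the post above (one internal host fanning out to many internal hosts on a common destination port in a short window, and internal nodes sending DNS to anything other than the sanctioned resolver), implemented over a constructed connection log. This is an added example, not code from the poster; the internal range, the resolver address, the 60-second window and the threshold of 5 hosts are assumptions to tune for your own environment.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the original post): one internal range, one sanctioned
# internal resolver, a 60 s window and a fan-out threshold of 5 distinct hosts.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
INTERNAL_DNS_SERVERS = {"10.0.0.53"}
COMMONLY_ABUSED_PORTS = {135, 139, 445, 1025}
WINDOW_SECONDS = 60
FANOUT_THRESHOLD = 5

# Constructed sample: "<epoch seconds> <src> <dst> <dport>" per line (not real traffic).
SAMPLE_LOG = """\
100 10.1.2.50 10.1.3.1 445
102 10.1.2.50 10.1.3.2 445
104 10.1.2.50 10.1.3.3 445
106 10.1.2.50 10.1.3.4 445
108 10.1.2.50 10.1.3.5 445
110 10.1.2.50 10.1.3.6 445
500 10.1.2.50 10.1.3.7 445
101 10.1.2.51 10.1.3.1 445
103 10.1.2.51 10.1.3.2 445
105 10.1.2.60 10.0.0.53 53
107 10.1.2.60 198.51.100.5 53
109 10.1.2.61 203.0.113.53 53
111 10.1.2.62 10.1.3.9 3389
"""


def parse(log_text):
    records = []
    for line in log_text.splitlines():
        ts, src, dst, dport = line.split()
        records.append((int(ts), src, dst, int(dport)))
    return sorted(records)          # time order; the sliding window relies on it


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def fan_out(records, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """One internal host talking to many internal hosts on a common destination
    port within `window` seconds. Returns {(src, dport): max distinct targets}
    for every pair that reaches `threshold`."""
    events = defaultdict(list)      # (src, dport) -> [(ts, dst), ...] in time order
    for ts, src, dst, dport in records:
        if is_internal(src) and is_internal(dst):
            events[(src, dport)].append((ts, dst))
    alerts = {}
    for key, evs in events.items():
        best = 0
        for i, (t0, _) in enumerate(evs):
            # distinct targets in the window that starts at this event
            targets = {dst for ts, dst in evs[i:] if ts - t0 <= window}
            best = max(best, len(targets))
        if best >= threshold:
            alerts[key] = best
    return alerts


def dns_bypass(records):
    """Internal hosts sending DNS (port 53) to anything other than the sanctioned
    internal resolvers; with split DNS and egress filtering this should be empty."""
    return [(src, dst) for ts, src, dst, dport in records
            if dport == 53 and is_internal(src) and dst not in INTERNAL_DNS_SERVERS]


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for (src, dport), n in fan_out(recs).items():
        tag = "commonly abused port" if dport in COMMONLY_ABUSED_PORTS else "other port"
        print(f"fan-out: {src} -> {n} hosts on port {dport} within {WINDOW_SECONDS}s ({tag})")
    for src, dst in dns_bypass(recs):
        print(f"dns bypass: {src} queried {dst} directly")
```

On the sample, 10.1.2.50 reaches six distinct hosts on 445 inside ten seconds and is reported; its seventh connection at t=500 falls outside every window and does not inflate the count, and 10.1.2.51 stays under the threshold. The fan-out check is deliberately port-agnostic, as the post suggests; the commonly-abused list is only used to rank the alerts. The "many queries from your external DNS server to the same node" indicator needs the resolver's own outbound logs and is not covered here.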
Thanks gmino for putting this discussion on track, and bumping it so I can reply to it
Besides the topic, I think it would be a good idea to create a baseline to start from: the idea is to create the "ideal" network that suits your organizational needs.
After that is done, you can import that model into ArcSight, meaning using categories, asset modeling, known patterns, etc.
Now, after you have a rough network scheme of the organization, including Nmap/Nessus (and the like) running and identifying new vulnerabilities, you can build a few generic rules that will give you a response to the most common malware that exists: rules/reports/dashboards like
- The use of uncommon ports in the organization
- Workstations that try to download DLL or EXE files from the internet
- Usage of the open-source community (DShield, Malwaredetection and the like)
- Users that try to copy a massive amount of DLLs to shared storage
- You can create a comparison report on most active ports on servers, and compare it each week.
- *dashboard* - Top 20 users with failed logons last week.
- Top x machines with firewall drops
- If you have a closed network (no internet) you can look for DNS requests that refer to servers outside the organization (there is a need to filter Java, Adobe, etc.)
And of course don't forget the scanning rules, Internal > External | Internal > Internal, both host and port scans.
Currently thats all that comes to mind if I think of something else I'll post it.
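The weekly comparison report on most active server ports from the list above, as an added example (not code from the poster or from ArcSight): build each server's top-N port profile for two consecutive weeks and report ports that appear in this week's profile but were absent last week. The server names, ports and counts are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed sample: (server, destination port) per accepted connection, one list
# per week. Not real data; a real run would read these from firewall or flow logs.
LAST_WEEK = ([("web01", 443)] * 100 + [("web01", 80)] * 40 + [("web01", 22)] * 3
             + [("db01", 5432)] * 60 + [("db01", 22)] * 2)
THIS_WEEK = ([("web01", 443)] * 110 + [("web01", 80)] * 35 + [("web01", 22)] * 4
             + [("web01", 4444)] * 30
             + [("db01", 5432)] * 58 + [("db01", 22)] * 2
             + [("jump01", 22)] * 20)


def port_profile(records, top_n=5):
    """Most active destination ports per server: {server: [(port, count), ...]}."""
    counts = defaultdict(Counter)
    for server, port in records:
        counts[server][port] += 1
    return {server: c.most_common(top_n) for server, c in counts.items()}


def compare_profiles(previous, current):
    """Ports in this week's profile that were absent from last week's profile for
    the same server. A server with no previous profile reports every port, which
    is the right default: a new host needs a baseline before it can be trusted."""
    report = {}
    for server, profile in current.items():
        known = {port for port, _ in previous.get(server, [])}
        new_ports = sorted(port for port, _ in profile if port not in known)
        if new_ports:
            report[server] = new_ports
    return report


def weekly_report(last_week, this_week, top_n=5):
    return compare_profiles(port_profile(last_week, top_n),
                            port_profile(this_week, top_n))


if __name__ == "__main__":
    for server, ports in weekly_report(LAST_WEEK, THIS_WEEK).items():
        print(f"{server}: new active port(s) this week: {ports}")
```

On the sample, web01 is reported for 4444 (a port that carried enough traffic this week to enter its top five) and jump01 for 22 because it had no baseline at all; db01, whose profile did not change, is silent. Keep top_n small enough that a port has to carry real traffic to appear, otherwise every one-off connection becomes a finding.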
I guess it is; there are a lot of other areas of research though. Forums like this place, hacker forums, whitepapers et al. I got a snippet from a whitepaper about 6 months ago with brilliant, simple logic in it. I translated that into a rule and that's now one of our top malware detectors.
research research research.