Application Security

11/16/2017
01:31 PM
Teri Radichel
News Analysis-Security Now

10 Clues That Network Traffic Is Bad

Threats often come in the form of bad network traffic. These 10 tips tell you whether bad traffic is worth worrying about.

The number of recent data breaches and the amount of stolen data is staggering. At times, finding ways to stop the latest cyber attacks may seem overwhelming. Even though the malware that infiltrates an organization can be very complicated and stealthy, many breaches share common characteristics that appear in traffic logs of carefully designed networks. Although advanced security products can help stop advanced criminals, network administrators can stop some of the recent high-visibility attacks with well-designed firewall configurations and traffic monitoring.

Here are ten tips to keep in mind that can help to identify malicious traffic on your network:

  1. Continuously inspect the top hosts generating the highest traffic volume. In most cases, after malware infects a host, it will try to make an outbound connection back to a server. An attacker uses this connection to send commands to the infected host. The infected host may download more malware, scan the network for other hosts to infect, or exfiltrate data. These behaviors sometimes lead to ongoing traffic patterns that indicate a breach. As the SANS Institute explains in their security bootcamp, administrators can regularly monitor top IP addresses that match one or more of the following patterns to make sure the traffic is legitimate:
  • The longest connections
  • The largest amount of data transfer
  • The most connections

  2. Look for anomalies. In addition to checking hosts with these characteristics, network administrators should know what normal traffic on the network looks like. If a host starts sending an abnormal amount of data, that could mean malware has infected the host and is performing unwanted actions. Monitor connection duration, data transfer and total connections for individual hosts and investigate variations from the baseline.

  3. Block ports to generate logs that show unauthorized access attempts. You may have heard someone claim that firewalls are useless because an attacker can easily bypass firewall rules to get into a network. It is true that attackers can often trick standard firewalls into allowing malicious data through an open port, but no traffic can pass through a blocked port under normal circumstances. Therefore, limit open ports. To maximize the number of blocked ports around critical hosts, break networks down into smaller networks (network segmentation). Require hosts that access private networks and critical systems to pass from a network with broader rules into networks with progressively more restricted access. When malware scans for open ports, correctly configured traffic logs will record the invalid access attempts.

  4. Watch for "deny" entries in network firewall logs. Configure network firewalls on the perimeter of networks to block unnecessary ports between internal and external networks, and between network segments. An external host trying to connect to a blocked port multiple times could be the result of a misconfiguration or of an attacker probing the network. In many cases, network administrators can create firewall rules to prevent these hosts from making any further network connections on any port.

  5. Check for traffic from desktops and laptops trying to connect to each other. Desktops and laptops on the network typically have no reason to connect to one another. Block access between individual hosts on the network by installing a host-based firewall, and create rules that allow only the specific access each host needs. Malware on infected hosts will often scan the network to find other hosts nearby that it can infect. This activity will generate entries in host-based firewall logs, provided those logs are configured to record denied access attempts. Investigating these entries may uncover configuration or security problems.

  6. Watch for printers, network devices, or IoT devices initiating outbound connections. Laptops and desktops need to initiate network requests to printers; printers do not typically need to connect to the machines that send them documents. A printer may make an outbound connection to receive a software update, but traffic from the Internet should never request access to a printer hosted on a private network. Block invalid traffic patterns and investigate denied and unusual access attempts generated by or directed to network devices.

  7. Monitor traffic sent to or from unexpected locations. If a business operates exclusively in one country, traffic to other parts of the world could be a sign of malicious activity. Investigate traffic to foreign networks to ensure it is legitimate. Administrators can block traffic to unwanted locations using a geolocation database or tool that identifies the location of the source or destination IP address of the network request.

  8. Watch for abnormal network packet sizes. Ping packets are small and fall within a normal size range. In the Target breach, ICMP (ping) packets moved data through the network. A network administrator watching the network closely would have noticed that these packets were unusually large for a simple ping request. Monitor for network packets and requests that deviate from standard sizes.

  9. Disallow traffic to known bad IP addresses and networks. Many products and services offer ways to block traffic to known-bad locations. Use these lists to identify malicious IP addresses or network ranges, create networking rules that block any traffic to those destinations, and monitor logs for access to or from those networks.

  10. Watch for improperly formed network requests. Network devices communicate via standard network protocols. Each protocol has a defined format, whether it operates at the transport layer (TCP/IP) or at the application layer (HTTP or SMTP), and valid network traffic will conform to these standards. Administrators can watch for malformed network packets and invalid protocol usage using network security tools. A host that generates improperly formed requests and packets is a candidate for investigation or blocking.
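To show how several of these clues turn into concrete checks against logs, here is an added example that is not from the article or from WatchGuard: it runs over constructed, comma-separated firewall/flow records and implements clue 1 (top talkers by bytes, connections and duration), clues 3 and 4 (one source denied on several blocked ports), clue 5 (workstation-to-workstation traffic) and clue 8 (oversized ICMP). The log format, the workstation segment 10.0.1.0/24, the 200-byte ping ceiling and the two-port probe threshold are all assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records (not real traffic): src,dst,proto,dport,bytes,seconds,action
SAMPLE_LOG = """\
10.0.1.20,93.184.216.34,tcp,443,18000,12,allow
10.0.1.20,93.184.216.34,tcp,443,22000,9,allow
10.0.1.20,93.184.216.34,tcp,443,5000,3,allow
10.0.1.21,10.0.1.22,tcp,445,0,0,deny
10.0.1.21,10.0.1.23,tcp,445,0,0,deny
10.0.1.30,198.51.100.7,tcp,443,9400000,7200,allow
10.0.1.30,198.51.100.7,icmp,0,1400,0,allow
203.0.113.9,10.0.1.5,tcp,22,0,0,deny
203.0.113.9,10.0.1.5,tcp,445,0,0,deny
"""
WORKSTATIONS = ip_network("10.0.1.0/24")  # assumed segment holding only desktops/laptops

def parse(text):
    """Turn the comma-separated records above into dicts with numeric fields."""
    keys = ("src", "dst", "proto", "dport", "bytes", "secs", "action")
    rows = [dict(zip(keys, line.split(","))) for line in text.splitlines()]
    for r in rows:
        r["dport"], r["bytes"], r["secs"] = int(r["dport"]), int(r["bytes"]), int(r["secs"])
    return rows

def top_talkers(rows, n=1):
    """Clue 1: hosts with the most bytes sent, most connections and longest total time."""
    by_bytes, by_conns, by_secs = Counter(), Counter(), Counter()
    for r in (r for r in rows if r["action"] == "allow"):
        by_bytes[r["src"]] += r["bytes"]
        by_conns[r["src"]] += 1
        by_secs[r["src"]] += r["secs"]
    return {"bytes": by_bytes.most_common(n), "connections": by_conns.most_common(n),
            "duration": by_secs.most_common(n)}

def denied_port_probes(rows, min_ports=2):  # threshold is an assumption
    """Clues 3-4: sources whose denied attempts touch several blocked ports."""
    ports = defaultdict(set)
    for r in (r for r in rows if r["action"] == "deny"):
        ports[r["src"]].add(r["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

def workstation_to_workstation(rows):
    """Clue 5: desktops/laptops contacting each other, which they rarely need to."""
    return [(r["src"], r["dst"], r["dport"]) for r in rows
            if ip_address(r["src"]) in WORKSTATIONS and ip_address(r["dst"]) in WORKSTATIONS]

def oversized_icmp(rows, limit=200):  # 200-byte ceiling for a normal ping is assumed
    """Clue 8: ping traffic far larger than an ordinary echo request."""
    return [(r["src"], r["dst"], r["bytes"]) for r in rows
            if r["proto"] == "icmp" and r["bytes"] > limit]
```

On the sample data the checks single out 10.0.1.30 (largest transfer, longest connection, oversized ICMP), 203.0.113.9 (denied on two blocked ports) and 10.0.1.21 (reaching for neighbouring workstations on port 445).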

Before moving to advanced security techniques, companies trying to improve the effectiveness of their cyber security programs should start with the basics. Create effective firewall rules and monitor network traffic logs for suspect behavior. These steps will block many attackers using well-known vulnerabilities and attack patterns to compromise organizations.

Although these ten suggestions don’t involve next-generation security appliances, machine learning, or artificial intelligence, they would have prevented or at least minimized the impact of some of the more recent cyberattacks such as WannaCry, NotPetya, and the Target breach. These tactics can also mitigate DDoS attacks for some companies and weaken the effectiveness of botnets. Before moving to advanced security techniques, consider improving the effectiveness of your cyber security program by tackling these basic but powerful best practices.

— Teri Radichel is the Director of Security Strategy and Research at WatchGuard Technologies.
