Welcome to the MetaFlows Blog’s First Feature of the Month!
This month, we thought we would start things off right by spotlighting our proprietary, groundbreaking Soft IPS technology.
The long and short of it: Soft IPS enables you to block threatening traffic passively, that is, without sitting in line. The benefits of being able to stop threats effectively without being in line are many. For starters, your security is more secure: the IPS is not itself a threat to availability, and your network can continue uninterrupted. No firewall modifications are needed after every major event, and threats can be blocked in real time!
But HOW?! If you are more technically inclined, please read on to see how, by reverse engineering the Great Wall of China, we are able to accomplish such things!
MetaFlows’ Soft IPS technology blocks unwanted traffic in passive mode. It does this by injecting spoofed TCP packets into the network to disrupt unwanted communications. This idea (also employed by the Great Firewall of China) is coupled with a new algorithm that safely predicts what traffic to block based on observed communication patterns.
It uses powerful active response technology to block unwanted traffic (bots, spyware, P2P, etc.) and actively learns which hosts on a network need to be isolated.
1. Assets. From the Historical menu you can open the Assets page, which lists all assets on your network by host. You can search all assets by string or regex queries, filter records with no data for specific columns (check the checkbox in the column’s header), and export all asset data in CSV, XML, and JSON formats (Adobe Flash 10 or higher required).
2. Time Zones. We have added a new option in the Account->Preferences menu to set your preferred timezone by location, rather than using UTC by default. Note that the events will still be stored as Unix timestamps (UTC), but all time strings on NSM will use your selected time zone.
June 14 2013. We have added a new option to automatically download and restart software components that need an update. The autoupdate has been designed to minimize loss of security event data while it is being applied. If you want this feature (we highly recommend it), edit your sensor configuration(s) and click on Autoupdate, Save, and reload your sensor.
Last week, Mandiant published a report identifying a working group executing sophisticated, long-term attacks against targets in the United States. If you want to see if your network is the target of such attacks, follow the instructions below to update your sensor(s).
Add Packet Stash’s FQDN Snort Rules
APT-1 uses at least 3,000 known FQDNs (Fully Qualified Domain Names) to deliver its payloads (see the Mandiant report for more details on how APT-1’s backdoor software works). Packet Stash quickly followed up on the Mandiant data release with a ruleset containing the FQDNs used in these attacks, and then released this ruleset under the GNU General Public License. These rules are a good first step for identifying known APT-1 attack vectors.
To merge the Packet Stash APT-1 FQDN Rules into your ruleset, do the following steps:
Log in on https://nsm.metaflows.com. Click on the Rules item on the top menu. If you have multiple sensors in your domain, you will be asked to select the sensor you want to modify.
Click on Merge Rules in the middle of the secondary menu for the Rules page.
Select the file with the rules you saved in Step 1.
After the rules file finishes uploading, click on the “Save” button on the secondary menu for the Rules page. When the rules finish saving, click the “Close” button.
The Rules page will reload. After the page reloads, a text panel will appear in the upper-right corner with the buttons “Reload” and “Not Now”. Clicking “Reload” will make the sensor software restart and load the new Snort rules. Clicking “Not Now” will postpone the reload, so the new rules are not active until the sensor is next reloaded.
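As an added illustration of how a Snort rule of the kind described above is built from an FQDN (this is example code, not the Packet Stash ruleset or MetaFlows code): a DNS query carries the name in wire format, each label preceded by its length byte and the whole name terminated by a zero byte, so `www.example.test` is matched as `|03|www|07|example|04|test|00|` rather than as a plain substring. The FQDNs below are constructed placeholders, not APT-1 indicators, and the SID base is an arbitrary choice.

```python
import re

# Constructed placeholder FQDNs (not APT-1 indicators) standing in for a list
# such as the Packet Stash release.
SAMPLE_FQDNS = ["update.example-c2.test", "www.Example-C2.test.", "login.evil-cdn.test"]

LABEL_RE = re.compile(r"[a-z0-9-]+")

def dns_label_content(fqdn):
    """Encode an FQDN as a Snort content string in DNS wire format.

    Each label is preceded by its one-byte length and the name ends in a zero
    byte, so the match cannot fire on a longer name that merely contains it.
    """
    parts = []
    for label in fqdn.strip(".").lower().split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length in {fqdn!r}")
        if not LABEL_RE.fullmatch(label):
            raise ValueError(f"unsupported characters in {fqdn!r}")
        parts.append(f"|{len(label):02x}|{label}")
    return "".join(parts) + "|00|"

def make_rule(fqdn, sid):
    """One alert on DNS queries from $HOME_NET for the given name."""
    name = fqdn.strip(".").lower()
    return (f'alert udp $HOME_NET any -> any 53 (msg:"DNS query for {name}"; '
            f'content:"{dns_label_content(name)}"; nocase; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')

def make_ruleset(fqdns, base_sid=9000000):
    """Deduplicate names (case and trailing dot) and assign sequential SIDs."""
    rules, seen = [], set()
    for fqdn in fqdns:
        name = fqdn.strip(".").lower()
        if name in seen:
            continue
        seen.add(name)
        rules.append(make_rule(name, base_sid + len(rules)))
    return rules

if __name__ == "__main__":
    print("\n".join(make_ruleset(SAMPLE_FQDNS)))
```

The generated lines can be saved to a file and merged exactly as described in the steps above; `nocase` keeps the match working against queries that randomise label case.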
Add the MetaFlows APT-1 IP Addresses Classification
APT-1 also uses a known range of IP addresses comprising at least 40 Class B networks (see Table 8 on page 40 of the Mandiant report for the list). One other step MetaFlows customers can take to identify potential APT-1 attack vectors is to leverage our existing Classification tools to identify flows to or from the addresses in these networks. To do this, do the following steps:
Enter the Real Time or Historical view. Click on the Classifications icon on the bottom menu bar. This will open the classifications list. Click the Classification Import icon at the top of this window. Select the apt1ips.json classification file you downloaded in Step 2.
Once the classification file is uploaded, the Edit Classification window will open. You can modify the classification further with other markers available from Mandiant, or you can just click “Save Classification” at the top of the page to use the classification as-is. The classification will be imported into your existing classifications, listed under the Mandiant APT-1 classification category, and you can start using it to identify any addresses from the known APT-1 networks by filtering Real Time and Historical data with it.
We have discovered several APT-1 hosts acting on our global network of honeypots with this classification, so it is possible that our customers are experiencing attacks involving these addresses as well. If you have any comments, questions, or suggestions, please contact us at support@metaflows.com.
We can now reassemble interesting files being transmitted on your network (both inbound and outbound) on ports 25, 80, 110 and 143 (SMTP, HTTP, POP3 and IMAP). These are the ports through which most malware is propagated via browser-based attacks, phishing, or email spam.
Real Time File transmission Logging
By default, all dangerous file transmissions (exe, dll, MS Office, pdf, zip, etc.) are logged and correlated whether or not they are malicious. This allows you to see what content your users are downloading or uploading (these informational messages can be disabled if this is too much information for you). See the screenshot below where several file transfers are logged.
File Transmission Logging
Real Time File Scanning
Importantly, files that contain malicious code as reported by VirusTotal are ranked 100 and flagged as high-priority events for your analysis. Any of these events should be taken very seriously and remediated quickly. See the screenshot below, where Snort events and File-inbound events are correlated to show you an ongoing infection.
Malicious file transfers have a ranking of 100 and a report URL lets you see why they are infected. The events are correlated with the IDS events to let you see how everything fits together.
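To make the logging and ranking described above concrete, here is an added example (not MetaFlows code) of how a reassembled payload can be typed from its leading bytes, hashed, and ranked 100 when a VirusTotal lookup reports any positives. The OOXML detection by zip directory layout is a generalisation beyond the text; the VirusTotal result is a hypothetical `{sha256: positives}` cache and the sample inputs are constructed.

```python
import hashlib
import io
import zipfile

# Magic-byte signatures for the file types the text lists (constructed table).
SIGNATURES = [
    (b"MZ", "pe"),                                         # exe / dll
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-office"),   # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                                # zip or OOXML Office
]
OOXML_DIRS = {"word/": "docx", "xl/": "xlsx", "ppt/": "pptx"}

def identify(data):
    """Return the file kind from its leading bytes, or None if not of interest."""
    for sig, kind in SIGNATURES:
        if data.startswith(sig):
            return _classify_zip(data) if kind == "zip" else kind
    return None

def _classify_zip(data):
    """Tell an OOXML Office document apart from a plain zip by its directory layout."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "zip"  # a truncated reassembly is still logged as a zip
    for prefix, kind in OOXML_DIRS.items():
        if any(n.startswith(prefix) for n in names):
            return kind
    return "zip"

def log_transfer(data, vt_positives):
    """Build a log record; a hash with any VirusTotal positives is ranked 100.

    vt_positives is a hypothetical cache of {sha256: positive-engine count}
    standing in for the VirusTotal lookup.
    """
    kind = identify(data)
    if kind is None:
        return None
    digest = hashlib.sha256(data).hexdigest()
    positives = vt_positives.get(digest, 0)
    return {"type": kind, "sha256": digest, "positives": positives,
            "rank": 100 if positives > 0 else 0}

def make_docx_like():
    """Constructed minimal OOXML-shaped zip used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()
```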
In order to access this great new feature:
Go to your Sensor Configuration page
Enable the File Monitoring plugin by clicking on the check box labeled “File Monitoring” toward the bottom of the page
Enter an optional Virus Total Key (if you do not have one, we highly recommend registering with Virus Total and obtaining a free key at https://www.virustotal.com/)
Save the sensor configuration
Execute /nsm/etc/mss.sh restart on your sensor
The plugin works in parallel, so if you have multiple cores, it will load-balance the file reassembly on multiple processors. So far, the beta testing has exceeded all our expectations and we hope that this feature will be useful to you. As always, please feel free to send us email at support@metaflows.com for any questions or if you see any issues.
We’ve updated BotHunter to the latest version from the SRI Malware Threat Center. This new version has an updated rule set to help catch the latest threats as well as improved detection of false positives that are often associated with Peer-to-Peer and file-sharing traffic.
Current customers will receive this update automatically when their sensor is restarted/reloaded, and it will be bundled into the installation package for all new deployments.
You can now deploy MetaFlows sensors on Amazon EC2 through the new AWS Marketplace. It is extremely easy to set up, and you will be billed hourly as part of your EC2 instance subscription. You can use your existing MetaFlows account (or one will be created for you automatically) and monitor EC2 instances together with your existing physical sensors through a browser. This is true innovation!
This is a killer app. The more we watched this one sort through the data that it was monitoring – over a million events and flows at a major university – and dig down and analyze it, the more we wanted one. This is a very serious service/application that we have to admit also is very cool. This is an intrusion detection system (IDS)/intrusion prevention system (IPS) on steroids. It uses just about every security paradigm that we can think of. It is tied into a network of honeypots all over the world. It allows both IDS and IPS, and it has a level of detail and drilldown that enables solid forensic analysis of events.