Counter Competitive Intelligence Services
Internal Network Monitoring:
Detect anomalous traffic
We track the two-way communication flows between internal assets and external entities, developing an evidence trail of data exchanges that is matched against a state-based infection sequence model. Our correlation engine is driven by a customized and augmented release of Snort version 2, which tracks the underlying actions that occur during the malware infection process: inbound scanning, exploit usage, egg downloading, outbound bot coordination dialog, outbound attack propagation, and malware P2P communication. The correlator then ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of a successful local host infection. When a sequence of evidence is found to match the infection dialog model, a consolidated report is produced that captures all the relevant events and event sources that played a role in the infection process.
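The page describes the correlator only in prose, so the following is an added illustration of the dialog-correlation logic, not the service's own code. It parses a few constructed Snort-style "fast" alerts, keeps an evidence trail per internal host, and emits a consolidated report once the trail matches an assumed threshold. The internal address range, the evidence window, the "E<n>" stage tag assumed to be prefixed to each alert message, and the threshold itself (inbound exploit plus one outbound stage, or two distinct outbound stages, or any E8 declaration rule) are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for the example (not stated on the page): monitored internal
# range, how long evidence for one host is kept, and the stage tag that a
# hypothetical rule set prefixes to every alert message.
INTERNAL_PREFIX = "10.0.0."
WINDOW = timedelta(minutes=10)

INBOUND_STAGES = {"E1", "E2"}                      # scan, exploit: internal host is the target
OUTBOUND_STAGES = {"E3", "E4", "E5", "E6", "E7"}   # egg download, C&C, propagation, prep, P2P
DECLARE_STAGES = {"E8"}                            # a single declaration rule suffices

# Constructed sample input in Snort "fast" alert layout:
# "<ts> [**] E<n> <msg> [**] <src>:<sport> -> <dst>:<dport>"
SAMPLE_ALERTS = """\
2024-03-01 10:00:01 [**] E1 Inbound malware-port scan [**] 203.0.113.5:4444 -> 10.0.0.7:445
2024-03-01 10:00:09 [**] E2 MS RPC overflow attempt [**] 203.0.113.5:4444 -> 10.0.0.7:445
2024-03-01 10:00:20 [**] E3 Egg download over HTTP [**] 10.0.0.7:1035 -> 198.51.100.9:80
2024-03-01 10:00:30 [**] E4 IRC botnet C&C join [**] 10.0.0.7:1036 -> 198.51.100.20:6667
2024-03-01 10:01:00 [**] E1 Inbound malware-port scan [**] 203.0.113.5:4444 -> 10.0.0.8:445
2024-03-01 10:05:00 [**] E4 Web-based spyware phone home [**] 10.0.0.9:1100 -> 198.51.100.40:80
2024-03-01 10:06:00 [**] E7 Botnet P2P protocol activity [**] 10.0.0.9:1101 -> 198.51.100.50:8080
2024-03-01 10:07:00 [**] E2 MS RPC overflow attempt [**] 203.0.113.5:4444 -> 192.0.2.1:445
2024-03-01 10:40:00 [**] E3 Egg download over HTTP [**] 10.0.0.8:1050 -> 198.51.100.9:80
2024-03-01 11:30:00 [**] E4 Trojan periodic check-in [**] 10.0.0.8:1051 -> 198.51.100.30:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[\*\*\] (?P<stage>E\d) (?P<msg>.*?) \[\*\*\] "
    r"(?P<src>[\d.]+):(?P<sp>\d+) -> (?P<dst>[\d.]+):(?P<dp>\d+)$"
)


def parse_alert(line):
    """Parse one alert line into a dict, or return None for unparseable input."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["ts"] = datetime.strptime(alert["ts"], "%Y-%m-%d %H:%M:%S")
    return alert


def victim_of(alert):
    """Internal host the alert concerns: the target for inbound stages,
    the source for outbound stages; None if that side is not internal."""
    side = alert["dst"] if alert["stage"] in INBOUND_STAGES else alert["src"]
    return side if side.startswith(INTERNAL_PREFIX) else None


def infected(stages):
    """Assumed threshold: declaration rule, or inbound exploit plus an
    outbound stage, or two distinct outbound stages."""
    outbound = stages & OUTBOUND_STAGES
    return bool(stages & DECLARE_STAGES
                or ("E2" in stages and outbound)
                or len(outbound) >= 2)


def correlate(lines):
    """Build per-host evidence trails and return one consolidated report
    per host the first time its trail matches the infection model."""
    trails = defaultdict(list)
    declared = set()
    reports = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        host = victim_of(alert)
        if host is None:
            continue
        trail = trails[host] + [alert]
        # Drop evidence older than WINDOW relative to the newest alert so that
        # isolated events spread over hours do not accumulate into a report.
        trail = [e for e in trail if alert["ts"] - e["ts"] <= WINDOW]
        trails[host] = trail
        stages = {e["stage"] for e in trail}
        if host not in declared and infected(stages):
            declared.add(host)
            reports.append({
                "host": host,
                "first_seen": trail[0]["ts"],
                "last_seen": trail[-1]["ts"],
                "stages": sorted(stages),
                "evidence": [f'{e["stage"]} {e["msg"]} ({e["src"]} -> {e["dst"]})'
                             for e in trail],
            })
    return reports


if __name__ == "__main__":
    for report in correlate(SAMPLE_ALERTS.splitlines()):
        print(f'{report["host"]}: stages {report["stages"]}, '
              f'{report["first_seen"]} .. {report["last_seen"]}')
        for line in report["evidence"]:
            print("   ", line)
```

On the constructed input, 10.0.0.7 is reported after scan, exploit and egg download (the E4 alert that follows is folded in only if it arrives before the report is cut), 10.0.0.9 is reported from two outbound stages alone, as happens when the inbound exploit was never seen, and 10.0.0.8 is never reported because its three single pieces of evidence fall outside the window of each other. The purely external alert is discarded because neither endpoint is internal.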
How is it done?
We provide the tools for automatic monitoring of your network traffic to reveal anomalous connections that leak your data.
Your system should have a modern Intel Pentium-class processor, at least 1 GB of RAM, and at least one Ethernet NIC/WIC dedicated to network monitoring. Because the correlator tracks two-way flows, that interface must be attached where it sees both directions of the traffic between your internal hosts and the outside (for example, a switch SPAN/mirror port or a network tap).
- One option requires no software installation on your computers: the monitor runs from a live CD based on Ubuntu Linux.
- The other option is to install the Win32 executables and all necessary supporting packages on a Windows XP workstation. This option may also allow remote monitoring.
Detection coverage
E1: Inbound malware port focused scans
E2: Inbound and Outbound Exploit Detection
Client-side infection attempts (Web)
Direct Microsoft exploit coverage, including
- RPC exploits
- NetBIOS attacks
- OP/shellcode attacks via buffer overflow
Special Port Exploits
High Application Port Exploits
Inbound Only: Browser specific attacks
Outbound Only: Bad outbound email from non-SMTP hosts
Outbound Only:
- Moderate malware-focused outbound scan detection
- Prolific non-malware-focused outbound scan detection
E3: Forced Download / Illegal Software Install Detection
Malware/Trojan-initiated download requests
Classic network-stream binary spotting
Malware FTP communications
Web-based spyware infection download / install
E4: C&C Detection
Web based spyware phone home / periodic checkin
Web based malware install success reports
Inbound spyware command detection (flow established)
Web-based adware phone home
Botnet C&C login / dialog / command recognition
Trojan horse periodic checkin (primarily via web ports)
Application port checkin/install success reports
DNS-based call-backs
SMTP callbacks (from non-SMTP hosts)
Stateful IRC botnet C&C detection
E5/E6: Insider Attack / Malware Preparation Activity
Spambot MX record search via DNS
DNS malware associated query
E7: Peer-to-Peer Rules
Botnet P2P protocol activity
E8: Malware Infection Declaration Rules
Known botnet C&C IP address (specific address)
Russian Business Network (RBN) address
Prolific malware-focused outbound scan detection
To receive your Counter Competitive Intelligence Vulnerability Assessment of open-source information, please submit your payment of $99.00.
BETTER: Please submit your payment of $999.00 for a complete Counter Competitive Intelligence Vulnerability Assessment, including monitoring for anomalous traffic.