Identifying Compromised Hosts With Netflow
Identifying a compromised host is a common task for administrators in most network environments. The harder question is which of your hosts are currently communicating with another compromised system that you are not yet aware of. It’s not just a question of detecting the communication but of how long it has been going on before you detect it.
A customer, company or governmental agency contacts you to inform you that your network has been communicating with a compromised or suspect system and provides you with the IP address (e.g. x.x.43.22) of that system.
How would you begin to mitigate that?
What other IPs have been compromised internally?
So many questions come to mind, but where to begin?
Following your incident response policies, you probably begin by investigating the communications with the system outside your network.
As the network security administrator tasked with the problem, you can search for that external IP address or system name using the dashboard to filter traffic to and from the system. This gives you a view of all your hosts that are communicating with the external system.
This view should show you all the hosts on your network that have been communicating with the external host. These are the hosts that are suspects for compromise.
Now that you have identified the suspected hosts, look at what other hosts in your network these suspect hosts have communicated with; those hosts may also be compromised or in danger of being compromised.
Armed with this visibility of the suspected hosts and their activity, you should proceed to take countermeasures as defined by your incident response policies.
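The two-stage pivot described above, written out as an added example that is not part of the original article or of any particular NetFlow product. It assumes a CSV export of flow records with the columns shown (constructed here, using documentation addresses) and an internal range of 10.0.0.0/8; stage one collects every internal host that talked with the reported external IP together with its earliest contact time, and stage two lists the internal hosts each suspect talked to from that moment on.

```python
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

# Constructed NetFlow-style export (RFC 5737 documentation addresses),
# not real traffic: start time, src, dst, dst port, proto, bytes.
FLOWS_CSV = """ts,src,dst,dport,proto,bytes
2024-03-01T08:01:10,10.1.2.15,203.0.113.22,443,TCP,51200
2024-03-01T08:03:42,203.0.113.22,10.1.2.15,49152,TCP,2048
2024-03-01T09:15:00,10.1.2.15,10.1.5.40,445,TCP,120000
2024-03-01T09:16:30,10.1.2.15,10.1.5.41,445,TCP,98000
2024-03-01T10:00:05,10.1.7.9,203.0.113.22,80,TCP,700
2024-03-01T10:02:11,10.1.7.9,10.1.2.15,3389,TCP,45000
2024-03-01T11:30:00,10.1.9.3,10.1.9.4,53,UDP,300
"""
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

def load_flows(text=FLOWS_CSV):
    return list(csv.DictReader(StringIO(text)))

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def endpoints(flow):
    # Both directions, so a flow counts whichever side the host is on.
    return ((flow["src"], flow["dst"]), (flow["dst"], flow["src"]))

def first_hop_suspects(flows, external_ip):
    """Stage 1: internal hosts seen talking with external_ip -> earliest contact."""
    seen = {}
    for f in sorted(flows, key=lambda f: f["ts"]):
        for host, peer in endpoints(f):
            if peer == external_ip and is_internal(host):
                seen.setdefault(host, f["ts"])  # keep earliest contact
    return seen

def second_hop_peers(flows, suspects):
    """Stage 2: internal hosts each suspect talked to at or after first contact."""
    peers = defaultdict(set)
    for f in flows:
        for host, peer in endpoints(f):
            if (host in suspects and f["ts"] >= suspects[host]
                    and is_internal(peer) and peer != host):
                peers[host].add(peer)
    return dict(peers)

if __name__ == "__main__":
    flows = load_flows()
    suspects = first_hop_suspects(flows, "203.0.113.22")
    print(suspects, second_hop_peers(flows, suspects))
```

The earliest-contact timestamps answer the "how long has this been going on" question; the second-hop set is the list of hosts to check next, not proof that they are compromised.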
Your network security policy may vary, but a prudent first step is typically to take the host, or hosts, in question offline. In cases like this, the goal is to remove them from operational activity, not to shut them down (which discards volatile evidence such as memory contents), but to isolate them from the other systems in your environment so that they don’t compromise additional systems. Once the host or hosts are isolated, you should start performing your forensic examination and observing the “hack” to identify the activities.