
The Easy-to-Miss Basics of Network Defense

  • Posted on: September 14, 2014 at 6:37 pm
  • Posted in: Targeted Attacks
  • Author: Bryant Tan (Threats Analyst)

Last month we released a paper on backdoor techniques which highlighted the importance of setting up your network properly to detect and block C&C communication. In this post, I will share some rules that IT administrators can proactively implement in order to set up “basic defense” for their network. I say basic here because these rules are not meant to cover all types of suspicious activity within the network — just some that I think are more likely to be missed.

Detect services that use non-standard ports

Popular protocols have default ports that are commonly used by applications and services. A service that runs a protocol on a port other than its default can be considered suspicious; attackers often use this technique because the default ports are usually monitored by security products. Similarly, it is important to detect unknown protocols on standard service ports such as 80 (HTTP), 25 (SMTP), 21 (FTP), and 443 (HTTPS). Because IT admins cannot block traffic to these ports outright (legitimate services depend on them), attackers are likely to use them for attacks. Environments vary, so it is the IT administrator’s job to identify which protocols should be allowed, to closely monitor the traffic passing to these ports, and to make sure that it is what it is expected to be.

Apart from this, it is also important to close all unused ports in the environment. As we’ve learned in our past research on the techniques used by backdoors in targeted attacks, the port used often depends on which ones are allowed in the network. Limiting the open ports to those actually used in the network prevents attackers from taking advantage of the rest. Attackers can also abuse the Network Time Protocol (NTP), which is used for synchronizing time in the network, to launch distributed denial of service (DDoS) attacks.
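The two rules above (a known protocol on a non-default port, and something other than the expected service on a standard port) can be applied to flow data once the protocol is identified from the payload rather than from the port number. The following is an added example, not code from the original post or from Trend Micro: it fingerprints a flow from its first payload bytes with a few well-known signatures (HTTP request line, TLS handshake record, SSH banner, SMTP/FTP 220 banners) and compares the result with the service expected on the destination port. The port-to-protocol table, the sample flows and all addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
import re
from dataclasses import dataclass

# Protocol expected on each well-known port that the post names (plus SSH).
EXPECTED_ON_PORT = {21: "FTP", 22: "SSH", 25: "SMTP", 80: "HTTP", 443: "TLS"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first payload bytes seen on the connection


def fingerprint(payload: bytes) -> str:
    """Identify the protocol from the first payload bytes, independent of the port."""
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        return "HTTP"
    # TLS record header: content type 0x16 (handshake), version major byte 0x03
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "TLS"
    if payload.startswith(b"SSH-"):
        return "SSH"
    if re.match(rb"220[ -].*E?SMTP", payload) or payload.startswith((b"EHLO ", b"HELO ")):
        return "SMTP"
    if re.match(rb"220[ -].*FTP", payload):
        return "FTP"
    return "UNKNOWN"


def classify(flow: Flow) -> str:
    """Apply the two rules from the post to one flow."""
    proto = fingerprint(flow.first_bytes)
    expected = EXPECTED_ON_PORT.get(flow.dport)
    if expected is None:
        # Rule 1: a recognised protocol on a port that is not its default.
        return "KNOWN_PROTO_ON_NONSTANDARD_PORT" if proto != "UNKNOWN" else "OK"
    if proto == expected:
        return "OK"
    # Rule 2: a standard service port carrying something other than its service.
    return "UNKNOWN_PROTO_ON_STANDARD_PORT" if proto == "UNKNOWN" else "PROTO_PORT_MISMATCH"


def scan(flows):
    """Return (flow, verdict, fingerprinted protocol) for every flow that is not OK."""
    results = []
    for f in flows:
        verdict = classify(f)
        if verdict != "OK":
            results.append((f, verdict, fingerprint(f.first_bytes)))
    return results


# Constructed sample flows (RFC 5737 documentation addresses, not real hosts).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n"),
    Flow("10.0.0.6", "203.0.113.11", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow("10.0.0.7", "203.0.113.12", 443, b"SSH-2.0-OpenSSH_6.6\r\n"),
    Flow("10.0.0.8", "203.0.113.13", 80, b"\x00\x00\x00\x1a\x8b\x01\xfe\x00\x17\x42"),
    Flow("10.0.0.9", "203.0.113.14", 4444, b"POST /upload HTTP/1.1\r\nHost: 203.0.113.14\r\n"),
    Flow("10.0.0.10", "203.0.113.15", 7777, b"\x02\x9a\xf1\x00custom-app\x00"),
]

if __name__ == "__main__":
    for flow, verdict, proto in scan(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {verdict} (looks like {proto})")
```

Note that an unrecognised protocol on an unregistered port (the last sample) is deliberately not flagged: it is only the combination of a known protocol in the wrong place, or an unknown one where a known service should be, that the post calls suspicious. Which ports count as "standard" is exactly the per-environment decision the text leaves to the administrator, so the table is the part to adapt first.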

Detect files with names that have suspicious attributes

One of the most basic tricks for enticing users to open malicious files is manipulating the file name to make the target think that the file they’re opening is harmless. Although it is impossible to determine the nature of a file based on the file name alone, there are several suspicious file attributes that IT administrators can take note of:

  1. Files with too many spaces in the file name
  2. Files with two or more file extensions (especially if the actual file extension is an executable)
  3. Files with mismatched file type and extension (example: PE files that have extensions like “pif”, “bat”, or “cmd”)
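The three attributes in the list can be checked mechanically at a mail gateway or file server, provided the checker looks at both the displayed name and the first bytes of the content. The following is an added example and not code from the original post: it reports runs of spaces, multiple extensions (with a sharper finding when the last, real extension is executable), and a PE image (the “MZ” header) carrying a non-PE extension such as .pif, .bat or .cmd. The extension sets and all sample names are constructed for the example.

```python
import re

# Extensions Windows will execute directly (the "actual" extension the post warns about).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta", "msi", "dll"}
# Extensions whose content is legitimately a PE image (starts with the "MZ" header).
PE_EXTS = {"exe", "dll", "scr", "sys", "ocx", "cpl", "drv"}
# A token that looks like a file extension: short and alphanumeric.
EXT_TOKEN = re.compile(r"[a-z0-9]{1,5}")


def extension_tokens(name: str):
    """Split 'a.b.c' into its extension-like parts, ignoring whitespace padding around them."""
    parts = name.split(".")
    if len(parts) < 2:
        return []
    return [p.strip().lower() for p in parts[1:] if EXT_TOKEN.fullmatch(p.strip().lower())]


def check_file(name: str, header: bytes = b"") -> list:
    """Return the suspicious attributes (from the post's list) found on one file.

    name   -- the file name as shown to the user
    header -- the first bytes of the file content, if available (b"" if not)
    """
    findings = []
    exts = extension_tokens(name)

    # 1. Runs of spaces, used to push the real extension out of the visible area.
    if re.search(r" {4,}", name):
        findings.append("excessive_spaces")

    # 2. Two or more extensions; worse when the last (real) one is executable.
    if len(exts) >= 2:
        findings.append("double_extension_executable" if exts[-1] in EXECUTABLE_EXTS
                        else "double_extension")

    # 3. Content says PE ("MZ"), extension says something else (e.g. .pif, .bat, .cmd).
    if header.startswith(b"MZ") and exts and exts[-1] not in PE_EXTS:
        findings.append("pe_with_non_pe_extension")

    return findings


# Constructed sample (name, first bytes) pairs, not real files.
SAMPLES = [
    ("Q3 Report.pdf", b"%PDF-1.4"),
    ("Invoice.pdf.exe", b"MZ\x90\x00"),
    ("holiday photos.jpg                         .scr", b"MZ\x90\x00"),
    ("update.pif", b"MZ\x90\x00"),
    ("setup.exe", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for name, header in SAMPLES:
        print(f"{name!r}: {check_file(name, header) or 'clean'}")
```

Because only short alphanumeric tokens count as extensions, a name like "v3.5 notes.txt" is not reported as a double extension, which keeps the rule usable on real file shares. As the text says, none of these findings proves a file is malicious; they pick out the files worth a closer look.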

Detect TOR node certificate and IP ranges

We’ve seen a lot of attacks adopt the ability to use TOR to anonymize their activity, in order to make them untraceable or to make it difficult to inspect the network traffic, since it is fully encrypted. Finding this kind of activity in a network (unless TOR usage is expected) is a strong indicator of malicious activity and should be checked.

The easiest way to detect TOR traffic is by blacklisting TOR IP ranges. There are references available, such as the lists on Proxy.org.
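Matching connection logs against such a list is a small job once the list is parsed into network objects. The following is an added example and not code from the original post: it reads a blocklist in the usual one-entry-per-line text form (CIDR ranges or single addresses, with comments), collapses overlapping ranges, and reports every logged destination that falls inside one. The list contents, the log format and all addresses (RFC 5737 documentation ranges) are constructed for the example and are not real TOR nodes.

```python
import ipaddress
import re

# Constructed blocklist in the usual one-entry-per-line text form. The ranges are
# RFC 5737 documentation addresses standing in for a real TOR node list.
BLOCKLIST_TEXT = """
# constructed example list, not real TOR nodes
198.51.100.0/24
203.0.113.17          # single host
203.0.113.128/25
"""

# Constructed firewall/flow log lines: "<time> <src>:<sport> -> <dst>:<dport> <proto>"
SAMPLE_LOG = [
    "2014-09-14T18:37:02Z 10.0.0.5:51234 -> 198.51.100.7:9001 TCP",
    "2014-09-14T18:37:05Z 10.0.0.6:51235 -> 203.0.113.17:443 TCP",
    "2014-09-14T18:37:09Z 10.0.0.7:51236 -> 203.0.113.5:443 TCP",
    "2014-09-14T18:37:11Z 10.0.0.8:51237 -> 192.0.2.10:80 TCP",
    "2014-09-14T18:37:14Z 10.0.0.9:51238 -> 203.0.113.200:9030 TCP",
]

LOG_RE = re.compile(
    r"(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def load_blocklist(text: str):
    """Parse CIDR ranges and single addresses; '#' starts a comment."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            # strict=False tolerates host bits set in a range such as 10.1.2.3/24
            nets.append(ipaddress.ip_network(entry, strict=False))
    # Merge overlapping/adjacent ranges so each address is tested against fewer networks.
    return list(ipaddress.collapse_addresses(nets))


def find_blocklisted(lines, nets):
    """Return (timestamp, src, dst, matching range) for every destination on the list."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparsable line: skip rather than crash on a malformed record
        dst = ipaddress.ip_address(m["dst"])
        for net in nets:
            if dst in net:
                hits.append((m["ts"], m["src"], m["dst"], str(net)))
                break
    return hits


if __name__ == "__main__":
    for ts, src, dst, net in find_blocklisted(SAMPLE_LOG, load_blocklist(BLOCKLIST_TEXT)):
        print(f"{ts} {src} -> {dst} matches TOR range {net}")
```

Published TOR lists change daily, so the list has to be refreshed on a schedule and the matching rerun; a stale list is the usual reason this check goes quiet. Where TOR use is expected for some hosts, exclude those sources before alerting rather than dropping the check altogether.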

Detect Suspicious HTTP Requests

Seeing critical data like account credentials in plain text in network packets is suspicious, because such data are almost always encrypted by default. It is usually a sign of malware, or of the attackers themselves, trying to exfiltrate account details they’ve stolen from systems in the network. Examples of malware that we’ve seen do this are information stealers like SPYW_SATIFFE, TSPY_HCOREPWSTL, PWS.VB, and HKTL_PASSVIEW.
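A rule for this has to inspect the places a cleartext HTTP request can carry a credential: the query string, a Basic authentication header (base64 is encoding, not encryption) and a form-encoded POST body. The following is an added example and not code from the original post: it parses one cleartext HTTP request and reports which of those locations holds a credential-like parameter, returning only parameter names and the Basic-auth user name so the alert itself does not leak the secret. The parameter-name set and the sample requests (including the made-up host names and values) are constructed for the example.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Parameter names that commonly carry a secret in a form or query string.
CRED_KEYS = {"password", "passwd", "pass", "pwd", "secret"}


def _cred_keys_in(query: str):
    """Names of credential-like parameters present in an x-www-form-urlencoded string."""
    params = parse_qs(query, keep_blank_values=True)
    return sorted(k for k in params if k.lower() in CRED_KEYS)


def inspect_http_request(raw: bytes) -> list:
    """Report plaintext credentials in one cleartext HTTP request.

    Returns (finding, details) pairs. Only parameter names and the Basic-auth
    user name are reported, never the secret itself, so alerts can be logged safely.
    """
    findings = []
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_parts = lines[0].split(" ")
    if len(request_parts) < 2:
        return findings  # not an HTTP request line
    method, target = request_parts[0], request_parts[1]

    headers = {}
    for h in lines[1:]:
        if ":" in h:
            k, v = h.split(":", 1)
            headers[k.strip().lower()] = v.strip()

    # Credentials in the URL query string (e.g. GET /x?user=..&pass=..)
    keys = _cred_keys_in(urlsplit(target).query)
    if keys:
        findings.append(("credential_in_query_string", keys))

    # HTTP Basic authentication: base64(user:password), trivially reversible
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:].strip(), validate=True).decode("latin-1")
            findings.append(("basic_auth_in_clear", [decoded.split(":", 1)[0]]))
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append(("basic_auth_undecodable", []))

    # Credentials in a form-encoded POST body
    if method == "POST" and "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        keys = _cred_keys_in(body.decode("latin-1"))
        if keys:
            findings.append(("credential_in_form_body", keys))

    return findings


# Constructed sample requests (not captured traffic). Hosts and values are made up.
SAMPLE_REQUESTS = [
    b"GET /news HTTP/1.1\r\nHost: www.example\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"username=alice&password=Secret1",
    b"GET /api/report HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Authorization: Basic YWxpY2U6U2VjcmV0MQ==\r\n\r\n",
    b"GET /gate.php?id=42&user=bob&pass=hunter2 HTTP/1.1\r\nHost: 203.0.113.50\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.split(b"\r\n", 1)[0].decode(), "->", inspect_http_request(req) or "nothing found")
```

The check only applies to traffic the sensor can read, which is the point of the rule: credentials that should have travelled inside TLS are showing up where they can be read. The hits to chase first are outbound requests from workstations to hosts that are not the organisation’s own login services, since that is the exfiltration pattern the information stealers named above produce.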

Like I mentioned earlier, these rules are not all-encompassing. There are many other rules that IT administrators can implement in their network to proactively protect it from threats. The key here, though, is being able to identify possible anomalies in the network, which can only be done if the network’s “normal” is defined as well.

Here are our other posts that aim to help IT administrators secure their network:

  • Network Vulnerabilities IT Admins Can Use to Protect Their Network
  • 7 Places to Check for Signs of a Targeted Attack in Your Network
  • Common Misconceptions IT Admins Have on Targeted Attacks

Also, to learn more on targeted attacks as well as other best practices, check our Threat Intelligence Resources for Targeted Attacks.

Tags: APT, network security, ports, protocols, targeted attacks
