NetWitness NextGen can detect compromised endpoints on your network by spotting connection attempts to known Command and Control (C&C) servers, including the attempts your firewall or smart proxy is already blocking. The same holds when known C&C hosts get blackholed: the bots keep trying to call home, and those attempts are visible on the wire even though they never complete. Here's how you do it.
- Step 1: Deploy a Zero Payload rule. Create a rule on the decoders to identify packets that carry zero payload. Name the rule "Zero Payload", with the rule contents simply "payload=0". Deselect the option to stop rule processing, and set the rule to alert into the Alert meta field. Packets like this are typically TCP SYNs, i.e. connection attempts that never got far enough to carry data.
- Step 2: Create an Informer chart. Create a chart in Informer that looks for instances of this rule firing against destination IP addresses that are listed in your 3rd party threat feed lists. The rule for this chart should be
ip.dst WHERE alert='zero payload' && org.dst exists && org.dst != '$goodorgs' && threat.source exists && threat.source!='netwitness'
Turn that rule into a chart and track the top 15 items. The threat.source!='netwitness' clause keeps the chart to destinations that came from your 3rd party feeds, and $goodorgs is the whitelist you build in Step 3.
- Step 3: Create your whitelist of known good destination organizations. As you investigate the results of this chart and rule, you will invariably find trusted destinations: Google, a host in a common CDN, and so on. Add those destination organizations to the whitelist ($goodorgs) referenced in the rule of Step 2, so the chart stays focused on destinations that really are suspect.
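To make the three steps concrete, here is the same logic written out in Python as an added example; it is not NetWitness code and not part of the original post. It applies the Step 1 decoder rule to a handful of constructed meta records, filters them with the Step 2 chart rule (including the $goodorgs whitelist from Step 3), builds the top-N destination chart, and lists the internal sources an IR team would pull. The sample records, the feed names and the whitelist contents are all invented for illustration.

```python
from collections import Counter

# Constructed sample of per-packet meta, NOT real NetWitness decoder output:
# each record carries ip.src, ip.dst, the payload size, org.dst (None when the
# decoder produced no organisation meta) and threat.source (None when the
# destination is not on any threat feed). Values are illustrative only.
SAMPLE_META = [
    {"ip.src": "10.0.1.15", "ip.dst": "198.51.100.23", "payload": 0,
     "org.dst": "example-hosting", "threat.source": "feed-a"},
    {"ip.src": "10.0.1.15", "ip.dst": "198.51.100.23", "payload": 0,
     "org.dst": "example-hosting", "threat.source": "feed-a"},      # repeat: a retry from the same host
    {"ip.src": "10.0.1.22", "ip.dst": "203.0.113.9", "payload": 0,
     "org.dst": "example-isp", "threat.source": "feed-b"},
    {"ip.src": "10.0.1.30", "ip.dst": "203.0.113.50", "payload": 0,
     "org.dst": "google", "threat.source": "feed-a"},              # whitelisted org (Step 3)
    {"ip.src": "10.0.1.40", "ip.dst": "198.51.100.77", "payload": 512,
     "org.dst": "example-hosting", "threat.source": "feed-a"},     # carried data: not a zero-payload hit
    {"ip.src": "10.0.1.41", "ip.dst": "198.51.100.80", "payload": 0,
     "org.dst": None, "threat.source": "feed-a"},                  # org.dst missing
    {"ip.src": "10.0.1.42", "ip.dst": "198.51.100.81", "payload": 0,
     "org.dst": "example-hosting", "threat.source": "netwitness"}, # excluded by threat.source!='netwitness'
    {"ip.src": "10.0.1.43", "ip.dst": "198.51.100.82", "payload": 0,
     "org.dst": "example-hosting", "threat.source": None},         # not on any feed
]

# The Step 3 whitelist, i.e. the $goodorgs list from the chart rule (assumed contents).
GOOD_ORGS = {"google", "akamai"}


def apply_zero_payload_rule(rec):
    """Step 1: the decoder rule 'payload=0' writes 'zero payload' into the alert meta."""
    alerts = set(rec.get("alert", ()))
    if rec.get("payload") == 0:
        alerts.add("zero payload")
    return {**rec, "alert": alerts}


def chart_rule_matches(rec, goodorgs):
    """Step 2: ip.dst WHERE alert='zero payload' && org.dst exists
    && org.dst != '$goodorgs' && threat.source exists && threat.source!='netwitness'."""
    return (
        "zero payload" in rec.get("alert", ())
        and rec.get("org.dst") is not None
        and rec["org.dst"] not in goodorgs
        and rec.get("threat.source") is not None
        and rec["threat.source"] != "netwitness"
    )


def top_destinations(records, goodorgs, n=15):
    """The chart itself: count matching ip.dst values and keep the top n."""
    hits = (apply_zero_payload_rule(r) for r in records)
    counts = Counter(r["ip.dst"] for r in hits if chart_rule_matches(r, goodorgs))
    return counts.most_common(n)


def suspect_sources(records, goodorgs):
    """The IR view: which internal hosts are trying to reach the flagged destinations."""
    by_src = {}
    for r in map(apply_zero_payload_rule, records):
        if chart_rule_matches(r, goodorgs):
            by_src.setdefault(r["ip.src"], set()).add(r["ip.dst"])
    return {src: sorted(dsts) for src, dsts in sorted(by_src.items())}


if __name__ == "__main__":
    for dst, count in top_destinations(SAMPLE_META, GOOD_ORGS):
        print(f"{dst:16} {count} zero-payload attempts")
    for src, dsts in suspect_sources(SAMPLE_META, GOOD_ORGS).items():
        print(f"pull {src} for IR: reaching for {', '.join(dsts)}")
```

Note how each of the four exclusions in the chart rule removes one of the constructed records: the whitelisted org, the packet that carried data, the record with no org.dst, and the destination that came only from the netwitness feed. Only the two hosts beaconing at feed-listed destinations survive, which is exactly the population the chart is meant to surface.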
When deployed in the field, I typically see several connection attempts to known bad destinations. And since it is a chart, you will also see the timed pattern of the traffic. What this usually represents is a compromised source IP address attempting to connect to a blocked or blackholed destination, or orphaned malware trying to call home. Those sources should be pulled from the network for re-imaging or a similar internal IR process.
The Informer dashboard below shows all botnet activity in an organization. The stacked charts on the left show the zero payload activity broken out by three distinct meta elements: destination IP, destination organization and destination country. Taken together, an analyst can instantly understand all of the meta surrounding the zero payload packets attempting to leave the organization.
Notice the distinct orange beaconing pattern to 41.168.5.140? According to a simple Google search, this activity is associated with a malicious PDF trojan; the link takes you to Wepawet's analysis of the malware. We didn't see the initial infection, but it is clear the source IP is compromised and needs remediation.
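The evenly spaced bars that make a beacon stand out on the chart can also be checked numerically. The following is an added example, not part of the original post and not NetWitness code: given the times at which the zero payload rule fired for one source/destination pair, it computes the median retry period and the worst-case deviation from it, and calls the pair a beacon when enough hits fall on a regular cadence. Both timestamp lists are constructed, and the thresholds (five hits, 20% jitter) are assumptions to tune per site.

```python
from statistics import median

# Constructed timestamps (seconds) at which the 'zero payload' chart rule fired
# for one ip.src/ip.dst pair. Not data from the dashboard described above.
BEACON_TS = [0, 302, 598, 903, 1199, 1501, 1797, 2102]   # ~5 min cadence with small jitter
NOISE_TS = [0, 15, 600, 650, 2000, 2010]                  # irregular, human-looking gaps


def beacon_profile(timestamps):
    """Return the inter-arrival profile of one source/destination pair.

    period = median gap between consecutive attempts (seconds)
    jitter = largest deviation from that period, as a fraction of the period
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if not gaps:
        return {"hits": len(ts), "period": None, "jitter": None}
    period = median(gaps)
    # A zero period means duplicate timestamps (e.g. SYN retransmits in the
    # same second); treat that as unmeasurable rather than dividing by zero.
    jitter = max(abs(g - period) for g in gaps) / period if period else float("inf")
    return {"hits": len(ts), "period": period, "jitter": jitter}


def looks_like_beacon(timestamps, min_hits=5, max_jitter=0.2):
    """A regular retry cadence over enough samples is what shows up as the
    evenly spaced bars in the chart. Thresholds are assumed; tune them per site."""
    p = beacon_profile(timestamps)
    return p["hits"] >= min_hits and p["period"] is not None and p["jitter"] <= max_jitter


if __name__ == "__main__":
    for name, ts in (("beacon", BEACON_TS), ("noise", NOISE_TS)):
        p = beacon_profile(ts)
        print(f"{name}: hits={p['hits']} period={p['period']}s "
              f"jitter={p['jitter']:.2f} beacon={looks_like_beacon(ts)}")
```

Using the median rather than the mean keeps one long outage or a burst of retransmits from dragging the period around, and the minimum hit count stops a pair with two or three coincidentally spaced attempts from being flagged. Orphaned malware whose C&C is blackholed tends to score very low jitter, because nothing ever answers and the retry timer alone drives the cadence.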
The right-hand stack of charts shows our botnet parsers detecting Qakbot payloads going to a known bad destination. With both stacks of charts on the dashboard, an analyst has instant, real-time access to the enterprise's botnet activity, whether or not a payload was ever sent.