Sometimes you cannot trust your own defenses, especially if you properly assume that your network has been compromised.
All IDS/IPS appliances have the same weakness: they rely on what is known and rarely on some basic behavior analysis. But when an attacker uses a new technique (which happens quite often) it will pass as a legitimate traffic. In such cases you need to rely on someone with an eye on the criminal networks, someone, who sees malicious traffic from the attackers end.
In such cases you should use services such as ShadowServer – https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork
They monitor malicious networks from multiple locations and can alert you if they see traffic from your network leaving towards a botnet command & control server, for example.
Some security software vendors will charge you 5-digit prices per year for “appliances” which basically do the same thing – ShadowServer does it for free as a community service.
As per their website:
The reporting service monitors and alerts the following activity:
- Detected Botnet Command and Control servers
- Infected systems (drones)
- DDoS attacks (source and victim)
- Scans
- Clickfraud
- Compromised hosts
- Compromised websites
- Proxies
- Spam relays
- Open DNS Resolvers
- Malicious software droppers and other related information.
Setting up an arrangement with this non-profit organization is really simple. All you need to do is get your ASN from your network administrator and send them an email, as per the above link’s instruction (hopefully by the time you read this book the service is still available).
If you find this service useful, please consider donating. They’re not even asking for it – which is an even better incentive for you to be generous to such a good service.
Another useful service is Have I been Pwned:
As the name implies, this service monitors sites such as PasteBin for information containing your domain, e-mail addresses, etc. – and as soon as it detects a ‘leak’ you will get notified via e-mail. When signing up, you will need to confirm your domain ownership – so coordinate on that with your IT team.
Other external monitoring services:
http://www.google.com/safebrowsing/alerts/ (need your own AS)Safe Browsing Alerts for Network Administrators allows autonomous system (AS) administrators to register to receive Google Safe Browsing notifications. The goal is to provide network administrators with information of malicious content that is being hosted on their networks.
- Team CymruTC Console – https://www.team-cymru.org/Services/TCConsole – no cost, *in most cases* (more info: https://www.team-cymru.org/Services/TCConsole/tcconsole_trifold.pdf ) It is a good collaboration platform, if you collaborate it will be free for you.
- https://postmaster.live.com/snds/index.aspx – detect data coming from their network towards your network after verifying your AS. “By providing data such as mail traffic statistics seen by Windows Live Hotmail to IP block owners (ISPs, in a broad sense), organizations are empowered to prevent spam, viruses, and other malicious activity from originating from their IP space.”
- https://spyeyetracker.abuse.ch/index.php – mostly check your IP addresses / domains for c&ctraffic towards c&cservers. Interesting statistic: Average SpyEyebinary Antivirus detection: 27.94%
- https://www.team-cymru.org/Services/BINFeed/ -for banks and financial institutions, showing if malicious traffic or leaked data on the Dark Nets contains any data related to that specific bank (must be your bank, you cannot monitor 3rd party organizations).