External Network Monitoring Services

Sometimes you cannot trust your own defenses, especially if you rightly assume that your network has already been compromised.

Signature-based IDS/IPS appliances all share the same weakness: they rely on what is already known and only rarely on behavior analysis. When an attacker uses a new technique (which happens quite often), the traffic passes as legitimate. In such cases you need someone with an eye on the criminal networks, someone who sees the malicious traffic from the attacker's end.

Services such as ShadowServer fill that gap:

https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork

They monitor malicious networks from multiple locations and can alert you if they see traffic from your network leaving towards a botnet command & control server, for example.

Some security software vendors will charge you 5-digit prices per year for “appliances” which basically do the same thing – ShadowServer does it for free as a community service.

As per their website:

The reporting service monitors and alerts the following activity:

  • Detected Botnet Command and Control servers
  • Infected systems (drones)
  • DDoS attacks (source and victim)
  • Scans
  • Clickfraud
  • Compromised hosts
  • Compromised websites
  • Proxies
  • Spam relays
  • Open DNS Resolvers
  • Malicious software droppers and other related information.

Setting up an arrangement with this non-profit organization is really simple. All you need to do is get your ASN from your network administrator and send them an email, as per the above link’s instruction (hopefully by the time you read this book the service is still available).
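Reports like these arrive per ASN, so the first thing a practitioner wants is to check each reported address against the prefixes the organization actually holds, drop anything outside that space (allocations change, and a report for a prefix you no longer announce is noise), collapse repeated sightings of the same host, and skip malformed rows rather than crash on them. The following Python script is an added example and is not code from the book or from ShadowServer; the CSV layout (timestamp, ip, category, detail), the prefixes and the sample rows are all constructed for illustration and are not ShadowServer's real report schema.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed example: the prefixes you announce under your ASN.
# These are RFC 5737 documentation ranges; substitute your own.
OWN_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed sample report. The columns are a hypothetical generic layout
# (timestamp, ip, category, detail) and NOT ShadowServer's actual schema.
# 198.51.100.200 is deliberately outside 198.51.100.0/25, and the last row
# carries an unparsable address, to exercise the filtering below.
SAMPLE_REPORT = """timestamp,ip,category,detail
2014-03-02T10:15:00Z,203.0.113.17,botnet_drone,c2=198.51.100.250:6667
2014-03-02T10:16:12Z,203.0.113.17,botnet_drone,c2=198.51.100.250:6667
2014-03-02T11:02:44Z,198.51.100.200,open_resolver,udp/53 answered recursive query
2014-03-02T11:40:09Z,198.51.100.9,spam_relay,smtp relay test accepted
2014-03-02T12:00:00Z,192.0.2.55,scanner,tcp/22
2014-03-02T12:30:00Z,not-an-ip,scanner,tcp/445
"""


def owning_prefix(ip, prefixes):
    """Return the first prefix containing ip, or None if it is not ours."""
    return next((net for net in prefixes if ip in net), None)


def triage(report_text, prefixes=OWN_PREFIXES):
    """Split report rows into hosts we own and everything else.

    Returns a dict with:
      "ours":      {category: {ip: [timestamps, ...]}} for addresses inside prefixes
      "foreign":   number of rows about addresses outside our prefixes
      "malformed": number of rows whose ip field did not parse
    """
    ours = defaultdict(lambda: defaultdict(list))
    foreign = 0
    malformed = 0
    for row in csv.DictReader(io.StringIO(report_text)):
        try:
            ip = ipaddress.ip_address(row["ip"].strip())
        except ValueError:
            malformed += 1  # keep going; one bad row must not hide the rest
            continue
        if owning_prefix(ip, prefixes) is None:
            foreign += 1  # not our space any more (or never was): do not chase it
            continue
        ours[row["category"]][str(ip)].append(row["timestamp"])
    return {
        "ours": {cat: dict(hosts) for cat, hosts in ours.items()},
        "foreign": foreign,
        "malformed": malformed,
    }


def summary_lines(result):
    """Render the triage result as one line per (category, host) for a ticket."""
    lines = []
    for cat in sorted(result["ours"]):
        for ip in sorted(result["ours"][cat], key=ipaddress.ip_address):
            seen = result["ours"][cat][ip]
            lines.append(f"{cat}: {ip} seen {len(seen)}x, first {seen[0]}, last {seen[-1]}")
    lines.append(f"ignored: {result['foreign']} foreign rows, {result['malformed']} malformed rows")
    return lines


if __name__ == "__main__":
    for line in summary_lines(triage(SAMPLE_REPORT)):
        print(line)
```

The script keeps the C2 detail untouched in the original rows; what matters for triage is which of your hosts is talking to a known C2 and when, since that host (203.0.113.17 in the constructed sample) is the one your incident response process should isolate and image first.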

If you find this service useful, please consider donating. They’re not even asking for it – which is an even better incentive for you to be generous to such a good service.

Another useful service is Have I been Pwned:

https://haveibeenpwned.com/

This service aggregates publicly disclosed credential dumps and also monitors paste sites such as Pastebin for addresses under your domain; as soon as one of your addresses turns up in a new breach or paste, you are notified by e-mail. Subscribing for a whole domain (rather than a single address) requires you to prove domain ownership, so coordinate that step with your IT team.

Other external monitoring services:

http://www.google.com/safebrowsing/alerts/ (requires your own AS)

Safe Browsing Alerts for Network Administrators allows autonomous system (AS) administrators to register to receive Google Safe Browsing notifications. The goal is to provide network administrators with information about malicious content that is being hosted on their networks.