Fatal attack or false alarm? What your web traffic reveals about intruders

Tatyana Shishkova , Malware Analyst , Kaspersky

Alexey Vishnyakov , Senior Malware Analyst , Kaspersky

Protection of the corporate network is vital for any company. Infection of a workstation cannot always be promptly detected by File Anti-Virus (which can also be turned off). Blocking malicious domains and the IP addresses of servers belonging to criminals is also not always effective, as the addresses are constantly changing. But most malicious programs (spyware, backdoors, miners, etc.) communicate with servers using specific web requests, and the infected computer can be detected by scanning traffic on the corporate network. This approach will not prevent an attack, but an alert about a possible infection will be displayed and the malicious object can be eliminated with minimal damage.

Different network intrusion detection systems (NIDS) can be used to monitor network traffic. During the past year we discovered many cases of attempted infection among our corporate customers (financial organizations, governmental entities, oil companies, etc.) using the open-source NIDS’s Snort and Suricata.

In our presentation, we will talk about the methodology for detecting malicious network traffic. We will share our experience of discovering infected machines in corporate networks by intercepting web traffic, speak about important parts of traffic that you should pay attention to in order to detect malicious activity and avoid false alarms, and show step-by-step how to write effective IDS rules for various protocols for a given traffic dump.

We will show how to implement these, starting with the simplest methods of detecting malicious traffic by known indicators of compromise, before moving on to general patterns and the detection of malicious network activity if the network behavior of a malicious object has been changed. We will look at the network activity of miners and bots, and the use of TOR and dynamic DNS services in the context of the corporate network – it is unlikely that accessing the TOR network from a workstation or mining cryptocurrency is common practice in a corporate network. Everything will be supported by examples of real traffic, including false alarms.

Tatyana Shishkova

Graduated from Lomonosov Moscow State University, studied at Eberhard Karls University of Tübingen. Malware analyst at Kaspersky Lab, has been working in the company since 2013. Specializes in network intrusion detection. Spoke at PHDays (Moscow, Russia) and OverDrive (Girona, Spain) conferences.

Alexey Vishnyakov

Graduated from the National Research Nuclear University MEPhI in 2015. A senior malware analyst in the Shift AV Group at Kaspersky Lab. One of his activities is an express analysis of malicious objects and detection of network traffic. Spoke at PHDays conference (Moscow, Russia).