Network Aware, Business Secure

Michael Patterson




How to Detect Flame: Host Reputation

The Flame threat is essentially a virtual, digitized spy tool that does what a human spy would do: recording phone calls, snapping photos, and siphoning off information. Often the traffic it sends to the internet is initiated by the infected host itself, so it slides right past even next-generation firewalls. How can it be detected?

First, we should outline how this infection is spread.

“The emails are often tailored for specific victims and contain malicious attachments that are almost always “weaponized” .PDF files with known exploits that drop malware executables onto targeted systems. In addition, the IXESHE attackers conducted two specific attacks that leveraged zero-day exploits—one in 2009 and another in 2011.” Trend Micro

Jimmy Ray Purser does a great job explaining PDF exploits in a YouTube video.

Once the threat is underway, most sophisticated malware employs stronger encryption, but the trade-off for the attacker is that its traffic can trigger a red flag at the network layer. Flame’s creators either used easily cracked encryption to camouflage the attack, or it could be a function of the size of the overall code… says Lance James, Director of Intelligence at Vigilant

Detecting Flame Malware

“They didn’t want you to detect that they were hiding anything. They wanted to look like common data,”

It is becoming clear that the question of "how to detect Flame", or similar malware such as Advanced Persistent Threats, isn't answered by a new firewall, antivirus, or intrusion detection system (IDS). This is because it is a type of malware that usually can't be identified by digital signatures. In this case, one of the best detection methods is the combination of IP host reputation systems and NetFlow collection. Comparing the source and destination IP address of every flow against a host reputation database is another layer of security that can help detect Flame and other threats of this kind.
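The check described above, written out as an added example that is not part of the original post or of any Plixer product: each exported flow record is parsed, both endpoints are looked up against a reputation table, and outbound bytes to flagged destinations are totalled per internal host. The flow export format, the reputation entries and the IP addresses are all constructed for the example (RFC 5737 documentation ranges stand in for "bad" hosts); a real deployment would pull its reputation data from a maintained feed and its flows from the collector.

```python
"""Match NetFlow endpoints against a host reputation table (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed reputation table: network -> category.  These are documentation
# ranges used as placeholders, not real indicators of compromise.
REPUTATION = {
    "198.51.100.0/24": "malware-c2",
    "203.0.113.7/32": "known-bad",
}

# Constructed flow export (src,dst,dport,bytes); hypothetical, not captured data.
SAMPLE_FLOWS = """\
# src,dst,dport,bytes
10.0.0.5,198.51.100.23,443,48213
10.0.0.9,192.0.2.10,443,1820
10.0.0.5,198.51.100.23,443,61007
203.0.113.7,10.0.0.5,8080,512
10.0.0.12,192.0.2.44,80,900
"""


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


def load_reputation(entries=REPUTATION):
    """Compile the textual table into ip_network objects for containment tests."""
    return [(ipaddress.ip_network(net), cat) for net, cat in entries.items()]


def lookup(ip, table):
    """Return the reputation category for ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net, cat in table:
        if addr in net:
            return cat
    return None


def parse_flow(line):
    """Parse one CSV flow record of the constructed export format."""
    src, dst, dport, nbytes = line.strip().split(",")
    return Flow(src, dst, int(dport), int(nbytes))


def score_flows(lines, entries=REPUTATION):
    """Check both endpoints of every flow; return one alert per reputation hit."""
    table = load_reputation(entries)
    alerts = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        for role, ip in (("src", flow.src), ("dst", flow.dst)):
            cat = lookup(ip, table)
            if cat is not None:
                # The non-flagged endpoint is the host we want to investigate.
                host = flow.dst if role == "src" else flow.src
                alerts.append({"host": host, "role": role, "ip": ip,
                               "category": cat, "bytes": flow.nbytes})
    return alerts


def summarize_outbound(alerts):
    """Total bytes each internal host sent to flagged destinations."""
    totals = {}
    for a in alerts:
        if a["role"] == "dst":
            totals[a["host"]] = totals.get(a["host"], 0) + a["bytes"]
    return totals


if __name__ == "__main__":
    hits = score_flows(SAMPLE_FLOWS.splitlines())
    for a in hits:
        print(f"{a['host']} <-> {a['ip']} ({a['category']}, {a['role']}) {a['bytes']} B")
    print("outbound to flagged hosts:", summarize_outbound(hits))
```

Run it as a script to see the three hits in the sample data: two outbound flows from 10.0.0.5 to a listed C2 range and one inbound connection from a listed address. Per-host outbound byte totals are what make the siphoning pattern visible; a single small flow to a bad address is easy to dismiss, a steady volume to the same destination is not.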

Network monitoring solutions should include host reputation in their regular threat detection routines. Make sure you ask for it in your next threat detection solution.


More Stories By Michael Patterson

Michael Patterson, is the founder & CEO of Plixer and the product manager for Scrutinizer NetFlow and sFlow Analyzer. Prior to starting Somix and Plixer, Mike worked in a technical support role at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix and Plixer.