Reactive Security Measures

As much as I would like to be as proactive as possible when it comes to network security, all too many times I am in reactive mode. For example, I just received a nicely done email from a Facebook pal telling me to go look at a YouTube video. Hey man, I am always up for a good laugh, especially in the middle of a mind-numbingly boring conf call discussing PowerPoint font types or something like that. However, the link looked a little different, so I sandboxed it and sure enough, it was a redirector to a site in Poland. As the conf call got dimmer and dimmer in my focus, I shifted into reversing mode!! Sure enough, setup.exe was a variant of Koobface. A few twists and turns, but it was good ole Koobface.

Bots are really tough to keep track of. Their Achilles' heel has always been their bi-directional communication with a Command and Control server somewhere. I am a big believer in mining and correlating your current data to find answers on your network. With that in mind, I have been running the program Bot Hunter for a while now: http://www.bothunter.net. Bot Hunter is a free program for tracking bots on your network, but it is NOT open source, although it uses the Snort 2 correlation engine. They are using the information-harvesting method to keep their databases current by rolling up reports from your (and many other) engines to the SRI servers in California. So it needs a couple of ports open to communicate back and forth to stay current. On my network, I implemented a port knocking methodology and it worked just fine. I'm weird about opening ports on my firewall also...

Anyway, Bot Hunter works by monitoring the evidence trail of a bot communicating with a C&C server. It is designed as a reactive solution installed behind your firewall on a monitoring port/passive TAP. It sits there monitoring your internal devices for the multi-faceted bi-directional communication between the compromised host and the bot herder.
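To make the evidence-trail idea concrete, here is an added Python sketch (my own illustration, not BotHunter's code or its actual rule set) that groups Snort-style alerts by internal host and only declares a bot when several distinct dialog phases show up within one time window; the phase labels, the 15-minute window and the sample alert lines are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real traffic), one per line:
# timestamp  internal-host  phase  free-text detail
SAMPLE_ALERTS = """\
2009-06-01T10:00:01 10.0.0.5 EGG_DOWNLOAD  GET /setup.exe from external host
2009-06-01T10:00:40 10.0.0.5 CNC_TRAFFIC   HTTP beacon to suspected controller
2009-06-01T10:02:10 10.0.0.5 OUTBOUND_SCAN 40 SYNs to TCP/445 in 10s
2009-06-01T10:05:00 10.0.0.9 OUTBOUND_SCAN 12 SYNs to TCP/445 in 10s
2009-06-01T11:30:00 10.0.0.7 CNC_TRAFFIC   single beacon, nothing else seen
"""

# Dialog phases this example recognises (labels are this example's own).
PHASES = {"INBOUND_EXPLOIT", "EGG_DOWNLOAD", "CNC_TRAFFIC", "OUTBOUND_SCAN"}


def parse_alerts(text):
    """Return (time, host, phase) tuples, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3 or parts[2] not in PHASES:
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return events


def correlate(events, window=timedelta(minutes=15), min_phases=2):
    """Flag a host only when >= min_phases distinct dialog phases fall inside
    one sliding window; a lone alert never produces a verdict by itself."""
    by_host = defaultdict(list)
    for t, host, phase in events:
        by_host[host].append((t, phase))
    verdicts = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            seen = {p for t, p in evs[i:] if t - start <= window}
            if len(seen) >= min_phases:
                verdicts[host] = sorted(seen)
                break
    return verdicts


if __name__ == "__main__":
    for host, phases in correlate(parse_alerts(SAMPLE_ALERTS)).items():
        print(host, "->", ", ".join(phases))
```

Run against the sample, only 10.0.0.5 is reported; the single scan from 10.0.0.9 and the lone beacon from 10.0.0.7 stay as raw alerts, which is the difference between a pile of IDS messages and a correlated verdict.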
Unlike the useless slew of messages that many IPS systems produce, Bot Hunter has a nice analytical process to correlate bot communications with a high degree of accuracy, so your false pos count is low considering what it is monitoring. To test this, run Bot Hunter and Snort next to each other and look at the results. Very different. I run this product on a FreeBSD server and of course had some Java issues, but who doesn't these days? I switched over to the Sun JRE from my old fav, gij, and we're back on track. I admit, I was a little disappointed at first that I could not use NetFlow info to gather this type of information (I am not a fan of TAPs and monitor ports), but after messin' around with the product I could see why that would not have been as accurate as the analytical correlation process they currently have. This is a nice product to have on your network. It could still use a few more features like email alerts, but again, reactive is sometimes passive... however, it has been very good at catching compromised machines on my networks.

So I am wondering... what are y'all using on your networks for reactive security these days? Is proactive security a marketing term? Sure seems like it more and more to me. Excuse me, my time to speak up on this call: "Yes, I agree Sans-Serif is the font to use..."

Jimmy Ray Purser

Trivia File Transfer Protocol

Not once or twice but four separate times, in October 1987 and February 1988, Brits watched in amazement as small pink frogs rained down from the sky in different areas of Great Britain. This freaked out scientists because not only did they have no idea why, but some of the frogs actually came from the Sahara desert!! If that doesn't make you turn tail and head back into the pub, I am not sure what does!
