Malicious Node Investigation

Overview:

Every day, illicit activity can take place within a network. Basic alerts can be used to establish the timeline of these events; however, companies can leverage their existing capture repository to “dig deeper” into a particular event. Tools such as PureInsight allow the user to visualize potentially malicious nodes (as indicated by the Talos Intelligence IP Reputation Index) and their peers to determine whether they have been compromised.

During a routine network performance inspection, a large enterprise found several malicious IP nodes in its network. It determined that over 100K IP peers had been affected by these malicious nodes. There was no way to readily create a report containing 100K IP peers and to visualize and drill down into the data.

The Problem:

  • Potentially malicious IP addresses are always present in networks; there needs to be a way to make it obvious to the user where they are in the network.

  • There needs to be a way to find a full record of the exchange between a potentially malicious node and its peers within the internal network. In addition, existing tools do not allow users to export a list of the 100K nodes that were affected.

  • There is no quick way to visualize and compile a list of affected peers and port numbers, or to obtain a PCAP record that can be fully decoded with external tools such as Wireshark.

The Solution:

  • PureInsight allows the user to easily discover potentially malicious IP nodes even if they are not actively looking for them.

  • PureInsight allows the user to “drill down” into the malicious IP and determine the list of peers and protocols/ports used. This is designed to handle thousands of peers (tested to 400k) and protocols/ports.

  • PureInsight allows multiple PCAP sources to be combined into a single output, so it can display data from multiple network perspectives, such as the internal network, edge devices, and public domain devices.

Workflow:

1. Run Search

  • A grid graph appears while a search is running.

  • Interactive Search can be used to categorize captured traffic data based on IP addresses, port numbers, protocols, and regular expressions. You can visualize the network traffic as a Nodal Graph with details of each node displayed.

2. Potentially Malicious Node is Highlighted in Red

  • Potentially malicious nodes are highlighted as a red blur.

  • Switching to the list view displays a hyperlink to talosintelligence.com on the potentially malicious IP address.

4. View the Talos Intelligence Website for Further Node Information

  • You can check the reputation of an IP address.

5. Switch Layout (Nodal View)

  • Double-clicking on a malicious node fills in the inline search with its IP address.

6. Double Click on Node to Isolate

  • Double-clicked nodes show all neighboring nodes and links in green.

7. Find out Peers

  • After the search is completed, you can see the node's peers.

8. Packet Viewer Check for Plaintext Content

  • Click on Packet Viewer to see packet information. As shown above, HTTP-related data was found in the packet information.

9. HTTP Reports

  • Go to HTTP Reports and select the previous output file as the input file. HTTP Reports show many 404 response errors.

  • HTTP Reports clearly list the number of timeouts and errors in the network.

10. Use Payload Expr. to search HTTP-relevant data

  • Use Payload Expr. to search HTTP-relevant data. bad_bot_extract is seen many times in the packet information.

11. Use Payload Expr. to search relevant data

  • Use Payload Expr. to search relevant data. You can see that all packets on the list contain bad_bot_extract.

12. Login to the affected unit and attempt to remediate

  • Security engineers and network engineers can check server status based on these reports.
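
The peer/port listing, 404 count and payload search from the workflow above can be cross-checked outside the tool on exported flow records. The following Python is an added example, not PureInsight code; the tab-separated layout, the sample addresses and the function names are assumptions constructed for illustration, and only the bad_bot_extract marker comes from this page.

```python
from collections import defaultdict

# Constructed sample export, tab-separated (the layout is an assumption):
# src, dst, proto, dst_port, http_status, payload
# Addresses come from documentation ranges; 203.0.113.50 plays the flagged node.
SAMPLE = (
    "10.0.0.5\t203.0.113.50\tTCP\t80\t\tGET /bad_bot_extract?id=1 HTTP/1.1\n"
    "203.0.113.50\t10.0.0.5\tTCP\t51544\t404\tHTTP/1.1 404 Not Found\n"
    "10.0.0.9\t203.0.113.50\tTCP\t80\t\tGET /bad_bot_extract?id=2 HTTP/1.1\n"
    "203.0.113.50\t10.0.0.9\tTCP\t51620\t404\tHTTP/1.1 404 Not Found\n"
    "10.0.0.9\t203.0.113.50\tTCP\t443\t\t\n"
    "10.0.0.7\t198.51.100.20\tUDP\t53\t\t\n"
)

def summarize(export_text, flagged_ip, marker):
    """Return (peers, http_404_count, marker_hits) for flows touching flagged_ip.

    peers maps each peer IP to the sorted (proto, port) services it contacted
    on the flagged node; a peer seen only in responses maps to an empty list.
    """
    peers = defaultdict(set)
    http_404 = marker_hits = 0
    for line in export_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # skip malformed rows rather than guessing at columns
        src, dst, proto, port, status, payload = fields
        if flagged_ip not in (src, dst):
            continue  # flow does not involve the flagged node
        peer = dst if src == flagged_ip else src
        services = peers[peer]  # registers the peer even with no service seen
        if dst == flagged_ip and port.isdigit():
            services.add((proto, int(port)))
        http_404 += status == "404"
        marker_hits += marker in payload
    return {p: sorted(peers[p]) for p in sorted(peers)}, http_404, marker_hits

def peers_to_csv(peers):
    """Flatten the peer map into CSV text suitable for a report."""
    rows = ["peer,proto,port"]
    for peer, services in peers.items():
        rows += [f"{peer},{proto},{port}" for proto, port in services]
    return "\n".join(rows)

if __name__ == "__main__":
    peers, n404, hits = summarize(SAMPLE, "203.0.113.50", "bad_bot_extract")
    print(peers_to_csv(peers))
    print(f"404 responses: {n404}, packets containing marker: {hits}")
```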