One of Cisco’s research units, Cisco Cognitive Intelligence, which grew out of the acquisition of the Czech company Cognitive Security many years ago, found that many malicious browser plug-ins have unique characteristics that can be detected and monitored through analysis of network traffic. The only difference from the three cases examined earlier (leak detection, malicious code, and the DNSpionage campaign) is that to detect plug-ins that inject adverts for the adversaries’ profit, or that leak your data, you either have to do a great deal of research yourself (we spent about a year analyzing several thousand plug-ins to identify and describe their behavior patterns) or rely on the vendor of an NTA-class solution that offers this capability.
Here is what this feature looks like in Cisco Stealthwatch. We see that activity associated with click fraud, ad injection into web pages, and malicious advertising is recorded from two internal hosts, 10.201.3.45 and 10.201.3.108.
Obviously, we want to investigate this activity:
We see that the host on the corporate network interacts with a domain hosted on legitimate Amazon infrastructure (so blocking by IP address will not work, unless you are Roskomnadzor, of course). However, applying various machine learning algorithms to the traffic shows that this activity is malicious.
An even deeper dive reveals further details about the threat.
For example, case # CADP01 is associated with the malicious code AdPeak, which injects additional advertising into visited web pages; the attackers earn money from showing it.
Case # CDPY01 is associated with a potentially unwanted application that injects ads into the browser session and can lead to subsequent infection of the computer.
Since detection of malicious browser activity may be a sign of an infection that has already happened, we need to conduct an investigation showing which hosts the compromised node interacts with on our network, what kind of node it is, what its role is, which user works on it, and so on.
For example, the aforementioned node 10.201.3.45 belongs to the Development group (software development). We also see all data flows associated with this node and the main security events.
Interestingly, the node we are interested in most often interacts with local DNS servers, which raises the possibility of an attack on DNS or through DNS (recall DNSpionage or Sea Turtle, described in a previous post).
What do we see in the list of security events? Flow Denied. What is it? The answer depends on the context, since connections between internal nodes are very different from connections from internal nodes to external ones, and can mean very different things. For example, if an internal node has many denied connections (flows) to one internal resource through the same port, this is probably a misconfiguration of some application. Many denied flows to different ports or different internal nodes most likely indicate reconnaissance, one of the first stages of any attack. Blocked flows from inside to external Internet sites can characterize the operation of malicious code, remote access tools (RATs), information leakage, and many other “interesting” events that your security policy defines as prohibited. And since they are detected by your network traffic analysis system, it means something is wrong in your network.
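As an added illustration of the Flow Denied heuristics above (example code, not from Cisco or the original post): a small classifier that groups denied-flow records by source host and labels each source as misconfiguration, reconnaissance, or an outbound policy violation. The internal subnet list, the threshold of five flows, and the sample records are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space (RFC 1918); adjust to your own network.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

# Constructed sample of denied flows as (src, dst, dst_port); not real telemetry.
SAMPLE_DENIED_FLOWS = []
# Host A: same internal server, same port, over and over -> misconfigured app.
SAMPLE_DENIED_FLOWS += [("10.201.3.7", "10.201.10.5", 8443)] * 12
# Host B: many different internal hosts and ports -> reconnaissance pattern.
for i, port in zip(range(20, 32), (22, 80, 135, 139, 445, 3389,
                                   8080, 21, 23, 25, 110, 143)):
    SAMPLE_DENIED_FLOWS.append(("10.201.3.45", f"10.201.10.{i}", port))
# Host C: repeated denied flows to an external site -> outbound policy violation.
SAMPLE_DENIED_FLOWS += [("10.201.3.108", "203.0.113.10", 443)] * 5
# Host D: a single denial, below the reporting threshold.
SAMPLE_DENIED_FLOWS.append(("10.201.3.200", "10.201.10.5", 443))

def classify_denied_flows(flows, threshold: int = 5) -> dict:
    """Return {src_host: verdict} following the heuristics in the text.

    - >= threshold denied flows to external hosts: outbound policy violation
    - >= threshold internal denials, one dst and one port: misconfiguration
    - >= threshold internal denials spread over dsts/ports: reconnaissance
    - otherwise: below-threshold (not worth an alert on its own)
    """
    by_src = defaultdict(list)
    for src, dst, port in flows:
        by_src[src].append((dst, port))
    verdicts = {}
    for src, pairs in by_src.items():
        internal = [(d, p) for d, p in pairs if is_internal(d)]
        external = [(d, p) for d, p in pairs if not is_internal(d)]
        if len(external) >= threshold:
            verdicts[src] = "external-policy-violation"
        elif len(internal) >= threshold:
            dsts = {d for d, _ in internal}
            ports = {p for _, p in internal}
            single_target = len(dsts) == 1 and len(ports) == 1
            verdicts[src] = "misconfiguration" if single_target else "reconnaissance"
        else:
            verdicts[src] = "below-threshold"
    return verdicts
```

In a real deployment the threshold and the internal ranges come from your environment, and a host matching both the internal and external patterns deserves a look at both sets of flows.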
This case is interesting in that it slightly changes how we look at the capabilities of NTA-class systems, which rely on analysis of NetFlow (or other flow protocols). Such systems can operate not only at the network level but also rise much higher and detect attacks at the application level, which are far from always visible to a firewall or even to endpoint protection tools.