Many types of malware can be uncovered simply by cross referencing the internet hosts your internal users are connecting to with an IP address reputation or domain reputation database. This post discusses the easiest way to do this.
IP address reputation is just one method that helps answer the question of how to investigate malware. Investigation is important because IT Security teams today have to assume that the network is ALWAYS carrying infections. Security's job is to try to uncover the malware when it makes a move to steal information or infect others.
The way most professionals employ address reputation is by comparing the destination IP address found in flows exported by NetFlow or IPFIX to an IP address reputation database. If a match is found, the source IP address in the flow is often assumed to be infected with some type of malware. Since the flow has a time stamp, we can then execute a tool like WinPrefetchView on the infected machine to identify what application was installed just prior to the communication with a host on the IP address reputation list.
Malware Found on an IP Address Reputation List
You might be wondering what types of malware can be found on an IP address reputation list. The most frequently uncovered is CnC, or Command and Control. When certain types of malware are installed, they reach out to a CnC to obtain instructions on the next course of action. Since most firewalls will not allow an Internet host to initiate a connection to an internal IP address, the CnC must wait for the source to connect, which establishes an active connection right through the firewall. The CnC can then push down updates, instructions and a time on when to check back in.
How Hosts end up on a Reputation List
Hosts are put on a reputation list for participating in activities like scanning IP address ranges on the Internet. Other times sandboxes are used to purposely infect hosts, and the traffic from the infected host is then monitored to see what addresses the machine reaches out to.
Domain Reputation List
Domain reputation is more accurate and is growing in popularity; however, only a few NetFlow and IPFIX exporters on the market, such as the FlowPro Defender, are capable of exporting the targeted domain of a connection. In the same fashion, the destination domain is extracted from the packets or flows and compared to a domain reputation list. If a host is found reaching out to a domain on the list, the end system is investigated. Domain reputation is more accurate than IP address reputation because thousands of domains can be hosted on a single IP address. It doesn't seem right to blacklist an IP address because of a domain that it is hosting.
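The matching described in the NetFlow paragraph above and in this domain paragraph can be shown in one small script. This is an added example, not code from the original post or from any flow exporter: the CSV flow format, the IP and domain lists, and every address and hostname in it are constructed for illustration. Each flagged flow carries a confidence label so the shared-hosting caveat is visible in the output: a domain match is rated high, an IP match on a flow whose exporter supplied a domain that is not on the list is rated low, and an IP match with no domain information sits in between. The first-contact timestamp per internal host is what you would carry to the WinPrefetchView step.

```python
"""Cross-reference exported flow records against IP and domain reputation lists.

Added example, not from the original post. Flow format, list contents, addresses
and hostnames are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed reputation data. A real deployment loads these from a threat feed.
IP_REPUTATION = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.42/32")]
DOMAIN_REPUTATION = {"bad-cnc.example", "update-check.example"}

# Constructed sample export: ts,src,dst,dst_port,domain (domain empty when the
# exporter does not carry it, as most NetFlow/IPFIX exporters do not).
FLOWS = """\
# ts,src,dst,dst_port,domain
2024-05-01T09:14:02,10.0.0.25,203.0.113.17,443,
2024-05-01T09:14:05,10.0.0.31,192.0.2.10,443,www.example.com
2024-05-01T09:15:40,10.0.0.25,198.51.100.42,8080,cdn.bad-cnc.example
2024-05-01T09:16:01,10.0.0.44,203.0.113.99,443,shared-host-tenant.example
2024-05-01T09:17:22,10.0.0.50,192.0.2.77,80,update-check.example
"""

Hit = Tuple[str, str, str, str, str]  # (timestamp, internal src, indicator, list, confidence)


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dst_port: int
    domain: Optional[str]  # only present when the exporter supplies the target domain


def parse_flow(line: str) -> Flow:
    """Parse one constructed CSV flow record."""
    ts, src, dst, port, domain = line.strip().split(",")
    return Flow(datetime.fromisoformat(ts), src, dst, int(port), domain or None)


def ip_matches(ip: str, networks) -> bool:
    """True when the destination falls inside any listed address or range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def domain_matches(domain: str, blocklist) -> bool:
    """True for an exact match or any parent domain (never the bare TLD)."""
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def find_hits(lines) -> List[Hit]:
    """Flag each flow whose destination is on a reputation list, with a confidence label."""
    hits: List[Hit] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        ts = f.ts.isoformat()
        if f.domain is not None and domain_matches(f.domain, DOMAIN_REPUTATION):
            # The domain is the precise indicator; one hit per flow is enough.
            hits.append((ts, f.src, f.domain, "domain", "high"))
        elif ip_matches(f.dst, IP_REPUTATION):
            # With a known, unlisted domain the IP hit may be another tenant on shared hosting.
            confidence = "low" if f.domain is not None else "medium"
            hits.append((ts, f.src, f.dst, "ip", confidence))
    return hits


def first_contact(hits: List[Hit]) -> Dict[str, str]:
    """Earliest flagged timestamp per internal host: the pivot for host-side investigation."""
    first: Dict[str, str] = {}
    for ts, src, _, _, _ in hits:
        if src not in first or ts < first[src]:
            first[src] = ts
    return first


if __name__ == "__main__":
    found = find_hits(FLOWS.splitlines())
    for ts, src, indicator, source, confidence in found:
        print(f"{ts}  {src:<12} -> {indicator:<28} [{source}, {confidence}]")
    print("Investigate first:", first_contact(found))
```

Run it as a script to see the four flagged flows and the per-host first-contact times. The low-confidence row is the case the paragraph above warns about: the destination address is on the IP list, but the exporter reported a domain that is not, so the match should be verified before the internal host is treated as infected.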