This invention relates to methods and apparatus for evaluating security and/or protecting systems on large computer networks, such as the Internet.
Administrators of large private networks, such as corporate or governmental networks, need to take steps to secure them from various types of attacks. Command-and-Control (C2) servers on the internet are important to identify because, if an organization has infected computers, those computers may try to communicate with external command and control machines operated by threat actors. If organizations can identify Internet Protocol (IP) addresses and domains associated with C2 servers, they can block that traffic at their firewall and mitigate the risk of infection.
In one general aspect, the invention features a network security system that includes a network traffic analysis tool operative to extract information about traffic with suspected attack support infrastructure addresses. An automated traffic pattern recognition tool is responsive to information extracted by the network traffic analysis tool and to enrichment data, and is operative to detect patterns in the extracted traffic information. An identification tool is responsive to the pattern recognition tool to identify victims associated with the suspected attack support infrastructure addresses based on patterns detected in the extracted traffic information. And the system includes storage that is responsive to the identification tool for storing the recorded suspected attack support infrastructure addresses and identified victims on an ongoing basis.
In preferred embodiments, the traffic analysis tool can include a flow information extraction tool. The automated pattern recognition tool can be responsive to a plurality of third-party enrichment data sources. The system can further include an enrichment tool to enrich the stored addresses and victim identifications. The storage can be part of a larger database of threat data. The network security system can be operative to automatically identify at least hundreds of malware victims per day. The attack support infrastructure addresses can include malware controller addresses.
In another general aspect, the invention features a network security method that includes extracting information about traffic with suspected attack support infrastructure addresses, detecting patterns in the extracted traffic information, identifying victims associated with the suspected attack support infrastructure addresses based on patterns detected in the extracted traffic information, and storing the recorded suspected attack support infrastructure addresses and identified victims on an ongoing basis.
In a further general aspect, the invention features a network security system that includes means for extracting information about traffic with suspected attack support infrastructure addresses, means for detecting patterns in the extracted traffic information, means for identifying victims associated with the suspected attack support infrastructure addresses based on patterns detected in the extracted traffic information, and means for storing the recorded suspected attack support infrastructure addresses and identified victims on an ongoing basis.
Systems according to the invention can help network administrators to detect, understand, and remedy risks posed by malware that communicates with command-and-control servers or other types of attack infrastructure.
Referring to
In one embodiment, the security monitoring system includes features of the Recorded Future Temporal Analytics Engine, which is described in more detail in U.S. Pat. No. 8,468,153 entitled INFORMATION SERVICE FOR FACTS EXTRACTED FROM DIFFERING SOURCES ON A WIDE AREA NETWORK and in U.S. Publication No. 20180063170 entitled NETWORK SECURITY SCORING. Related technology is also discussed in the paper entitled “Proactive Threat Identification Neutralizes Remote Access Trojan Efficiency,” by Levi Gundert (2016) and in the application entitled MALWARE ANALYSIS PIPELINE, docket number A0007-024001, filed on the same date as this application. The documents referenced in this paragraph are all herein incorporated by reference.
As shown in
Referring also to
The victim monitoring subsystem 20 can then use its network scanning interface to scan some or all of the network 4 to identify one or more new malware controllers and/or attack servers 8b . . . 8m and store their addresses, based on the signatures (steps 108, 110, 112). The scanning interface preferably uses one or more third-party, large-scale scanning tools, such as Unicorn Scan, Zmap, or MASSCAN. These tools can be configured to scan large parts of a network, such as all of the IP addresses in a defined address range, all of the IP addresses in a geographical area, or all of the IP addresses in the IPv4 and/or IPv6 address spaces, while excluding government and military IP addresses as appropriate. The victim monitoring subsystem 20 can then perform a second, more detailed scan directed at the candidate controllers or attack servers that yielded positive scan results, to confirm their status as controllers or attack servers (steps 114, 116).
The victim monitoring subsystem 20 then uses its network traffic analysis interface 28 to find the confirmed IP addresses in network traffic. This can be performed, for example, by using the confirmed IP addresses as input to a flow information extraction tool, such as NetFlow. This process can involve searching for the confirmed IP addresses in a database of Internet traffic received from distributed monitoring locations on the network, such as routers, to automatically find traffic patterns that identify victims of the malware or attack tools corresponding to the confirmed IP addresses (steps 118, 120, 122). Enrichment data from third parties or other security subsystems 22a . . . 22b can be used to enhance this process.
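The flow-matching step just described (confirmed controller addresses used as input against NetFlow data to surface victims), as an added example that is not the patent's or Recorded Future's own code: it parses constructed NetFlow v5 export records (the record layout incorporated by reference below), matches each flow against a set of confirmed controller addresses, and reports internal hosts that repeatedly exchanged traffic with one. The controller address, sample flows and the repeat threshold `min_flows` are constructed assumptions.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire layout: 24-byte header followed by 48-byte records, big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")

def parse_v5(packet):
    """Yield (src_ip, dst_ip, dst_port, proto, packets, octets) per flow record."""
    version, count = struct.unpack_from("!HH", packet, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 packet (version {version})")
    for i in range(count):
        f = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        # f[0]=srcaddr f[1]=dstaddr f[5]=dPkts f[6]=dOctets f[10]=dstport f[13]=prot
        yield (str(IPv4Address(f[0])), str(IPv4Address(f[1])), f[10], f[13], f[5], f[6])

def find_victims(packets, controllers, min_flows=3):
    """Hosts with at least min_flows flows to/from a confirmed controller (assumed threshold)."""
    stats = defaultdict(lambda: {"flows": 0, "controllers": set()})
    for pkt in packets:
        for src, dst, _dport, _proto, _pkts, _octets in parse_v5(pkt):
            if dst in controllers:      # victim -> controller (beacon / check-in)
                victim, ctrl = src, dst
            elif src in controllers:    # controller -> victim (tasking / download)
                victim, ctrl = dst, src
            else:
                continue                # flow unrelated to known infrastructure
            stats[victim]["flows"] += 1
            stats[victim]["controllers"].add(ctrl)
    return {v: s for v, s in stats.items() if s["flows"] >= min_flows}

def build_v5(flows):
    """Constructed input: pack (src, dst, sport, dport, proto, pkts, octets) tuples into one v5 packet."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    records = b"".join(
        V5_RECORD.pack(int(IPv4Address(s)), int(IPv4Address(d)), 0, 0, 0, pk, oc,
                       0, 0, sp, dp, 0, 0x18, pr, 0, 0, 0, 0, 0, 0)
        for s, d, sp, dp, pr, pk, oc in flows)
    return header + records
# Constructed sample: one confirmed controller (a TEST-NET-3 address) and three internal hosts.
CONTROLLERS = {"203.0.113.7"}
SAMPLE_PACKET = build_v5([
    ("10.0.0.5", "203.0.113.7", 49152, 443, 6, 4, 612),
    ("10.0.0.5", "203.0.113.7", 49153, 443, 6, 4, 598),
    ("203.0.113.7", "10.0.0.5", 443, 49153, 6, 9, 4880),
    ("10.0.0.9", "203.0.113.7", 49201, 443, 6, 3, 401),     # one contact: below threshold
    ("10.0.0.12", "198.51.100.20", 49300, 80, 6, 7, 2048),  # not a known controller
])
```

Calling `find_victims([SAMPLE_PACKET], CONTROLLERS)` flags only 10.0.0.5; a real deployment would feed exports from the distributed collectors instead of the constructed packet and tune the threshold to the controller's observed beacon interval.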
Records for victims identified by the network traffic analysis interface 28 can then be stored in the storage 30 (step 126). These stored records can be associated with enrichment data upon storage and/or over time thereafter. Enrichment data can include information from a wide variety of sources, such as third-party organizations, WHOIS data, telemetry data, data obtained from honeypots or forensics, and third-party geolocation data. Data about organizational relationships between entities can also be used, as provided for in US Patent Publication No. 2021-0042409 entitled AUTOMATED ORGANIZATIONAL SECURITY SCORING SYSTEM, published Dec. 24, 2020.
The resulting enhanced data set can be used in a variety of ways to manage risk. The system described above has been implemented in connection with digital logic, storage, and other elements embodied in special-purpose software running on a general-purpose computer platform, but it could also be implemented in whole or in part using virtualized platforms and/or special-purpose hardware. And while the system can be broken into the series of modules and steps shown in the various figures for illustration purposes, one of ordinary skill in the art would recognize that it is also possible to combine them and/or split them differently to achieve a different breakdown.
The embodiments presented above can benefit from the temporal and linguistic processing and risk scoring approaches outlined in US Patent Publication No. 2020-0401961 entitled CROSS-NETWORK SECURITY EVALUATION, published Feb. 11, 2021, and US Patent Publication No. 2021-0042409 entitled AUTOMATED ORGANIZATIONAL SECURITY SCORING SYSTEM, published Dec. 24, 2020, and the documents they refer to. The documents referenced directly and indirectly in this paragraph are all herein incorporated by reference. Also herein incorporated by reference is version 5 of the NetFlow standard.
The present invention has now been described in connection with a number of specific embodiments thereof. However, numerous modifications which are contemplated as falling within the scope of the present invention should now be apparent to those skilled in the art. Therefore, it is intended that the scope of the present invention be limited only by the scope of the claims appended hereto. In addition, the order of presentation of the claims should not be construed to limit the scope of any particular term in the claims.