How to Deal With Unusual Traffic Detected Notifications

How to Deal With Unusual Traffic Detected NotificationsIf you get an unusual traffic detected notification from Google, it usually means your IP address was or still is sending suspicious network traffic. Google can detect this and has recently implemented security measures to protect against DDoS, other server attacks and SEO rank manipulation.

The key thing to remember is that the notification is based on your Internet facing IP address, not your private IP address which is assigned to your laptop\PC\device. If you don’t know what your Internet facing (or public) IP address is you can use something like this service.

Top tips for dealing with unusual traffic detected messages:

  1. Get an inventory. Do you have unknown devices on your network? There are many free applications which can do network scans. Another option is to deploy deep packet inspection tools which will passively detect what is running on your network.
  2. Monitor traffic on your Internet gateway. Watch out for things like network scans, traffic on unusual port numbers, TOR traffic. I have included a video below which explains how you can do this.
  3. Track down the device using its MAC address. Network switches maintain a list of what MAC addresses are associated with what network switch ports. The guide at this link shows you how to do this on Cisco switches but similar commands are available on other switch models.
  4. See if your IP address is blacklisted. You can use something like this http://www.ipvoid.com/ to see if your IP address is known black lists.
  5. If you cannot find any issues, talk to your ISP. Maybe you need an IP change. IP addresses are recycled so it could be that you were allocated a dodgy one. This is a remote possibility so make sure you cover tips 1 to 4 first.

How to Monitor Internet Activity Using a SPAN Port

Further reading

In a previous blog post I also looked at how you can use LANGuardian to track down the source of unusual traffic on your network.

Blog Post: How to deal with “Google has detected unusual traffic from your network” notifications

Please don’t hesitate to get in contact with our support team if you are having an issue with a unusual traffic notification. They can help you quickly get to the root cause of issues associated with suspicious network traffic.

Thanks to NetFort for the article.

Advertisements

NetFort 12.4 – Network Traffic and Security Monitoring

NetFort 12.4 – Network Traffic and Security Monitoring

New Version of NetFort LANGuardian Provides Customers with a Single Point of Reference for Network Traffic and Security Monitoring.

NetFort, a leading provider of network traffic and security monitoring (NTSM) solutions, today unveiled version 12.4 of the LANGuardian application. The new version ensures network teams today have the visibility required to collaborate and work with their security colleagues and manage the daily security issues prevalent in today’s world.

Version 12.4 includes a number of significant changes:

  • SMTP Email Decoder Enhancements
  • HTTPS Website Use Reporting
  • Updated BitTorrent Decoder
  • Snort 2.9
  • SYSLOG Forwarding Feature
  • SMTP Email Decoder Enhancements

SMTP Email Decoder Enhancements

The SMTP decoder is a great feature from a network security monitoring point of view. It is a powerful tool if you want to monitor email for phishing type network attacks. Malicious attachments have made a comeback as top attack vector. An interesting post on this here.The SMTP decoder has been upgraded to record the following information

  • Attachments to SMTP emails, including attachment name, MIME type and description. A sample report is shown below, some information is blurred as it came from a live network.
  • Embedded hyper Link detection in emails. This is a beta release for evaluation. Where an SMTP email contains a hyper link, but the link target doesn’t seem to match the description, LANGuardian will log the link target and the description.

NetFort 12.4 – Network Traffic and Security Monitoring

HTTPS Website Use Reporting

The Website monitoring module has been upgraded to now report on HTTPS domains. Domain information (such as https://facebook.com) and traffic volumes are recorded. As packet payloads are encrypted, Individual URIs cannot be reported.

NetFort 12.4 – Network Traffic and Security Monitoring

Updated BitTorrent Decoder

BitTorrent continues to be a popular protocol for downloading and uploading media from the Internet. LANGuardian has the ability to detect BitTorrent use and record metadata such as Infohash values and IP addresses. In 12.4 the BitTorrent decoder has been upgraded to record Peer Exchange messages (PEX). This increases the detection rate for BitTorrent activity and will record media titles, if included in the PEX message.

NetFort 12.4 – Network Traffic and Security Monitoring

Snort 2.9

Snort is a network-based intrusion detection system (NIDS) has the ability to perform real-time traffic analysis and packet logging. Snort performs protocol analysis, content searching and matching. LANGuardian 12.4 now includes Snort version 2.9.7. This allows LANGuardian to take advantage of new keywords supported in IDS signatures for Snort 2.9, distributed from the ET Open project

SYSLOG Forwarding Feature

Many customers choose LANGuardian as it can integrate with existing tools like SolarWinds, McAfee or WhatsUp. Version 12.4 extends this functionality with the addition of a new configuration page to manage the forwarding of events to external syslog collector (SIEM) systems.

NetFort 12.4 – Network Traffic and Security Monitoring

This means you end up with a centralized dashboard for all network activity or as one customer described it “single point of reference for network and user activity monitoring and first stop in troubleshooting any issues”

NetFort 12.4 – Network Traffic and Security Monitoring

Version 12.4 is available from our download page and it can be deployed on physical or virtual platforms.

NetFort 12.4 – Network Traffic and Security Monitoring - download free trial NetFort 12.4 – Network Traffic and Security Monitoring - Web Demo

Thanks to Netfort for the article.

 

How Hiring Employees Increases Your Chance of a Ransomware Attack

How Hiring Employees Increases Your Chance of a Ransomware AttackIt seems like a strange combination, employee hiring and Ransomware but there is a connection. Ransomware is one of the biggest network security issues in today’s world and businesses have paid out tens of millions in ransoms this year. Thankfully a lot more people are aware of the problems it can cause and how it can get into a network. This is making things more difficult for the virus writers but they are a resourceful bunch with a lot of time on their hands.
How Hiring Employees Increases Your Chance of a Ransomware AttackMost people avoid opening attachments in emails from strangers. However, there are ways to trick people into opening attachments with virus payloads.

One such way which I observed recently is where companies advertise for new job positions. A common approach is to advertise jobs on websites and make a bit of noise about it on social media. Contact details are usually published and people submit their applications.

What we now have is strangers sending their CV’s as attachments and this introduces a new attack vector as it is not seen as unusual activity. Malicious attachments really have made a comeback as top attack vector.

Ransomware bandits know that sending email to a generic human resources email address may not be successful as HR teams will be used to dealing with attachments. They will employ social engineering tactics and send their ‘CV’ to other email addresses within the company. The helpful recipient will probably forward it on and may even open it. As soon as they do they will find their files are encrypted.

These social engineering attacks are getting more and more advanced. Not that long ago you could spot the suspicious emails easily as they contained lots of spelling mistakes or started off with something like “Dear Firstname”. This is no longer the case, one off emails are written for specific attacks and they can look legitimate at first glance. You should also be on the guard for unsolicited messages in LinkedIn and other social networks.

How Hiring Employees Increases Your Chance of a Ransomware Attack

Tips For Preventing Ransomware Attacks

The lessons here of course are to continue to educate employees on the dangers of opening emails from strangers. Perform spot checks by creating a new Gmail address and send emails to see if employees open them or forward them on to others.
How Hiring Employees Increases Your Chance of a Ransomware AttackAs well as sending in bogus CV’s you will see tactics such as sending bogus purchase orders, software licenses, delivery notices and banking statements. In most cases the email will be tailored to match the recipients role or to coincide with specific company events.

I am beginning to wonder in the age of cloud applications, do we really need to be sending attachments in emails? They have been the source of countless virus outbreaks over the years. For example, the ILOVEYOU virus from a few years ago affected over 45 million computers.

Employee training and security awareness is the number one way you will prevent Ransomware attacks. In parallel to this you should make sure you have some sort of network monitoring tool in place that can track who is accessing file shares and give you warnings when something suspicious is happening. Also consider:

  • Block attachments on emails or restrict them to specific accounts.
  • Use contact forms on your website instead of publishing email addresses.
  • If you use Google Apps check out the attachment filtering feature. It lets you block specific attachment types or quarantine them for review later.

The image below shows a sample SMTP email report from NetFort LANGuardian which shows suspicious looking attachments that were detected moving around on a network. This information was captured using Wire Data Analytics. Two things look strange from this. Firstly the same email was sent to two people and secondly the compressed attachment (zip) is a tactic used to try and get past email filters.

How Hiring Employees Increases Your Chance of a Ransomware Attack

New variants of Ransomware are appearing on a daily basis. Do not rely on host based antivirus as they struggle to keep up. Training and constant monitoring are the most vital activities and don’ forget about your backups.

Dealing With A Ransomware Attack

I would recommend that you create an incident response document before you get hit by Ransomware. Just something basic like backup information, support contact details, what tools to use for forensics etc… Also include notes on shutdown steps for key servers and applications.

If you do get hit, don’t just pay the ransom. As soon as you have it paid you will be dealing with another outbreak. Watch out for infected files on cloud storage services such as DropBox, files encrypted or infected with malware could be synchronized with a cloud service within seconds. It is a good example of why should really know what applications your users are running on your network. We have a few other blog posts which you may find useful in the event of a Ransomware outbreak.

The following video also shows how you can use file activity logs to track down the source of Ransomware on a network

How Hiring Employees Increases Your Chance of a Ransomware Attack

I cannot stress how important training is for the prevention of network security attacks. If you make noise about something within your company like job postings, financial updates or corporate events, be prepared for advanced social engineering attacks.

Do you have any experiences with Ransomware attacks? Comments welcome.

Thanks to NetFort for the article.

 

A Deeper Look Into Network Device Policy Checking

A Deeper Look Into Network Device Policy CheckingIn our last blog post “Why you need NCCM as part of your Network Management Platform” I introduced the many reasons that growing networks should investigate and implement an NCCM solution. One of the reasons is that an NCCM system can help with automation in a key area which is related to network security as well as compliance and availability – Policy Checking.

So, in this post, I will be taking a deeper dive into Network Device Policy Checking which will (hopefully) shed some light onto what I believe is an underutilized component of NCCM.

The main goal of Policy Checking in general is to make sure that all network devices are adhering to pre-determined standards with regard to their configuration. These standards are typically put in place to address different but interrelated concerns. Broadly speaking these concerns are broken down into the following:

  1. Device Authentication, Authorization and Accounting (AAA, ACL)
  2. Specialized Regulatory Compliance Rules (PCI, FCAPS, SOX, HIPAA …)
  3. Device Traffic Rules (QoS policies etc.)

Device Authentication, Authorization and Accounting (AAA)

AAA policies focus on access to devices – primarily by engineering staff- for the purposes of configuration, updating and so forth as well as how this access is authenticated, and tracked. Access to infrastructure devices are policed and controlled with the use of AAA TACACS+, RADIUS servers, and ACLs (Access Control Lists) so as to increase security access into device operating systems.

It is highly recommended to create security policies so that the configurations of security access can be policed for consistency and reported on if changed or vital elements of the configuration are missing.

Many organizations, including the very security conscious NSA, even publish guidelines for AAA policies they believe should be implemented.

They offer these guidelines for specific vendors such as Cisco and others which can be downloaded from their website http://www.nsa.gov these guidelines are useful to anyone that is interested in securing their network infrastructure, but become hard requirements if you need to interact in anyway with US government or military networks.

Some basic rules include:

  1. Establishing a dedicated management network
  2. Encrypt all traffic between the manager and the device
  3. Establishing multiple levels or roles for administrators
  4. Logging the devices activities

These rules, as well as many others, offer a first step toward maintain a secure infrastructure.

Specialized Regulatory Compliance Rules:

Many of these rules are similar to and overlap with the AAA rules mentioned above. However, these policies often have very specialized additional components designed for special restrictions due to regulatory laws, or certification requirements.

Some of the most common policies are designed to meet the requirements of devices that carry traffic with sensitive data like credit card numbers, or personal data like Social Security numbers or hospital patient records.

For example, according to PCI, public WAN link connections are considered untrusted public networks. A VPN is required to securely tunnel traffic between a store and the enterprise network. The Health Insurance Portability and Accountability Act (HIPAA) also provides guidelines around network segmentation (commonly implemented with VLAN’s) where traffic carrying sensitive patient data should be separated from “normal” traffic like Web and email.

If your company or organization has to adhere to these regulatory requirements, then it is imperative that such configuration policies are put in place and checked on a consistent basis to ensure compliance.

Device Traffic Rules:

These rule policies are generally concerned with the design of traffic flow and QoS policies. In large organizations and service providers (Telco’s, MSP’s, ISP’s) it is common to differentiate traffic based on pre-defined service types related to prioritization or other distinction.

Ensuring service design rules are being applied and policed is usually a manual process and therefore is susceptible to inaccuracies. Creating design policy rules provides greater control around the service offerings, i.e. QOS settings for Enhanced service offerings, or a complete End-2-End service type, and ensures compliancy with the service delivery SLAs (Service Level Agreements).

Summary:

Each of these rules and potentially others should be defined and policed on a continuous basis. Trying to accomplish this manually is very time consuming, inefficient, and fraught with potential errors (which can become really big problems).

The best way to keep up with these policy requirements is with an automated, electronic policy checking engine. These systems should be able to run on a schedule and detect whether the devices under its control are in or out of compliance. When a system is found to be out of compliance, then it should certainly have the ability to report this to a manager, and potentially even have the ability to auto-remediate the situation. Remediation may involve removing any known bad configurations or rolling back the configuration to a previously known “good” state.

A Deeper Look Into Network Device Policy Checking

Thanks to NMSaaS for the article.