Plixer Scrutinizer Flow Analytics algorithms
Plixer FlowPro will send data to the specified IPFIX collector. Plixer Scrutinizer provides additional functionality to check for malicious behavior and bad actors, and to generate alarms when detected.
BotNet detection
This alarm is generated when a large number of unique DNS name lookups have failed. When a DNS lookup fails, an NXDOMAIN response is returned. Plixer Scrutinizer is able to identify a class of malware that uses Domain Generation Algorithms (DGAs) by monitoring the number of NXDOMAINs detected and the actual DNS name looked up.
The default threshold is 100 unique DNS lookup failures (NXDOMAIN responses) in five minutes. Either the source or the destination IP address can be excluded from triggering this alarm.
DNS command and control
This algorithm monitors the use of DNS TXT messages traversing the network perimeter as detected by Plixer FlowPro. DNS TXT messages can be used to send information into and out of the protected network over DNS, even when the use of external DNS servers has been blocked. Malware uses this technique to control compromised assets within the network and to extract information back out. Additionally, some legitimate software also uses this method to communicate back to the developer site.
The algorithm detects inbound, outbound, and bidirectional communications using DNS TXT messages. Thresholds can be set on either the number of DNS TXT messages or the number of bytes observed in DNS TXT messages within a five-minute period. The default setting is for any detected traffic to trigger an alarm, and alarm aggregation defaults to 120 minutes.
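As an added illustration for the BotNet and DNS command and control sections above (this is not Plixer's code; FlowPro's own logic is proprietary), the following Python applies the two thresholds described to constructed DNS event records: distinct NXDOMAIN names per client per five-minute window with source/destination exclusions, TXT message and byte counts classified by direction, and a 120-minute aggregation pass that suppresses repeats. The DnsEvent schema, the tumbling-window simplification of the five-minute period, and all sample addresses and names are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Defaults quoted from the page: 100 unique NXDOMAIN names per five minutes for the
# BotNet alarm, any DNS TXT traffic for the C2 alarm, 120-minute alarm aggregation.
WINDOW_SECONDS = 300
NXDOMAIN_THRESHOLD = 100
AGGREGATION_MINUTES = 120


@dataclass(frozen=True)
class DnsEvent:
    """One DNS message as a flow sensor might export it (constructed schema)."""
    ts: int         # epoch seconds
    src: str        # internal client address
    dst: str        # resolver or external peer address
    qname: str      # queried name
    qtype: str      # "A", "TXT", ...
    rcode: str      # "NOERROR", "NXDOMAIN", ...
    direction: str  # "outbound" or "inbound" across the perimeter
    size: int       # message size in bytes


def _window_start(ts, window=WINDOW_SECONDS):
    # Tumbling window: a simplification of a sliding five-minute window.
    return ts - (ts % window)


def botnet_alarms(events, threshold=NXDOMAIN_THRESHOLD, window=WINDOW_SECONDS,
                  excluded=frozenset()):
    """DGA heuristic: count distinct names that returned NXDOMAIN per client per window.
    Events whose source or destination is in `excluded` never contribute."""
    failed = defaultdict(set)
    for e in events:
        if e.rcode != "NXDOMAIN" or e.src in excluded or e.dst in excluded:
            continue
        failed[(e.src, _window_start(e.ts, window))].add(e.qname.lower().rstrip("."))
    hits = sorted((src, start, len(names)) for (src, start), names in failed.items()
                  if len(names) >= threshold)
    return [{"src": s, "window_start": st, "unique_nxdomain": n} for s, st, n in hits]


def dns_txt_alarms(events, window=WINDOW_SECONDS, count_threshold=1, byte_threshold=0):
    """DNS TXT C2 heuristic: per client, peer and window, count TXT messages and bytes
    and classify the direction. byte_threshold=0 disables the byte criterion."""
    stats = defaultdict(lambda: {"count": 0, "bytes": 0, "dirs": set()})
    for e in events:
        if e.qtype != "TXT":
            continue
        s = stats[(e.src, e.dst, _window_start(e.ts, window))]
        s["count"] += 1
        s["bytes"] += e.size
        s["dirs"].add(e.direction)
    alarms = []
    for (src, dst, start), s in sorted(stats.items()):
        if s["count"] >= count_threshold or (byte_threshold and s["bytes"] >= byte_threshold):
            direction = "bidirectional" if len(s["dirs"]) > 1 else next(iter(s["dirs"]))
            alarms.append({"src": src, "dst": dst, "window_start": start,
                           "direction": direction, "count": s["count"], "bytes": s["bytes"]})
    return alarms


def aggregate(alarms, key_fields, minutes=AGGREGATION_MINUTES):
    """Keep the first alarm per key and drop repeats inside the aggregation period."""
    last_kept, kept = {}, []
    for a in sorted(alarms, key=lambda a: a["window_start"]):
        key = tuple(a[f] for f in key_fields)
        if key in last_kept and a["window_start"] - last_kept[key] < minutes * 60:
            continue
        last_kept[key] = a["window_start"]
        kept.append(a)
    return kept


# Constructed sample: BASE is a multiple of 300 so every event falls in one window.
BASE = 1_700_000_400


def _dga_like(i):
    # Deterministic pseudo-random labels standing in for DGA output (constructed).
    return f"{(i * 2654435761) & 0xFFFFFFFF:08x}.example"


SAMPLE = (
    [DnsEvent(BASE + i, "10.0.0.5", "10.0.0.53", _dga_like(i), "A", "NXDOMAIN", "outbound", 70)
     for i in range(120)]                                    # DGA-style burst: alarms
    + [DnsEvent(BASE + i, "10.0.0.9", "10.0.0.53", f"typo{i}.example", "A", "NXDOMAIN",
                "outbound", 60) for i in range(3)]           # a few typos: below threshold
    + [DnsEvent(BASE + 10, "10.0.0.7", "203.0.113.10", "c2.example", "TXT", "NOERROR", "outbound", 180),
       DnsEvent(BASE + 11, "10.0.0.7", "203.0.113.10", "c2.example", "TXT", "NOERROR", "inbound", 240),
       DnsEvent(BASE + 40, "10.0.0.7", "203.0.113.10", "c2.example", "TXT", "NOERROR", "outbound", 180),
       DnsEvent(BASE + 12, "10.0.0.7", "10.0.0.53", "www.example", "A", "NOERROR", "outbound", 60)]
)

if __name__ == "__main__":
    for a in botnet_alarms(SAMPLE):
        print("BotNet:", a)
    for a in aggregate(dns_txt_alarms(SAMPLE), ("src", "dst")):
        print("DNS C2:", a)
```

Counting distinct names rather than raw failures is what separates a DGA burst from one misconfigured client retrying the same bad name; the exclusion set mirrors the page's note that either the source or the destination address can be exempted.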
DNS data leak
This algorithm monitors for information encoded into a DNS lookup message that has no intention of returning a valid IP address or making an actual connection to a remote device. As a result, the local DNS server will fail to find the DNS name in its cache and will pass the name out of the network to where it will eventually reach the authoritative server for the domain. At that point, the owner of the authoritative server can decode the information embedded in the name, and may respond with a “no existing domain” response or return a non-routable address.
Plixer FlowPro reviews all DNS queries and responses using proprietary logic to detect unwanted communications. Odd behaviors are sent to Plixer Scrutinizer, where they are further processed by the DNS Data Leak algorithm. Thresholds can be set on either the number of DNS TXT messages or the number of bytes observed in DNS TXT messages within a five-minute period. The default setting is for any detected traffic to trigger an alarm, and alarm aggregation defaults to 120 minutes.
DNS server detection
The algorithm detects new DNS servers being used on or by your network through analysis of the DNS packets being exchanged between the client and the server. Exclude DNS servers that are authorized for use on the network.
Domain reputation
Domain reputation provides much more accurate alarming with a dramatic decrease in the number of false positive alarms as compared to IP-based host reputation.
To provide maximum protection, Plixer FlowPro must be able to update its domain reputation list periodically. For that purpose, during setup, verify that a network route exists from Plixer FlowPro to the sources listed in /home/plixer/flowpro/rules/suricata-update.yaml. The Domain Reputation algorithm will not detect any malware if Plixer FlowPro is unable to connect to the sources in /home/plixer/flowpro/rules/suricata-update.yaml; however, all other features will function normally.
Plixer FlowPro performs the actual monitoring, and when it detects a domain with poor reputation, it passes the information to Plixer Scrutinizer for additional processing. The default setting is for any detected traffic to trigger an alarm, and alarm aggregation defaults to disabled, so every DNS lookup observed results in a unique alarm.
JA3 fingerprinting
The JA3 fingerprinting functionality leverages the unique characteristics of the TLS handshake to identify the software generating encrypted traffic by comparing it against a list of known signatures. If a positive match is made, Plixer FlowPro will send the details of that connection to Plixer Scrutinizer. All signatures observed are logged via IPFIX.
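To show what "the unique characteristics of the TLS handshake" means in practice, here is an added Python example (not Plixer's code) that extracts the five JA3 fields from a raw ClientHello record, drops the randomized GREASE values, builds the JA3 string and its MD5, and looks the result up in a signature table. The build_client_hello helper, the SAMPLE_FIELDS values and the signature table in the usage block are constructed for the example; the field order, GREASE filtering and MD5 step follow the published JA3 method.

```python
import hashlib
import struct


def is_grease(value):
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are randomized per connection;
    JA3 drops them so one client always yields the same fingerprint."""
    return (value & 0xFF) == (value >> 8) and (value & 0x0F) == 0x0A


def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]


def parse_client_hello(record):
    """Pull the five JA3 fields out of a raw TLS record that carries a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = _u16(body, 0)
    off = 2 + 32                      # legacy_version, random
    off += 1 + body[off]              # session_id
    n = _u16(body, off)
    off += 2
    ciphers = [_u16(body, off + i) for i in range(0, n, 2)]
    off += n
    off += 1 + body[off]              # compression_methods
    extensions, curves, point_formats = [], [], []
    if off < len(body):
        end = off + 2 + _u16(body, off)
        off += 2
        while off + 4 <= end:
            ext_type, ext_len = _u16(body, off), _u16(body, off + 2)
            data = body[off + 4:off + 4 + ext_len]
            off += 4 + ext_len
            extensions.append(ext_type)
            if ext_type == 10:        # supported_groups
                curves = [_u16(data, 2 + i) for i in range(0, _u16(data, 0), 2)]
            elif ext_type == 11:      # ec_point_formats
                point_formats = list(data[1:1 + data[0]])
    return version, ciphers, extensions, curves, point_formats


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 string: five comma-separated fields, each a dash-joined decimal list in wire order."""
    def join(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([str(version), join(ciphers), join(extensions), join(curves), join(point_formats)])


def ja3_hash(*fields):
    return hashlib.md5(ja3_string(*fields).encode("ascii")).hexdigest()


def classify(record, signatures):
    """Look the fingerprint up in a signature table {md5: label}; None if unknown."""
    return signatures.get(ja3_hash(*parse_client_hello(record)))


def build_client_hello(version, ciphers, extensions, curves, point_formats):
    """Construct a ClientHello record for testing (not captured traffic)."""
    def pack16(values):
        return b"".join(struct.pack("!H", v) for v in values)
    exts = b""
    for t in extensions:
        if t == 10:
            data = struct.pack("!H", 2 * len(curves)) + pack16(curves)
        elif t == 11:
            data = bytes([len(point_formats)]) + bytes(point_formats)
        else:
            data = b""
        exts += struct.pack("!HH", t, len(data)) + data
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, no session id
    body += struct.pack("!H", 2 * len(ciphers)) + pack16(ciphers)
    body += b"\x01\x00"                                       # one compression method: null
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample: TLS 1.2 version word plus registry ids for ciphers, extensions and groups.
SAMPLE_FIELDS = (771,
                 [0x0A0A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F],
                 [0x0A0A, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43],
                 [0x0A0A, 29, 23, 24],
                 [0])

if __name__ == "__main__":
    record = build_client_hello(*SAMPLE_FIELDS)
    fields = parse_client_hello(record)
    print(ja3_string(*fields))
    print(ja3_hash(*fields))
    # A real table would come from a vetted signature feed; this one is keyed from the sample.
    print(classify(record, {ja3_hash(*fields): "constructed-sample-client"}))
```

Because the fingerprint covers only the ClientHello, it identifies the TLS library and its configuration rather than the remote host, which is why a match is reported as "the software generating encrypted traffic" and why two ClientHellos that differ only in their GREASE values hash to the same value.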
Malware behavior detection
This algorithm demonstrates Plixer's cyber threat correlation capability. Correlating multiple network behaviors over a long time period gives the detection system more information, resulting in higher accuracy with fewer false positive alarms.
This specific alarm correlates IP address lookup (i.e. what is my IP address) activity, which is commonly performed by malware shortly after the initial compromise, with the detection of the BotNet alarm or a Domain Reputation alert.
Alarms are attributed to the tactics and techniques of known malware patterns, which provides insight into the attack progression.
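The correlation just described, as an added Python example that is not Plixer's code: a host's query to a public "what is my IP" service is paired with a BotNet or Domain Reputation alarm for the same host inside a time window, in either order. The page gives no figure for the "long time period", so the 24-hour window, the list of lookup-service names, the event schema and the sample hosts are all assumptions made for the example.

```python
from collections import defaultdict

# Assumptions: the page says "a long time period" without a figure, so the window is a
# constructed 24 hours; the lookup-service list is a constructed, non-exhaustive set.
CORRELATION_WINDOW_SECONDS = 24 * 3600
TRIGGER_ALARMS = {"BotNet", "Domain Reputation"}
IP_LOOKUP_DOMAINS = {"api.ipify.org", "ifconfig.me", "icanhazip.com", "checkip.amazonaws.com"}


def is_ip_lookup(qname):
    """True for a query to a public 'what is my IP' service (case-insensitive suffix match)."""
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IP_LOOKUP_DOMAINS)


def correlate(events, window=CORRELATION_WINDOW_SECONDS):
    """Raise a Malware Behavior alarm for a host that performed an IP-address lookup and also
    produced a BotNet or Domain Reputation alarm within `window` seconds, in either order."""
    lookups, alarms = defaultdict(list), defaultdict(list)
    for e in events:
        if e["kind"] == "dns" and is_ip_lookup(e["qname"]):
            lookups[e["host"]].append(e["ts"])
        elif e["kind"] == "alarm" and e["name"] in TRIGGER_ALARMS:
            alarms[e["host"]].append((e["ts"], e["name"]))
    results = []
    for host in sorted(alarms):
        for a_ts, name in sorted(alarms[host]):
            near = [t for t in lookups[host] if abs(a_ts - t) <= window]
            if near:
                results.append({"host": host, "trigger": name, "trigger_ts": a_ts,
                                "ip_lookup_ts": min(near), "gap_seconds": a_ts - min(near)})
    return results


T0 = 1_700_000_000  # constructed epoch timestamp
SAMPLE = [
    {"kind": "dns", "ts": T0, "host": "10.0.0.5", "qname": "api.ipify.org"},
    {"kind": "alarm", "ts": T0 + 1800, "host": "10.0.0.5", "name": "BotNet"},           # correlates
    {"kind": "dns", "ts": T0, "host": "10.0.0.9", "qname": "ifconfig.me"},               # lookup, no alarm
    {"kind": "alarm", "ts": T0, "host": "10.0.0.11", "name": "Domain Reputation"},
    {"kind": "dns", "ts": T0 + 3 * 86400, "host": "10.0.0.11", "qname": "icanhazip.com"},  # outside window
    {"kind": "alarm", "ts": T0, "host": "10.0.0.12", "name": "DNS Server Detection"},   # not a trigger
    {"kind": "dns", "ts": T0 + 60, "host": "10.0.0.12", "qname": "icanhazip.com"},
    {"kind": "dns", "ts": T0 + 120, "host": "10.0.0.5", "qname": "www.example"},          # ordinary lookup
]

if __name__ == "__main__":
    for r in correlate(SAMPLE):
        print("Malware Behavior:", r)
```

Requiring both signals keeps a lone IP lookup (common in legitimate software) from alarming on its own, which is the false-positive reduction the section describes.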
Adding Plixer FlowPro to the algorithms
The Plixer FlowPro appliance(s) must be linked to the algorithms you wish to use in the Plixer Scrutinizer Flow Analytics configuration settings:
Navigate to the Admin Tab > Settings > Flow Analytics Configuration.
Click the numbers in the exporter column to associate the Plixer FlowPro exporter with that algorithm.
Violations and alarms are displayed in the Alarms tab.
Important
To effectively detect security threats, configure Plixer FlowPro to monitor external interfaces. Contact Plixer Technical Support for assistance with configuration.