Plixer Scrutinizer Flow Analytics Algorithms¶
Plixer FlowPro will send data to the specified IPFIX Collector. Plixer Scrutinizer provides additional functionality to check for malicious behavior and bad actors, and to generate alarms when detected.
This alarm is generated when a large number of unique DNS name lookups have failed. When a DNS lookup fails, a NXDOMAIN reponse is returned. Plixer Scrutinizer is able to identify a class of malware that uses Domain Generation Algorithms (DGAs) by monitoring the number of NXDOMAINs detected as and the actual DNS name looked up.
The default threshold is 100 unique DNS lookup failure (NXDOMAIN) messages in five minutes. Either the source or destination IP address can be excluded from triggering this alarm.
DNS Command and Control¶
This algorithm monitors the use of DNS TXT messages traversing the network perimeter as detected by Plixer FlowPro. DNS TXT messages can be used to send information into and out of the protected network over DNS, even when the use of external DNS servers has been blocked. Malware uses this technique to control compromised assets within the network and to extract information back out. Additionally, some legitimate software also uses this method to communicate back to the developer site.
The algorithm will detect inbound, outbound, and bidirectional communications using DNS TXT messages. Thresholds can be set based either on the number of DNS TXT messages or number of bytes observed in the DNS TXT messages within a five minute period. The default setting is for any detected traffic to trigger an alarm and alarm aggregation defaults to 120 minutes.
The domain generating the alarm message may be added to the trusted domains list in Plixer FlowPro to suppress alarms from authorized applications on the network. See the information regarding the trusted domains list below.
DNS Data Leak¶
This algorithm monitors for information encoded into a DNS lookup message that has no intention of returning a valid IP address or making an actual connection to a remote device. As a result, the local DNS server will fail to find the DNS name in its cache and will pass the name out of the network to where it will eventually reach the authoritative server for the domain. At that point, the owner of the authoritative server can decode the information embedded in the name, and may respond with a “no existing domain” response or return a non-routable address.
Plixer FlowPro reviews all DNS queries and responses using proprietary logic to detect unwanted communications. Odd behaviors are sent to Plixer Scrutinizer where they are further processed by the DNS Data Leak algorithm. Thresholds can be set based on either the number of DNS TXT messages or the number of bytes observed in the DNS TXT messages within a five minute period. The default setting is for any detected traffic to trigger an alarm and alarm aggregation defaults to 120 minutes.
DNS Server Detection¶
The algorithm detects new DNS servers being used on or by your network through analysis of the DNS packets being exchanged between the client and the server. Exclude DNS servers that are authorized for use on the network.
Domain reputation provides much more accurate alarming with a dramatic decrease in the number of false positive alarms as compared to IP-based host reputation. The domain list provided by Plixer is updated periodically and currently contains over 400,000 known bad domains.
To provide maximum protection, the Plixer FlowPro must be able to update its domain reputation list periodically. For that purpose, during setup, please verify a network route exists from Plixer FlowPro to nba.plixer.com. The Domain Reputation algorithm will not detect any malware if the Plixer FlowPro is unable to connect to nba.plixer.com - however, all other features will function normally.
The Plixer FlowPro performs the actual monitoring, and when it detects a domain with poor reputation, it passes the information to Plixer Scrutinizer for additional processing. The default setting is for any detected traffic to trigger an alarm and alarm aggregation defaults to disabled so that all DNS lookups observed will result in a unique alarm.
To suppress alarms from authorized applications in the network, the domain generating the alarm message can be added to the trusted domain list in Plixer FlowPro. See the User-defined Domain Lists section for details.
The JA3 fingerprinting functionality leverages the unique characteristics of the TLS handshake to identify the software generating encrypted traffic by comparing it against a list of known signatures. If a positive match is made, Plixer FlowPro Defender will send the details of that connection to Plixer Scrutinizer.
Malware Behavior Detection¶
This algorithm demonstrate Plixer’s cyber threat correlation capability. Correlation of multiple network behaviors over a long time period provides detection systems with more information resuting in higher accuracy with fewer false positive alarms.
This specific alarm correlates IP address lookup (i.e. what is my IP address) activity, which is commonly performed by malware shortly after the initial compromise, with the detection of the BotNet alarm or a Domain Reputation alert.
When either of the two events is detected, this algorithm triggers an alert as this behavior is a very strong indicator of a compromised asset.
Adding Plixer FlowPro to the Algorithms¶
The Plixer FlowPro appliance(s) must be linked to the algorithms the user wishes to use in the Plixer Scrutinizer Flow Analytics configuration settings:
- Navigate to the Admin Tab > Settings > Flow Analytics Configuration
- Click the numbers in the exporter column to associate the Plixer FlowPro exporter with that algorithm
- Violations and alarms will be displayed in the Alarms tab