General malware detection

Because all malicious activity leaves footprints in network traffic, the visibility provided by traffic data can be an invaluable asset against modern malware.

By ingesting large volumes of network information through Scrutinizer, Plixer One Enterprise can provide general malware detections and extract additional value from the same flow data.

Overview

The ML Engine uses classification - a machine learning technique that relies on models trained on labeled data - to predict whether a host’s behavior is indicative of common classes of malware, including command and control, banking trojans, exploit kits, etc. Each prediction is returned as a percentage representing the degree to which the observed traffic patterns match the patterns the model has learned to associate with malware. If that percentage exceeds a preset detection threshold, a high-severity event is generated under the corresponding alarm policy in the Scrutinizer alarm monitor.

Enabling malware classification

To optimize resource utilization, malware detection is configured at the ML inclusion level, enabling or disabling classification for all hosts associated with the inclusion. The Malware Detections setting can be accessed from the Manage ML Inclusions page, where it can be toggled on or off in the inclusion configuration tray.

Investigating malware detections

Once a detection is reported as an alarm, the appropriate response can be determined using a combination of Scrutinizer workflows, including:

Note

General ML-driven malware detections are reported under the ML Engine malware alert alarm policy. A separate Malware Command and Conquer Activity Detected policy is used for detections via Flow Analytics.

Hint

After running an initial report, it can be refined directly from the output view to enable further investigation.

Workflows

The following workflow(s) are examples of Plixer One Enterprise’s malware detections being used as starting points for investigating suspicious network activity:

Alerting on malware activity

Get alerted to any host demonstrating malware activity and send a notification to the security team.

Workflow

Becoming aware of suspicious activity

Scrutinizer and the Plixer ML Engine can be used together to help assess possible malware activity on your network.

The ML algorithms used for malware classification trigger alerts within Scrutinizer’s alarm policies for traffic/activity that deviates from dynamic ML-modeled baselines.

Note

This workflow relies on the Plixer ML Engine to report classification-based detections. Additional host analysis and risk assessment functions are enabled through Endpoint Analytics.

Tip

Scrutinizer and FlowPro also use STIX/TAXII and other threat intelligence feeds to identify activity associated with common classes of malware and ransomware.

Responding to potential malware

Review the Admin > Alarm Monitor > Alarm Policies page and search for the ML Engine malware alert policy. Using a custom notification profile, this policy can be configured to trigger an email to one or more addresses. This can be used to alert security team members whenever there are malware detections that should be reviewed.

Hint

Other automated notification actions can also be defined under the same notification profile.

From the Alarm Monitor view within the UI, you can drill into the alarm policy and investigate the host, with details on its top applications and conversations.

Scrutinizer reporting can generate host-to-host reports to show the full extent of the host’s communications with other IPs on the network. Any outbound traffic with remote hosts should be investigated by navigating to the Reports tab/section of the web interface and running destination reports.

Additionally, Endpoint Analytics may be able to provide MAC details for the host and report its own risk assessment based on internal algorithms, MS Defender, and Tenable.