Identifying improper behavior among the devices connected to their network is a critical tool for any organization concerned about Advanced Persistent Threats (APTs).
In light of the rapidly changing landscape of such targeted malware attacks, Fortinet lists the Top Five Types of Behavior that might indicate that a device has been infected.
- Bad Connection Attempts– Typical malware behavior often includes attempts to connect to hosts that don’t exist on the Internet. While some bad connections may be due to user error or bad links, a series of bad connections could be a sign of malware infection.
- Choice of Application- A host that installs a P2P file sharing application can be considered riskier than a host that installs a game. Some organizations may consider both actions problematic. The ability to add weights to each action allows each risk to be scored accordingly.
- Geographic Location- Visits to hosts in certain countries can be categorized as risky behavior, especially if there is a significant amount of traffic involved. Identifying such behavior can be combined with a white list approach that identifies legitimate sites in such countries to help identify infected clients.
- Session Information- When a device starts to listen on a port to receive a connection from the outside but does not initiate a connection, an APT infection could be the cause.
- Destination Category- Visiting certain types of websites, such as gambling and adult sites as well as those known to contain malicious code, can also be a predictor of APT infection.
“Identifying risky user and application behavior represents the next step in protection against Advanced Persistent Threats. Signature-based protection is no longer enough. It’s important to build a complete, evolving and up-to-date picture of the behaviour of network clients,” explained Dato’ Seri George Chang, Fortinet’s regional vice president for Southeast Asia and Hong Kong. “Client reputation and scoring is an essential component in ordering and understanding the enormous amount of security information available within organisations, and applying it to a dynamic, targeted security response.” he concluded.