External Network Monitoring Services
Alexander Sverdlov
Security Analyst

Sometimes you cannot trust your own defenses, especially if you correctly assume that your network is already compromised.
All IDS/IPS devices share the same weakness: they rely on what is already known and rarely on genuine behavioral analysis. But when an attacker uses a new technique (which happens quite often), it will pass as legitimate traffic. In such cases you need to rely on someone with an eye on the criminal networks, someone who sees the malicious traffic from the attacker's end.
In such cases you should use services such as ShadowServer - https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork
They monitor malicious networks from multiple vantage points and can warn you if they see traffic from your network leaving towards a botnet command & control server, for example.
Some security software vendors will charge you 5-digit prices per year for “appliances” which basically do the same thing – ShadowServer does it for free as a community service.
As per their website:
The reporting service monitors and alerts on the following activity:
- Detected botnet command and control servers
- Infected systems (drones)
- DDoS attacks (source and victim)
- Scans
- Clickfraud
- Compromised hosts
- Compromised websites
- Proxies
- Spam relays
- Open DNS Resolvers
- Malware distributors and other related information.
Setting up an arrangement with this non-profit organization is really simple. All you need to do is get your ASN from your network administrator and send them an email, as per the above link’s instruction (hopefully by the time you read this book the service is still available).
If you find this service useful, please consider donating. They’re not even asking for it – which is an even better incentive for you to be generous to such a good service.
Another useful service is Have I Been Pwned:
As the name implies, this service monitors sites such as PasteBin for information containing your domain, e-mail addresses, etc. – and as soon as it detects a ‘leak’ you will get notified via e-mail. When signing up, you will need to confirm your domain ownership – so coordinate on that with your IT team.
Other external monitoring services:
- http://www.google.com/safebrowsing/alerts/ (needs your own AS). Safe Browsing Alerts for Network Administrators allows autonomous system (AS) administrators to register to receive Google Safe Browsing notifications. The goal is to provide network administrators with information about malicious content that is being hosted on their networks.
- Team Cymru TC Console - https://www.team-cymru.org/Services/TCConsole - no cost, *in most cases* (more info: https://www.team-cymru.org/Services/TCConsole/tcconsole_trifold.pdf ). It is a good collaboration platform; if you collaborate, it will be free for you.
- https://postmaster.live.com/snds/index.aspx - detect data coming from their network towards your network after verifying your AS. “By providing data such as mail traffic statistics seen by Windows Live Hotmail to IP block owners (ISPs, in a broad sense), organizations are empowered to prevent spam, viruses, and other malicious activity from originating from their IP space.”
- https://spyeyetracker.abuse.ch/index.php - mostly checks your IP addresses / domains for C&C traffic towards C&C servers. Interesting statistic: average SpyEye binary antivirus detection: 27.94%
- https://www.team-cymru.org/Services/BINFeed/ - for banks and financial institutions, showing whether malicious traffic or data leaked on the Dark Nets contains any data related to that specific bank (it must be your bank; you cannot monitor 3rd party organizations).

Alexander Sverdlov
Founder of Atlant Security. Author of 2 books on information security, cybersecurity speaker at the largest cybersecurity conferences in Asia and panelist at a UN conference. Former member of Microsoft's security consulting team, external cybersecurity consultant to the Emirates Nuclear Energy Corporation.