Methods Available for Malware Identification

While by no means an exhaustive list, the following tools and technologies provide network administrators with the ability to identify the existence of malware on the network:

- Packet captures: Collecting, storing, and analyzing the raw packets that are traversing the network is certainly one way of inspecting traffic for the presence of malware. Although packet captures provide the most granular look into the traffic that is on the network, one primary hurdle in the use of packet capture for malware identification is that you are looking for the proverbial "needle in a haystack" because of the volume of data that packet captures generate.

- Snort: Snort is an open source intrusion detection and prevention technology developed by the founder of Sourcefire (now a part of Cisco). The speed, power, and performance of Snort have made it the most popular intrusion detection/prevention system (IDS/IPS) technology in the world. The Snort engine consists of threat identification, detection, and prevention components that combine to reassemble traffic, prevent evasions, detect threats, and output information about advanced threats, while minimizing both false positives and false negatives (legitimate threats that go undetected).

- NetFlow: Packet capture is often referred to as micro-analytical in terms of the granularity of the data being analyzed, whereas NetFlow data is considered more of a macro-analytical approach. NetFlow data collection consists of the creation of buckets, or flows, of data that are based on a set of predefined parameters such as source IP address, source port, destination IP address, destination port, IP protocol, ingress interface, and type of service (ToS). Each time one of these parameters differs, a new flow is created. Flows are stored locally on the device for a configured time interval, after which they are exported to external collectors. Although NetFlow data does not provide the level of detail sometimes needed to identify malware on the network, it can serve as an excellent tool in the toolbox for tracing back evidence of a compromise once some of the details of the malware become known to network security administrators.

- IPS events: When using IPS devices on your network, it is possible to leverage the alarms triggered on the IPS device as an emergency flare signaling that network traffic should be further analyzed for the presence of malware. IPS devices often have signatures for specific strains of malware which, when triggered, can be an indication that malicious traffic exists on the network.

- Advanced Malware Protection: Cisco Advanced Malware Protection (AMP) is designed for Cisco FirePOWER network security appliances. It provides visibility and control to protect against highly sophisticated, targeted, zero-day, and persistent advanced malware threats. AMP helps to identify inconspicuous attacks by continuously analyzing and monitoring files after they have entered the network, utilizing retrospective security alerts to help administrators take action during and after an attack, and providing multi-source indications of compromise to aid in the correlation of discrete events for better detection.

- NGIPS: The Cisco FirePOWER next-generation intrusion prevention system (NGIPS) solution provides multiple layers of advanced threat protection at high inspection throughput rates. The NGIPS threat protection solution is centrally managed through the Cisco FireSIGHT Management Center and can be expanded to include additional features such as AMP, application visibility and control, and URL filtering.
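The NetFlow item above describes flows as buckets keyed on a fixed set of packet fields, held locally until a timer expires, and then used for trace-back once a suspect address is known (for example from an IPS signature hit or an AMP retrospective alert). The following is an added illustration, not code from the book or from any Cisco product: a minimal flow cache over constructed packet records; the field names, the inactive-timeout export and the `198.51.100.7` suspect address are all assumptions made for the example.

```python
from collections import namedtuple

# Flow key fields named in the text: source IP, source port, destination IP,
# destination port, IP protocol, ingress interface and type of service (ToS).
FlowKey = namedtuple("FlowKey", "src sport dst dport proto ifindex tos")

class Flow:
    """Counters kept per flow while it sits in the device's local cache."""
    def __init__(self, ts):
        self.packets, self.bytes = 0, 0
        self.first_seen = self.last_seen = ts

def build_flows(packets):
    """Bucket packet records by the 7-tuple; any differing field starts a new flow."""
    cache = {}
    for pkt in packets:
        key = FlowKey(*(pkt[f] for f in FlowKey._fields))
        flow = cache.get(key)
        if flow is None:
            flow = cache[key] = Flow(pkt["ts"])
        flow.packets += 1
        flow.bytes += pkt["len"]
        flow.last_seen = pkt["ts"]
    return cache

def expire_flows(cache, now, inactive_timeout):
    """Model the export step: remove and return flows idle longer than the timeout."""
    expired = {k: f for k, f in cache.items() if now - f.last_seen > inactive_timeout}
    for k in expired:
        del cache[k]
    return expired

def sources_talking_to(cache, suspect_ip):
    """Trace-back query: which sources have a flow to an address learned after the fact."""
    return sorted({k.src for k in cache if k.dst == suspect_ip})

# Constructed sample packet records (not captured traffic); 198.51.100.7 is a
# documentation address standing in for a suspect external host.
def _pkt(ts, src, sport, dst, dport, proto=6, ifindex=1, tos=0, length=80):
    return dict(ts=ts, src=src, sport=sport, dst=dst, dport=dport,
                proto=proto, ifindex=ifindex, tos=tos, len=length)

SAMPLE_PACKETS = [
    _pkt(1.0, "10.1.1.5", 51000, "198.51.100.7", 443),
    _pkt(1.2, "10.1.1.5", 51000, "198.51.100.7", 443, length=1200),  # same flow
    _pkt(2.0, "10.1.1.5", 51001, "198.51.100.7", 443),               # new source port
    _pkt(3.0, "10.1.1.9", 40000, "198.51.100.7", 443),
    _pkt(3.1, "10.1.1.9", 40000, "198.51.100.7", 443, tos=16),       # ToS differs
    _pkt(9.0, "10.1.1.22", 53000, "10.1.1.1", 53, proto=17),         # local DNS
]

if __name__ == "__main__":
    flows = build_flows(SAMPLE_PACKETS)
    print(len(flows), "flows;", sources_talking_to(flows, "198.51.100.7"))
```

The six sample packets yield five flows because a changed source port or ToS value opens a new bucket even when the endpoints are unchanged.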
