Five Ways to Spot and Score Bad IP Clients

Fortinet highlights the importance of real-time client reputation and scoring as part of an intelligent network security tool for any organisation concerned about Advanced Persistent Threats (APTs). In light of the rapidly changing landscape of such targeted malware attacks, Fortinet lists the top five types of behaviour that might indicate that a device has been infected.
a) Bad Connection Attempts

Typical malware behaviour often includes attempts to connect to hosts that don't exist on the Internet. While some bad connections may be due to user error or bad links, a series of bad connections could be a sign of malware infection.

b) Choice of Application

A host that installs a P2P file sharing application can be considered riskier than a host that installs a game. Some consider both actions problematic. The ability to add weights to each action allows each risk to be scored accordingly.

c) Geographic Location

Visits to hosts in certain countries can be categorised as risky behaviour, especially if there is a significant amount of traffic involved. Identifying such behaviour can be combined with a white list approach that identifies legitimate sites in such countries to help identify infected clients.

d) Session Information

When a device starts to listen on a port to receive a connection from the outside but does not initiate a connection, an APT infection could be the cause.

e) Destination Category

Visiting certain types of websites, such as gambling and adult sites as well as those known to contain malicious code, can also be a predictor of APT infection.
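As an added illustration (not Fortinet's code or product logic), the scorer below applies per-event weights to the five behaviour types listed above over a handful of constructed log events and flags clients whose total crosses a threshold. Every weight, country code, allow-list entry, category name and event field is an assumption chosen for illustration.

```python
from collections import defaultdict

# Assumed weights for behaviour types a), c), d) and e); b) is looked up per application.
WEIGHTS = {
    "bad_connection": 2,   # a) connection attempt to a host that does not resolve
    "risky_geo": 3,        # c) traffic to a risky country, destination not allow-listed
    "listener": 5,         # d) listening for inbound connections, never initiated one
    "risky_category": 4,   # e) gambling, adult or known-malicious destination
}
APP_WEIGHTS = {"p2p": 4, "game": 1}   # b) weight per installed application (assumed)
RISKY_COUNTRIES = {"XX"}              # constructed placeholder country code
GEO_ALLOWLIST = {"legit.example"}     # legitimate sites hosted in risky countries
RISKY_CATEGORIES = {"gambling", "adult", "malicious"}

def score_events(events):
    """Return {client: score}; events is a list of dicts in any order."""
    # d) needs to know which clients initiated any outbound connection at all.
    initiated = {e["client"] for e in events if e["type"] == "connect"}
    scores = defaultdict(int)
    for e in events:
        c = e["client"]
        if e["type"] == "connect":
            if not e.get("resolved", True):
                scores[c] += WEIGHTS["bad_connection"]
            if e.get("country") in RISKY_COUNTRIES and e["dst"] not in GEO_ALLOWLIST:
                scores[c] += WEIGHTS["risky_geo"]
            if e.get("category") in RISKY_CATEGORIES:
                scores[c] += WEIGHTS["risky_category"]
        elif e["type"] == "install":
            scores[c] += APP_WEIGHTS.get(e["app"], 0)
        elif e["type"] == "listen" and c not in initiated:
            scores[c] += WEIGHTS["listener"]
    return dict(scores)

def flag_clients(scores, threshold=10):
    """Clients whose score reaches the threshold, highest score first."""
    return sorted((c for c, s in scores.items() if s >= threshold),
                  key=lambda c: -scores[c])

# Constructed sample events, not captured traffic.
SAMPLE_EVENTS = [
    {"type": "connect", "client": "10.0.0.5", "dst": "nx1.example", "resolved": False},
    {"type": "connect", "client": "10.0.0.5", "dst": "nx2.example", "resolved": False},
    {"type": "connect", "client": "10.0.0.5", "dst": "bad.example",
     "country": "XX", "category": "malicious"},
    {"type": "install", "client": "10.0.0.5", "app": "p2p"},
    {"type": "connect", "client": "10.0.0.7", "dst": "legit.example", "country": "XX"},
    {"type": "install", "client": "10.0.0.7", "app": "game"},
    {"type": "listen", "client": "10.0.0.9", "port": 4444},
]
```

Run `score_events(SAMPLE_EVENTS)` and `flag_clients(...)` on it to see the allow-listed visit from 10.0.0.7 score nothing while the repeated failed lookups, risky destination and P2P install on 10.0.0.5 push it over the threshold.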
"Identifying risky user and application behaviour represents the next step in protection against Advanced Persistent Threats. Signature-based protection is no longer enough. It's important to build a complete, evolving and up-to-date picture of the behaviour of network clients," said Vishak Raman, Senior Regional Director, Fortinet, India & SAARC. "Client reputation and scoring is an essential component in ordering and understanding the enormous amount of security information available within organisations, and applying it to a dynamic, targeted security response."

