Freely subscribe to our NEWSLETTER

Organizations are at constant risk of infiltration by known bad actors on the Internet or the Dark Web. Certain malware programs can compromise software on a computer, turning that device into a zombie participant in a botnet. This zombie machine, running quietly in the background, provides cyber attackers full access to everything on the computer – and the ability to spread spam, viruses and spyware across the enterprise network or participate in distributed denial of service attacks on other unsuspecting organizations.

It is also very common to find that security defenses are not uniform across an enterprise network. While there are many egress points that do not let traffic out to known malware Command and Control (C2) servers or third-generation onion router (TOR) exit nodes, it is also true that Firewalls/Next-Generation Firewalls/Intrusion Prevention Systems/Data Loss Prevention solutions are not effective at limiting, or blocking entirely, outbound sessions over risky protocols.

Lumeta’s Cyber Threat Probe is designed to help organizations stem zombie infections and keep other threats and bad actors in check. With the Probe, threat intelligence is made actionable by utilizing existing capabilities of IPsonar 6.1 to correlate a comprehensive index of an enterprise’s IP address space against known threats. As soon as new threat intelligence becomes available, IPsonar will report against the new threats and send out notifications. The Cyber Threat Probe includes the ability for user-defined views to highlight findings and ease remediation.

IT professionals can use the Cyber Threat Probe for the following use cases:

Zombie Hunting (Identification of Botnet/C2 Infrastructure Internally) – Determine whether or not any trusted enterprise assets are malware infected infrastructure (participating in command and control botnet) or part of blacklists/Dropnets/Shadowserver/attacker lists.

The Cyber Threat Probe correlates IPsonar’s full index of the enterprise IP address space against known bad IP addresses to find enterprise assets that are blacklisted (listed in threat intelligence as malware/botnet machines). It raises a flag regarding any potentially compromised machines.

Identification of Internal TOR Relays/Bridges – Determine if any trusted/enterprise assets are, or were, acting as TOR relays/ bridges potentially for nefarious purposes.

The Cyber Threat Probe correlates IPsonar’s full index of the enterprise IP address space against TOR relay IP addresses to find enterprise assets that are listed as an active (or historical) TOR relay. It flags devices that are behaving as relays/bridges.

Validation of No Access to Known Malware C2 Servers – Determine whether or not active security controls prevent malware callback and data exfiltration to known botnet/C2 networks and servers.

The Cyber Threat Probe ingests threat intelligence feeds and uses that information as the target list for IPsonar to assess whether it can reach known C2 botnets. If those machines can be reached, a red flag is raised.

Validation of No Access to Known TOR Exit Nodes – Determine whether or not active security controls prevent call back to TOR exit nodes.

The Cyber Threat Probe ingests threat intelligence feeds and uses that information as the target list for IPsonar to reach known TOR exit nodes. If those nodes can be reached, a red flag is raised.

Availability

The Cyber Threat Probe is generally available (GA) today, at no additional cost to clients with an IPsonar 6.1 subscription or maintenance agreement. (Clients must have or upgrade to IPsonar 6.1. The Cyber Threat Probe can be downloaded from Lumeta’s client support site.)