Risky Business – Five Ways to Spot and Score Bad IP Clients

Printer-friendly versionPDF version

Fortinet highlights the importance of real-time client reputation and scoring as part of an intelligent network security strategy

Dubai, United Arab Emirates., February 24, 2013 - (PressReleasePoint) -
\
Dubai, UAE – 24 February 2013 – Identifying improper behaviour among the devices connected to their network is a critical tool for any organisation concerned about Advanced Persistent Threats (APTs). In light of the rapidly changing landscape of such targeted malware attacks, Fortinet^® lists the top five types of behaviour that might indicate that a device has been infected.
 
            1) Bad Connection Attempts
Typical malware behaviour often includes attempts to connect to hosts that don’t exist on the Internet. While some bad connections may be due to user error or bad links, a series of bad connections could be a sign of malware infection.
 
2) Choice of Application
A host that installs a P2P file sharing application can be considered riskier than a host that installs a game. Some organisations may consider both actions problematic. The ability to add weights to each action allows each risk to be scored accordingly.
 
3) Geographic Location
Visits to hosts in certain countries can be categorised as risky behaviour, especially if there is a significant amount of traffic involved. Identifying such behaviour can be combined with a white list approach that identifies legitimate sites in such countries to help identify infected clients.
 
 
4) Session Information
When a device starts to listen on a port to receive a connection from the outside but does not initiate a connection, an APT infection could be the cause.
 
5) Destination Category
Visiting certain types of websites, such as gambling and adult sites as well as those known to contain malicious code can also be a predictor of APT infection.
 
Bashar Bashaireh, Regional Director, Fortinet Middle East, said: “Identifying risky user and application behavior represents the next step in protection against Advanced Persistent Threats. We see that organisations in the Middle East are beginning to recognise the importance of building a complete, evolving and up-to-date picture of the behaviour of network clients. As signature-based protection is no longer enough, we recommend implementing client reputation and scoring to help order and understand the enormous amount of security information available within organisations, and applying it to a dynamic, targeted security response.”
 
These and other related findings are further explored in Fortinet’s new white paper: “Detecting What’s Flying Under the Radar: The Importance of Client Reputation in Defending Against Advanced Threats”. Fortinet’s unique patent-pending client reputation capability is one of the hallmark features of its latest operating system, FortiOS 5.
 
To download the white paper, visit http://www.fortinet.com/resource_center/whitepapers/importance_client_reputation.html