Friday, October 28, 2011

Outbound Denies

Many organizations don't allow a default route out of the enterprise.  In other words, systems on the internal network are forced to go through a proxy of some kind in order to reach the Internet.  In general, this is a good thing, as it provides both auditing and egress control/filtering: every outbound request is logged, and requests to sites the organization does not permit can be denied.

Monitoring this type of traffic yields two kinds of extremely interesting data from a network traffic analysis perspective, both involving denied outbound traffic:

1) Traffic that is proxy aware, but attempting to connect out to controlled/filtered/denied sites (the proxy logs the request and refuses it).
2) Traffic that is not proxy aware, and is thus dropped at the perimeter (no default route out allowed, so a direct connection never leaves the network).

Both #1 and #2 can be caused by misconfigurations, and #1 can also be caused by attempted drive-by redirects that fail or are blocked (and thus do not result in a successful compromise).  In those cases, the denied traffic is not caused by malicious code that has been successfully installed and executed.  In other cases, however, #1 and #2 may indeed be caused by malicious code or some other type of rogue process: an implant that is not proxy aware will keep trying to reach its controller directly, and every one of those attempts shows up as a drop.
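The two classes of denied traffic described above, as an added example that is not part of the original post: a small triage script that reads a Squid-style proxy access log (TCP_DENIED entries are class #1) and an iptables-style egress firewall log (direct connections dropped for lack of a default route are class #2), builds a per-host summary, and flags dropped direct connections that repeat at a near-constant interval, the kind of pattern a non-proxy-aware implant leaves when it cannot reach its controller. The log lines, the `OUTBOUND-DROP` log prefix, the hostnames and addresses are all constructed for illustration; only the general Squid and iptables field layouts are real.

```python
"""Triage of denied outbound traffic (added example, not from the original post).

Two constructed log sources:
  * PROXY_LOG -- Squid-style access.log lines; TCP_DENIED marks a proxy-aware
    client that asked for a site the proxy refused (class #1 in the post).
  * FW_LOG    -- iptables-style kernel log lines from the egress firewall;
    'OUTBOUND-DROP' lines are direct connections that did not use the proxy
    and were dropped because there is no default route out (class #2).
The log prefix, hostnames and addresses are assumptions for illustration.
"""
import re
from collections import defaultdict
from statistics import pstdev

PROXY_LOG = """\
1319800001.120     12 10.1.5.23 TCP_DENIED/403 3821 GET http://ads.example-tracker.net/pixel.gif - HIER_NONE/- text/html
1319800003.442    210 10.1.5.23 TCP_MISS/200 18233 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1319800009.901     11 10.1.5.77 TCP_DENIED/403 3820 GET http://bad-redirect.example.org/x.php - HIER_NONE/- text/html
1319800010.115     10 10.1.5.77 TCP_DENIED/403 3820 GET http://bad-redirect.example.org/y.php - HIER_NONE/- text/html
1319800015.300    150 10.1.5.41 TCP_MISS/200 5120 CONNECT mail.example.com:443 - HIER_DIRECT/203.0.113.10 -
"""

FW_LOG = """\
Oct 28 08:00:00 fw1 kernel: OUTBOUND-DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=198.51.100.7 PROTO=TCP SPT=49152 DPT=443
Oct 28 08:05:00 fw1 kernel: OUTBOUND-DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=198.51.100.7 PROTO=TCP SPT=49153 DPT=443
Oct 28 08:10:00 fw1 kernel: OUTBOUND-DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=198.51.100.7 PROTO=TCP SPT=49154 DPT=443
Oct 28 08:15:00 fw1 kernel: OUTBOUND-DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=198.51.100.7 PROTO=TCP SPT=49155 DPT=443
Oct 28 08:03:17 fw1 kernel: OUTBOUND-DROP IN=eth1 OUT=eth0 SRC=10.1.5.90 DST=192.0.2.53 PROTO=UDP SPT=51000 DPT=53
Oct 28 09:41:05 fw1 kernel: OUTBOUND-DROP IN=eth1 OUT=eth0 SRC=10.1.5.90 DST=203.0.113.25 PROTO=TCP SPT=51023 DPT=80
"""

# Squid native log: ts elapsed client result/status bytes method url ...
def proxy_denies(log):
    """Return {client_ip: [denied_url, ...]} for proxy-aware clients the proxy refused (class #1)."""
    out = defaultdict(list)
    for line in log.splitlines():
        f = line.split()
        if len(f) >= 7 and f[3].startswith("TCP_DENIED"):
            out[f[2]].append(f[6])
    return dict(out)

def url_host(url):
    """Host part of a Squid URL field; CONNECT entries carry 'host:port' with no scheme."""
    return url.split("/")[2] if "://" in url else url.split("/")[0]

# iptables LOG line: timestamp ... PREFIX ... SRC= DST= PROTO= ... DPT=
FW_RE = re.compile(r"(\d\d):(\d\d):(\d\d) .*OUTBOUND-DROP .*SRC=(\S+) DST=(\S+) PROTO=(\S+) .*DPT=(\d+)")

def direct_drops(log):
    """Return {src_ip: [(secs_of_day, dst, proto, dport), ...]} for dropped direct connections (class #2)."""
    out = defaultdict(list)
    for line in log.splitlines():
        m = FW_RE.search(line)
        if m:
            h, mi, s, src, dst, proto, dport = m.groups()
            out[src].append((int(h) * 3600 + int(mi) * 60 + int(s), dst, proto, int(dport)))
    return dict(out)

def beacon_candidates(drops, min_hits=3, max_jitter=5.0):
    """Find (src, dst, proto, dport) tuples whose drops repeat at a near-constant interval.
    Returns {key: mean_interval_seconds}. A regular cadence to one destination is what a
    non-proxy-aware implant looks like when it cannot get out; a one-off drop is more
    likely a misconfigured client or a failed redirect."""
    groups = defaultdict(list)
    for src, events in drops.items():
        for secs, dst, proto, dport in events:
            groups[(src, dst, proto, dport)].append(secs)
    found = {}
    for key, times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            found[key] = sum(gaps) / len(gaps)
    return found

def triage(proxy_log, fw_log):
    """Per-host view of both classes of denied outbound traffic, ready for an analyst to sort through."""
    denies, drops = proxy_denies(proxy_log), direct_drops(fw_log)
    beacons = beacon_candidates(drops)
    report = {}
    for h in sorted(set(denies) | set(drops)):
        report[h] = {
            "proxy_denied": len(denies.get(h, [])),
            "denied_sites": sorted({url_host(u) for u in denies.get(h, [])}),
            "direct_dropped": len(drops.get(h, [])),
            "beacon_like": [k[1:] for k in beacons if k[0] == h],
        }
    return report

if __name__ == "__main__":
    for host, info in triage(PROXY_LOG, FW_LOG).items():
        print(host, info)
```

In the constructed data, 10.1.5.77 only trips the proxy (two denied requests to one site, consistent with a blocked redirect), 10.1.5.90 has two unrelated drops (a stray DNS lookup and an HTTP attempt, the misconfiguration pattern), and 10.1.5.23 shows four drops to the same host and port exactly five minutes apart, which is the one worth pulling a host triage on first.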

It's another jumping-off point that can be used to provide valuable insight into what may be occurring on the network, and it comes from logs the proxy and perimeter devices are already producing.  With the speed at which attackers maneuver, every little bit helps.
