
What do you do when an attempt to communicate with a botnet is detected?

I'm curious about what the best course of action is. One of the XG Firewalls we manage detected an attempt to communicate with a botnet. The policy is set to Log and Drop and the alert itself says "no further action is needed", but why not? I don't think we just want to log and drop this, do we?

Don't we also want to find out what's going on with the device that triggered this?

What are other people doing when they get these alerts?

I can run an additional virus scan with Malwarebytes. I can run a manual scan with Sophos Endpoint protection. I can check to see what programs are installed...

Does anyone have any other recommendations? Ideally I can come up with a procedure to follow whenever we get one of these alerts.

  • I will look into this Threat Hunting course and see if I can learn the general methods. Unfortunately, we don't use the Endpoint protection for the customer this most recently happened with so I'll see what data I can gather without it. We use BitDefender at the endpoint for this particular customer, which I don't believe will be any help in this scenario.

  • Please post such an event log from ATP.

    Is it DNS traffic?

    It may only have been caused by the DNS servers' root zone updates.

  • Ah, I can't see the alert anymore in the log viewer :(

    It was one of the computers trying to hit a subdomain of http://rawlexi.com

  • I have also seen this domain hitting our ATP some times in the past.

    btw: great logging feature on a firewall, that you cannot see this log after about a week, right?
    -> Central Cloud Logging is not suitable for everyone. Logging on XG is really not good.

  • Couldn't agree more. They are "adding" value with Sophos Central by extracting value from the firewall.

    Call me old fashioned, but when I have a firewall for a job, I want to use the firewall for the job, not start hooking it to other places for what I consider standard operations.

    ------------------------------------------------

    world's number one free ICMP monitoring platform: https://pinescore.com

  • The point of Central is XDR. The first step of the new world of extended logging. See: https://community.sophos.com/intercept-x-endpoint/b/blog/posts/sophos-xdr-and-edr-4-0-now-available

    That's the future.

    __________________________________________________________________________________________________________________

  • The future for whom? I only need what I need, and I'm a happy customer. SG - tail + grepping logs, thanks. Problem solved in half the time, ssh across in 10 seconds. If I need a historical look I'll search them through the GUI; all the info will be there.

    I don't need cloud, or the delay of two-factor. I want to be half deep into the problem and logs within 60 seconds, not still loading up Central because it's slow.

    Our future desires are different, businesses want control and integration into their global platform, the customer wants results and speed. It's misaligned, in my opinion.

    That said, I still choose to use XG at home over all other platforms. It helps that it's free, but overall it's also pretty decent. But logging off grid could be improved.

    ------------------------------------------------

    world's number one free ICMP monitoring platform: https://pinescore.com

  • I am talking about the future of Threat Hunting. That is the main goal of a security product to begin with. You want to address complex attack scenarios and want to fight back. Looking at a firewall log only is only a small part of the actual "what happened here?".

    Looking at the current state of attacks (see MITRE), you can easily spot the issue with relying only on a firewall. The firewall can only give you a small view of the actual attack, while getting more intel on your entire network is the key to fighting back.

    I am not saying the current state of logging is the best; it still gets more detail added to it (Log Viewer improvements etc.). What I am saying is, reporting is not logging. Central is a reporting platform. It's about getting intel on what is going on.

    Just some thoughts for the future. 

    __________________________________________________________________________________________________________________

  • Fair enough, valid points, and I appreciate that from what I've read from you in this forum in the past you know your onions (know what you're talking about).

    Cheers

    ------------------------------------------------

    world's number one free ICMP monitoring platform: https://pinescore.com

  • The logs should be there on the firewall and be available through Log Viewer. In fact it is a bit the opposite of what you said, Lucar Toni: the ATP reports (something that I would expect as a Central Cloud feature) are available on the XG but not the logs.

    Please go to Reports > Network & Threats and select ATP and the correct time frame.

    I can still find the event from 2021-04-22 on our XG there. In our case it was the DNS server resolving a request to this FQDN, which was blocked by XG ATP.
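The last reply's finding, that the ATP hit was the internal DNS server resolving the domain rather than the affected host itself, means the firewall log alone cannot name the client, which is the first thing the original question's triage procedure needs. As an added example that is not from this thread or from Sophos, here is a small helper that searches the DNS server's query log for the flagged domain and lists which internal clients asked for it; it assumes a BIND-style query-log layout, and the sample lines, client addresses and the `10.20.0.53` resolver are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in BIND-style query-log format (an assumption about
# the site's DNS server; Windows DNS debug logs use a different layout).
SAMPLE_DNS_LOG = """\
22-Apr-2021 09:58:41.102 client 10.20.0.15#52113 (www.example.com): query: www.example.com IN A + (10.20.0.53)
22-Apr-2021 10:02:17.881 client 10.20.0.37#61120 (cdn.rawlexi.com): query: cdn.rawlexi.com IN A + (10.20.0.53)
22-Apr-2021 10:02:19.004 client 10.20.0.37#61121 (cdn.rawlexi.com): query: cdn.rawlexi.com IN AAAA + (10.20.0.53)
22-Apr-2021 10:05:03.550 client 10.20.0.88#50001 (notrawlexi.com): query: notrawlexi.com IN A + (10.20.0.53)
22-Apr-2021 10:41:55.217 client 10.20.0.37#61377 (api.rawlexi.com): query: api.rawlexi.com IN A + (10.20.0.53)
"""

# timestamp, client IP (with the optional BIND "@0x..." handle), queried name and type
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def in_flagged_domain(qname, flagged):
    """True if qname is flagged or a subdomain of it; notrawlexi.com must not match rawlexi.com."""
    q = qname.rstrip(".").lower()
    f = flagged.rstrip(".").lower()
    return q == f or q.endswith("." + f)

def find_querying_clients(log_text, flagged_domain):
    """Map each internal client IP to the (timestamp, qname, qtype) queries it made."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query-log entry (e.g. a startup or zone-transfer message)
        if in_flagged_domain(m["qname"], flagged_domain):
            hits[m["ip"]].append((m["ts"], m["qname"], m["qtype"]))
    return dict(hits)

def triage_summary(log_text, flagged_domain):
    """One line per client, busiest first; an empty result points back at the resolver itself."""
    hits = find_querying_clients(log_text, flagged_domain)
    if not hits:
        return "no client queried %s; the resolver itself may have looked it up" % flagged_domain
    rows = []
    for ip, qs in sorted(hits.items(), key=lambda kv: -len(kv[1])):
        rows.append("%s: %d queries, first %s, last %s" % (ip, len(qs), qs[0][0], qs[-1][0]))
    return "\n".join(rows)

if __name__ == "__main__":
    print(triage_summary(SAMPLE_DNS_LOG, "rawlexi.com"))
```

A Windows DNS server records no per-query lines until debug logging (or the analytic event log) is enabled, so that needs to be on before the next alert for this approach to work there.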