Threat Detection
As you deploy more devices, the risk of some of them being compromised grows. Protecting the asset in the field is what really protects the enterprise's connectivity.
Customers want to get a device, connect it to the internet and talk to our servers, but they forget to think about security as a whole and what it means to put the device out there. A device could be in the field for 15-20 years, so how do you ensure your device is secure now, and how do you maintain that security over time?
Monitor the devices.
Check for vulnerabilities and attacks as they happen.
Display Security widgets in the platform UI so that you can set up alerts and be notified as soon as these are triggered.
The widgets are designed to surface the important information.
The events are divided into two categories: Threats and Non Threats.
The pie chart widgets give you an overview of the events that have taken place in the last 30 days. We have compiled a list of the alerts that will be displayed to you and their meaning: Description of Alerts
The "Top 10 Subscribers Threatened (Last 30 days)" widget shows the Subscribers from whom we have received the most alerts that fall under the "Threat" category in the last 30 days.
The "Threat/Non Threat Security Events" table widget shows all the alerts that have been triggered, both Threats and Non Threats. Use the Advanced filters (funnel icon) to quickly narrow down your search. You can also customize the columns displayed in the table.
The table shows the date of the event alongside the subscriber details, the status of the event, and so on.
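The logic behind the three widgets described above (the 30-day pie chart, the "Top 10 Subscribers Threatened" ranking and the filterable events table), as an added example that is not the platform's own code. The alert names, the Threat/Non Threat split and the sample events are constructed for this example; the real catalogue is the platform's "Description of Alerts" list.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed alert catalogue: which alert names count as Threats and which do not.
THREAT_ALERTS = {"SQL injection", "ICMP flood", "SNMP reflection", "Trojan"}
NON_THREAT_ALERTS = {"Suspicious scan", "TFTP transfer"}


@dataclass(frozen=True)
class SecurityEvent:
    timestamp: datetime
    subscriber: str   # device / SIM identifier as the platform would show it
    alert: str        # alert name from the catalogue above
    status: str       # e.g. "open" or "closed"


def category(alert: str) -> str:
    """Map an alert name to the widget category: "Threat" or "Non Threat"."""
    if alert in THREAT_ALERTS:
        return "Threat"
    if alert in NON_THREAT_ALERTS:
        return "Non Threat"
    raise ValueError(f"unknown alert type: {alert}")


def last_30_days(events, now):
    """Keep only events inside the 30-day window ending at `now`."""
    cutoff = now - timedelta(days=30)
    return [e for e in events if cutoff <= e.timestamp <= now]


def pie_chart_counts(events, now):
    """Per-category counts for the pie chart widget."""
    return Counter(category(e.alert) for e in last_30_days(events, now))


def top_subscribers_threatened(events, now, n=10):
    """Subscribers ranked by number of Threat-category alerts in the last 30 days."""
    counts = Counter(e.subscriber for e in last_30_days(events, now)
                     if category(e.alert) == "Threat")
    return counts.most_common(n)


def filter_events(events, now, category_filter=None, status=None):
    """The table widget's 'advanced filter': narrow by category and/or status, newest first."""
    rows = last_30_days(events, now)
    if category_filter is not None:
        rows = [e for e in rows if category(e.alert) == category_filter]
    if status is not None:
        rows = [e for e in rows if e.status == status]
    return sorted(rows, key=lambda e: e.timestamp, reverse=True)


# Constructed sample data: a fixed "now" and a handful of events around it.
NOW = datetime(2024, 3, 31, 12, 0, 0)
SAMPLE_EVENTS = [
    SecurityEvent(NOW - timedelta(days=1),  "sub-A", "SQL injection",   "open"),
    SecurityEvent(NOW - timedelta(days=2),  "sub-A", "ICMP flood",      "closed"),
    SecurityEvent(NOW - timedelta(days=3),  "sub-A", "Trojan",          "open"),
    SecurityEvent(NOW - timedelta(days=5),  "sub-B", "SNMP reflection", "open"),
    SecurityEvent(NOW - timedelta(days=5),  "sub-B", "Suspicious scan", "closed"),
    SecurityEvent(NOW - timedelta(days=10), "sub-C", "Suspicious scan", "open"),
    SecurityEvent(NOW - timedelta(days=45), "sub-A", "SQL injection",   "open"),  # outside the window
    SecurityEvent(NOW - timedelta(days=29), "sub-D", "TFTP transfer",   "closed"),
]

if __name__ == "__main__":
    print("pie chart:", dict(pie_chart_counts(SAMPLE_EVENTS, NOW)))
    print("top subscribers:", top_subscribers_threatened(SAMPLE_EVENTS, NOW))
    for e in filter_events(SAMPLE_EVENTS, NOW, category_filter="Threat", status="open"):
        print(e.timestamp.date(), e.subscriber, e.alert, e.status)
```

The 45-day-old event is deliberately excluded by the window, so the pie chart and the ranking agree with each other: both only ever see the same 30 days of data.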
Get in touch with us directly if you are interested in this service and we will take it from there!
Enable Security Widgets in the platform UI
Threat / Non Threat Security Events table
Have we flagged an alert, but you are unsure what it means? We can help with that!
Threat Detection - Alerts
A framework created by Microsoft to extend the functionality of the Component Object Model (COM) and Object Linking and Embedding (OLE) and apply it to content downloaded from networks. ActiveX controls are mostly used for creating add-ons for web browsers, particularly Internet Explorer. ActiveX provides native code execution. Buffer overflows and file overwriting are the ActiveX vulnerabilities that are usually exploited.
Anomaly-based detection is the identification of data points, items, observations or events that show unusual behaviour in the network traffic compared with the expected normal traffic pattern.
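How an anomaly-based detector builds its notion of "expected normal traffic" and scores each new observation against it, as an added example that is not the platform's own code. It scores a series of per-minute connection counts against a rolling baseline using the median and the median absolute deviation (MAD), so that a single spike cannot drag the baseline up and hide the next anomaly. The traffic series, the window length and the threshold are constructed for this example.

```python
from statistics import median

# 1.4826 scales the MAD so it estimates the standard deviation for normally distributed data.
MAD_TO_SIGMA = 1.4826


def robust_zscores(series, window=10):
    """Score each point after the warm-up window against the preceding `window` points.

    Returns (index, z) pairs. Median/MAD are used instead of mean/standard deviation
    because one outlier in the baseline would otherwise inflate both and mask later ones.
    """
    scores = []
    for i in range(window, len(series)):
        baseline = series[i - window:i]
        med = median(baseline)
        # On a perfectly flat baseline the MAD is 0; fall back to 1.0 to avoid dividing by zero.
        mad = median(abs(x - med) for x in baseline) or 1.0
        scores.append((i, (series[i] - med) / (MAD_TO_SIGMA * mad)))
    return scores


def anomalies(series, window=10, threshold=3.5):
    """Indices whose robust z-score exceeds the threshold in either direction.

    A sudden drop (e.g. a device going silent) is as interesting as a spike.
    """
    return [i for i, z in robust_zscores(series, window) if abs(z) > threshold]


# Constructed sample: connections per minute from one device. Minute 14 is a burst,
# minute 20 is a near-silent drop, everything else is normal jitter around 42.
CONNECTIONS_PER_MINUTE = [42, 40, 45, 41, 43, 44, 39, 42, 46, 41,
                          43, 40, 44, 42, 310, 41, 43, 42, 40, 44, 5, 42]

if __name__ == "__main__":
    for i, z in robust_zscores(CONNECTIONS_PER_MINUTE):
        flag = " <-- anomaly" if abs(z) > 3.5 else ""
        print(f"minute {i:2d}: {CONNECTIONS_PER_MINUTE[i]:4d} conn/min, z={z:7.2f}{flag}")
```

Note that minute 15, immediately after the burst, is not flagged: the burst is in its baseline window, but the median ignores it. A mean-based baseline would have been pulled up by the 310 and could have flagged the normal minutes that follow.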
Possible when there is lateral movement or a file creation request. For example, if the attacker is able to fetch data by executing an SQL command, at that moment we see a response with status 200, which means the attacker was successful.
Short for "robot", a bot is a type of software application or script that performs automated tasks on command. Bad bots perform malicious tasks that allow an attacker to remotely take control of an affected computer. Once infected, these machines may also be referred to as zombies.
URLs: malicious websites that are fed with malware and viruses.
An entry that may contain an IP address or domain name which appears to be acting as malware or a virus.
The IPs of machines infected by malware such as Trojans.
Each time the IP list is changed, modified or updated, we keep track of its size (both the number of entries and the number of unique IPs matched). Using this information we can detect what the list maintainers do and get an idea of the list's trend and its maintainers' habits.
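A worked version of the list tracking described above, as an added example that is not the platform's own code. It parses successive versions of an IP blocklist, records both the number of entries and the number of unique IPs actually matched (CIDR ranges expanded, overlapping entries collapsed), and classifies the change between versions. The three list versions use reserved documentation address ranges and are constructed for this example; "consolidated", "grew", "shrank" and "padded" are labels chosen here, not the platform's terms.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ListSnapshot:
    version: str
    entries: int      # number of lines in the list
    unique_ips: int   # number of distinct addresses those lines cover


def parse_entries(text):
    """Parse a blocklist: one IP or CIDR per line, '#' comments and blank lines ignored."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def unique_ips_matched(nets):
    """Count distinct addresses covered, collapsing overlaps.

    A /24 plus a single host inside it matches 256 addresses, not 257.
    collapse_addresses() only accepts one IP version at a time, so v4 and v6 are done separately.
    """
    total = 0
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        if same:
            total += sum(n.num_addresses for n in ipaddress.collapse_addresses(same))
    return total


def snapshot(version, text):
    nets = parse_entries(text)
    return ListSnapshot(version, len(nets), unique_ips_matched(nets))


def describe_change(prev, cur):
    """Compare two snapshots and label what the maintainers appear to have done."""
    d_entries = cur.entries - prev.entries
    d_ips = cur.unique_ips - prev.unique_ips
    if d_entries == 0 and d_ips == 0:
        trend = "unchanged"
    elif d_entries < 0 and d_ips >= 0:
        trend = "consolidated"   # fewer lines, same or more coverage: hosts merged into ranges
    elif d_ips > 0:
        trend = "grew"
    elif d_ips < 0:
        trend = "shrank"
    else:
        trend = "padded"         # more lines, no new coverage: redundant entries added
    return {"from": prev.version, "to": cur.version,
            "entries_delta": d_entries, "unique_ips_delta": d_ips, "trend": trend}


# Constructed list versions (TEST-NET ranges, not real threat data).
LIST_V1 = """# v1
192.0.2.10
192.0.2.11
198.51.100.0/28
203.0.113.5
"""
LIST_V2 = """# v2: maintainers blocked the whole /24 but left one host entry in place
192.0.2.0/24
192.0.2.10
198.51.100.0/28
203.0.113.5
"""
LIST_V3 = """# v3: the redundant host entry was removed
192.0.2.0/24
198.51.100.0/28
203.0.113.5
"""

SNAP_V1 = snapshot("v1", LIST_V1)
SNAP_V2 = snapshot("v2", LIST_V2)
SNAP_V3 = snapshot("v3", LIST_V3)

if __name__ == "__main__":
    for s in (SNAP_V1, SNAP_V2, SNAP_V3):
        print(s)
    print(describe_change(SNAP_V1, SNAP_V2))
    print(describe_change(SNAP_V2, SNAP_V3))
```

Tracking both numbers is what makes the trend readable: v1 to v2 keeps the same four entries while coverage jumps from 19 to 273 addresses, and v2 to v3 drops an entry without losing any coverage.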
An exploit in which an attacker takes advantage of vulnerabilities in the Domain Name System (DNS). DNS is the protocol that translates a user-friendly domain name into the computer-friendly IP address.
A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. The attacker sends several requests to the target server, overloading it with traffic. These service requests are illegitimate and have fabricated return addresses, which mislead the server when it tries to authenticate the requester.
Contains a set of malicious IPs and URLs.
An exploit is one which checks for a vulnerability in a particular machine and exploits that vulnerability.
An exploit of the FTP protocol whereby an attacker is able to use the PORT command to request access to ports indirectly through the use of the victim machine, which serves as a proxy for the request.
HTTP flood is a type of Distributed Denial of Service (DDoS) attack in which the attacker exploits seemingly legitimate HTTP GET or POST requests to attack a web server or application.
An Internet Control Message Protocol (ICMP) flood attack, also known as a Ping flood attack, is a common Denial-of-Service (DoS) attack in which an attacker attempts to overwhelm a targeted device with ICMP echo-requests (pings). By flooding the target with request packets, the network is forced to respond with an equal number of reply packets. This causes the target to become inaccessible to normal traffic.
An attacker exploits weaknesses in input validation on IMAP/SMTP servers to execute commands on the server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the web-mail servers which then query the back-end mail server for the requested information and return this response to the user.
Attack: a NetBIOS attack is a type of hack that exploits a bug in Windows. It does not require any hidden backdoor program to be running on your computer, which makes NetBIOS the worst kind of attack. NetBIOS is meant to be used on local area networks, so that machines on that network can share information. The bug in NetBIOS is that it can also be used across the Internet, which gives the hacker a chance to access your machine remotely. The port used here is 139.
Peer-to-peer attacks exploit the fabric of peering technology to perform attacks. These attacks distinguish themselves from other types of attack in the following ways:
a. The attacker does not have to communicate with the clients for subversion.
b. The automated nature of peer-to-peer technology can allow for bot-like amplification of an attack with the permission of the victim.
Scripting this attack can test thousands of e-mail address combinations. The SMTP command EXPN may allow attackers to verify which mailing lists exist on a server. You can simply telnet to your e-mail server on port 25 and try EXPN on your own system.
Another way to somewhat automate the process is to use the EmailVerify program in. It uses port number 25.
SNMP reflection, like other reflection attacks, involves eliciting a flood of responses to a single spoofed IP address. During an SNMP reflection attack, the perpetrator sends out a large number of SNMP queries with a forged IP address (the victim’s) to numerous connected devices that, in turn, reply to that forged address. The attack volume grows as more and more devices continue to reply, until the target network is brought down under the collective volume of these SNMP responses.
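Detection logic for the two volumetric patterns described on this page, the ICMP (ping) flood and SNMP reflection, as an added example that is not the platform's own code. Both rules bucket packet records into one-second windows, but they key on different things: a ping flood is many echo requests arriving at one target, while a reflection attack shows up as many distinct devices all sending SNMP responses (UDP source port 161) to the same destination. The packet records, addresses and thresholds are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    proto: str            # "icmp" or "udp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1   # 8 = echo request, 0 = echo reply; -1 for non-ICMP


# Constructed thresholds; a real deployment would tune these per link capacity.
ICMP_REQUESTS_PER_SEC = 10
SNMP_RESPONDERS_PER_SEC = 5


def detect_icmp_flood(packets, threshold=ICMP_REQUESTS_PER_SEC):
    """Alert when one destination receives >= threshold echo requests in a one-second bucket."""
    per_bucket = defaultdict(int)
    for p in packets:
        if p.proto == "icmp" and p.icmp_type == 8:
            per_bucket[(p.dst, int(p.ts))] += 1
    return sorted(("ICMP flood", dst, sec, n)
                  for (dst, sec), n in per_bucket.items() if n >= threshold)


def detect_snmp_reflection(packets, threshold=SNMP_RESPONDERS_PER_SEC):
    """Alert when >= threshold distinct hosts send SNMP responses to one destination in a second.

    The count is of distinct responders, not packets: a single agent answering quickly is
    normal polling, while many unrelated agents converging on one address is the reflection pattern.
    """
    responders = defaultdict(set)
    for p in packets:
        if p.proto == "udp" and p.sport == 161:
            responders[(p.dst, int(p.ts))].add(p.src)
    return sorted(("SNMP reflection", dst, sec, len(s))
                  for (dst, sec), s in responders.items() if len(s) >= threshold)


def run_rules(packets):
    return detect_icmp_flood(packets) + detect_snmp_reflection(packets)


def sample_packets():
    """Constructed capture: one ping flood, one reflection burst, and some benign background."""
    pkts = []
    # 15 echo requests to 10.0.0.9 inside the same second.
    for i in range(15):
        pkts.append(Packet(100.0 + i * 0.05, "10.0.0.5", "10.0.0.9", "icmp", icmp_type=8))
    # Ordinary ping and its reply between two other hosts.
    pkts.append(Packet(100.5, "10.0.0.6", "10.0.0.7", "icmp", icmp_type=8))
    pkts.append(Packet(101.2, "10.0.0.7", "10.0.0.6", "icmp", icmp_type=0))
    # Eight distinct SNMP agents all answering 10.0.0.9 within one second.
    for i in range(1, 9):
        pkts.append(Packet(200.0 + i * 0.05, f"172.16.0.{i}", "10.0.0.9", "udp", sport=161, dport=5000))
    # A single legitimate SNMP response to a monitoring host.
    pkts.append(Packet(300.0, "172.16.0.1", "10.0.0.7", "udp", sport=161, dport=5000))
    return pkts


if __name__ == "__main__":
    for rule, dst, sec, count in run_rules(sample_packets()):
        print(f"{rule}: target {dst} at t={sec}s ({count} observed)")
```

From the victim's side the reflection rule needs no knowledge of the forged queries at all: the spoofed source address means the victim never sent them, so a burst of unsolicited responses from many agents is itself the signal.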
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve.
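The vulnerability described above shown beside its fix, as an added example that is not the platform's own code: a lookup that splices user input into the SQL text returns rows the caller should never see, while the same lookup with a bound parameter does not. The in-memory SQLite table, the serial numbers and the crafted input are constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed table of devices and their owners."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, owner TEXT, serial TEXT)")
    conn.executemany("INSERT INTO devices (owner, serial) VALUES (?, ?)",
                     [("alice", "SN-0001"), ("bob", "SN-0002"), ("carol", "SN-0003")])
    conn.commit()
    return conn


def devices_for_owner_vulnerable(conn, owner):
    # Vulnerable: the caller-controlled string becomes part of the SQL statement,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    query = f"SELECT serial FROM devices WHERE owner = '{owner}' ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def devices_for_owner_safe(conn, owner):
    # Hardened: the value is bound as a parameter; the database receives it as data,
    # never as SQL text, so no input can change the shape of the query.
    rows = conn.execute("SELECT serial FROM devices WHERE owner = ? ORDER BY id", (owner,))
    return [row[0] for row in rows]


# The textbook tautology input: the vulnerable query's WHERE clause becomes always-true.
CRAFTED_OWNER = "alice' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("normal / vulnerable:", devices_for_owner_vulnerable(conn, "alice"))
    print("normal / safe:      ", devices_for_owner_safe(conn, "alice"))
    print("crafted / vulnerable:", devices_for_owner_vulnerable(conn, CRAFTED_OWNER))
    print("crafted / safe:      ", devices_for_owner_safe(conn, CRAFTED_OWNER))
```

The two functions behave identically on an ordinary owner name; they only diverge on input that contains SQL syntax, which is why the defect is invisible in normal testing and why parameterised queries (not input filtering) are the fix.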
Every communication from the remote device to the networking device we are configuring is sent in plain text. Of course, that is a big security issue, and in situations where we use telnet we are making our commands vulnerable to frame sniffing.
Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by hackers trying to gain access to users’ systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system.
TFTP uses client and server software to make connections between two devices. From a TFTP client, individual files can be copied (uploaded) to or downloaded from the server. The server hosts the files and the client requests or sends files. TFTP can also be used to remotely start a computer and back up network or router configuration files.
A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will use this machine as a host to scan and infect other computers.
A Remote Procedure Call (RPC) protocol that allows remote procedure calls through data transferred in XML format. These calls enable different platforms to communicate with websites, but they also enabled malicious hackers to send arbitrary XML data that forced websites to execute certain code or exfiltrate data.
A suspicious scan over the network, for example of MySQL port 1433.