Battle of the Week - Botnet Communications
Our client was a local county whose network houses emergency communications and other critical telecom services.
Once botnet malware enters a network, it spreads from computer to computer. Once it has established itself, the infected devices periodically reach out to the botnet's command-and-control (C2) servers so that the operator can execute code on them remotely.
After close analysis of our client's SIEM and various firewalls, we identified botnet communication from an internal IP to an external IP. We reviewed the firewall logs for traffic to IPs known for hosting botnets, because when the source IP belongs to a government entity, most traffic to IPs in foreign countries is malicious.
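As an added example (not part of the original write-up), the following Python sketches the two checks this case describes: matching outbound firewall events against a threat-intelligence list of known botnet addresses, and flagging the periodic beaconing that an infected host shows when it checks in with its C2 server. The log format, IP addresses and intel list are all constructed for the example; they are not a real vendor's log format or a real feed.

```python
"""Hypothetical firewall-log review for botnet C2 indicators (added example).

Check 1: outbound connections from an internal host to a destination on a
         threat-intelligence list of known botnet/C2 addresses.
Check 2: "beaconing": repeated connections from one internal host to one
         external address at near-constant intervals.
All IPs, log lines and the intel list are constructed for the example.
"""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed intel list; in practice this is a feed the SIEM ingests.
KNOWN_C2_IPS = {"203.0.113.77", "198.51.100.9"}

# RFC 1918 ranges treated as "inside" the client's network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log lines in a simplified key=value layout (not a real vendor format).
SAMPLE_LOGS = """\
2024-03-04T09:00:00Z action=allow src=10.20.5.14 dst=203.0.113.77 dport=443 proto=tcp
2024-03-04T09:00:02Z action=allow src=10.20.5.31 dst=192.0.2.10 dport=443 proto=tcp
2024-03-04T09:05:00Z action=allow src=10.20.5.14 dst=203.0.113.77 dport=443 proto=tcp
2024-03-04T09:07:13Z action=allow src=10.20.5.31 dst=192.0.2.44 dport=80 proto=tcp
this line is deliberately malformed and must be skipped
2024-03-04T09:10:00Z action=allow src=10.20.5.14 dst=203.0.113.77 dport=443 proto=tcp
2024-03-04T09:15:01Z action=allow src=10.20.5.14 dst=203.0.113.77 dport=443 proto=tcp
2024-03-04T09:16:40Z action=allow src=10.20.5.31 dst=10.20.1.5 dport=445 proto=tcp
2024-03-04T09:20:00Z action=allow src=10.20.5.14 dst=203.0.113.77 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def parse_logs(text):
    """Return a list of event dicts; malformed lines are skipped rather than crashing the review."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_outbound(ev):
    """Internal source talking to a destination outside the RFC 1918 ranges."""
    return is_internal(ev["src"]) and not is_internal(ev["dst"])


def find_known_c2(events, intel=KNOWN_C2_IPS):
    """Check 1: distinct (src, dst) pairs whose destination is on the intel list."""
    return sorted({(ev["src"], ev["dst"]) for ev in events if is_outbound(ev) and ev["dst"] in intel})


def find_beacons(events, min_hits=4, max_jitter=0.1):
    """Check 2: src->dst pairs with >= min_hits connections at near-regular intervals.

    Jitter is the coefficient of variation (population stdev / mean) of the
    gaps between connections; user browsing is bursty, beacons are regular.
    Returns {(src, dst): mean_interval_seconds}.
    """
    by_pair = defaultdict(list)
    for ev in events:
        if is_outbound(ev):
            by_pair[(ev["src"], ev["dst"])].append(ev["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[pair] = round(mean, 1)
    return beacons


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("known C2 contacts:", find_known_c2(evs))
    print("beaconing pairs:  ", find_beacons(evs))
```

In the constructed sample, host 10.20.5.14 contacts 203.0.113.77 every five minutes and that address is on the intel list, so both checks fire on the same pair; the second host's sparse, irregular traffic is left alone. The beacon check is deliberately separate from the intel match because it catches a C2 server that is not yet on any list, at the cost of needing a jitter threshold tuned to the environment.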
We notified our client, and they promptly worked to block the internal-to-external communication.
Regularly scan machines for malicious software that may have spread via a worm or been introduced through direct manipulation of an open port.