Leveraging LCE Text Search for Specific Botnet Activity Tracking

by Dave Breslin
July 10, 2012

[Image: Dashboard1]

In response to Ron’s discussion post, “Leveraging LCE 4.0's Full-Text Searches for Refined Alerting, Reporting and Analysis”, this SecurityCenter dashboard divides outbound botnet activity by the specific botnet names found in LCE threatlist events.

The SecurityCenter GUI snippets below show how a text filter on LCE threatlist events narrows the view to one botnet’s activity:

[Image: Filters]

[Image: Textsearch]

The three dashboard sections report outbound-initiated connections to public IP addresses flagged as belonging to the Cutwail, OS X Flashback and Festi botnets. Each section can be repointed at another botnet simply by changing its Syslog Text filter, as seen in the first GUI snippet above.

Beyond spotting potential bots, the breadth of Tenable's USM platform lets us act on the discovery and vulnerability data that Tenable's Passive Vulnerability Scanner (PVS) and Nessus collect into SecurityCenter. Some examples include:

1. Check that installed antivirus software is operating correctly on the flagged hosts.

2. Check the flagged hosts for malicious processes.

3. Use PVS and Nessus results to further divide the potential bots by platform. PVS's discovery capabilities also allow grouping by mobile device platform, if desired:

[Image: Mobiledevices]
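Working through the text filtering and the platform split above in code, as an added example that is not part of the original post and not Tenable's code: the script below stands in for the dashboard's Syslog Text filter over constructed LCE-style threatlist events, counts outbound connections per botnet name (one count per dashboard section), lists the outbound hits that no configured name catches, and divides one botnet's flagged hosts by platform (step 3) using a constructed host table in place of PVS/Nessus discovery data. The event line layout, the event names, the IP addresses and the host inventory are all assumptions made for this example, not real LCE, PVS or Nessus output.

```python
"""Added example (not Tenable's code): emulate the dashboard's Syslog Text
filter over LCE-style threatlist events, divide outbound connections by
botnet name, then divide one botnet's bots by platform using a host
inventory that stands in for PVS/Nessus discovery data.

ASSUMPTIONS: the event line layout, the event names and the host inventory
below are constructed for this example; they are not the real LCE event
format or real PVS/Nessus output.
"""
import re
from collections import defaultdict

# Constructed sample events, one per line (not real LCE output).
SAMPLE_EVENTS = """\
Jul 10 08:01:12 lce threatlist: event=Outbound_Threatlist_Connection src=10.0.1.15 dst=203.0.113.7 msg="outbound connection to Cutwail botnet host"
Jul 10 08:02:40 lce threatlist: event=Outbound_Threatlist_Connection src=10.0.2.31 dst=198.51.100.22 msg="outbound connection to OS X Flashback botnet host"
Jul 10 08:03:05 lce threatlist: event=Inbound_Threatlist_Connection src=203.0.113.7 dst=10.0.1.15 msg="inbound connection from Cutwail botnet host"
Jul 10 08:04:19 lce threatlist: event=Outbound_Threatlist_Connection src=10.0.1.15 dst=203.0.113.9 msg="outbound connection to Cutwail botnet host"
Jul 10 08:05:50 lce threatlist: event=Outbound_Threatlist_Connection src=10.0.3.8 dst=192.0.2.44 msg="outbound connection to Festi botnet host"
Jul 10 08:06:02 lce threatlist: event=Outbound_Threatlist_Connection src=10.0.2.31 dst=198.51.100.23 msg="outbound connection to OS X Flashback botnet host"
Jul 10 08:07:33 lce threatlist: event=Outbound_Threatlist_Connection src=10.0.4.2 dst=192.0.2.80 msg="outbound connection to Zeus botnet host"
"""

# Constructed host inventory standing in for PVS/Nessus OS discovery data.
HOST_PLATFORMS = {
    "10.0.1.15": "Windows",
    "10.0.2.31": "Mac OS X",
    "10.0.3.8": "Windows",
    "10.0.4.2": "Android",
}

# The three botnets the dashboard sections in the post track.
DASHBOARD_BOTNETS = ["Cutwail", "OS X Flashback", "Festi"]

EVENT_RE = re.compile(
    r'event=(?P<event>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+msg="(?P<msg>[^"]*)"'
)


def parse_events(text):
    """Parse the constructed key=value lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def text_filter(events, needle):
    """Stand-in for the Syslog Text filter: case-insensitive substring match on the message."""
    needle = needle.lower()
    return [e for e in events if needle in e["msg"].lower()]


def is_outbound(event):
    """Outbound-initiated connection, per the constructed event naming."""
    return event["event"].startswith("Outbound_")


def outbound_by_botnet(events, botnets):
    """One count per dashboard section: outbound connections matching each botnet's text filter."""
    return {name: sum(1 for e in text_filter(events, name) if is_outbound(e)) for name in botnets}


def unmatched_outbound(events, botnets):
    """Outbound threatlist hits that none of the configured text filters catch.
    A text filter shows only the names you asked for, so this is the blind spot to review."""
    return [e for e in events if is_outbound(e)
            and not any(name.lower() in e["msg"].lower() for name in botnets)]


def bots_by_platform(events, botnet, platforms):
    """Step 3 above: divide the internal hosts flagged for one botnet by platform."""
    groups = defaultdict(set)
    for e in text_filter(events, botnet):
        if is_outbound(e):
            groups[platforms.get(e["src"], "unknown")].add(e["src"])
    return {platform: sorted(hosts) for platform, hosts in groups.items()}


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("outbound by botnet:", outbound_by_botnet(events, DASHBOARD_BOTNETS))
    # Repointing a section at another botnet is just a different filter string.
    print("outbound by botnet (Zeus section):", outbound_by_botnet(events, ["Zeus"]))
    for e in unmatched_outbound(events, DASHBOARD_BOTNETS):
        print("not covered by any section:", e["src"], "->", e["dst"], e["msg"])
    for name in DASHBOARD_BOTNETS:
        print(name, "bots by platform:", bots_by_platform(events, name, HOST_PLATFORMS))
```

Two points the script makes explicit: repointing a dashboard section at a different botnet is nothing more than a different filter string, and a text filter reports only the names it was given, so any outbound threatlist hit that matches none of the configured names (the Zeus line in the constructed data) never appears in any section and should be reviewed separately.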