• An internal host is connecting to an external server and the traffic pattern looks reversed from normal client-to-server traffic: the client appears to be receiving instructions from the server, and a human on the outside appears to be controlling the exchange

Possible Root Causes

  • A host is infected with malware that has remote access capability (e.g. Meterpreter, Poison Ivy), connects to its C&C server and receives commands from a human operator
  • A user has intentionally installed remote desktop access software and is using it to reach the host from the outside (e.g. GoToMyPC, RDP)
  • This behavior can also be produced by very active use of certain types of chat software, which exhibits similar human-driven traffic

Business Impact

  • The presence of malware with human-driven C&C is a characteristic of targeted attacks
  • The business risk associated with outside human control of an internal host is very high
  • Provisioning this style of remote access to internal hosts poses substantial risk, since compromise of the service gives direct access into your network

Steps to Verify

  • Look at the detection details and the PCAP to determine whether this may be traffic from chat software
  • Check whether a user has knowingly installed remote access software and decide whether the resulting risk is acceptable
  • Scan the computer for known malware and consider reimaging it, noting that some remote access toolkits leave no trace on disk and reside entirely in memory
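As an added example that is not part of the original detection description, the following Python scores packet records (assumed to have been exported from the PCAP referred to above) for the reversed exchange shape: exchanges opened by the external side, bytes flowing mostly outward (short commands in, larger output out), and irregular gaps between exchanges that suggest a human at the keyboard rather than a timer. The Packet type, the thresholds and both sample sessions are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Packet:
    ts: float       # seconds since the session started
    outbound: bool  # True: internal host -> external server
    size: int       # payload bytes

def exchanges(packets, idle_gap=1.0):
    """Group packets into exchanges; a new exchange starts after idle_gap seconds.
    Each exchange records who spoke first and the bytes moved in each direction."""
    result, cur, last_ts = [], None, None
    for p in packets:
        if cur is None or p.ts - last_ts > idle_gap:
            if cur is not None:
                result.append(cur)
            cur = {"external_first": not p.outbound, "out": 0, "in": 0, "start": p.ts}
        cur["out" if p.outbound else "in"] += p.size
        last_ts = p.ts
    if cur is not None:
        result.append(cur)
    return result

def score_session(packets, idle_gap=1.0, init_thresh=0.7, out_thresh=0.6):
    """Flag a session whose exchanges are mostly opened by the external side and whose
    bytes mostly flow outward; gap jitter (stdev/mean of exchange spacing) hints at a human."""
    ex = exchanges(packets, idle_gap)
    if len(ex) < 3:
        return {"reversed": False, "reason": "too few exchanges to judge"}
    ext_init = sum(e["external_first"] for e in ex) / len(ex)
    out_b = sum(e["out"] for e in ex)
    in_b = sum(e["in"] for e in ex)
    out_ratio = out_b / max(out_b + in_b, 1)
    gaps = [b["start"] - a["start"] for a, b in zip(ex, ex[1:])]
    jitter = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0
    return {"reversed": ext_init >= init_thresh and out_ratio >= out_thresh,
            "external_initiated": round(ext_init, 2),
            "outbound_ratio": round(out_ratio, 2),
            "gap_jitter": round(jitter, 2)}

# Constructed sample: external side sends short commands, internal host returns output
SHELL_LIKE = [Packet(0.0, False, 12), Packet(0.1, True, 900),
              Packet(2.4, False, 20), Packet(2.5, True, 4100),
              Packet(8.0, False, 15), Packet(8.2, True, 1300),
              Packet(11.1, False, 9), Packet(11.2, True, 600)]
# Constructed sample: internal client polls on a timer, server answers with large replies
CLIENT_LIKE = [Packet(0.0, True, 300), Packet(0.1, False, 5000),
               Packet(30.0, True, 300), Packet(30.1, False, 5200),
               Packet(60.0, True, 310), Packet(60.1, False, 4900)]
```

Chat software produces a similar external-initiated pattern, so treat the score as a reason to open the PCAP, not as a verdict on its own.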