Signs of Automated Replication
- An internal host is sending very similar payloads to several internal targets
- This may be the result of an infected host sending one or more exploits to other hosts in an attempt to infect them
- The certainty score is driven by the number of targeted hosts and the detection of an upstream propagator
- The threat score is driven by the number of targeted hosts and number of different exploits, particularly exploits on different ports
Why Attackers Use Automated Replication
- An infected host which is part of a botnet is trying to expand the botnet’s footprint by infecting additional hosts
- An infected host which is taking part in a targeted attack is trying to spread laterally in an effort to get closer to data it wants to exfiltrate
- An agent on the host is utilizing unusual techniques to discover an available service
Business Impact of Automated Replication
- Internal spreading of botnet-related malware is often repeated by each newly infected host, thus mimicking a computer worm and rapidly infecting all possible hosts
- A wide-scale spread of botnet-related malware will incur significant remediation costs
- Lateral spread which is part of a targeted attack makes the attack more resilient and gets it closer to your crown jewels
How to Investigate Automated Replication
- Look at the protocol and port listed in the detection to determine what network service is being exploited
- Determine if there’s any reason for this host to be communicating with these services on the listed targets
- Try to ascertain what software on this host would emit the traffic being seen
- Examine the packet capture file to see if this appears to be a network discovery attempt
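The detection drivers listed under Signs, the worm-like chain described under Business Impact, and the per-port target summary that the investigation steps start from, as an added Python example (not code from the original page or any vendor's detection engine). It groups constructed flow records by source host, clusters near-identical payloads, counts distinct targets and ports, and marks a flagged host whose own infector was also flagged as having an upstream propagator; the thresholds, score weights and sample payload bytes are assumptions.

```python
from collections import defaultdict
from difflib import SequenceMatcher

SIMILARITY = 0.85  # assumed: payloads at or above this ratio count as "very similar"
MIN_TARGETS = 2    # assumed: one payload reaching this many hosts is a candidate exploit
SMB = b"\x00\x00\x00\x90\xffSMBr\x00\x00\x00\x00\x18AAAAAAA"  # constructed SMB-like header + filler
RDP = b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00AAAAAAA"  # constructed TPKT-like header + filler
FLOWS = [  # constructed records: (src, dst, dst_port, first payload bytes); not real traffic
    ("10.0.1.5", "10.0.1.10", 445, SMB + b"A"),
    ("10.0.1.5", "10.0.1.11", 445, SMB + b"B"),   # same exploit, near-identical bytes
    ("10.0.1.5", "10.0.1.12", 445, SMB + b"C"),
    ("10.0.1.5", "10.0.1.13", 3389, RDP + b"A"),  # second exploit on a different port
    ("10.0.1.5", "10.0.1.14", 3389, RDP + b"B"),
    ("10.0.1.10", "10.0.1.20", 445, SMB + b"A"),  # newly infected host repeats the spread
    ("10.0.1.10", "10.0.1.21", 445, SMB + b"D"),
    ("10.0.2.7", "10.0.2.20", 80, b"GET /index.html HTTP/1.1\r\nHost: wiki\r\n\r\n"),  # benign, unrelated
    ("10.0.2.7", "10.0.2.21", 443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 20),
]

def cluster_payloads(flows):
    """Greedily group one source's flows by payload similarity -> [(representative, [(dst, port)])]."""
    clusters = []
    for dst, port, payload in flows:
        for rep, members in clusters:
            if SequenceMatcher(None, rep, payload).ratio() >= SIMILARITY:
                members.append((dst, port))
                break
        else:
            clusters.append((payload, [(dst, port)]))
    return clusters

def assess(flows):
    """Return {src: report} for hosts sending near-identical payloads to several internal targets."""
    by_src = defaultdict(list)
    for src, dst, port, payload in flows:
        by_src[src].append((dst, port, payload))
    reports = {}
    for src, src_flows in by_src.items():
        # each payload cluster that reached MIN_TARGETS distinct hosts counts as one candidate exploit
        hits = [m for _, m in cluster_payloads(src_flows) if len({d for d, _ in m}) >= MIN_TARGETS]
        if hits:
            reports[src] = {"targets": sorted({d for m in hits for d, _ in m}),
                            "ports": sorted({p for m in hits for _, p in m}), "exploits": len(hits)}
    # scores are a simplified illustration of the drivers listed above, not any vendor's formula;
    # a flagged host that was itself a target of another flagged host has an upstream propagator
    for src, r in reports.items():
        r["upstream"] = sorted(s for s, o in reports.items() if s != src and src in o["targets"])
        r["certainty"] = min(100, 15 * len(r["targets"]) + (25 if r["upstream"] else 0))
        r["threat"] = min(100, 10 * len(r["targets"]) + 10 * r["exploits"] + 20 * (len(r["ports"]) - 1))
    return reports
```

A patch-management or monitoring server pushing the same request to many hosts produces the same pattern, which is why the investigation steps check whether the host has a legitimate reason to reach those services on those targets.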