Signs of Peer-To-Peer

  • An internal host is communicating with a set of external IP addresses with a pattern and low data rate common to peer-to-peer command and control
  • The threat score is driven by the length of time over which communication with peers occurs
  • The certainty score is driven by the number of reachable and unreachable peers
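The three signs above can be approximated from plain flow records. The following is an added example, not Vectra's detection logic: it groups internal-to-external flows per internal host, separates peers that ever answered from peers that never did, and derives a threat score from how long the host has been talking to peers and a certainty score from how many peers (reachable or unreachable) it contacted. The thresholds, the 0-100 scales and the sample flows are all constructed for illustration.

```python
"""Flow-based heuristic for the low-rate, many-peer pattern described above.
Added example, not Vectra's algorithm; thresholds and sample data are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    ts: float       # flow start, seconds since epoch
    src: str        # source IP
    dst: str        # destination IP
    bytes_out: int  # bytes sent by src
    bytes_in: int   # bytes returned by dst; 0 means the peer never answered


@dataclass
class HostSummary:
    reachable: set = field(default_factory=set)
    unreachable: set = field(default_factory=set)
    first_ts: float = float("inf")
    last_ts: float = 0.0
    total_bytes: int = 0

    @property
    def duration_h(self):
        return max(0.0, (self.last_ts - self.first_ts) / 3600)

    @property
    def peers(self):
        return len(self.reachable | self.unreachable)

    @property
    def bytes_per_sec(self):
        span = self.last_ts - self.first_ts
        return self.total_bytes / span if span > 0 else float(self.total_bytes)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize(flows):
    """Group internal->external flows per internal host; a peer that replied at least once is reachable."""
    hosts = defaultdict(HostSummary)
    for f in flows:
        if not is_internal(f.src) or is_internal(f.dst):
            continue  # only internal -> external traffic is of interest here
        h = hosts[f.src]
        if f.bytes_in > 0:
            h.reachable.add(f.dst)
            h.unreachable.discard(f.dst)
        elif f.dst not in h.reachable:
            h.unreachable.add(f.dst)
        h.first_ts = min(h.first_ts, f.ts)
        h.last_ts = max(h.last_ts, f.ts)
        h.total_bytes += f.bytes_out + f.bytes_in
    return hosts


def score_hosts(hosts, min_peers=10, max_bytes_per_sec=500.0, full_threat_h=24.0, full_certainty_peers=50):
    """Return {host: (threat, certainty)} for hosts matching the low-rate, many-peer pattern.
    Threat grows with the time span of peer contact; certainty grows with the peer count.
    The cut-offs and scales are constructed placeholders, not Vectra's values."""
    results = {}
    for host, h in hosts.items():
        if h.peers < min_peers or h.bytes_per_sec > max_bytes_per_sec:
            continue
        threat = min(100, round(100 * h.duration_h / full_threat_h))
        certainty = min(100, round(100 * h.peers / full_certainty_peers))
        results[host] = (threat, certainty)
    return results


def sample_flows():
    """Constructed sample: 10.0.0.5 contacts 30 peers over ~11.6h with tiny payloads (half never
    answer); 10.0.0.7 pulls a large download from a single server and should not match."""
    flows = []
    t0 = 1_700_000_000.0
    for i in range(30):
        answered = i % 2 == 0
        flows.append(Flow(t0 + i * 24 * 60, "10.0.0.5", f"203.0.113.{i + 1}", 180, 120 if answered else 0))
    flows.append(Flow(t0, "10.0.0.7", "198.51.100.10", 20_000, 50_000_000))
    flows.append(Flow(t0 + 600, "10.0.0.7", "198.51.100.10", 20_000, 50_000_000))
    return flows


if __name__ == "__main__":
    for host, (threat, certainty) in score_hosts(summarize(sample_flows())).items():
        print(f"{host}: threat={threat} certainty={certainty}")
```

Run as-is it reports only 10.0.0.5; the bulk download host is dropped because it has a single peer and a high data rate, which is the distinction between an idle peer-to-peer client or a bot and ordinary traffic that the signs above rely on.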

Why Attackers Use Peer-To-Peer

  • The internal host is infected with malware that uses peer-to-peer communication for its command and control; some botnets use this form of command and control because it is more resilient to attempts at disrupting or sinkholing it
  • Legitimate peer-to-peer software is running idle in the background without any data (e.g. BitTorrent) or voice (e.g. Skype) transfer activity and as such exhibits patterns similar to command and control traffic

Business Impact of Peer-To-Peer

  • An infected host can attack other organizations (e.g. spam, DoS, ad clicks), causing harm to your organization’s reputation, potentially causing your IP addresses to be blacklisted and impacting the performance of business-critical applications
  • The host can also be instructed to spread further into your network and ultimately exfiltrate data from it
  • Software which infected the host can create nuisances and affect user productivity

How to Investigate Peer-To-Peer

  1. If the detection is generated as a result of a purposely installed peer-to-peer application, make sure the software complies with IT security policy
  2. If the detection cannot be attributed to such an application, the host is likely infected with malware and should be remediated with AV software or reimaged

White Paper

Understanding Vectra AI

Vectra AI is a leading AI-driven threat detection and response platform. It uses machine learning to analyze network traffic and other data to identify and prioritize real threats.

This document provides a comprehensive guide to Vectra detections, including:

  • What Vectra detections are and how they work
  • Specific detections that Vectra can identify
  • How to interpret and respond to Vectra detections