topic Re: Dealing with Threat Alerts? in General Topics

Dealing with Threat Alerts?

OMatlock — Mon, 23 Oct 2017 13:50:49 GMT

Hi Folks,

We have Critical Threat Alerts emailed to us and usually its every couple of days we get a few alerts, mostly Apache Struts Jakarta. But over the last 4-5 days there has been a significant increase in threat alerts. 60-100 emails per day, same IP address in groups of ~10. We are using default vulnerability protection profile and default action (reset-both).

Since the increase in alerts, our management gets concerned asking if there is a problem. I talked to support and assured me that firewall is doing its job, its just an increase in attack attempts, and is common.

I've considered creating a new security rule at the top to keep a running list of source IP address with a deny action, but that sounds like a lot of manual administration.

I'm curious if anyone in the community has comments about receiving alerts or how they handle an increase in attacks?

Is it common, just deal with it? Do folks filter out certain threat emails or stop critical threat email alerts all together?

Re: Dealing with Threat Alerts?

OtakarKlier — Mon, 23 Oct 2017 20:27:01 GMT

Hello,

What we did was set the policies to block for the max time of 3600 seconds. That way the attacker takes a lot longer to figure out they are denied.

The other thing you could try is to set the policy to reset client. Since the attack is coming from the external "server", only your servers connection gets reset and theirs has to time out. Basically forcing their connection to stay open and bleeing their resources and not yours.

I would also love to hear others thoughts on this.

Regards,

Re: Dealing with Threat Alerts?

BPry — Mon, 23 Oct 2017 21:00:02 GMT

@OMatlock,

You really should have an automated response setup that can read these events and block the source IPs at a set threshold. While @OtakarKlier's solution is a good first step, it isn't really recommend to just live with the IPs attacking your network. Setup an automated response that puts these indicated addresses into a deny rule and just block them all together. MineMeld can help with this, otherwise their are plenty of other possible solutions.

Re: Dealing with Threat Alerts?

OMatlock — Tue, 24 Oct 2017 18:39:03 GMT

Thank you guys for the feedback.

@Otakar.Klier

We are currently using default vulnerability profile.

When you say block action, do you mean Block IP like this? Does that reduce the alert emails?

Re: Dealing with Threat Alerts?

BPry — Tue, 24 Oct 2017 19:26:29 GMT

@OMatlock,

The setting you have displayed would block the IP that triggered that critical threat alert for 3600 seconds. That will stop you from recieving another alert for that time period, but if you have IPs continually launching attacks against your network you would still recieive alerts when that window has passed.

Re: Dealing with Threat Alerts?

OMatlock — Tue, 24 Oct 2017 19:37:42 GMT

BPry

Thank you again (I am still learning). The alerts and traffic log indicates that the attacks occur within a couple of minutes and then a different IP (group) comes. Would blocking the IP for this duration (1 hour) at least give some relief, assuming the attacks stay like they currently are (within minutes and then stops)?

I agree, ideally need to come up with an automatically updated IP deny rule.

Re: Dealing with Threat Alerts?

BPry — Tue, 24 Oct 2017 20:24:02 GMT

It would certaintly help. Keep in mind that IP Spoofing is a thing though, and what you are describing is typical of someone employing a botnet.

Re: Dealing with Threat Alerts?

OMatlock — Tue, 24 Oct 2017 20:32:23 GMT

BPry

Thank you so much for your responses, as I continue to learn new everyday. 🙂

Just to confirm. For this example, since these two IP threats came in consecutively and then stops, I should only receive two alerts (1 for each IP) instead of a whole bunch of them by employing this new Block IP setting? (For at least the hour)

That's the idea right? Making more sense to me.

Re: Dealing with Threat Alerts?

BPry — Wed, 25 Oct 2017 13:24:38 GMT

@OMatlock,

Correct.

Re: Dealing with Threat Alerts?

Tician — Wed, 01 Nov 2017 10:24:37 GMT

Hi,

I'm not sure is this quite correct if you live this host type to server? If you filter your traffic logs for attacker address, you will see that it is client side of connection. So any attacker which initiate connection to your exposed resource (ex. web server...), is considered as client and stateful firewall marked it as client side of session.

When replicate that on this policy setting it should be client host type, isn't it?

Re: Dealing with Threat Alerts?

BPry — Wed, 01 Nov 2017 12:43:44 GMT

@Tician

Out of curiosity why would you want to close the client side by a reset? If you force the potential attacker to leave its connection open, but you close the servers connection, then you save resources on your end but cause the attacker to increase their resources.

Re: Dealing with Threat Alerts?

Tician — Wed, 01 Nov 2017 13:06:23 GMT

@BPry

yes you're completely right, it is good to reset server connections in this case, so what should be scenario where you suggest to use reset client connections instead?