Guardicore has published a new resource for security teams to use when defending data centers against botnet campaigns.
Image: Guardicore

Guardicore’s Botnet Encyclopedia is a new, free tool for security teams tracking suspicious activity in data centers. Users can search for information using a free text search and several indicators of compromise (IOCs) including IP addresses, domains, file names, and names of services, and scheduled tasks.

Ophir Harpaz does threat research at Guardicore and specializes in malware that targets data centers. She created the encyclopedia and has been collecting data for it for two years.

“We are identifying threats within the data and clarifying them to tell the whole story about an attack,” she said. “The encyclopedia includes all kinds of attributes that we find indicative of a campaign.”

FritzFrog is a new bot that Harpaz discovered recently as she worked on the encyclopedia.

“The malware is written in Golang and it doesn’t seem to have a centralized infrastructure,” she said. “We’re in the midst of the research process on this one.”

SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)

Each of the 11 entries is tagged with a characteristic of the event, including port 22 scan, SSH, 11 shell command, download and execute, and others. The Botnet Encyclopedia provides context around advanced threats including:

  • Campaign information including name, variants, time frame of identification within the Guardicore Global Sensors Network (GGSN), and links to external about resources
  • IOCs associated with the campaign including IP addresses from which attacks originate, IPs and domains holding outgoing attack connections, and files dropped or created as part of the attack
  • Full attack flow as it was captured by the GGSN with analysis from Guardicore Labs

The data in the encyclopedia comes from Guardicore sensors distributed on servers around the world.

“We expose these sensors to the internet in different production data centers so they look very attractive to attackers,” Guardicore’s vice president of research, Ofri Ziv, said. “Then we gather an enormous amount of data on the IOCs and TTPs (tactics, techniques, and procedures) those attackers are using.”

Guardicore’s Centra platform uses the data to understand network traffic and improve cloud security for customers and shares the analysis with the cybersecurity community.

“This allows you to find the right mitigations and creates joint ground to question what you are seeing,” he said.

Harpaz said that this diverse data set collected from both Windows and Linux machines gives Guardicore researchers a step-by-step account of how botnet attacks unfold.

“We record the attacks to a high resolution so we have the full attack chain,” she said.

Ziv said that this detailed account shows what elements of the attack worked and which ones failed.

“This helps defenders see what they are facing and know exactly what they’re tackling in their own network,” he said.

Centra is deployed inside the data center and cloud workloads and maps communication among machines to understand how servers communicate within the network.

The platform then establishes rules based on threat research and existing patterns of communication in the network. Users can also use the data to create a blacklist.

“For example, now there is a new vulnerability that targets remote desktops, so now I can say I want to limit to the minimum the ability for such communication to go on in my data center,” Ziv said.

When Guardicore identifies a new botnet campaign, the company will add an entry to the encyclopedia. Harpaz said that she hopes to receive contributions, questions and suggestions from the cybersecurity community to improve the encyclopedia and plans to link out to other cybersecurity resources from the encyclopedia.

Guardicore also created the Infection Monkey, an open-source tool that simulates breaches and attacks, and has documented botnet attacks in several Github repositories.