Thursday, April 12, 2007

Month of Owned Corporations

Thanks to Gadi Evron for pointing me towards the 30 Days of Bots project happening at Support Intelligence. SI monitors various data sources to identify systems conducting attacks and other malicious activity. Last fall they introduced their Digest of Abuse (DOA) report, which lists the autonomous system numbers (ASNs) of the networks hosting those systems.

SI published the latest DOA report Monday, and they are now using that data to call out individual companies hosting compromised systems. They started with 3M, then moved to Thomson Financial, AIG, and now Aflac. In each case SI cites corporate machines sending spam, among other activities. Brian Krebs reported on other companies exhibiting the same behavior based on his conversations with SI.

This is the kind of metric I like to see. Who cares what percentage of machines have anti-virus installed? Instead, consider these: is my company -- or agency -- listed on the SI DOA report? If so, how high? Is that ranking higher this week than last? And so on. A metric for AV coverage is like reporting the number of band-aids on a fencer who keeps getting poked by his opponent.
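The questions in the previous paragraph can be turned into a small weekly check. The following is an added example, not code from the post or from Support Intelligence; the DOA report layout (rank, ASN, organisation, event count, tab-separated) and the sample ASNs and counts are assumptions constructed for illustration, since the page does not show the real format.

```python
"""Week-over-week tracking of an organisation's position on an abuse
ranking such as SI's Digest of Abuse (DOA).

Added example, not SI's code. The report format, ASNs and counts below
are constructed assumptions; the real DOA layout is not shown on the page.
"""
from __future__ import annotations

# Assumed layout: "rank<TAB>asn<TAB>org<TAB>events", one network per line.
# Rank 1 is the worst offender. Sample data is made up.
LAST_WEEK = """\
1\tAS64501\tExampleISP\t9120
2\tAS64496\tContoso Financial\t4410
3\tAS64502\tFabrikam Insurance\t3350
4\tAS64503\tNorthwind Traders\t1200
"""
THIS_WEEK = """\
1\tAS64501\tExampleISP\t8800
2\tAS64502\tFabrikam Insurance\t5100
3\tAS64496\tContoso Financial\t3900
4\tAS64504\tTailspin Toys\t900
"""


def parse_report(text: str) -> dict[str, dict]:
    """Return {asn: {"rank": int, "org": str, "events": int}}."""
    entries: dict[str, dict] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rank, asn, org, events = line.split("\t")
        entries[asn] = {"rank": int(rank), "org": org, "events": int(events)}
    return entries


def my_standing(asn: str, previous: dict, current: dict) -> dict:
    """Answer the post's questions for one ASN: listed? how high? worse than last week?"""
    prev = previous.get(asn)
    cur = current.get(asn)
    result = {
        "asn": asn,
        "listed": cur is not None,
        "rank": cur["rank"] if cur else None,
        "prev_rank": prev["rank"] if prev else None,
        "events": cur["events"] if cur else 0,
        "prev_events": prev["events"] if prev else 0,
    }
    # Rank and raw event count are compared separately: a network can keep
    # its rank while its absolute abuse volume doubles, so report both.
    result["events_delta"] = result["events"] - result["prev_events"]
    if cur and prev:
        # A smaller rank number means higher on the list, i.e. worse.
        result["rank_delta"] = cur["rank"] - prev["rank"]
        if cur["rank"] < prev["rank"]:
            result["trend"] = "worse"
        elif cur["rank"] > prev["rank"]:
            result["trend"] = "better"
        else:
            result["trend"] = "same"
    elif cur:
        result["trend"] = "newly listed"
    elif prev:
        result["trend"] = "dropped off"
    else:
        result["trend"] = "not listed"
    return result


if __name__ == "__main__":
    prev, cur = parse_report(LAST_WEEK), parse_report(THIS_WEEK)
    for asn in ("AS64502", "AS64496", "AS64503", "AS64504", "AS64505"):
        print(my_standing(asn, prev, cur))
```

Feeding it two consecutive reports gives the week-over-week movement for your own ASN; in the constructed data AS64502 climbed from third to second place (a move in the wrong direction) while its event count rose as well.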

6 comments:

Anonymous said...

Don't know if this is of interest to you or not, but I'll share anyway.
https://nssg.trendmicro.com/nrs/reports/rank.php?page=1

Chris_B said...

Just goes to show how poorly many companies manage the firewall egress rulesets.

How in the sam heck are regular PC's allowed to talk out on port 25?
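
Chris_B's point above, that ordinary PCs should never be initiating outbound SMTP, is also easy to verify from flow or firewall logs. The following is an added example, not code from the post or its commenters; the flow-record format, the 10.0.0.0/8 internal range, the two mail-relay addresses and the sample records are all constructed assumptions.

```python
"""Find internal hosts, other than the sanctioned mail relays, that open
connections to TCP/25 on the Internet.

Added example, not from the post or its commenters. The flow-record
layout, the address plan and the sample records are constructed.
"""
from __future__ import annotations

import ipaddress
from collections import Counter

# Assumption: only these hosts may initiate outbound SMTP; every other
# internal machine is expected to hand mail to them.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
MAIL_RELAYS = {ipaddress.ip_address("10.1.1.25"), ipaddress.ip_address("10.1.1.26")}

# Constructed flow records: "timestamp src dst proto dport tcpflags".
# "S" in the flags means the source initiated the connection.
SAMPLE_FLOWS = """\
2007-04-12T10:00:01 10.1.1.25 198.51.100.7 tcp 25 S
2007-04-12T10:00:02 10.20.5.77 203.0.113.9 tcp 25 S
2007-04-12T10:00:02 10.20.5.77 203.0.113.10 tcp 25 S
2007-04-12T10:00:03 10.20.5.77 203.0.113.11 tcp 25 S
2007-04-12T10:00:04 10.20.9.14 198.51.100.7 tcp 25 S
2007-04-12T10:00:05 10.20.5.77 203.0.113.12 tcp 443 S
2007-04-12T10:00:06 10.1.1.26 198.51.100.8 tcp 25 S
2007-04-12T10:00:07 10.20.9.14 10.1.1.25 tcp 25 S
"""


def parse_flow(line: str) -> dict:
    ts, src, dst, proto, dport, flags = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto,
        "dport": int(dport),
        "flags": flags,
    }


def is_rogue_smtp(flow: dict) -> bool:
    """True for an internal non-relay host initiating TCP/25 to an external address.

    Traffic from a workstation to an internal relay on port 25 is the
    intended path and is deliberately not flagged.
    """
    return (
        flow["proto"] == "tcp"
        and flow["dport"] == 25
        and "S" in flow["flags"]
        and flow["src"] in INTERNAL
        and flow["src"] not in MAIL_RELAYS
        and flow["dst"] not in INTERNAL
    )


def rogue_smtp_talkers(text: str, threshold: int = 1) -> dict[str, int]:
    """Count rogue outbound SMTP attempts per internal host, keeping those at or above threshold."""
    counts: Counter = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if is_rogue_smtp(flow):
            counts[str(flow["src"])] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for host, n in sorted(rogue_smtp_talkers(SAMPLE_FLOWS).items()):
        print(f"{host}: {n} direct outbound SMTP connection(s)")
```

A host that fans out to many distinct external mail servers on port 25 in a short window is the classic spam-bot signature; the threshold lets you separate a single misconfigured client from that pattern. The same policy belongs on the perimeter as an egress rule (permit TCP/25 from the relays, then log and drop TCP/25 from the rest of the internal range), so that the flow log shows blocked attempts rather than delivered spam.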

nakliyat said...

thank you very very nice very nice....

Richard Bejtlich said...

Anonymous -- thank you very much.

Anyone else know of similar public sites?

Keydet89 said...

I'm not aware of other public sites for listing this sort of information, but it's clear that the owners of the systems have little in the way of visibility into their systems, and very likely little idea of what to do not if but when they find one of these systems.

I work with folks all the time who don't understand why their AV product didn't detect the worm or bot or Trojan on their system, and then also don't understand why I can't help them after they've scanned the system with 3 or 4 different tools, deleted files, and removed the hard drive... ;-)

Harlan
Author: "Windows Forensic Analysis"
http://windowsir.blogspot.com
