Sunday, September 21, 2014

Why You Should Enable Logging On Your Firewall Rules.

Recently I encountered an issue where malware had infected a client's machine and began sending out spam to various mail servers on the Internet.  I had encountered this same issue a few years ago with another client.

In both cases the infected machine was found by checking or enabling logging on a security policy/rule in place on the firewall at the edge of the network.

In the incident mentioned first, a rule was created to permit and log all SMTP traffic.  Once this was in place, the logs showed the source IP addresses of all SMTP traffic, including that of the infected machine, which allowed it to be identified and removed from the network.  In the latter case the firewall had an IPS component running in log-only mode, and its logs allowed the offending machine to be identified.

Both cases showed the importance of logging traffic on firewall rules/security policies.  Note that it was a permit rule that was logged: a host spamming over a port the policy allows leaves no trace in deny logs, so enable logging on the permit rules that cover the traffic you care about, not only on the denies.  It is also a best practice to forward all logs to a centralized logging server running syslog, Splunk, Logstash/Elasticsearch, a SIEM or some other log-correlation software, so that logs can be analyzed and alerts generated from logged events.
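As an added example (not code from the original post or from any product it names), here is the kind of check a central log server or SIEM would run over the records such a permit-and-log rule produces: group outbound SMTP connections by source IP and flag any host that is not the sanctioned mail relay. The log lines are constructed in iptables LOG format with a hypothetical `FW-SMTP-OUT` log prefix; the allowed relay address `192.168.1.5` and the other addresses are assumptions for the demonstration.

```python
"""Detection over firewall LOG lines: which LAN hosts are sending SMTP outbound?"""
from collections import Counter, defaultdict

# SMTP, SMTPS and submission. A spambot usually hits 25 directly.
SMTP_PORTS = {25, 465, 587}

# Constructed sample log lines in iptables LOG format (assumption: the original
# post does not say which firewall was used; "FW-SMTP-OUT" is a hypothetical
# --log-prefix on a permit-and-log rule for SMTP). 192.168.1.5 is the assumed
# legitimate mail relay; 192.168.1.77 plays the infected workstation.
SAMPLE_LOG = """\
Sep 21 10:01:02 edge-fw kernel: FW-SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.5 DST=198.51.100.10 LEN=60 TTL=63 PROTO=TCP SPT=40211 DPT=25 SYN
Sep 21 10:01:03 edge-fw kernel: FW-SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.5 DST=198.51.100.11 LEN=60 TTL=63 PROTO=TCP SPT=40212 DPT=25 SYN
Sep 21 10:01:04 edge-fw kernel: FW-SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.5 LEN=60 TTL=127 PROTO=TCP SPT=52311 DPT=25 SYN
Sep 21 10:01:04 edge-fw kernel: FW-SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.6 LEN=60 TTL=127 PROTO=TCP SPT=52312 DPT=25 SYN
Sep 21 10:01:05 edge-fw kernel: FW-SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.7 LEN=60 TTL=127 PROTO=TCP SPT=52313 DPT=25 SYN
Sep 21 10:01:05 edge-fw kernel: FW-SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.5 LEN=60 TTL=127 PROTO=TCP SPT=52314 DPT=25 SYN
Sep 21 10:01:06 edge-fw kernel: FW-WEB-OUT IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.80 LEN=60 TTL=127 PROTO=TCP SPT=50001 DPT=443 SYN
Sep 21 10:01:07 edge-fw kernel: FW-SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.20 LEN=60 TTL=127 PROTO=TCP SPT=50002 DPT=587 SYN
Sep 21 10:01:09 edge-fw sshd[123]: Accepted publickey for ops from 192.168.1.2 port 5555
"""


def parse_line(line):
    """Return {src, dst, proto, dpt} for an iptables LOG line, or None for any other line.

    iptables writes its fields as KEY=VALUE tokens (flag tokens such as SYN
    carry no '='), so a plain token split is enough; unrelated syslog lines
    lack SRC/DST/DPT and are rejected.
    """
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    if not all(k in fields for k in ("SRC", "DST", "PROTO", "DPT")):
        return None
    return {
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields["PROTO"],
        "dpt": int(fields["DPT"]),
    }


def smtp_sources(lines):
    """Count outbound SMTP connections per source IP and the distinct servers each one reached."""
    counts = Counter()
    dests = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] not in SMTP_PORTS:
            continue
        counts[rec["src"]] += 1
        dests[rec["src"]].add(rec["dst"])
    return counts, dests


def find_suspects(lines, allowed_senders):
    """Hosts sending SMTP that are not a sanctioned relay, as (src, connections, distinct servers), busiest first."""
    counts, dests = smtp_sources(lines)
    suspects = [
        (src, n, len(dests[src])) for src, n in counts.items() if src not in allowed_senders
    ]
    suspects.sort(key=lambda t: (-t[1], t[0]))
    return suspects


if __name__ == "__main__":
    # Only the mail relay is expected to speak SMTP to the Internet (assumed address).
    allowed = {"192.168.1.5"}
    for src, n, servers in find_suspects(SAMPLE_LOG.splitlines(), allowed):
        print(f"ALERT unexpected SMTP sender {src}: {n} connections to {servers} distinct servers")
```

Run against a real log, the same logic is the alert rule you would load into the SIEM: any source other than the relay appearing on the SMTP permit rule is worth a look, and a single host fanning out to many distinct mail servers in seconds is the classic spambot signature. The non-SMTP and non-firewall lines in the sample show that the parser ignores what the rule did not log rather than choking on it.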