NETSCOUT Arbor Edge Defense, or AED, is an industry-leading DDoS attack protection solution that acts as a first and last line of smart, automated perimeter defense for your organization. It's deployed on your premises, just inside the internet router and outside your firewall, where it acts as a first line of defense by blocking inbound DDoS attacks, protecting the availability of your network, services, or stateful security devices such as firewalls or VPN concentrators.
But AED can do more than just block inbound DDoS attacks. Acting as a last line of defense, AED can also be used to detect and block outbound indicators of compromise that have been missed by other tools in your security stack, to stop the proliferation of malware before a data breach or, as we'll show in our example, before a ransomware attack occurs. More specifically, let's take a look at how AED can be used to stop a Ryuk (pronounced Ri-yuke) ransomware attack.
Ryuk ransomware is well known to be seeded by the Trickbot remote access trojan, so you should be on the lookout for IoCs related to the Trickbot malware. Let's demonstrate how AED does this. Armed with NETSCOUT's ATLAS or third-party threat intelligence feeds, Arbor Edge Defense can detect and block both inbound and outbound threats, or indicators of compromise.
Here we see that AED is blocking some outbound threats. Let’s investigate further. The ATLAS Intelligence Feed has categorized these threats as Command and Control and Malware.
Let’s drill in further to the Command and Control alert. We’ll adjust our time down to the last 5 minutes to see what’s happening most recently.
There we see a single IP address inside our organization actively communicating with known command and control infrastructure outside our organization.
We can drill in further to get more details such as the IP protocols and ports being used, the timing of the event, and the total bytes or packets blocked. As we can see, ATLAS has identified this threat as communication to known Trickbot command and control infrastructure.
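The detection logic walked through above (match perimeter flows against a categorized indicator feed, restrict to a time window, then drill down per internal host into ports, timing and bytes/packets blocked), as an added example that is not NETSCOUT's code and does not use the AED API. The feed entries, internal prefixes and flow records are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
# Constructed threat-intel feed standing in for ATLAS / third-party indicators:
# external IP -> (feed category, threat name). Documentation-range addresses only.
FEED = {
    "203.0.113.45": ("Command and Control", "Trickbot C2"),
    "198.51.100.7": ("Malware", "Trickbot payload host"),
}
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Constructed perimeter flow records: (time, src, dst, proto, dst port, bytes, packets).
FLOWS = [
    ("2020-10-21T14:00:05", "10.1.2.3", "203.0.113.45", "TCP", 443, 1200, 9),
    ("2020-10-21T14:01:10", "10.1.2.3", "203.0.113.45", "TCP", 447, 860, 6),
    ("2020-10-21T13:40:00", "10.1.2.9", "198.51.100.7", "TCP", 80, 52000, 40),
    ("2020-10-21T14:02:30", "10.1.2.3", "93.184.216.34", "TCP", 443, 3000, 12),
    ("2020-10-21T14:03:00", "203.0.113.45", "10.1.2.3", "TCP", 443, 500, 4),
]
def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def ioc_hits(flows, feed, now, minutes):
    """Alert list: flows in the last `minutes` whose external endpoint is a feed indicator."""
    cutoff = datetime.fromisoformat(now) - timedelta(minutes=minutes)
    hits = []
    for ts, src, dst, proto, dport, nbytes, pkts in flows:
        if datetime.fromisoformat(ts) < cutoff:
            continue  # outside the selected time range
        if is_internal(src) and dst in feed:
            direction, inside, outside = "outbound", src, dst  # inside host calling out
        elif is_internal(dst) and src in feed:
            direction, inside, outside = "inbound", dst, src
        else:
            continue  # no indicator involved: ordinary traffic passes
        category, threat = feed[outside]
        hits.append(dict(time=ts, direction=direction, category=category, threat=threat,
                         inside=inside, outside=outside, port=(proto, dport),
                         bytes=nbytes, packets=pkts))
    return hits

def drill_down(hits, category):
    """Per inside host and indicator: ports, first/last seen, totals blocked (drill-down)."""
    acc = defaultdict(lambda: dict(ports=set(), bytes=0, packets=0, times=[]))
    for h in (h for h in hits if h["category"] == category):
        s = acc[(h["direction"], h["inside"], h["outside"], h["threat"])]
        s["ports"].add(h["port"]); s["bytes"] += h["bytes"]
        s["packets"] += h["packets"]; s["times"].append(h["time"])
    return {k: dict(ports=sorted(v["ports"]), bytes=v["bytes"], packets=v["packets"],
                    first=min(v["times"]), last=max(v["times"])) for k, v in acc.items()}
```

With the five-minute window, only the single inside host talking to the Trickbot C2 entry remains; widening the window also surfaces the older Malware-category hit.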
This communication was automatically blocked by Arbor Edge Defense. And because it's deployed outside your firewall, it has blocked communication that may have been missed by other tools in your security stack.
In other words, Arbor Edge Defense has acted as a last line of defense to block communication to the Trickbot malware and prevent the download of the Ryuk ransomware.
For more information on the NETSCOUT Arbor Edge Defense product, please visit the product page on netscout.com.