P. 19

With the operators failing to provide truthful information regarding IP ownership and routing, the
RIRs also cannot provide accurate information, and any attribution analysis can only be as
accurate as the information provided.

It is interesting to note that internal to China, the information seems to be more accurate than
what is available from the RIRs – perhaps because it was purposefully being skewed at the RIR.
Considering CHINANET is the ISP for the entire country, if ownership and routing information is
not accurate or is falsified, it makes subjective analysis extremely problematic at best.

Clearly this IP is being a nuisance by scanning both internal and external hosts, and there
should be concern regarding all traffic from this ISP - and potentially from this country in general
- if activity of this nature continues to be tolerated.

With the activity observed from this province being just number eleven in the rankings, the
members of DarkWolf Labs are curious to know what we will find in the activity from the other
provinces, and will continue monitoring this activity to provide analysis and additional
information to help others recognize and defend against this malicious activity.



Mitigations

From a technical perspective, having a multi-layered defense is key to detecting and stopping
malicious activity early, which also helps with overall detection rates, thus minimizing the impact
to an organization when defenses fail.
A good methodology for any organization to start with would be the Council on
CyberSecurity's 20 Critical Security Controls, which are geared towards addressing the key
threats confronting networks today and are continuously reviewed and updated.
An additional measure in your multi-layered defense is ensuring network and system monitoring
and detection is in place through your IDS/IPS, with the alerts being fed into your log
management/SIEM solution for review, analysis, and potential action.
Furthermore, organizations can take proactive action against suspect actors conducting
scanning/reconnaissance of their infrastructure by using host-based tools such
as DenyHosts, Fail2Ban, or a Windows platform equivalent.

A more robust, supportable solution and force multiplier would be leveraging a threat
intelligence (TI) platform, enabling you to block these miscreants and their associated activity at your
network boundaries, and to clearly identify them in your log management/SIEM solution for review,
analysis, and potential action according to your specific security policies and acceptable level of
risk.
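As an added illustration of the host-based approach that Fail2Ban and DenyHosts take (example code written for this page, not a tool from the original article), the following Python script applies Fail2Ban-style maxretry/findtime logic to constructed sshd log lines and renders the offending sources as firewall drop rules; the year, thresholds and sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (not taken from the article); documentation-range IPs.
SAMPLE_LOG = """\
Sep  1 10:00:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 4422 ssh2
Sep  1 10:00:03 host sshd[2002]: Failed password for root from 203.0.113.7 port 4423 ssh2
Sep  1 10:00:05 host sshd[2003]: Failed password for invalid user test from 203.0.113.7 port 4424 ssh2
Sep  1 10:00:06 host sshd[2004]: Accepted publickey for alice from 198.51.100.2 port 5123 ssh2
Sep  1 10:00:08 host sshd[2005]: Failed password for invalid user oracle from 203.0.113.7 port 4425 ssh2
Sep  1 10:00:09 host sshd[2006]: Failed password for invalid user guest from 203.0.113.7 port 4426 ssh2
Sep  1 10:30:00 host sshd[2007]: Failed password for root from 198.51.100.9 port 6001 ssh2
Sep  1 11:30:00 host sshd[2008]: Failed password for root from 198.51.100.9 port 6002 ssh2
"""

# Matches only authentication failures; accepted logins are deliberately ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def find_ban_candidates(log_text, maxretry=5, findtime_s=600, year=2014):
    """Return {ip: time_of_ban} for sources with >= maxretry failures inside a
    sliding window of findtime_s seconds (the semantics of Fail2Ban's
    maxretry/findtime). Syslog lines carry no year, so one is assumed."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    banned = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        window = recent[ip]
        window.append(ts)
        # Expire failures older than findtime_s so slow, spaced-out attempts do not accumulate.
        while window and (ts - window[0]).total_seconds() > findtime_s:
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned

def deny_rules(banned):
    """Render the ban list as iptables DROP rules, one per offending source."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]
```

With the defaults, 203.0.113.7 is banned after its fifth failure in eight seconds, while 198.51.100.9 (two failures an hour apart) stays below the threshold because the window expires.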

Cyber Warnings Magazine – September Edition
Copyright © Cyber Defense Magazine. All rights reserved worldwide.