Opening a FlowTraq Cloud window for the first time can be like walking into a big grocery store when you’re hungry: there’s a lot to see, and you know there’s something good here… but where to start? This post is intended as a springboard to help you find interesting traffic on your network. The workspaces linked here all show your own data if you are a FlowTraq Cloud customer, which means that anything you see, you can immediately act on. It’s easy, it’s fast, and there’s a LOT to see.
Facebook is one of the most commonly visited sites on the web, both from people using it directly and from “like” buttons embedded in thousands of other websites. Similarly, many web browsing sessions start with a visit to a search engine such as Google, Yahoo! or Bing. Netflix, YouTube, and Hulu are all popular video streaming sites. Services like these are served from many machines spread across large address ranges; any one of them might answer a particular request, and the set changes over time, so filtering on a single IP address misses most of the traffic. On the Internet, each such network is identified by an Autonomous System Number (ASN), under which it announces all of its address blocks; FlowTraq makes it easy to filter traffic on ASN.
Check out how much traffic you are shoveling for each of these sites, broken down by the IP addresses receiving the most data:
Bing (Microsoft): AS8075
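The ASN view described above, as an added example rather than FlowTraq code: flow records are mapped to an ASN by longest-prefix match against a prefix table, totalled per ASN, and then listed by the addresses that received the most data. The prefix table and the flow records are constructed for this example; AS8075 is the Microsoft ASN the post names, but the prefixes attached to it here are documentation ranges, not real announcements.

```python
# Added example, not FlowTraq code: aggregate flow records by ASN and list the
# addresses receiving the most data. The prefix table and the flow records are
# constructed; AS8075 is the ASN the post names, the prefixes under it are not real.
import ipaddress
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst dst_port bytes packets")

# Constructed prefix -> ASN table. A real one would come from a BGP feed or a
# routing-table snapshot from your upstream or a route collector.
PREFIX_TO_ASN = {
    "203.0.113.0/25": 8075,    # hypothetical block attributed to AS8075 for the example
    "198.51.100.0/24": 64500,  # hypothetical block under a private-use ASN
}

# Longest-prefix match: sort by prefix length descending so the most specific
# announcement wins when prefixes overlap.
_TABLE = sorted(
    ((ipaddress.ip_network(p), asn) for p, asn in PREFIX_TO_ASN.items()),
    key=lambda entry: entry[0].prefixlen,
    reverse=True,
)


def lookup_asn(ip):
    """Return the ASN announcing `ip`, or None if no table entry covers it."""
    addr = ipaddress.ip_address(ip)
    for network, asn in _TABLE:
        if addr in network:
            return asn
    return None


def peer_asn(flow):
    """ASN of the remote side of a flow: whichever endpoint the table covers.
    Returns None when neither endpoint falls in a known prefix."""
    asn = lookup_asn(flow.dst)
    return asn if asn is not None else lookup_asn(flow.src)


def bytes_by_asn(flows):
    """Total bytes exchanged with each ASN (None collects flows no prefix covers)."""
    totals = defaultdict(int)
    for flow in flows:
        totals[peer_asn(flow)] += flow.bytes
    return dict(totals)


def top_receivers(flows, asn, n=5):
    """For flows whose peer is `asn`, bytes received per destination address,
    largest first. Both directions count: a local host pulling video from the
    ASN and an ASN server accepting an upload both appear as receivers."""
    received = defaultdict(int)
    for flow in flows:
        if peer_asn(flow) == asn:
            received[flow.dst] += flow.bytes
    ranked = sorted(received.items(), key=lambda item: item[1], reverse=True)
    return ranked[:n]


# Constructed flow records (src, dst, dst_port, bytes, packets); 192.0.2.0/24
# stands in for the local network.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.5", 443, 120_000, 150),
    Flow("192.0.2.11", "203.0.113.5", 443, 80_000, 90),
    Flow("192.0.2.12", "203.0.113.77", 443, 250_000, 300),
    Flow("203.0.113.5", "192.0.2.10", 52144, 900_000, 700),  # download back to a local host
    Flow("192.0.2.10", "198.51.100.9", 80, 40_000, 60),
    Flow("192.0.2.13", "203.0.113.200", 443, 10_000, 20),    # outside the /25: no ASN
]

if __name__ == "__main__":
    totals = bytes_by_asn(SAMPLE_FLOWS)
    for asn, total in sorted(totals.items(), key=lambda kv: kv[1], reverse=True):
        label = f"AS{asn}" if asn is not None else "unknown AS"
        print(f"{label}: {total} bytes")
    for ip, total in top_receivers(SAMPLE_FLOWS, 8075):
        print(f"  {ip:16} received {total} bytes in traffic with AS8075")
```

Because the lookup is by prefix rather than by address, a new server the provider brings up inside an existing announcement is counted automatically; the table only needs refreshing when the provider's announcements change.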
FlowTraq Cloud also helps you evaluate your security. Even long after the fact, FlowTraq’s history-long full-fidelity database gives you the data you need to identify attempts to compromise your network. When the media talks about hacking attempts from China or the newest malware, you don’t have to wonder if you’ve been hit: FlowTraq helps you find out.
Earlier this year, Mandiant published a brilliant report on phishing attempts that they traced to a series of IP addresses originating in China. We discussed their results and pulled from their report the sets of IP addresses worth looking for in your traffic over the last six months.
Check whether any of your hosts have exchanged traffic with those addresses, whether or not the attack succeeded:
If you see traffic in either of these workspaces, remember that you can inspect the individual sessions (Sessions for FTP/Windows Remote; Sessions for HTTP / HTTPS). Long-running sessions with many packets exchanged are the danger sign to look for: a single short connection may be no more than a user clicking a link, while a session that stays open for hours with traffic flowing in both directions is more consistent with remote control or a bulk transfer. Note which side opened the connection and on which port, since a host of yours connecting out to one of these addresses over a file-transfer or remote-administration service warrants a closer look at that host itself.
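The sweep described in the last three paragraphs, as an added example rather than FlowTraq code: stored sessions are matched against a set of indicator addresses, each hit is labelled with the session view it belongs to (FTP/Windows remote services or HTTP/HTTPS), and sessions that are both long-running and packet-heavy are flagged. The indicator addresses, the session records and the duration and packet thresholds are constructed for this example and are not taken from the Mandiant report or from real traffic.

```python
# Added example, not FlowTraq code: sweep stored sessions against indicator
# addresses and flag long-running, chatty sessions. Indicators, sessions and
# thresholds are constructed for the example, not taken from any report.
from collections import namedtuple
from datetime import datetime, timedelta

Session = namedtuple("Session", "start end local remote remote_port packets bytes")

# Constructed indicator set (documentation addresses, not real indicators).
INDICATOR_IPS = frozenset({"198.51.100.23", "198.51.100.77"})

# Port groups mirroring the two session views the post names.
PORT_GROUPS = {
    "ftp_windows_remote": {20, 21, 135, 139, 445, 3389},
    "http_https": {80, 443},
}

# Assumed thresholds for "long-running with many packets"; tune to your network.
LONG_SESSION = timedelta(minutes=30)
MANY_PACKETS = 1000


def port_group(port):
    """Name of the post's session view this port falls under, or "other"."""
    for name, ports in PORT_GROUPS.items():
        if port in ports:
            return name
    return "other"


def is_long_running(session, min_duration=LONG_SESSION, min_packets=MANY_PACKETS):
    """The post's danger sign: open for a long time and exchanging many packets,
    which is what interactive control or a bulk transfer looks like in flow data."""
    return (session.end - session.start) >= min_duration and session.packets >= min_packets


def sweep(sessions, indicators):
    """Sessions whose remote endpoint is an indicator, annotated with the
    matching session view and the long-running flag."""
    hits = []
    for s in sessions:
        if s.remote not in indicators:
            continue
        hits.append({
            "local": s.local,
            "remote": s.remote,
            "remote_port": s.remote_port,
            "view": port_group(s.remote_port),
            "duration_s": int((s.end - s.start).total_seconds()),
            "packets": s.packets,
            "bytes": s.bytes,
            "long_running": is_long_running(s),
        })
    return hits


def hosts_involved(hits):
    """Local hosts that touched any indicator, for follow-up on the endpoint."""
    return sorted({h["local"] for h in hits})


# Constructed session records; 192.0.2.0/24 stands in for the local network.
SAMPLE_SESSIONS = [
    # one short HTTPS connection: perhaps a user who clicked a link
    Session(datetime(2013, 3, 2, 14, 0, 0), datetime(2013, 3, 2, 14, 0, 30),
            "192.0.2.10", "198.51.100.23", 443, 12, 3_000),
    # SMB to an indicator, open for hours with steady traffic
    Session(datetime(2013, 3, 3, 1, 10, 0), datetime(2013, 3, 3, 3, 45, 0),
            "192.0.2.15", "198.51.100.77", 445, 48_000, 6_200_000),
    # ordinary HTTPS to an unrelated host: not a hit
    Session(datetime(2013, 3, 3, 9, 0, 0), datetime(2013, 3, 3, 9, 5, 0),
            "192.0.2.20", "203.0.113.9", 443, 400, 150_000),
    # long but quiet: a keep-alive, not a transfer, so not flagged
    Session(datetime(2013, 3, 4, 10, 0, 0), datetime(2013, 3, 4, 12, 0, 0),
            "192.0.2.15", "198.51.100.23", 8080, 500, 40_000),
]

if __name__ == "__main__":
    hits = sweep(SAMPLE_SESSIONS, INDICATOR_IPS)
    for hit in hits:
        flag = "LONG-RUNNING" if hit["long_running"] else "short"
        print(f'{hit["local"]} -> {hit["remote"]}:{hit["remote_port"]} '
              f'[{hit["view"]}] {hit["duration_s"]}s {hit["packets"]} pkts {flag}')
    print("hosts to examine:", hosts_involved(hits))
```

Both conditions are required for the flag on purpose: a session that is long but exchanges few packets (the keep-alive in the sample) and a burst that is short but heavy are each common in benign traffic, while the combination is rarer and is the pattern the post singles out.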