ABOUT INTERROGATED™ NETWORK ANALYSIS: The Interrogated™ network analysis tool examines the IP traffic on a network, providing insight into the health of an organization’s security posture as well as into traffic origination and profile. Interrogated™ is intended to consume a company-specific file (i.e. a log file), normalize and parse specific details from each event identified in the file, and report on the disposition of files. These results are then processed through various solutions to produce an efficacy report demonstrating the value of a specific tool or service to your organization.
REMOTE CONNECTIONS DISPOSITIONS: The remote connections dispositions show the percentage of IP addresses known to be malicious, suspicious, or benign based on our various threat intelligence feeds.
PROTOCOL DISTRIBUTION: This breakdown offers a high-level insight into the traffic patterns on your network:
- TCP actively listens for a connection and maintains connection state, established through a handshake. If the connection drops, TCP traffic will time out and disconnect. This is the most common form of internet connectivity.
- UDP connects without listening: it sends data without knowing whether there is a connection or not. A higher level of UDP vs. TCP traffic is indicative of botnets.
- ICMP is a protocol used to direct traffic within your LAN or to acknowledge that a system is online. ICMP usually accounts for a very small share of total network activity; a large amount is abnormal and would indicate suspicious activity.
5THCOLUMN PROTECTION: Up to five sources may appear under the 5thColumn Protection portal; results will vary. The 5thColumn Protection portal shows the percentage breakdown of which source each IP has been validated against.
The following five sources may appear:
- Detected by DNS Disposition Service: Open DNS service validates domain names and IP addresses
- Detected by Malware Provider Service: Cisco Threat Grid
- Detected by Known Attackers & Federated Block List Service: Based on Stanford’s database, DShield
- Tor Networks Monitoring Service: IPs associated with darkweb/tor networks
- Collective Intelligence Service: open-source intel collections
REMOTE IP LOCATIONS: The countries listed show where IP traffic is going to. This is useful for visualizing the origin of suspicious activity.
FOREIGN vs. DOMESTIC TRAFFIC: Shows the percentage of network traffic that stays domestic versus traveling to or from a foreign destination.
TRAFFIC CATEGORIZATION: IP addresses can be categorized to show how your network is being utilized.
ATTEMPTED REMOTE CONNECTION BREAKDOWN: The data is broken down even further to show each IP address and its related information. A large percentage of “bad” traffic with a high number of attempted connections is indicative of a targeted attack.
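The following is an added illustration, not Interrogated™'s own code: it parses a few constructed connection-log lines and computes the report sections described above (protocol distribution, remote connection dispositions, foreign vs. domestic split, and the per-IP attempted-connection breakdown). The log format, the threat-intel lookup table and the home country "US" are assumptions made for the demo.

```python
# Added example (not Interrogated's code). The log format, threat-intel table
# and 'domestic' country below are assumptions constructed for this demo.
from collections import Counter
from ipaddress import ip_address

# Constructed sample events: "timestamp proto src_ip dst_ip dst_port country"
SAMPLE_LOG = """\
2024-01-01T10:00:00 TCP 10.0.0.5 203.0.113.10 443 US
2024-01-01T10:00:01 TCP 10.0.0.5 203.0.113.10 443 US
2024-01-01T10:00:02 UDP 10.0.0.7 198.51.100.20 53 DE
2024-01-01T10:00:03 TCP 10.0.0.8 198.51.100.20 4444 DE
2024-01-01T10:00:04 ICMP 10.0.0.9 192.0.2.30 0 CN
2024-01-01T10:00:05 TCP 10.0.0.9 192.0.2.30 445 CN
2024-01-01T10:00:06 TCP 10.0.0.9 192.0.2.30 445 CN
"""

# Constructed threat-intel feed (assumption): remote IP -> disposition
THREAT_INTEL = {"198.51.100.20": "malicious", "192.0.2.30": "suspicious"}
DOMESTIC = "US"  # assumed home country for the foreign/domestic split

def parse_events(text):
    """Normalize each log line into a dict; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed line: do not let it skew the percentages
        ts, proto, src, dst, port, country = fields
        events.append({"proto": proto.upper(), "src": ip_address(src),
                       "dst": ip_address(dst), "port": int(port), "country": country})
    return events

def build_report(events, intel=THREAT_INTEL, domestic=DOMESTIC):
    """Compute each report section as percentages plus per-IP attempt counts."""
    n = len(events)  # counters are empty when n == 0, so no division occurs
    pct = lambda c: {k: round(100 * v / n, 1) for k, v in c.items()}
    protocols = Counter(e["proto"] for e in events)
    disposition = Counter(intel.get(str(e["dst"]), "benign") for e in events)
    geo = Counter("domestic" if e["country"] == domestic else "foreign" for e in events)
    per_ip = Counter(str(e["dst"]) for e in events)
    # Attempted-connection breakdown: "bad" IPs with repeated attempts stand out
    targeted = [ip for ip, cnt in per_ip.items()
                if intel.get(ip, "benign") != "benign" and cnt >= 2]
    return {"protocols": pct(protocols), "dispositions": pct(disposition),
            "foreign_vs_domestic": pct(geo), "attempts": dict(per_ip),
            "targeted": sorted(targeted)}

if __name__ == "__main__":
    print(build_report(parse_events(SAMPLE_LOG)))
```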