Investigating malicious destinations

Created On 05/26/20 23:41 PM - Last Modified 07/20/23 19:31 PM


Objective


IoT Security helps you identify IoT devices on your network that connect to malicious destinations and block those connections.

Each suspicious connection is shown on the interactive Devices with External Destinations map (Dashboard > Inventory). You can quickly identify the IoT devices on your network that participated in these connections and block the behavior so that the connections do not recur. Follow these steps to identify and remediate suspicious connections.


Procedure


  1. Hover your cursor over countries shaded red on the map to identify those with malicious destinations, zooming in or out as necessary.
  2. Click a country shaded red to pin its pop-up panel, which displays the country name, the number of devices connected to destinations in that country, and the number of devices connected to malicious destinations in that country.
  3. Click the number of devices connected to malicious destinations to navigate to the External Destinations Inventory List.
 
The Devices page opens with a filter applied to show devices with malicious destinations in the Inventory table.

  4. Click a device name to open the Device Details page for it and then use the Network Traffic widget to view malicious destinations.
  5. Click the Malicious Destinations number and then click the International tab to view the set of malicious international destinations.
  6. If you recognize the destinations, you’re done. Otherwise, note the device profile of this IoT device and continue to the next step.
  7. Follow the instructions in the IoT Security Administrator’s Guide to create policy rule recommendations that block IoT devices in this device profile from connecting to these destinations, and push them directly to your next-generation firewalls. Once enabled, these policies prevent the malicious behavior from recurring.

