Network Traffic to Rare Destination Country

A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from a server in a country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2021/04/05"
integration = ["endpoint", "network_traffic"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job detected a rare destination country name in the network logs. This can be due to initial access,
persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing
email or opens a malicious document, a request may be sent to download and run a payload from a server in a country
which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms
may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual
destination country for the source network.
"""
false_positives = [
    """
    Business workflows that occur very occasionally, and involve a business relationship with an organization in a
    country that does not routinely appear in network events, can trigger this alert. A new business workflow with an
    organization in a country with which no workflows previously existed may trigger this alert - although the model
    will learn that the new destination country is no longer anomalous as the activity becomes ongoing. Business
    travelers who roam to many countries for brief periods may trigger this alert.
    """,
]
from = "now-30m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "rare_destination_country"
name = "Network Traffic to Rare Destination Country"
setup = """## Setup

This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
- Elastic Defend
- Network Packet Capture

### Anomaly Detection Setup

Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration to your system:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).

### Network Packet Capture Integration Setup
The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.

#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system:
- Go to the Kibana home page and click “Add integrations”.
- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it.
- Click “Add Network Packet Capture”.
- Configure the integration name and optionally add a description.
- Review optional and advanced settings accordingly.
- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.
- Click “Save and Continue”.
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).
"""
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "35f86980-1fb1-4dff-b311-3be941549c8d"
severity = "low"
tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
type = "machine_learning"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Network Traffic to Rare Destination Country

Machine learning models analyze network logs to identify traffic to uncommon destination countries, which may indicate malicious activities like unauthorized access or data exfiltration. Adversaries exploit this by directing traffic to servers in atypical locations, often linked to command-and-control operations. The detection rule flags such anomalies, aiding in early threat identification and response.

### Possible investigation steps

- Review the network logs to identify the specific destination country flagged as rare and assess its historical presence in the network traffic.
- Analyze the source IP addresses and user accounts associated with the flagged traffic to determine if they are legitimate or potentially compromised.
- Investigate the nature of the traffic, such as the protocols and ports used, to identify any unusual patterns or connections to known malicious infrastructure.
- Check for any recent phishing attempts or suspicious emails that may have led to the initiation of this traffic, focusing on links or attachments that could have been used to download malicious payloads.
- Correlate the flagged traffic with any other security alerts or incidents to identify potential patterns or coordinated attacks involving the rare destination country.
- Consult threat intelligence sources to determine if the destination country or specific IP addresses are associated with known threat actors or command-and-control servers.

### False positive analysis

- Legitimate business communications with partners or clients in rare destination countries may trigger alerts. Users should review and whitelist these known entities to prevent future false positives.
- Routine software updates or patches from international vendors might be flagged. Identify and exclude these update servers from the detection rule to avoid unnecessary alerts.
- Employees traveling abroad and accessing company resources can generate alerts. Implement a process to temporarily whitelist these destinations based on travel schedules.
- Cloud services with global data centers may route traffic through uncommon countries. Verify the service's IP ranges and exclude them if they are part of normal operations.
- Research or market expansion activities targeting new regions might cause alerts. Document and exclude these activities if they align with business objectives.

### Response and remediation

- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
- Conduct a thorough scan of the isolated system for malware or unauthorized software, focusing on identifying any command-and-control (C2) communication channels.
- Block network traffic to and from the identified rare destination country at the firewall or proxy level to prevent further communication with potential malicious servers.
- Review and analyze logs from the affected system and network devices to identify any additional indicators of compromise or related suspicious activities.
- If malware is detected, remove it using appropriate tools and techniques, ensuring that all persistence mechanisms are eradicated.
- Restore the affected system from a clean backup if necessary, ensuring that all security patches and updates are applied.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Network Traffic to Rare Destination Country

Machine learning models analyze network logs to identify traffic to uncommon destination countries, which may indicate malicious activities like unauthorized access or data exfiltration. Adversaries exploit this by directing traffic to servers in atypical locations, often linked to command-and-control operations. The detection rule flags such anomalies, aiding in early threat identification and response.

Possible investigation steps

  • Review the network logs to identify the specific destination country flagged as rare and assess its historical presence in the network traffic.
  • Analyze the source IP addresses and user accounts associated with the flagged traffic to determine if they are legitimate or potentially compromised.
  • Investigate the nature of the traffic, such as the protocols and ports used, to identify any unusual patterns or connections to known malicious infrastructure.
  • Check for any recent phishing attempts or suspicious emails that may have led to the initiation of this traffic, focusing on links or attachments that could have been used to download malicious payloads.
  • Correlate the flagged traffic with any other security alerts or incidents to identify potential patterns or coordinated attacks involving the rare destination country.
  • Consult threat intelligence sources to determine if the destination country or specific IP addresses are associated with known threat actors or command-and-control servers.
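
As an added illustration of the first three investigation steps (not part of the Elastic rule or its machine learning job), the Python below reports a flagged country's historical presence, the hosts and users behind the traffic, and the destination endpoints used. The events are constructed, the flattened ECS-style field names, the `max_share` cut-off and the `allowlist` parameter are assumptions, and the simple frequency threshold only stands in for the job's anomaly scoring.

```python
from collections import Counter

# Constructed sample data: flattened ECS-style events, documentation IP ranges,
# made-up hosts/users and a fictional country name. Not real traffic.
def ev(ts, host, user, country, ip, port, proto="tcp"):
    return {"@timestamp": ts, "host.name": host, "user.name": user,
            "destination.geo.country_name": country, "destination.ip": ip,
            "destination.port": port, "network.transport": proto}

EVENTS = (
    [ev(f"2025-01-{d:02d}T09:00:00Z", "ws-01", "alice", "United States", "192.0.2.10", 443)
     for d in range(1, 29)]
    + [ev(f"2025-01-{d:02d}T10:00:00Z", "ws-02", "bob", "Germany", "198.51.100.7", 443)
       for d in range(1, 29)]
    + [ev("2025-01-28T23:41:00Z", "ws-02", "bob", "Exampleland", "203.0.113.50", 8443),
       ev("2025-01-28T23:46:00Z", "ws-02", "bob", "Exampleland", "203.0.113.50", 8443)]
)

def country_history(events, country):
    """Historical presence of one destination country, plus who talked to it and how."""
    hits = [e for e in events if e["destination.geo.country_name"] == country]
    if not hits:
        return None  # country never seen in this data set
    times = sorted(e["@timestamp"] for e in hits)  # same ISO-8601 format sorts lexically
    return {
        "events": len(hits),
        "share": len(hits) / len(events),
        "first_seen": times[0],
        "last_seen": times[-1],
        "sources": sorted({(e["host.name"], e["user.name"]) for e in hits}),
        "endpoints": Counter((e["destination.ip"], e["destination.port"],
                              e["network.transport"]) for e in hits),
    }

def rare_countries(events, max_share=0.05, allowlist=()):
    """Countries at or below max_share of all events (assumed cut-off),
    excluding destinations already documented as legitimate business traffic."""
    counts = Counter(e["destination.geo.country_name"] for e in events)
    total = sum(counts.values())
    return sorted(c for c, n in counts.items()
                  if n / total <= max_share and c not in allowlist)

if __name__ == "__main__":
    for name in rare_countries(EVENTS):
        print(name, country_history(EVENTS, name))
```
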

False positive analysis

  • Legitimate business communications with partners or clients in rare destination countries may trigger alerts. Users should review and whitelist these known entities to prevent future false positives.
  • Routine software updates or patches from international vendors might be flagged. Identify and exclude these update servers from the detection rule to avoid unnecessary alerts.
  • Employees traveling abroad and accessing company resources can generate alerts. Implement a process to temporarily whitelist these destinations based on travel schedules.
  • Cloud services with global data centers may route traffic through uncommon countries. Verify the service's IP ranges and exclude them if they are part of normal operations.
  • Research or market expansion activities targeting new regions might cause alerts. Document and exclude these activities if they align with business objectives.

Response and remediation

  • Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
  • Conduct a thorough scan of the isolated system for malware or unauthorized software, focusing on identifying any command-and-control (C2) communication channels.
  • Block network traffic to and from the identified rare destination country at the firewall or proxy level to prevent further communication with potential malicious servers.
  • Review and analyze logs from the affected system and network devices to identify any additional indicators of compromise or related suspicious activities.
  • If malware is detected, remove it using appropriate tools and techniques, ensuring that all persistence mechanisms are eradicated.
  • Restore the affected system from a clean backup if necessary, ensuring that all security patches and updates are applied.
  • Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
