If you use a web proxy that has categorization built-in and you log the requests to your central log system, you can add another layer of detection by alerting on multiple requests for a known malicious destination from a single source. Even though malware can come from almost any site or email, the call “home” is often to a site that is reused. This detection method caught a few infections that were not detected by anti-virus in the last month.

For this example Splunk is used to search BlueCoat logs. We’ll look for categories that indicate malicious sites and count them by user, host, and referrer. The site categories and count thresholds should be tuned to fit your needs.

index=proxy host=bluecoat “Malicious Sources” OR “Malicious Outbound Data” OR “Botnets” | stats count by cs_username, cs_host, cs_Referrer | where count > 1 | table cs_username, cs_host, cs_Referrer, count

Most of the time the results are probably benign, but it should be easy to spot when it hits. These were all for the same user, also note the blank referrer.

Schedule this to run periodically and let your logs tell you when there’s a potential infection.