How can Secure Network Analytics help?
In 2021, we ran a memorable proof of concept (PoC) of Secure Network Analytics (SNA) at a large, well-known construction company in Germany.
The main challenges were interesting and demanding:
- Obtain internal (east-west) network visibility
- Gain security awareness and visibility at branches
- Detect communications with insecure network protocols
- Find illegitimate communications between internal segments
All of these gaps could be covered by SNA.
The story I would like to share is about how we proactively detected lateral worm propagation: a single host had connected to more than 1300 hosts in the company.
It happened on one of the days when we were tuning the SNA installation. Since SNA relies on supervised and unsupervised machine learning (ML), this tuning is needed to reduce the number of false positives during the PoC. Suddenly we encountered a new alarm in the Exploitation category, which tracks direct attempts by hosts to compromise each other, such as worm propagation and brute-force password cracking.
That alarm definitely raised some concern! As soon as we clicked on the category alarm, we found the exact IP address of the host considered to be the propagation point. SNA assigned this host a concern index of 2305% as an exploitation point.
This is because the system expected 32 thousand internal points for this host and observed 737 thousand. The summary of security events included in this alarm was accordingly tremendous.
This was indeed a surprise! As you can see below, this host scanned and successfully connected to 1359 hosts, including NTP servers, web servers, file servers and domain controllers. This is exactly the definition of a Worm Propagation event. From here we can easily view and export all the touched endpoints, timestamps and host groups.
The investigation proceeded. Next we dived into the associated flows; since NetFlow is the primary data source for SNA, there was a lot of valuable data there. We tracked down the exact timestamps and order of connections, and we could also see which source and destination ports were used for each connection. The Peer section is non-zero, which means the connections were truly established: the peer side of each flow carried traffic back to the scanner rather than merely being probed.
Finally, we looked at the host report and found a lot of other security events.
From this point the investigation continued with other tools and solutions. SNA gave us the means to dig into the data and alerted us to the suspicious behaviour: one host had scanned and connected to more than 1300 hosts. Whatever the cause, this qualifies as a critical security incident.
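As an added illustration (my own code, not SNA's, and not its real concern-index algorithm), here is a simplified fan-out detector over constructed NetFlow-style records: per internal source it counts the distinct internal hosts that actually answered (the non-zero Peer condition described above), flags sources whose fan-out reaches a threshold, and expresses the count against an assumed per-host baseline the way the 2305% figure relates observed to expected. The address ranges, baselines and flows are all constructed.

```python
"""Toy worm-propagation detector over NetFlow-style records (added example,
not SNA's own algorithm). Assumptions: a flow counts as established when the
peer sent packets back (the page's non-zero Peer value); a source that
completes connections to many distinct internal hosts is flagged; 'concern'
is observed vs. expected peer count, as a percentage."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def established_peers(flows):
    """Distinct internal destinations each internal source actually reached."""
    peers = defaultdict(set)
    for f in flows:
        if f["peer_pkts"] > 0 and is_internal(f["src"]) and is_internal(f["dst"]):
            peers[f["src"]].add(f["dst"])
    return peers

def concern_pct(observed, expected):
    """Deviation from the expected baseline as a percentage."""
    return round(100 * observed / expected)

def detect_worm_propagation(flows, expected_peers, min_peers=50):
    """{src: {"peers": n, "concern_pct": p}} for sources whose fan-out of
    established internal connections reaches min_peers."""
    alerts = {}
    for src, dsts in established_peers(flows).items():
        if len(dsts) >= min_peers:
            baseline = expected_peers.get(src, 1)  # unknown host: assume 1 peer
            alerts[src] = {"peers": len(dsts),
                           "concern_pct": concern_pct(len(dsts), baseline)}
    return alerts

# Constructed sample: 10.1.1.5 sweeps 10.1.2.1-80; 60 targets answer, 20 are
# only probed (peer_pkts == 0). 10.1.1.9 shows ordinary traffic to two servers.
SAMPLE_FLOWS = [
    {"src": "10.1.1.5", "dst": f"10.1.2.{i}", "peer_pkts": 3 if i <= 60 else 0}
    for i in range(1, 81)
] + [
    {"src": "10.1.1.9", "dst": "10.1.3.10", "peer_pkts": 2},
    {"src": "10.1.1.9", "dst": "10.1.3.11", "peer_pkts": 1},
]
EXPECTED_PEERS = {"10.1.1.5": 4, "10.1.1.9": 5}  # constructed per-host baselines

if __name__ == "__main__":
    print(detect_worm_propagation(SAMPLE_FLOWS, EXPECTED_PEERS))
```

Only the 60 answered targets count towards the sweep; the 20 unanswered probes are dropped, which is the same distinction the Peer column makes in the flow view.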
What are the next steps?
First, establish whether this behaviour is legitimate. A good approach is to check on the AD server who was logged in on that host and question that user. If the behaviour is not legitimate, the touched hosts should be isolated or quarantined as quickly as possible; this kind of automation can be driven by SNA's webhooks. After that you have a variety of options to figure out what happened, but that is already forensics. Forensics specialists use Windows events and logs, user data, connection tables, CPU register contents, SIEM and firewall logs: basically everything that can be relevant to the investigation.
P.S.: in our case there was a happy ending. An admin at that company had used a pentesting tool to scan for all hosts in a specific octet, but had not notified us. Nothing bad happened, but the value of SNA was surely proven!
If you are interested in a POC or further information, please contact us.