Internal Visibility = Super Easy Threat Hunting
April 25, 2018
More proof that hunting threats with ExtraHop is like shooting fish in a barrel
Details in this story have been anonymized to protect the privacy of the individuals and businesses involved.
I recently trained at a major financial services institution with a ton of branches (standard hub and spoke deployment, meaning all their remote traffic comes through the central data center) and several billion (USD) in assets. As you can imagine, this makes them a pretty attractive target for bad actors.
After going over some basic analytics (database, SSL, Citrix, etc.) they asked me for my number one sexiest solution bundle; I didn't even hesitate. Every organization—especially if you've got an extended network—needs GeoIP Monitoring. Here's why.
The Story
We installed the GeoIP bundle, and five minutes later...
Me: "Hey, look, a single IP address in branch IP space just reached directly to Korea for DNS."
Student1: "What? No."
Student2: "That shouldn't happen."
Student1: "We block that. Don't we?"
Student2: "Screenshot that."
Me, leading the witness: "I wonder what that IP in the branch is doing..."
The suspect IP wouldn't respond to RDP, so it probably wasn't a Windows box. We pulled up the super hacker tool Firefox and browsed to the suspect IP.
A CCTV login page appears!
The login page helpfully lists the vendor. Me, leading the witness again: "Is this the vendor you use for in-branch CCTV?"
Students 1&2: "No!"
A quick internet search turned up the default password (root/root) and we were in.
Yup! It's a control head for two CCTV cameras in a bank branch.
Student1: [type type type] "I just emailed [redacted] to ask her what's the deal with this camera."
Student2: "But how is this camera reaching to Korea for DNS?"
We click on the CCTV's Admin page and then the Network page. The CCTV had a manually configured IP, netmask, gateway, and two DNS servers.
Student1: "Screenshot that."
Student2: "I wonder how many more of these there are..."
Me: "Give me ten seconds and I'll tell you."
We then broadened our investigation to find out whether or not any other rogue devices in bank branches were exhibiting the same indicator (i.e. DNS requests to South Korea).
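The pivot from one odd DNS flow to "how many more of these are there" is a query over flow records with a GeoIP lookup on the destination: keep DNS flows whose source sits in branch IP space, drop the ones that go to the corporate resolvers, tag the rest with the destination country, then group by country to see which hosts share the indicator. The Python below is an added example written for this page, not ExtraHop code and not something the original post contained. The branch address space, the approved resolver addresses, the GeoIP prefix table and the flow records are all constructed for the illustration (the prefixes are documentation ranges and the country mapping is invented); a real hunt would read flows from the sensor and use a proper GeoIP database.

```python
import ipaddress
from collections import defaultdict

# --- Constructed reference data (assumptions for this example) -------------
# Branch (spoke) address space; hosts here should resolve only via the DC.
BRANCH_SPACE = ipaddress.ip_network("10.0.0.0/8")
# Corporate resolvers in the data center (assumed addresses).
APPROVED_RESOLVERS = {ipaddress.ip_address(a) for a in ("10.1.0.53", "10.1.0.54")}
# Countries where the bank expects its DNS traffic to terminate.
APPROVED_COUNTRIES = {"US"}
# RFC 1918 space, used to tell internal from external destinations. Checked
# explicitly rather than via is_private(), which also matches the
# documentation ranges used in the toy GeoIP table below.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Toy GeoIP table: documentation prefixes with an invented country mapping.
GEOIP = [(ipaddress.ip_network(p), cc) for p, cc in (
    ("198.51.100.0/24", "KR"),
    ("203.0.113.0/24", "US"),
    ("192.0.2.0/24", "US"),
)]


def geoip_lookup(ip):
    """Country code for an address, 'INTERNAL' for RFC 1918, 'UNKNOWN' otherwise."""
    if any(ip in net for net in INTERNAL_NETS):
        return "INTERNAL"
    for net, cc in GEOIP:
        if ip in net:
            return cc
    return "UNKNOWN"


def parse_flow(line):
    """Parse one constructed flow line: '<ts> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(),
            "dport": int(dport)}


def hunt_rogue_dns(lines):
    """Flag every DNS flow from branch space that does not go to an approved
    resolver. Each finding carries the destination country and a reason."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        if f["dport"] != 53 or f["src"] not in BRANCH_SPACE:
            continue
        if f["dst"] in APPROVED_RESOLVERS:
            continue
        cc = geoip_lookup(f["dst"])
        if cc in APPROVED_COUNTRIES or cc == "INTERNAL":
            reason = "bypasses corporate resolver"
        else:
            reason = "DNS to unexpected country"
        findings.append({"ts": f["ts"], "src": str(f["src"]), "dst": str(f["dst"]),
                         "country": cc, "reason": reason})
    return findings


def hosts_by_country(findings):
    """Pivot: which branch hosts share the same indicator (DNS to country X)?"""
    pivot = defaultdict(set)
    for fd in findings:
        pivot[fd["country"]].add(fd["src"])
    return {cc: sorted(hosts) for cc, hosts in pivot.items()}


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = """
# ts                  src          dst            proto dport
2018-04-20T09:00:01  10.20.5.17   10.1.0.53      udp   53
2018-04-20T09:00:02  10.20.5.44   198.51.100.9   udp   53
2018-04-20T09:00:03  10.20.5.44   198.51.100.10  udp   53
2018-04-20T09:00:04  10.21.8.3    198.51.100.9   udp   53
2018-04-20T09:00:05  10.20.5.17   203.0.113.80   tcp   443
2018-04-20T09:00:06  10.22.1.9    192.0.2.53     udp   53
2018-04-20T09:00:07  172.16.4.2   198.51.100.9   udp   53
""".splitlines()

if __name__ == "__main__":
    found = hunt_rogue_dns(SAMPLE_FLOWS)
    for fd in found:
        print(f"{fd['ts']} {fd['src']} -> {fd['dst']} [{fd['country']}] {fd['reason']}")
    print("hosts per country:", hosts_by_country(found))
```

Two design points: the script does not stop at "foreign country". A branch host resolving through any resolver other than the corporate ones is worth a look even when the destination is domestic, so that case is reported with its own reason. And the 172.16.4.2 record is dropped on purpose: it is outside branch space, so it belongs to a different hunt with a different baseline. Tightening or widening `BRANCH_SPACE` and `APPROVED_COUNTRIES` is where the real tuning happens.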
The Takeaway
Threat hunting is ridiculously easy when you can detect and explore all network traffic in real time. This exercise also illustrates a fundamental truth in network security:
You can't remediate what you don't know about.
Modern networks are complex, ever-changing beasts. You need pervasive, always-on monitoring that the bad guys can't opt out of so you can watch what's going on inside your network—and make damn sure you also watch the traffic going out.
To learn how ExtraHop Reveal(x) gives security teams the complete visibility, behavioral analytics, and investigation automation they need to close security gaps and expedite threat investigations, visit the product page.