Act Two: The Vendor Responds

This is the second installment in the story of detecting network enumeration using Reveal(x).

To recap what we found in Act One:

1. Remote access was used to connect with a mission critical server.
2. The security team saw that a third party vendor installed the non-approved scanning tool
3. A ping sweep was conducted using that tool.
4. A SYN scan was conducted using it.
5. There was a Network Share Enumeration detection covering a wide variety of domain-joined computers

The security team received a quick response from their vendor. Unprecedentedly quick, in fact.

"They NEVER get back to us this fast. Ever."*

An engineer at their vendor apologized in the email. He had installed the scanning tool to try and locate a new server, and then had forgotten to remove the scanner. He also mentioned the hostname of the server he'd been looking for.

The hostname.

"How do you lose a server?!"*

"Why was he nmap-ing a large chunk of the network when he had the hostname?!"*

As amusing and baffling as this might be, it also has real security implications. The scanner does a lot more than just locate missing servers, it can also open remote access, and was not on this organization's list of approved tools.

Having a third party install unknown or unapproved software on a production server takes the problem of shadow IT to a whole new level. The ExtraHop detection didn't unearth an attacker doing reconnaissance, but it did expose something similarly important. The detection recognized anomalous behavior on the network and gave the security team a swift and easy workflow to discover the source, uncovering a security risk in the process.

While that third party engineer didn't have malicious intentions, his behavior was undeniably suspicious and worth investigation.

And the security team, using Reveal(x), caught him.

Want to follow along on a similar investigation workflow? Run through the exfiltration scenario in our demo and stop a simulated breach.

*All quotes are paraphrased.