Advanced Persistent Visibility

How can you stop attacks at the source if you don't have a complete view of what is happening in your environment?

The Problem

A security team in a large financial services firm noticed irregular behavior from several hosts. They saw a lot of activity that suggested network mapping was underway, which typically means that an attacker is using a compromised host as a stepping stone to move laterally around the network. During the investigation, the team determined that the attackers had been attempting a brute force attack on a database that contained sensitive company secrets and customer data. Time was critical with this attack underway. To contain the attack, they needed to understand the full scope of what was compromised, where the attack was coming from, and what data was at risk. Specifically, they needed to find and isolate hosts that were showing signs of compromise, as well as the machines those hosts were accessing. Then they needed to quickly quarantine these machines to limit the damage.

Desired Outcome

  • Persistent and non-invasive real-time monitoring of network and application communications to help identify anomalous behavior
  • Ability to determine when an attacker is moving laterally around the network, by monitoring east-west traffic
  • Visibility into which files and data are being accessed, to determine the risk
  • A complete picture of compromised assets to help quarantine

The security team detected an attack that was using compromised servers to hunt for high-value assets. They needed a way to monitor the environment in real time so they could detect anomalous behavior—and isolate and solve the problem.

The Solution

The Security team was already using ExtraHop to alert them about potential breaches. With ExtraHop in place they were able to quickly identify compromised hosts, reveal the sensitive data that was exposed, and discover the malicious external servers involved. They were also able to strengthen the security measures needed to stop future breaches by isolating how the breach occurred in the first place. In this case they were able to find the compromised servers that were successfully using a brute force attack on the database and see the data being queried to understand exactly what the attackers were up to. By using ExtraHop to monitor the real-time communications across their network, they saw a spike in probing of the network with ICMP ping requests and port scanning, which are early indicators that an attack may be under way. Using the ExtraHop Explore Appliance they were able to dig deep into this activity and see that it was in fact malicious activity coming from a few compromised hosts. Looking at all the systems these hosts had tried to access, they noticed a database that contained critical business data and personally identifiable information. If this system was compromised and the data stolen, not only would the business be impacted, but they could potentially be fined by the government for lack of compliance. Looking at the logins for the database, they could see that a brute force attack had been executed. Was it successful? Their wire data showed that the compromised host had gained access to the database, and had executed a series of queries within the database to capture this sensitive customer data. Realizing that this posed a severe risk to the organization, the team quickly located an FTP client that had been established by the malicious agents, and they blocked a transfer of these sensitive records to stop the attackers in their tracks.
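As an added example (not ExtraHop's code or output), the detection chain the story describes can be expressed over wire-data records: flag hosts that ping many addresses or probe many ports, flag a run of failed database logins followed by a success from the same source, and list every system the suspect hosts reached as the quarantine set. The record layouts, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample wire-data records, one per observed flow:
# (src, dst, proto, dport, event)
FLOWS = [
    # host 10.0.5.21 pings a wide range of internal addresses (network mapping)
    *[("10.0.5.21", f"10.0.5.{n}", "icmp", 0, "echo") for n in range(100, 140)],
    # the same host then probes a series of ports on the database server
    *[("10.0.5.21", "10.0.9.10", "tcp", p, "syn") for p in (21, 22, 80, 443, 1433, 3306, 5432, 8080)],
    # ordinary hosts each talk to a small set of services
    ("10.0.5.30", "10.0.9.10", "tcp", 1433, "syn"),
    ("10.0.5.31", "10.0.9.20", "tcp", 443, "syn"),
]

# Constructed database login events: (src, dst, outcome)
AUTH = [
    *[("10.0.5.21", "10.0.9.10", "fail")] * 25,
    ("10.0.5.21", "10.0.9.10", "success"),
    ("10.0.5.30", "10.0.9.10", "fail"),      # a single typo, then success
    ("10.0.5.30", "10.0.9.10", "success"),
]

def scanning_hosts(flows, icmp_threshold=20, port_threshold=5):
    """Sources that pinged many distinct hosts or hit many ports on one host."""
    icmp_targets = defaultdict(set)
    ports_per_target = defaultdict(set)
    for src, dst, proto, dport, _ in flows:
        if proto == "icmp":
            icmp_targets[src].add(dst)
        elif proto == "tcp":
            ports_per_target[(src, dst)].add(dport)
    hits = {s for s, t in icmp_targets.items() if len(t) >= icmp_threshold}
    hits |= {s for (s, _), p in ports_per_target.items() if len(p) >= port_threshold}
    return hits

def brute_force_successes(auth, fail_threshold=10):
    """(src, dst) pairs where a run of failed logins was followed by a success."""
    fails = defaultdict(int)
    found = set()
    for src, dst, outcome in auth:
        key = (src, dst)
        if outcome == "fail":
            fails[key] += 1
            continue
        if fails[key] >= fail_threshold:   # success right after a failure burst
            found.add(key)
        fails[key] = 0                     # any success resets the counter
    return found

def assets_at_risk(flows, suspects):
    """Every system a suspect host reached: the containment list for quarantine."""
    return {dst for src, dst, *_ in flows if src in suspects}
```

Pairing the three results tells the analyst which host to isolate, which database it actually got into, and which other systems it touched.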

User Impact

Without a platform like ExtraHop, it might have taken months to catch this malicious activity, resulting in widespread damage and data leakage. With ExtraHop, the Security team had the visibility it needed to thwart an attack on their critical business systems. ExtraHop provided a single view across all systems, which made it easy for the team to follow the intruders' activity across complex systems and gather the data they needed quickly. The team was able to respond to an attack in real time, isolating the compromised systems, determining what data was at risk, and ultimately stopping a data transfer that would have caused the organization irreparable harm.
