![]() ![]() I continued my investigation by checking the message payloads, to determine what information was being sent off-site. ![]() Still suspicious, but no clear evidence of foul play. The Origin header for the direct IP connections in the packets was initiated by a Chrome extension. I downloaded the packets as a PCAP and opened the file in Wireshark for analysis. I queried the Trace appliance for all of the stored packets between the Ubuntu workstation and the unknown peer device for the previous few days and found a large number of outbound websocket connections over a nonstandard port-6332. ![]() It isn't unusual for an employee's workstation to communicate with a peer at a cloud provider as part of normal internet browsing, but the direct IP connection was unusual. A search through the American Registry for Internet Numbers (ARIN) revealed that the peer IP address belonged to a droplet in the DigitalOcean cloud infrastructure. I checked our internal applications and learned that the affected device was an Ubuntu workstation for one of our employees. I began my standard investigation process with measured expectations. Reducing false positives plays a big part in creating accurate detectors, so I wasn't overly alarmed. Less than a day after I expanded our command-and-control detector to include web socket connections, I was rewarded with the following detection: a potential malware infection. Our internal network is well equipped with ExtraHop Reveal(x) Ultra: a Discover appliance, which captures wire data from the network for metric analysis, a connected Explore appliance, which indexes and stores transaction records, and a connected Trace appliance, which indexes and stores packets.īy leveraging these network traffic analysis capabilities, I was able to take moderately suspicious behavior and dig into the details of an exfiltration attack that would have been otherwise impossible to find. In early November, while refining our anomaly-detection service, I found a data leak on our network. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |