Detecting and Blocking Suspicious Internal Network Traffic

Internal network traffic in an organization can be as nefarious as an outside hacker trying to gain access to sensitive information. Every organization needs visibility into their network, both internal and external, in order to detect and respond to threats.

Recently, an organization we work with needed a way to detect and block suspicious internal network traffic; they used LogRhythm's SmartResponse to block the activity automatically.

View the presentation to see how SmartResponse was enabled to quickly detect suspicious internal network activity against a Web server and to block the offending host.

Published in: Technology
Detecting and Blocking Suspicious Internal Network Traffic

  1. Detecting and Blocking Suspicious Internal Network Traffic. By: Damon Gross
  2. A customer needed to monitor for suspicious internal network traffic.
  3. While they had a firewall between the Internet and their main Web server, they didn’t have one between the Web server and internal users.
  4. Until they could remedy the situation, they used LogRhythm’s SmartResponse™ to block the activity.
  5. The SmartResponse Automation Framework is tightly integrated into the LogRhythm platform, providing seamless continuity across the end-to-end threat detection and response workflow. Users set up SmartResponse actions to be triggered by specific alarms. These alarms can pass data (for example, the source IP that triggered them) to the SmartResponse action, enabling dynamic, precise execution.
  6. Let’s take a look at the setup.
  7. Set up Angry IP: On your desktop, set up Angry IP to run a port scan against a Web server, simulating suspicious internal network traffic.
  8. Clone and modify the built-in AI Engine rule: By cloning and modifying an existing AI Engine rule for port scans, the LogRhythm platform began picking up and alerting on the activity immediately. Known vulnerability scanners can be added to an exclusion list to reduce false positives on the alarm.
  9. Gain visibility into an alarm: The Web UI, starting with 7.1.5, gives not only general alarm information but specific information about the infected host. The alarm details the risk level, threat level and additional information. In this example, we can see that the Web server has access to internal DB servers.
  10. Gain visibility into an alarm (continued): Additionally, we can also see the AI Engine rule block that was used to detect the activity.
  11. Attach a SmartResponse to the alarm: The SmartResponse attached to this alarm runs on the Web server itself, eliminating the need to have unnecessary ports open to the Web server. The SmartResponse sets up a Windows Firewall rule to block all incoming traffic from the IP detected by the AI Engine rule.
  12. Approve the SmartResponse action: Once you’ve approved the SmartResponse action, you will see from the LogRhythm Web UI that the firewall rule created on the Web server is firing.
  13. View the firewall rule created on the affected host.
  14. Ensure the rule is firing: Finally, double-check that the rule that was created does indeed work. You should see that the scanning host is no longer able to communicate with the Web server.
  15. Utilizing SmartResponse, we were able to take action against suspicious internal traffic while minimizing the time to detect and respond to threats.
  16. Expand this SmartResponse rule to block other suspicious activities, such as communication with a threat-list IP address.
  17. Click below for more information on deploying this rule in your organization.
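The slides describe the SmartResponse action only at a high level (slides 8, 11, 13 and 14: honour a scanner exclusion list, create a Windows Firewall rule on the Web server for the IP the AI Engine alarm passes in, then verify the rule). The PowerShell below is an added example of what such an action script can look like; it is not LogRhythm's own SmartResponse plugin code and does not use the LogRhythm API. Assumptions, labelled in the comments: the alarm passes the scanning source address as the `-SourceIp` parameter, the exclusion list is the `$KnownScanners` array (the address in it is a constructed sample), and the Web server is a Windows host with the built-in `NetSecurity` module (`New-NetFirewallRule`, `Get-NetFirewallRule`, `Remove-NetFirewallRule`).

```powershell
<#
Added example, not LogRhythm's SmartResponse code.
Assumed interface: the AI Engine port-scan alarm hands the offending
source address to this script as -SourceIp. Everything else is local.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$SourceIp,                              # assumed alarm field: scanning host
    [string[]]$KnownScanners = @('10.0.5.20'),      # constructed sample: authorised vuln scanner
    [string]$RulePrefix = 'LogRhythm-SmartResponse-Block',
    [switch]$Remove                                 # lift the block once the host is remediated
)

# 1. Validate the alarm field before it reaches any firewall command.
#    A malformed or free-text value must fail closed, not create a broken rule.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($SourceIp, [ref]$parsed)) {
    throw "Refusing to act: '$SourceIp' is not a valid IP address"
}
$SourceIp = $parsed.IPAddressToString
$ruleName = "$RulePrefix $SourceIp"

# 2. Removal path: used after the scanning host has been cleaned up.
if ($Remove) {
    if ($PSCmdlet.ShouldProcess($ruleName, 'Remove inbound block rule')) {
        Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
        Write-Output "Removed '$ruleName' (if it existed)"
    }
    return
}

# 3. Honour the exclusion list from the cloned AI Engine rule so an
#    authorised vulnerability scanner is never cut off from the Web server.
if ($KnownScanners -contains $SourceIp) {
    Write-Warning "$SourceIp is on the known-scanner exclusion list; no rule created"
    return
}

# 4. Idempotent create: the alarm may fire repeatedly for the same source,
#    so do not stack duplicate rules.
if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
    Write-Output "Rule '$ruleName' already exists"
}
elseif ($PSCmdlet.ShouldProcess($SourceIp, 'Create inbound block rule')) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Description "Created by SmartResponse from AI Engine port-scan alarm at $(Get-Date -Format o)" `
        -Direction Inbound -Action Block -Enabled True -Profile Any `
        -RemoteAddress $SourceIp | Out-Null
    Write-Output "Created '$ruleName'"
}

# 5. Verify on the host that the rule exists, is enabled and carries the
#    expected remote address (the check shown on the 'View the firewall rule' slide).
if (-not $WhatIfPreference) {
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if ($rule -and "$($rule.Enabled)" -eq 'True') {
        $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        Write-Output "Verified: inbound traffic from $addr is blocked on $env:COMPUTERNAME"
    }
    else {
        Write-Warning "Rule '$ruleName' is missing or disabled; investigate before trusting the block"
    }
}
```

Run it first with `-WhatIf` from an elevated prompt on the Web server to see what it would do without touching the firewall, then with the IP the alarm passes in. The end-to-end check from the last slides is done from the scanning desktop: `Test-NetConnection -ComputerName <web-server> -Port 80` should succeed before the rule exists and fail afterwards. The exclusion list and the idempotent create are the two details worth keeping if you adapt this to other alarms (such as the threat-list match on the "Expand this SmartResponse rule" slide): the first prevents the response from blocking your own scanners, the second keeps a noisy alarm from filling the firewall with duplicate rules.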