Detecting and Blocking Suspicious Internal Network Traffic

Post on 10-Feb-2017


By: Damon Gross

A customer needed to monitor for suspicious internal network traffic.

While they have a firewall between the Internet and their main Web server, they didn’t have one between the Web server and internal users.

Until they could remedy the situation, they utilized LogRhythm’s SmartResponse™ to block activity.

The SmartResponse Automation Framework is tightly integrated into the LogRhythm platform, providing seamless continuity across the end-to-end threat detection and response workflow.

Users set up SmartResponse actions to be triggered by specific alarms. These alarms can pass data to the SmartResponse action, enabling dynamic, precise execution.

Let’s take a look at the setup

On your desktop, set up Angry IP to do a port scan against a Web server, simulating internal network traffic.

Setup Angry IP

After we cloned and modified an existing AI Engine rule for port scans, the LogRhythm platform began picking up and alerting on the activity immediately.

We can add vulnerability scanners to a known exclusion list to reduce false positives on the alarm.

Clone and modify the built-in AI Engine Rule

The Web UI, starting with version 7.1.5, gives not only general alarm information but also specific information about the infected host.

The alarm details the risk level, threat level and additional information. In this example, we can see the Web server has access to internal DB servers.

Gain visibility to an alarm

We can also see the AI Engine rule block that was used to detect the activity.

Gain visibility to an alarm

The SmartResponse attached to this alarm will run on the Web server itself, eliminating the need to have unnecessary ports open to the Web server.

The SmartResponse will set up a Windows Firewall rule to block all incoming traffic from the IP detected by the AI Engine rule.

Attach a SmartResponse to the alarm

Once you’ve approved the SmartResponse action, you will see from the LogRhythm Web UI that the firewall rule created on the Web server is firing.

Approve the SmartResponse action

View the firewall rule created on the affected host

Finally, double-check that the rule that was created does indeed work.

You should be able to see that the attacking host is no longer able to communicate with the Web server.

Ensure the rule is firing
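The block-and-verify action described above, as an added example that is not LogRhythm's own SmartResponse code: it takes the IP the alarm passes in, skips hosts on a known-scanner exclusion list, creates the Windows Firewall rule and then confirms the rule is enabled with the expected address. The parameter name, rule naming and the exclusion-list entries are assumptions made for the example.

```powershell
# Added example (not LogRhythm's SmartResponse code): block an attacking IP
# with a Windows Firewall rule, honouring a known-scanner exclusion list.
# Assumptions: the alarm passes the offending IP as -AttackerIp; the
# exclusion list below is constructed for the example. Run elevated.
param(
    [Parameter(Mandatory = $true)]
    [string]$AttackerIp
)

# Constructed exclusion list: approved vulnerability scanners are never blocked.
$KnownScanners = @('10.0.5.20', '10.0.5.21')

# Refuse anything that is not a valid IPv4 address; the value came from an alarm field.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($AttackerIp, [ref]$parsed) -or
    $parsed.AddressFamily -ne 'InterNetwork') {
    throw "Not a valid IPv4 address: '$AttackerIp'"
}

if ($KnownScanners -contains $AttackerIp) {
    Write-Output "Skipping $AttackerIp: listed as an approved scanner"
    exit 0
}

$ruleName = "LogRhythm-SmartResponse-Block-$AttackerIp"

# Idempotent: if the alarm fires twice for the same host, do not create a duplicate rule.
if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
    Write-Output "Rule '$ruleName' already exists"
    exit 0
}

New-NetFirewallRule -DisplayName $ruleName `
    -Description "Blocked by SmartResponse after AI Engine port-scan alarm" `
    -Direction Inbound -Action Block -Enabled True -Profile Any `
    -RemoteAddress $AttackerIp | Out-Null

# Verify the rule exists, is enabled and actually carries the address we asked for.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
if ($rule.Enabled -eq 'True' -and $addr -eq $AttackerIp) {
    Write-Output "Rule '$ruleName' is active and blocks inbound traffic from $AttackerIp"
} else {
    throw "Rule verification failed for '$ruleName'"
}
```

To confirm the block end to end, run Test-NetConnection from the scanning host against the Web server's listening port; it should now fail.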

Utilizing SmartResponse, we were able to take action against suspicious internal traffic, while minimizing time to detect and respond to threats.

Expand this SmartResponse rule to block other suspicious activities such as communication with a threat list IP address.
