- Chris Abella
- December 8, 2014
Visibility gets you many things: high-performing applications, faster remediation and, perhaps most importantly, peace of mind. That's why we're super excited to show off our recently announced partnership with the FireEye Threat Analytics Platform (TAP). Taking advantage of the ExtraHop Open Data Stream, we combine industry-leading security expertise from FireEye with the ExtraHop platform's unprecedented wire data visibility.
In the video above, I walk through an example security event and show how the ExtraHop-FireEye integration enables you to track the attack from the initial compromise to the final data exfiltration:
- A malicious actor from a known bad domain/IP sends a phishing email message with a malicious attachment. This is a common method for gaining initial system access, alongside stolen credentials or internal bad actors.
- An unsuspecting user opens the attachment, and their host is compromised.
- The compromised host downloads a rootkit from the same bad domain over HTTP, which then replaces common utilities and disables all logging.
- The rooted host builds an outbound SSH connection to use as a reverse tunnel for command and control. Although firewalls block inbound SSH connections, outbound connections are often allowed.
- The malicious actor scans the network for potential database targets using, for example, an Nmap TCP-SYN scan, a type of stealth port scan that avoids the full TCP three-way handshake.
- Once an unsecured, internal database is found, the malicious actor tries common username/password combinations to identify possible points of access.
- With successful credentials, the malicious actor queries the database for sensitive data.
- After the sensitive data is found, the attacker uploads it to a hosted FTP server (hosted at the same origin IP) and then kills all connections.
- Use FireEye to identify and alert on malicious characteristics in HTTP request and response metrics from ExtraHop, such as md5 fingerprints, IP addresses, and domains.
- Investigate other events related to the source IP address, such as email messages with large attachments and outbound SSH connections.
- Investigate the contextual communications of the target host using ExtraHop, including a flood of ICMP traffic and a high number of TCP SYNs sent without corresponding connections established. Combined, these communications indicate an Nmap TCP-SYN scan.
- Verify suspicious SSH and HTTP activity in ExtraHop, and examine unusual database communications that show a spike in data requested as well as Access Denied errors with common database usernames. The ExtraHop platform can even expose the exact SQL query that resulted in the large database response.
- Switch over to FTP communications for the targeted host to see a large FTP upload to the attacking IP address. With the ability to see which database was accessed and which queries used, you can take appropriate steps to address the data leakage.
This is a companion discussion topic for the original entry at http://www.extrahop.com/post/blog/track-the-entire-threat-lifecycle-with-extrahop-fireeye-tap/