Network visibility is crucial to running a strong network security practice. Oftentimes when organizations first deploy Cisco Stealthwatch, it uncovers previously unknown risky or suspicious activity on the network. In some cases, it detects an outright breach.
With Halloween right around the corner, I wanted to share five cases where Stealthwatch uncovered risky or malicious activity in a customer environment. If you want to hear similar stories, please attend my webinar What you can’t see CAN hurt you – and other network horror stories on Thursday, Oct 18, at 1 p.m. ET/10 a.m. PT.
School system identifies rogue server attacking key application
A K–12 school system struggled for months to find the root cause of performance problems with its student information system, a service critical to its day-to-day educational needs. Within 7 days of implementing Stealthwatch, the system administrator identified a forgotten server that had been compromised and was launching denial-of-service (DoS) attacks against the student information system from inside the network. Because the server reached the Internet through an alternate, unsanctioned path and attacked only internal systems, its traffic never crossed the school's firewall or other perimeter security controls, so none of them ever saw it.
Banking and brokerage firm detects suspicious outbound traffic
A banking and brokerage company purchased Stealthwatch to detect distributed-denial-of-service (DDoS) attacks against its systems. While evaluating the Stealthwatch solution, system administrators also detected three hosts propagating malware and multiple hosts making insecure, cleartext Telnet connections. Of more concern, they also found significant outbound traffic to suspicious servers in China and Israel, countries where the company did no business.
Government agency finds compromised printer, hundreds of suspicious connections
A government agency discovered several hundred abnormal inbound connections to its network from more than 10 different countries. On further investigation, the agency traced them to a printer that had been installed to expedite a project and then left running. The printer was unpatched, still used its default credentials, and was reachable from the Internet. Attackers discovered the printer and used it as a foothold to gain access to the network and wreak havoc.
Healthcare company detects suspicious P2P traffic to foreign countries
Within 2 weeks of monitoring its network with Stealthwatch, a healthcare company identified malicious activity. Almost immediately, it identified peer-to-peer (P2P) file sharing leaving the network for servers based in China and Russia, where the company does no business. Additionally, the company discovered fake antivirus software, which had infected several hosts and was communicating with outside servers.
Bank discovers application tunneling and Dridex infections
A banking company suspected attackers might be using its network to compromise customer accounts. After implementing Stealthwatch, the company discovered application tunneling that was bypassing its firewall rules and connecting to servers in Ukraine, Lithuania, and other countries where it had no business. The bank also discovered multiple hosts infected with Dridex, a banking trojan spread through a botnet that steals online-banking credentials from customers of banks and other financial institutions.
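Every one of the five cases above is a pattern that falls out of flow records once you look at them: an internal host hammering another internal host, Internet-bound traffic leaving through a next hop other than the firewall, cleartext Telnet, outbound connections to countries where the organisation does no business, inbound connections to something that is not a published service, and one host fanning out to many external peers on ephemeral ports. The script below is an added example, not Cisco Stealthwatch code: it runs those checks over a constructed set of NetFlow-style records. The field names, the internal address ranges, the sanctioned next hop, the allowed-country list, the published-service list, the thresholds, and the GeoIP table are all assumptions chosen for illustration (the external addresses are TEST-NET ranges and their country codes are invented).

```python
"""Flow-record triage for the kinds of findings in the five cases above.

Added example, not Cisco Stealthwatch code. Input is a list of NetFlow v5-style
records already decoded into dicts, with timestamps normalised to seconds.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed site policy (illustrative values, not from the original post).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
SANCTIONED_NEXT_HOPS = {"10.0.0.1"}        # the firewall's inside interface
ALLOWED_COUNTRIES = {"US", "CA"}           # where the organisation does business
PUBLISHED_SERVICES = {("10.0.5.10", 443)}  # the only inbound service that should exist
DOS_PPS = 5_000                            # packets/second from one host to one internal target
P2P_MIN_PEERS = 4                          # distinct external peers on ephemeral ports

# Constructed GeoIP table: TEST-NET addresses, country codes invented for the example.
GEOIP = {"203.0.113.7": "CN", "203.0.113.9": "RU", "198.51.100.5": "IL",
         "192.0.2.20": "US", "192.0.2.21": "US", "192.0.2.22": "US",
         "192.0.2.23": "US", "192.0.2.24": "US", "192.0.2.25": "US"}


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def country(ip):
    # Unknown geolocation is reported as "??", which is deliberately not an allowed country.
    return GEOIP.get(ip, "??")


def triage(flows):
    """Return (category, host, detail) findings, one per flagged flow or host."""
    findings = []
    ext_peers = defaultdict(set)  # internal host -> external peers reached on high ports
    for f in flows:
        src_in, dst_in = is_internal(f["src"]), is_internal(f["dst"])
        duration = max(f["last"] - f["first"], 0.001)  # avoid divide-by-zero on tiny flows
        # School system: an internal host flooding another internal host.
        if src_in and dst_in and f["pkts"] / duration >= DOS_PPS:
            findings.append(("internal_dos", f["src"], f"{f['pkts'] / duration:.0f} pps to {f['dst']}"))
        # School system: Internet-bound traffic not leaving through the firewall.
        if src_in and not dst_in and f["next_hop"] not in SANCTIONED_NEXT_HOPS:
            findings.append(("unsanctioned_egress", f["src"], f"next hop {f['next_hop']}"))
        # Banking and brokerage firm: cleartext Telnet (TCP/23).
        if f["proto"] == 6 and f["dport"] == 23:
            findings.append(("telnet", f["src"], f"to {f['dst']}"))
        # Brokerage, healthcare and bank cases: outbound to a country with no business reason.
        if src_in and not dst_in and country(f["dst"]) not in ALLOWED_COUNTRIES:
            findings.append(("outbound_geo", f["src"], f"{f['dst']} ({country(f['dst'])})"))
        # Government agency: inbound from the Internet to something not on the published list.
        if not src_in and dst_in and (f["dst"], f["dport"]) not in PUBLISHED_SERVICES:
            findings.append(("unexpected_inbound", f["dst"],
                             f"port {f['dport']} from {f['src']} ({country(f['src'])})"))
        # Healthcare company: collect external peers on ephemeral ports for the P2P fan-out check.
        if src_in and not dst_in and f["dport"] >= 1024:
            ext_peers[f["src"]].add(f["dst"])
    for host, peers in ext_peers.items():
        if len(peers) >= P2P_MIN_PEERS:
            findings.append(("p2p_fanout", host, f"{len(peers)} external peers on ephemeral ports"))
    return findings


def flow(src, dst, dport, pkts, proto=6, next_hop="10.0.0.1", first=0, last=1):
    """Build one constructed flow record; defaults describe a normal 1-second TCP flow."""
    return dict(src=src, dst=dst, dport=dport, pkts=pkts, proto=proto,
                next_hop=next_hop, first=first, last=last)


# Constructed sample: one record per scenario plus two benign flows.
SAMPLE_FLOWS = [
    flow("10.0.9.200", "10.0.5.10", 443, pkts=800_000, first=0, last=10),  # forgotten server flooding the SIS
    flow("10.0.9.200", "192.0.2.20", 443, pkts=50, next_hop="10.0.9.1"),    # same server's back-door egress
    flow("10.0.3.15", "10.0.3.200", 23, pkts=120),                          # cleartext Telnet
    flow("10.0.7.40", "203.0.113.7", 443, pkts=900),                        # outbound to CN
    flow("10.0.7.41", "198.51.100.5", 8443, pkts=300),                      # outbound to IL
    flow("203.0.113.9", "10.0.6.50", 9100, pkts=40),                        # Internet -> printer port
    flow("192.0.2.20", "10.0.5.10", 443, pkts=30),                          # benign: published service
    flow("10.0.7.42", "192.0.2.20", 443, pkts=60),                          # benign: outbound HTTPS
] + [flow("10.0.8.77", f"192.0.2.{n}", 6881 + i, pkts=20)                   # P2P fan-out, 4 peers
     for i, n in enumerate((21, 22, 23, 24))]

if __name__ == "__main__":
    for category, host, detail in triage(SAMPLE_FLOWS):
        print(f"{category:20} {host:15} {detail}")
```

Each check is a first-pass filter, not a verdict: the Telnet and unexpected-inbound rules key on destination port, so a service moved to a non-standard port evades them, and the GeoIP and DoS thresholds are knobs to tune against your own baseline. Run it as-is to see one finding per scenario and nothing for the two benign flows.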
Hear more spooky network security stories
If you would like to hear more network security horror stories, or just want to learn more about Cisco Stealthwatch, please attend my webinar What you can’t see CAN hurt you – and other network horror stories on Thursday, Oct 18, at 1 p.m. ET/10 a.m. PT.