The Case for Monitoring Internal Network Activity

As a Security Engineer, you are always looking to get your hands on the best tools to defend your network. One security appliance I have become a big fan of is a product called Darktrace.

Darktrace markets themselves as the “Enterprise Immune System” which is some fancy marketing jargon promoting that the device is designed to identify the abnormal behavior in your network. Well, I can tell you from experience its pretty good at doing just that.

The device has raised alerts that allowed us to pinpoint penetration testers in the act, identify the source of network reconnaissance activity, (which in each case so far has been one of my engineers) and catch a particular user using an unencrypted word document to store their passwords. Tell me what other appliance can do something like that!

At a fundamental level, the way Darktrace works is based off of models. These models are a construction of conditional statements using various operators and variables related to network activity.

My friends always ask me, so what the hell is your job exactly?? Well, I am about to give you a better idea. Let me tell you about how the Darktrace appliance allowed me to record a person’s username and password to a core banking system.

While doing some model creation in the appliance, we discovered a preconfigured Telnet model was disabled. This model is simple. If the appliance detects even the smallest transfer of data over the Telnet protocol, breach the model. When a model is breached, an alert is raised for us to investigate.

This was alarming because we want to be aware of all Telnet connections in any network we manage. Reason being, Telnet is a clear text protocol. Meaning that if I can capture this network traffic, I can capture all data being transmitted in a readable format….including usernames and passwords. We immediately enabled it.

Within minutes, we received 43 alerts which prompted us to dig a little deeper.

We identified a large number of workstations connecting to one particular server. In this case, it was the core banking server, the server where all banking transactions occur. The server where mama hides all the cookies. The model was not aware of the criticality of this server but we were.

Again, given the fact that Telnet is a clear text protocol, we knew we had the potential to capture some valuable data.

The other nice thing about Darktrace is that it has a built in packet capture feature. Packet captures are what allow us to review the raw data being transmitted. When a model is breached it records the packets that were transmitted during that time. No need to setup my own Wireshark session.

We quickly downloaded the packets out of the appliance and threw them into WireShark to analyze. Within a few minutes we found what we were looking for…. A set of credentials to access the banking system.

Here is an example of how simple it is to sniff out credentials being utilized over Telnet. (This guy sounds like he was recording this video while in the bathtub but you get the idea).

These credentials in the hands of the wrong person could be a scary thing.

SIEMs have been all the talk the last couple years. I can tell you a SIEM wouldn’t have detected this. This wasn’t recorded in any kind of syslog. Darktrace is a supplement to SIEM. Darktrace excels at analyzing the metadata of network traffic. Who’s connecting to what? Where is the connection going? When is the connection occurring? How is the connection occurring?

With that being said, there are activities in your network that Darktrace is not capable of detecting such as Domain Admin creation. That’s where SIEM is the tool for the job.

Network Admins are always concerned about the connections coming in and out of their network. They think that everything behind the firewall is safe. In reality, the first thing any hacker tries to do is get themselves in the network via phishing emails or other methods and that's when they do their damage. Conducting network recon and seeing where credentials can be compromised such as the issue we discovered above.

Monitoring your internal network activity is just as important as monitoring the data going out of your network (Darktrace does that too).