Threat Detection and Response: How Flowmon Detected an Attack in Real Time

by Jirka Krejčíř Posted on January 27, 2025

According to a study by IBM, organizations, on average, take more than 190 days to identify a data breach and an additional 60 or more days to remediate the issue. The financial implications of such an event, including mitigation and remediation, run into millions and can pose a serious risk to business continuity.

However, organizations can effectively handle these scenarios with the help of robust security solutions and well-defined processes. As a result, an organization can minimize financial and reputational damage by reducing detection and response times.

This story highlights how Progress Flowmon, a high-performance network monitoring solution, was instrumental in detecting a breach experienced by one of our esteemed government customers, and demonstrates how the situation was effectively handled with the help of Flowmon.

Recently, one of our government customers experienced a breach.

A server in the DMZ running a specific proprietary application was compromised and the attacker gained control over the device. From this initial position, the attacker tried to pivot across the network, move laterally and compromise as many devices as possible, leaving a footprint in the network traffic.

Here is what happened minute by minute.

Time 0 – Address Resolution Protocol (ARP) Scanning

The attacker first enumerated the devices that were powered on and would respond to ARP requests in the same /24 subnet. Flowmon identified this activity as ARP scanning against 252 devices. Not a single device responded.

Time 0+3 minutes – Internet Control Message Protocol (ICMP) Scanning

The attacker then enumerated devices in the network using the ICMP protocol. More than 100k devices were contacted, creating considerable noise in the network. Flowmon detected this activity as both an ICMP ping flood and an ICMP scan, providing evidence of over four million ICMP requests hidden in the network traffic.

Time 0+31 minutes – Secure Shell (SSH) Attack

A password spraying attack was initiated against SSH services on multiple servers reachable from the initially compromised host. Flowmon detected an unsuccessful attack against the SSH service running on 21 distinct servers, providing evidence of almost 3,000 login attempts.

Time 0+45 minutes – AI-Powered Event Analysis

The Flowmon AI-powered event analysis engine connected the dots, since all the malicious activities originated from a single device. This raised the compromised device's threat score to 49 (of a maximum of 100), making it the number one concern in the network and flagging it as a priority for human intervention.
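The three detections above (a horizontal ARP sweep, an ICMP sweep and SSH password spraying) all share one shape: a single source talking to an unusual number of distinct destinations, or repeating many short sessions against one service. The following example, added here and not Flowmon's code or data, shows how such flow-level detections can be derived from NetFlow-style records and then correlated per source host into a single priority score. The `Flow` record layout, the sample traffic, the thresholds and the score weights are all constructed assumptions for illustration; the vendor's actual scoring model is not described on the page.

```python
"""Flow-based sweep / spray detection with per-host correlation.

Constructed example: record layout, sample flows, thresholds and
score weights are assumptions, not Flowmon's logic or real traffic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (assumed NetFlow-like fields)."""
    src: str
    dst: str
    proto: str      # "arp", "icmp" or "tcp"
    dst_port: int   # 0 for protocols without ports
    bytes: int      # bytes sent by src in this flow


# Constructed sample records: one noisy host (10.1.1.5) and one benign host.
SAMPLE_FLOWS = [
    # ARP sweep: probe every neighbour in the /24 except itself
    *[Flow("10.1.1.5", f"10.1.1.{i}", "arp", 0, 42)
      for i in range(1, 60) if i != 5],
    # ICMP sweep: one echo request per host across many subnets
    *[Flow("10.1.1.5", f"10.{i // 256}.{i % 256}.1", "icmp", 0, 128)
      for i in range(300)],
    # SSH spraying: many short sessions (small byte counts) to a few servers
    *[Flow("10.1.1.5", f"10.2.0.{s}", "tcp", 22, 1800)
      for s in range(10, 15) for _ in range(40)],
    # Benign traffic: one HTTPS session and one long-lived admin SSH session
    Flow("10.1.1.9", "10.2.0.10", "tcp", 443, 500_000),
    Flow("10.1.1.9", "10.2.0.11", "tcp", 22, 2_000_000),
]


def sweep_sources(flows, proto, min_targets):
    """Return {src: distinct destinations} for hosts probing >= min_targets
    distinct destinations with the given protocol (horizontal scan)."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == proto:
            targets[f.src].add(f.dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def ssh_spray_sources(flows, min_attempts, max_bytes_per_flow=5000):
    """Flag sources with many short SSH sessions. A failed login exchanges
    only a few KB before the server closes the connection, so repeated
    small flows to port 22 are a strong hint of password guessing."""
    attempts = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.proto == "tcp" and f.dst_port == 22 and f.bytes <= max_bytes_per_flow:
            attempts[f.src][f.dst] += 1
    result = {}
    for src, per_dst in attempts.items():
        total = sum(per_dst.values())
        if total >= min_attempts:
            result[src] = {"servers": len(per_dst), "attempts": total}
    return result


def threat_scores(flows):
    """Correlate findings per source host into a 0..100 score.
    Weights are assumptions; the point is that several independent
    low-severity signals from one host add up to one high-priority case."""
    scores = defaultdict(int)
    for src in sweep_sources(flows, "arp", min_targets=20):
        scores[src] += 15
    for src in sweep_sources(flows, "icmp", min_targets=100):
        scores[src] += 15
    for src, info in ssh_spray_sources(flows, min_attempts=50).items():
        scores[src] += 20 + min(info["servers"], 10)  # more targets, higher score
    return {src: min(100, s) for src, s in scores.items()}


def top_concern(flows):
    """Host with the highest correlated score, or None if nothing fired."""
    scores = threat_scores(flows)
    return max(scores, key=scores.get) if scores else None


if __name__ == "__main__":
    for host, score in sorted(threat_scores(SAMPLE_FLOWS).items(),
                              key=lambda kv: -kv[1]):
        print(f"{host}: threat score {score}")
```

Each detector alone would be a routine alert for a SOC; the correlation step is what turns them into a single, ranked case for the analyst, which is the behaviour the event analysis step above describes. Thresholds must be tuned to the environment (monitoring and backup hosts legitimately touch many destinations), and a long-lived SSH session with a large byte count, like the benign one in the sample, is deliberately excluded from the spraying heuristic.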

Time <1 hour – Event Remediation

The security operations center immediately disconnected the compromised device from the network and collected the evidence required to report the incident to the national cybersecurity authority. There was no further impact on the organization's environment because the attack was stopped at an early stage.

As described above, Flowmon detected the attack in real time and gave network administrators the insight needed to neutralize the threat. The Flowmon AI-powered engine accurately identified the compromised device within a complex network, allowing the organization to remediate immediately and save money and resources.

Contact us to see a guided demo of Flowmon detecting threats on time and minimizing their impact.


Jirka Krejčíř
Jirka Krejčíř, is the Principal Sales Engineer at Progress, specializing in infrastructure monitoring products.