Real-World Security Investigations
Investigation #1: Tracing the course of a server attack
A security tool on an enterprise network raised an alert about unusual activity on a server (in the screenshots that accompany this investigation, the server is identified by the address 10.4.3.248). When the IT team investigated, they discovered that the server had been compromised by a security attack. Unfortunately, the security tool provided no further information about the attack, such as who the culprit was and which other systems, if any, had also been compromised.
To answer these questions, the team turned to Omnipeek. Using the Compass dashboard, they were able to see that the compromised system had initiated a spike in Common Internet File System (CIFS) traffic shortly after the attack had begun. The Compass dashboard below shows an example of such a CIFS spike.
Because their LiveCapture had recorded all network traffic around the time of the spike, the team was able to examine network activity in detail to explore this burst of traffic and its consequences.
To learn more about the systems involved in the CIFS spike, the team opened a Peer Map, showing all IP communications during the period in question. The Peer Map confirmed that the compromised server had communicated with several other systems.
Next, the team filtered traffic to show communications only from the compromised server. This made it easy to identify the three other systems that the compromised server had communicated with after the attack.
The forensics system’s Nodes view provided another look at the communication among these systems during the critical time of the attack.
Now the IT team knew which servers to focus their attention on in their efforts to contain the attack and reverse its effects. In addition to quarantining and repairing 10.4.3.248, the IT team would also focus on 10.4.58.15, 64.12.165.91, and 205.188.9.185.
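The same three analysis steps the team performed in Omnipeek (spot the CIFS traffic spike, filter to the compromised server, list its peers during the spike) can be scripted against an exported flow summary. The following is an added example, not code from the Omnipeek User Guide or from LiveAction; the Flow record layout, the SAMPLE_FLOWS data and the 60-second bucket / 5x-median spike threshold are assumptions made for the illustration, and the addresses are the ones named in the investigation above.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Iterable, Optional

# NetBIOS session service and SMB-over-TCP: the server ports that carry CIFS traffic.
CIFS_PORTS = {139, 445}


@dataclass(frozen=True)
class Flow:
    """One summarised conversation: timestamp (s), endpoints, server port, byte count.
    Hypothetical record layout; a real export from a capture tool would differ."""
    ts: float
    src: str
    dst: str
    dport: int
    nbytes: int


# Constructed sample flow records (not real capture data). 10.4.3.248 is the
# compromised server from the investigation; the burst of port-445 traffic
# between t=60s and t=120s models the CIFS spike seen on the Compass dashboard.
SAMPLE_FLOWS = [
    Flow(0.0, "10.4.3.248", "10.4.58.15", 80, 1200),       # normal web traffic
    Flow(5.0, "10.4.3.248", "10.4.58.15", 445, 900),       # small baseline file-share access
    Flow(60.0, "10.4.3.248", "10.4.58.15", 445, 50000),    # spike begins
    Flow(61.0, "10.4.3.248", "64.12.165.91", 445, 40000),
    Flow(62.0, "10.4.3.248", "205.188.9.185", 445, 30000),
    Flow(63.0, "10.4.3.248", "10.4.58.15", 445, 45000),
    Flow(120.0, "10.4.7.1", "10.4.3.248", 445, 800),       # back to baseline
    Flow(125.0, "10.4.7.1", "10.4.58.15", 80, 600),        # unrelated host, not a peer
]


def cifs_bytes_per_window(flows: Iterable[Flow], window: float = 60.0) -> dict:
    """Sum CIFS bytes into fixed-size time buckets (bucket index = ts // window)."""
    buckets = defaultdict(int)
    for f in flows:
        if f.dport in CIFS_PORTS:
            buckets[int(f.ts // window)] += f.nbytes
    return dict(buckets)


def find_spike_windows(flows: Iterable[Flow], window: float = 60.0, factor: float = 5.0) -> list:
    """Bucket indices whose CIFS volume exceeds `factor` times the median bucket volume."""
    buckets = cifs_bytes_per_window(flows, window)
    if len(buckets) < 2:
        return []  # no baseline to compare against
    threshold = factor * median(buckets.values())
    return sorted(b for b, total in buckets.items() if total > threshold)


def flows_involving(flows: Iterable[Flow], host: str,
                    start: Optional[float] = None, end: Optional[float] = None) -> list:
    """Filter to conversations where `host` is either endpoint, optionally within [start, end)."""
    out = []
    for f in flows:
        if host not in (f.src, f.dst):
            continue
        if start is not None and f.ts < start:
            continue
        if end is not None and f.ts >= end:
            continue
        out.append(f)
    return out


def peers_of(flows: Iterable[Flow], host: str,
             start: Optional[float] = None, end: Optional[float] = None) -> set:
    """Other hosts that `host` talked to during the window: the containment candidates."""
    return {f.dst if f.src == host else f.src
            for f in flows_involving(flows, host, start, end)}


def investigate(flows: list, host: str, window: float = 60.0) -> dict:
    """Reproduce the walkthrough: find each CIFS spike window, then list the host's peers in it."""
    result = {}
    for b in find_spike_windows(flows, window):
        start, end = b * window, (b + 1) * window
        result[(start, end)] = peers_of(flows, host, start, end)
    return result


if __name__ == "__main__":
    for (start, end), peers in investigate(SAMPLE_FLOWS, "10.4.3.248").items():
        print(f"CIFS spike in [{start:.0f}s, {end:.0f}s): peers of 10.4.3.248 -> {sorted(peers)}")
```

Restricting the peer list to the spike window is what keeps the result actionable: 10.4.7.1 also talked to the compromised server, but only after the burst, so it stays out of the first round of containment while 10.4.58.15, 64.12.165.91 and 205.188.9.185 are flagged, matching the team's conclusion above.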