Blog Post

It’s 10 O’Clock. Do you know what your devices are up to?

Threat Hunting with Awake

Today’s enterprise network is much different than those of the last few decades. With the explosion of BYOD, IoT, and OT, the perimeter of your network is more liquid than you might want to believe. After all, endpoint solutions can help–but only when there’s an agent that you can put on a device, and it’s a device that you control (or know about, for that matter). What about everything else? Well, that’s where threat hunting becomes essential. But is that easier said than done?

A great example of this jumped out at me while working with a customer that is a large educational environment. In this network of over 30,000 devices, where does a security analyst start? It helped to have Awake’s behavioral analytics flag a potential compromise:

You don’t see this kind of threat that often given most networks are pretty good at blocking them at the perimeter. This makes it even more interesting because this instance can represent a nice little backdoor into the environment–a way for an attacker to bypass any perimeter security in place, a jump host into the environment, a collection point before exfiltrating data, etc.

At this point, as an analyst, you need to quickly determine what this device is and why it might be accessed from the Internet over RDP. Typically, that process involves threat hunting and consulting DHCP logs to determine which device had the particular IP address at a given point in time (reliable DHCP logs in any real environment, let alone a university, are about as likely as purple unicorns, but I digress). Forty-five minutes or so later, you try to find what the device is by maybe looking up a hand-me-down spreadsheet (ummm, I mean CMDB).

Instead, what I was able to do was click into the details of the device in question which instantly showed me that this is a Windows device that was almost exclusively communicating over TLS and had been active in the network for quite some time!

Looking at the traffic to the device, we see that two separate connections were made by the same IP address roughly a week ago, both having bidirectional communications on TCP/3389. Moreover, the second of these two connections looks a lot like an upload from the internal device!

Ok, so what next? The next thing I noticed was a username within the RDP traffic that contained the word “ecovox.” Moreover, Awake also told me what makes this device “eccentric” or “uniqueish” (it’s a technical term 🙂 ) on the network. I see there is a TLS certificate from SkyFoundry that has been used in communications to this device and this device only:

A little OSINT shows that this company and the ecovox name are heavily related. Better yet, it shows that the product is associated with an energy information system–something that directly interacts with OT devices in the enterprise:

As a result of our threat hunting efforts, we know the following at this point:

  • There is an energy information system operating on the internal network.
  • The system is also accessible from the Internet.
  • Somebody connected to the system from the Internet via RDP and achieved bidirectional communication.
  • That RDP connection had a pattern that could indicate an upload occurred.

What can we learn about the internal device and what it had been up to on the network around the same time? Awake’s expressive language allows us to automatically chain the next few investigative steps.

First, it is very chatty to the outside world:

However, internally, it has had only two communications during the period we’re analyzing: to a couple of internal systems seeming to act as proxies for its access to the Internet:

So why does this matter?

Communications leveraging infrastructure that is less likely to have security agents installed is an excellent way for adversaries to gain a foothold on a network, and to extend their reach farther than just the OT side of the network (network segmentation, they tell me, is overrated 😉 ).

Understanding what is in your environment and how it behaves would seem like not too much to ask for, especially since getting these insights rapidly allows the security team to assess risk and take action just as quickly. Unfortunately, if the threat hunting process takes too long (as it often does for most teams today), you have to just move on and hope skipping past won’t come back to haunt you!

David Pearson
David Pearson

Principal Threat Researcher