Internal network traffic in an organization can be as nefarious as an outside hacker trying to gain access to sensitive information. Every organization needs visibility into its network, both internal and external, in order to detect and respond to threats.
Recently, we worked with an organization that needed a way to detect and block suspicious internal network traffic, using SmartResponse from LogRhythm to block the shady activity.
View the presentation to see how SmartResponse was enabled to quickly detect suspicious internal network activity against a Web server.
2. A customer needed to monitor for suspicious internal network traffic.
3. While they have a firewall between the Internet and their main Web server, they didn't have one between the Web server and internal users.
4. Until they could remedy the situation, they utilized LogRhythm's SmartResponse™ to block activity.
5. The SmartResponse Automation Framework is tightly integrated into the LogRhythm platform, providing seamless continuity across the end-to-end threat detection and response workflow.
Users set up SmartResponse actions to be triggered by specific alarms. These alarms can pass data to the SmartResponse action, enabling dynamic, precise execution.
7. On your desktop, set up Angry IP to do a port scan against a Web server, simulating internal network traffic.
Set up Angry IP
8. By cloning and modifying an existing AI Engine rule for port scans, the LogRhythm platform began picking up and alerting on activity immediately.
We can add vulnerability scanners to a known exclusion list to reduce false positives on the alarm.
Clone and modify the built-in AI Engine Rule
9. The Web UI, starting with 7.1.5, gives not only general alarm information, but specific information about the infected host.
The alarm details the risk level, threat level and additional information. In this example, we can see the Web server has access to internal DB servers.
Gain visibility to an alarm
10. Additionally, we can also see the AI Engine rule block that was used to detect the activity.
Gain visibility to an alarm
11. The SmartResponse attached to this alarm will run on the Web server itself, eliminating the need to have unnecessary ports open to the Web server.
The SmartResponse will set up a Windows Firewall rule to block all incoming traffic from the IP detected by the AI Engine rule.
Attach a SmartResponse to the alarm
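The block-by-IP action described above, written out as an added example in the style of a SmartResponse plugin script; this is not LogRhythm's own plugin code, and the parameter name, rule naming scheme and the assumption that the alarm passes the scanning host's address as `$SourceIP` are ours. It runs elevated on the Web server, validates the alarm-supplied address before touching the firewall, creates the inbound block rule only once, and then checks that the rule is enabled and scoped to that address.

```powershell
# Added example: block inbound traffic from the host an AI Engine port-scan
# alarm identified. Not LogRhythm's plugin code; names are assumptions.
param(
    [Parameter(Mandatory = $true)]
    [string]$SourceIP,                                  # passed in from the alarm
    [string]$Reason = 'LogRhythm AIE port scan alarm'   # stored on the rule
)

# The address comes from alarm data, so never hand it to the firewall cmdlets
# unvalidated. TryParse alone accepts shorthand such as "10", hence the
# round-trip comparison against the canonical form.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($SourceIP, [ref]$parsed) -or
    $parsed.ToString() -ne $SourceIP) {
    throw "Refusing to act: '$SourceIP' is not a valid IP address"
}

$ruleName = "LogRhythm-SR-Block-$SourceIP"

# Idempotent: the alarm can fire again for the same host while the scan runs.
if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
    Write-Output "Rule '$ruleName' already exists; nothing to do."
}
else {
    # Block every inbound connection from the offending address on all profiles,
    # so the Web server enforces the block itself and no extra ports are needed.
    New-NetFirewallRule -DisplayName $ruleName `
        -Description $Reason `
        -Direction Inbound `
        -RemoteAddress $SourceIP `
        -Action Block `
        -Profile Any `
        -Enabled True | Out-Null
    Write-Output "Created inbound block rule '$ruleName' for $SourceIP"
}

# Double-check: the rule must exist, be enabled, and be scoped to this address.
$rule   = Get-NetFirewallRule -DisplayName $ruleName
$filter = $rule | Get-NetFirewallAddressFilter
if ($rule.Enabled -eq 'True' -and ($filter.RemoteAddress -contains $SourceIP)) {
    Write-Output "Verified: '$ruleName' is enabled and scoped to $SourceIP"
}
else {
    throw "Rule '$ruleName' exists but is not enabled or not scoped to $SourceIP"
}
```

After the action runs, a connection attempt from the blocked host to the Web server should fail, which is the end-to-end check the presentation calls for.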
12. Once you've approved the SmartResponse action, you will see from the LogRhythm Web UI that the firewall rule created on the Web server is firing.
Approve the SmartResponse action
14. Finally, double-check that the rule that was created does indeed work.
You should be able to see that the attacking host is no longer able to communicate with the Web server.
Ensure the rule is firing
15. Utilizing SmartResponse, we were able to take action against suspicious internal traffic, while minimizing time to detect and respond to threats.
16. Expand this SmartResponse rule to block other suspicious activities, such as communication with a threat list IP address.