Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: Attack Scenarrio SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Attack Scenarrio
What steps are needed to be taken if you find out that one of the systems in your organisation is communicating to the outside world. No ping response from the internal IP.
How can this be avoided in the future. Any kind of reply would surely be helpful.
Anonymous

If the device that is communicating outbound can't be pinged try and do a traceroute to identify where in your environment it may be. If it is a flat network or directly connected to where you are you can use nmap to scan the IP address (make sure you use the setting that says do not ping) and see what you get back from that.

You can also look at your firewall logs to see what it is actually trying to do. You can look at the firewall arp table and as a minimum it will tell you the router that is routing the traffic to you, but possibly the mac address of the device. You can use the mac address to try and identify what type of device or brand it is and if small enough go for a wander and see if you can identify the machine.

You can also look at windows logs to see if that IP was used to log into the environment. So plenty of avenues to try and identify the source.

M
Anonymous

-
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!