Scrutinizing an infected host

After a host is infected with a virus, the security team must identify which other hosts on the network may have communicated with the infected host.

Workflow

After the infected host is discovered or reported, the following steps can be used to identify the other hosts it has interacted with:

Note

This workflow relies on usernames acquired from a network device (router, firewall, etc.) or through enabled integrations (e.g., Active Directory LDAP). If usernames are not available, host IP addresses can be used as identifiers instead.

  1. Under Explore > Exporters > Entities > Usernames, search for the infected host/username and click on it. A new view will open.

  2. Review the Alarms/Events associated with the host, which may include the following violations:

    • P2P and Lateral Movement (the infected host may be attempting to extend its access further into the network)

    • TCP, UDP, XMAS Port Scan (the infected host may be probing the network for reconnaissance)

  3. Create/run a report with the username applied as a filter to identify all activity where the infected host was either the source or the destination of traffic. Ensure that the time range includes a period before the infection was reported or discovered.

    Hint

    When viewing information associated with a username, click the graph icon to run a report with the username applied as a filter. The filter will be retained even when pivoting to other report types.

  4. Review the output or pivot to different report types for insight related to who, what, when, where, why, and how the infected host communicated on the network:

    • Protocols the host was seen using

    • Countries the host communicated with

    • Firewall events (through vendor-specific report types, e.g., ACL rules, NAT translations, etc.)

    • Destination FQDN reports

    • Activity associated with the host before and after the infection (for additional insight into the techniques used in the initial attack)

  5. If the Host Indexing FA algorithm is enabled, navigate to Explore > Search to look up historical data associated with the IP address of the infected host. This information may provide additional insight based on typical communication patterns and reduce mean time to know (MTTK) during the investigation.

    Note

    If the Use Host Index option under Admin > Settings > Reporting is enabled, Group and All Device reports will use the host index to limit the scope of exporters checked when a host filter is applied.
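Steps 1 to 5 above all pivot flow records on the infected host's identifier (a username where one is available, otherwise the IP address). The script below is an added illustration of that same pivot over constructed NetFlow-like records; it is not Scrutinizer code and uses no Scrutinizer API or report type. The record layout, the sample addresses and usernames (10.1.1.20 / jsmith and its peers), the report time and the one-hour window on either side of it are all assumptions made up for the example. It implements step 3 (every flow where the host was source or destination, in a window that starts before the report), step 4 (per-peer protocols, ports, bytes, direction and timing; destination countries; activity before versus after the report) and the step 2 check for scan-like fan-out to many ports on one peer.

```python
"""Pivot flow records on an infected host: added illustration, not Scrutinizer code."""
from collections import Counter
from datetime import datetime, timedelta


def _flow(ts, src, dst, dport, proto, nbytes, src_user=None, dst_user=None, country="--"):
    """Build one NetFlow-like record (constructed sample layout, not a vendor export)."""
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "dport": dport,
            "proto": proto, "bytes": nbytes, "src_user": src_user, "dst_user": dst_user,
            "dst_country": country}


# Constructed sample flows (not real traffic). src_user/dst_user stand in for the
# usernames a router/firewall or AD/LDAP integration would attach; None means no
# mapping exists and the IP is the only identifier. "--" = internal/unknown country.
FLOWS = [
    _flow("2024-03-01T08:00:00", "10.1.1.20", "10.1.1.80", 80, "TCP", 100, "jsmith"),
    _flow("2024-03-01T09:30:00", "10.1.1.20", "203.0.113.7", 443, "TCP", 5000, "jsmith", country="XX"),
    _flow("2024-03-01T09:45:00", "10.1.1.20", "10.1.1.50", 445, "TCP", 12000, "jsmith", "fileserver"),
    _flow("2024-03-01T09:50:00", "10.1.1.50", "10.1.1.20", 445, "TCP", 800, "fileserver", "jsmith"),
    _flow("2024-03-01T10:05:00", "10.1.1.20", "10.1.1.70", 3389, "TCP", 40000, "jsmith"),
    _flow("2024-03-01T10:10:00", "10.1.1.99", "10.1.1.20", 53, "UDP", 200, dst_user="jsmith"),
    _flow("2024-03-01T10:20:00", "10.1.1.30", "10.1.1.40", 80, "TCP", 300),
] + [
    # ten tiny flows from the infected host to one peer on ten distinct ports
    _flow("2024-03-01T09:55:00", "10.1.1.20", "10.1.1.60", p, "TCP", 60, "jsmith")
    for p in (22, 23, 80, 135, 139, 443, 445, 3389, 8080, 8443)
]

# Assumed time at which the infection was reported (constructed).
REPORT_TIME = datetime.fromisoformat("2024-03-01T10:00:00")


def involves(flow, ident):
    """True when ident (an IP or a username) is the flow's source or destination."""
    return ident in (flow["src"], flow["dst"], flow["src_user"], flow["dst_user"])


def is_source(flow, ident):
    """True when ident is the flow's source (by IP or by username)."""
    return ident in (flow["src"], flow["src_user"])


def flows_for_host(flows, ident, report_time, before=timedelta(hours=1), after=timedelta(hours=1)):
    """Step 3: flows where the host was source or destination, in a window that
    opens before the report time so pre-infection activity is included."""
    start, end = report_time - before, report_time + after
    return [f for f in flows if involves(f, ident) and start <= f["ts"] <= end]


def peer_summary(flows, ident):
    """Step 4: per peer, protocols and ports seen, bytes, direction and first/last time."""
    peers = {}
    for f in flows:
        out = is_source(f, ident)
        peer = f["dst"] if out else f["src"]           # the other side of the conversation
        p = peers.setdefault(peer, {"protocols": set(), "ports": set(), "bytes": 0,
                                    "directions": set(), "first": f["ts"], "last": f["ts"]})
        p["protocols"].add(f["proto"])
        p["ports"].add(f["dport"])
        p["bytes"] += f["bytes"]
        p["directions"].add("out" if out else "in")
        p["first"], p["last"] = min(p["first"], f["ts"]), max(p["last"], f["ts"])
    return peers


def countries(flows, ident):
    """Step 4: destination countries of the host's outbound flows (internal/unknown skipped)."""
    return Counter(f["dst_country"] for f in flows
                   if is_source(f, ident) and f["dst_country"] != "--")


def scan_suspects(peers, min_ports=10):
    """Step 2 check: a peer touched on many distinct ports looks like a port-scan target."""
    return {peer: sorted(p["ports"]) for peer, p in peers.items() if len(p["ports"]) >= min_ports}


def split_by_report_time(flows, report_time):
    """Step 4: how much of the activity happened before versus after the report."""
    before = [f for f in flows if f["ts"] < report_time]
    after = [f for f in flows if f["ts"] >= report_time]
    return before, after


if __name__ == "__main__":
    hits = flows_for_host(FLOWS, "jsmith", REPORT_TIME)
    peers = peer_summary(hits, "jsmith")
    for peer, p in sorted(peers.items()):
        print(f"{peer:14} {','.join(sorted(p['protocols'])):4} ports={len(p['ports']):2} "
              f"bytes={p['bytes']:6} dir={'/'.join(sorted(p['directions']))} "
              f"{p['first']:%H:%M}-{p['last']:%H:%M}")
    print("countries:", dict(countries(hits, "jsmith")))
    print("scan-like fan-out:", scan_suspects(peers))
    b, a = split_by_report_time(hits, REPORT_TIME)
    print(f"{len(b)} flows before the report, {len(a)} after")
```

Running the script lists five peers for jsmith inside the window, flags 10.1.1.60 as a scan-like fan-out target (ten distinct ports), reports one external country, and shows that most of the activity happened before the infection was reported, which is why step 3 insists on a time range that reaches back before the report. The same pivot works with the IP address as the identifier when no username mapping exists.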