It’s Tuesday, 9 AM. After a good night of sleep I arrive at work and hold my badge in front of the reader. As the light blinks green, the door of the circle lock opens. I step in, the door closes behind me and after a second or two the other door opens as well.
I work in the Cyber Intelligence Center, the CIC as we call it. We monitor the networks of multiple companies for security purposes, using correlation engines, threat intelligence and analysis to get near real-time alerting. Since no network is perfectly secured, companies need to monitor their networks for suspicious behavior, even if they have many security measures in place. Segregating the network properly and using a big firewall is one thing, but what if a hacker physically sneaks in and plants a mini computer in the network? And isn’t it useful to see whether certain computers keep trying to get through the firewall?
Often this monitoring requires us to process sensitive data to know whether something interesting is going on. That is why our team works in a highly secured area of the office that only a few people are allowed to enter. Even within the secured area we cannot get into the offices of other teams, like incident response and the red team. We want to keep customers’ data as safe as possible.
After quickly scanning through my email, I have an appointment with one of our customers. The client is in the process of adopting our monitoring service, and now we are going to discuss what they want to monitor. Together with the client we define what their most critical assets are and how we can implement monitoring on them. This way we make sure the customer gets the most out of our product. We are going to write use cases and playbooks that specify what they want to know, how we are going to detect it and in what way they want to be notified. Based on the use cases we start creating rules that trigger an alarm when certain events happen.
At 13:37 I receive a call from our level 1 team, which works on a 24/7 schedule. Apparently one of the rules has just triggered an alarm. This specific rule is part of a use case that detects tunnels and covert channels. As a level 2 analyst I quickly start investigating the events. By doing some hunting I can see that a lot of weird DNS requests are being sent to one specific DNS server. Probably someone is using a DNS covert channel to smuggle data out of the network. I call the customer’s security officer and tell him what is going on. We work together to isolate the machine. Afterwards I provide him with the information he needs to investigate what this machine was trying to hide.
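As an added illustration (not part of the original post and not Deloitte’s own tooling), here is a simple version of the kind of hunting rule described above, in Python: it groups DNS query log lines per client and resolver and flags pairs whose queries look like encoded data rather than hostnames. The log format, addresses, names and thresholds are all assumed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of resolver query logs, one "<client> <resolver> <queried name>" per line.
# 10.0.0.7 sends many long, random-looking subdomains to a single server, as a DNS covert
# channel would; 10.0.0.5 shows ordinary lookups. All addresses and names are made up.
SAMPLE_LOG = """\
10.0.0.5 10.0.0.2 www.example.com
10.0.0.5 10.0.0.2 mail.example.com
10.0.0.5 10.0.0.2 www.example.com
10.0.0.7 203.0.113.9 0123456789abcdef0123456789abcdef.t.example.net
10.0.0.7 203.0.113.9 fedcba9876543210fedcba9876543210.t.example.net
10.0.0.7 203.0.113.9 02468ace13579bdf02468ace13579bdf.t.example.net
10.0.0.7 203.0.113.9 13579bdf02468ace13579bdf02468ace.t.example.net
10.0.0.7 203.0.113.9 0f1e2d3c4b5a69780f1e2d3c4b5a6978.t.example.net
"""

def shannon_entropy(label):
    """Bits per character of the label; encoded payloads score far above real hostnames."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def find_dns_covert_channels(log, min_queries=5, min_label_len=20,
                             min_entropy=3.0, min_unique=0.9):
    """Group queries per (client, resolver) pair and score the leftmost label of each
    name, which is where a tunnel carries its data. Returns {(client, resolver): stats}
    for every pair that exceeds all four thresholds (the thresholds are illustrative)."""
    groups = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3:
            client, resolver, qname = parts
            groups[(client, resolver)].append(qname.lower().rstrip("."))
    flagged = {}
    for key, names in groups.items():
        labels = [q.split(".")[0] for q in names]
        stats = {
            "queries": len(names),                                     # volume to one server
            "mean_label_len": sum(map(len, labels)) / len(labels),     # long labels carry data
            "mean_entropy": sum(map(shannon_entropy, labels)) / len(labels),
            "unique_ratio": len(set(names)) / len(names),              # tunnels rarely repeat a name
        }
        if (stats["queries"] >= min_queries and stats["mean_label_len"] >= min_label_len
                and stats["mean_entropy"] >= min_entropy and stats["unique_ratio"] >= min_unique):
            flagged[key] = stats
    return flagged
```

Running `find_dns_covert_channels(SAMPLE_LOG)` flags only the 10.0.0.7 to 203.0.113.9 pair; in practice the thresholds would be tuned per customer against a baseline of their normal DNS traffic.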
Later that day we receive an email stating that the machine was infected by malware that used the covert channel to communicate with a command and control center. Luckily we were able to detect this, so their IT department could remove the malware. After a short catch-up with the L2 and L3 analysts who are on call, I prepare to leave: satisfied because I was able to help this client prevent a bigger incident and keep their business running.
Xander Lammertink is a Consultant within Deloitte Risk Services, Technology Enabled Solutions (TES). In TES he works at the Cyber Intelligence Center, where customers’ networks are monitored for suspicious traffic. By collaborating with customers, the most important assets are identified and ways to monitor and alert on these are devised.