
Limit intruder dwell time with rapid context gathering


Description

In this use case, a hypothetical attacker exploits a machine in our local network, which triggers an alert from an external security service. The attacker then takes control of that machine and leaks information out of the network.

Our external service does not provide additional details about the threat. We will use this Flow to combine the external service data with the data Devo already holds (the interactions between attacker and victim) and check whether there is any data flow from the victim to the attacker. If the Flow observes such an interaction, it sends an email notifying you of the intrusion and includes the query you need to rapidly investigate and mitigate the threat.

In this example, we combine alert data from an external IDS service ingested into Devo with firewall data. The IDS alerts describe intrusions against our machine and include the attacker's source IPs and the victim's destination IPs. We compare this data with the connections recorded by our firewall to check whether the victim machine is sending data to the attacker's IP address, which would indicate a data leak.
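The correlation the Flow performs, written out as an added Python example (not part of the original page or of Devo's own Flow implementation): IDS alerts yield (victim, attacker) pairs, firewall records are scanned for connections in the victim-to-attacker direction, and a query is built for the notification email. The sample alerts, firewall records, table name and field names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample IDS alerts: src_ip is the attacker, dst_ip is our victim machine.
IDS_ALERTS = [
    {"src_ip": "203.0.113.10", "dst_ip": "10.0.0.5", "signature": "exploit attempt"},
    {"src_ip": "198.51.100.7", "dst_ip": "10.0.0.9", "signature": "exploit attempt"},
]

# Constructed sample firewall connection records: bytes sent from src_ip to dst_ip.
FIREWALL_EVENTS = [
    {"src_ip": "203.0.113.10", "dst_ip": "10.0.0.5", "bytes": 1200},      # attacker -> victim (exploit)
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "bytes": 48_000_000},  # victim -> attacker (leak)
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "bytes": 500},          # internal traffic, ignored
    {"src_ip": "10.0.0.9", "dst_ip": "192.0.2.44", "bytes": 900_000},     # other host, not the attacker
]


def correlate_exfiltration(ids_alerts, fw_events, min_bytes=0):
    """Return sorted (victim, attacker, outbound_bytes) for victim -> attacker traffic.

    min_bytes lets you ignore tiny responses (e.g. a TCP reset) if you only
    want to be alerted on a meaningful volume of outbound data.
    """
    # The alert's destination is our victim; its source is the attacker.
    suspect_pairs = {(a["dst_ip"], a["src_ip"]) for a in ids_alerts}
    outbound = defaultdict(int)
    for ev in fw_events:
        key = (ev["src_ip"], ev["dst_ip"])  # matches only when the victim is the sender
        if key in suspect_pairs:
            outbound[key] += ev["bytes"]
    return sorted((v, a, b) for (v, a), b in outbound.items() if b >= min_bytes)


def investigation_query(victim, attacker):
    """Build the LINQ-style query sent in the email (table and field names are assumed)."""
    return (f'from firewall.all.traffic where srcIp = "{victim}" and dstIp = "{attacker}" '
            "select srcIp, dstIp, bytes")


if __name__ == "__main__":
    for victim, attacker, total in correlate_exfiltration(IDS_ALERTS, FIREWALL_EVENTS):
        print(f"LEAK {victim} -> {attacker}: {total} bytes")
        print(investigation_query(victim, attacker))
```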

Flow configuration

The configuration of this use case is divided into 3 different parts:

Result

Once you have defined the whole Flow and saved it, click the Start button to activate it. If everything is correctly configured, the Flow will send an email to the given addresses every time an inactivity period is detected.

Import this Flow

Download this Flow in JSON format and import it into your domain by clicking the Import option at the top of the Flow canvas. If the JSON object opens automatically in a new browser window, copy all of its content, paste it into a text editor and save it in .txt or .json format.