Skip to main content

New External Client IP Address Connection To Vulnerable Application

This alert occurs when Lacework detects an external client with a previously unknown IP address connected to a vulnerable application within an organization's network.

This alert can indicate a potential security threat as the new external client IP address may be associated with malicious activity or unauthorized access.

Why this alert is important

Detecting and investigating this alert is important to ensure the security of your organization's network and prevent any potential data breaches or security incidents.

Investigation

Follow these steps to investigate the alert:

  1. Check the logs or security tools to determine the IP address of the external client that established the new connection. Look for any signs of malicious or suspicious behavior, such as multiple failed login attempts or unusual access patterns.
  2. Review the vulnerability or weakness that the external client is attempting to exploit. This could include a known software vulnerability or misconfiguration in the application, web server, or network.
  3. Evaluate the incident's potential impact on the organization's systems, data, and operations. Consider the level of access the external client may have gained and what actions they may have taken.
  4. Collect as much information as possible about the external client, such as the country of origin, time and date of the connection, and any other relevant metadata. This information can help identify activity patterns and assist with future threat hunting.

Resolution

Follow these steps to resolve the alert:

  1. Immediately block the IP address and prevent any further unauthorized access. Assess the vulnerability and implement any necessary patches, updates, or security controls to prevent similar attacks from occurring in the future.
  2. Verify that the connection was unauthorized and that the client is not a legitimate user. If the connection was malicious, conduct further analysis to determine the scope and impact of the attack and take appropriate response measures, such as containment, eradication, and recovery.
  3. If a legitimate user initiated the connection, investigate why it was not authorized and take steps to ensure that it does not happen again.
  4. Consider implementing security controls such as intrusion prevention and detection systems, access controls, and vulnerability management to prevent similar incidents.