New External Host
This alert fires when Lacework observes a connection between a monitored host and an external host (an IP address outside the monitored environment) that has not previously been seen talking to that environment. The connection may have been initiated from either side.
Alerts of this kind are the usual output of intrusion detection and prevention systems, firewalls, and other controls that monitor network traffic and allow or block it according to predefined rules and policies. The difference here is that nothing had to match a signature: the host is flagged simply because it is new, so the work of deciding whether it is legitimate falls to the investigation.
Why this alert is important
A connection involving an external host that is not authorized to access the network or system can be the first visible sign of an attempt to gain unauthorized access, exfiltrate data, or launch an attack. Not every new host is hostile, though: new SaaS endpoints, CDN nodes, updated vendor addresses, and new customers all show up as "new" as well, which is why the alert calls for investigation rather than automatic blocking.
Investigation
Investigating this alert involves:
- Analyzing the network traffic to determine the nature and purpose of the connection.
- Identifying the source of the connection.
- Assessing whether the connection is legitimate or suspicious.
Here are some recommended steps:
- Collect the facts of the incident: the timestamp, the external host's IP address, the internal IP address and hostname involved, the direction of the connection (inbound or outbound), the port number and protocol, the volume of data transferred in each direction, and any other relevant details. Consult other stakeholders, such as network administrators or security analysts, to gather additional context (for example, whether a new vendor or service was onboarded around that time).
- Review the network logs to identify any other related incidents or patterns of activity. Look for anomalies or suspicious activity, such as connections from known malicious IPs, unusual ports or protocols, or unexpected traffic patterns.
- If your policy and the law permit it, use a port scanner against the external host's IP address to identify open ports or services that may be related to the connection; this can help determine the purpose of the connection. Bear in mind that actively scanning a third party's system can violate acceptable-use policies or local law, and that it tips off an attacker that you have noticed them. Passive sources such as threat intelligence and historical scan data are usually preferable for a first look.
- Analyze packet captures of the network traffic to identify any unusual or suspicious traffic, such as data exfiltration, command-and-control traffic, or exploit attempts.
- Use reverse DNS, WHOIS, IP geolocation, and threat intelligence lookups to determine who owns the source address and whether it is associated with known threats or infrastructure (hosting providers, VPN exits, cloud ranges). Treat geolocation as weak evidence on its own; attackers rent infrastructure anywhere, and legitimate services are distributed globally.
- Based on the information gathered, assess the risk associated with the connection. Consider the direction of the connection (an outbound connection from a server that should never reach the internet is more alarming than an unsolicited inbound probe the firewall dropped), the sensitivity of the data the internal host holds, the potential impact of a compromise, and the likelihood that this is an attack rather than a new legitimate service.
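The following script is an added example, not Lacework code, that walks through the investigation steps above over a handful of constructed flow records. The record format ("ts,src,dst,dport,proto,bytes_out,bytes_in"), the threat-intel list, the expected egress ports, the exfiltration threshold, and the 10.0.1.0/24 internal network are all assumptions made for the example. It collects the facts for the external host named in the alert, applies a few checks (blocklist match, unexpected ports, inbound connections initiated by the external host, outbound volume, regularly spaced connections that look like beaconing), and returns a verdict with the reasons behind it. It also catches the case where the "external" address is actually in an internal range, which points to a misclassified asset rather than an intruder.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample flow records (generic "ts,src,dst,dport,proto,bytes_out,bytes_in"
# shape, not Lacework's export format). 203.0.113.7, 198.51.100.9 and 192.0.2.44 play
# the role of external hosts named in alerts; 10.0.1.0/24 is our internal network.
SAMPLE_FLOWS = """\
2024-03-01T10:00:01Z,10.0.1.15,203.0.113.7,4444,tcp,520,1800
2024-03-01T10:05:02Z,10.0.1.15,203.0.113.7,4444,tcp,530,120
2024-03-01T10:10:01Z,10.0.1.15,203.0.113.7,4444,tcp,25000000,90
2024-03-01T10:11:40Z,10.0.1.20,198.51.100.9,443,tcp,3200,41000
2024-03-01T10:12:00Z,198.51.100.9,10.0.1.20,22,tcp,0,0
2024-03-01T10:15:00Z,10.0.1.20,192.0.2.44,443,tcp,900,15000
"""

# Constructed reference data. In a real investigation these come from your
# threat-intel feeds, egress policy and asset inventory.
KNOWN_BAD_IPS = {"203.0.113.7"}
EXPECTED_EGRESS_PORTS = {53, 80, 443}
EXFIL_BYTES_THRESHOLD = 10 * 1024 * 1024      # 10 MiB sent to one new host
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def parse_flows(text):
    """Parse the CSV-style flow lines into dicts with typed fields."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto, bytes_out, bytes_in = line.split(",")
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "dport": int(dport), "proto": proto,
            "bytes_out": int(bytes_out), "bytes_in": int(bytes_in),
        })
    return rows


def looks_like_beacon(timestamps, tolerance=0.1):
    """True if three or more connections are spaced at near-constant intervals."""
    if len(timestamps) < 3:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and (max(gaps) - min(gaps)) <= tolerance * mean


def triage(rows, external_ip):
    """Collect the facts from the investigation steps and return a verdict."""
    ext = ipaddress.ip_address(external_ip)
    related = [r for r in rows if external_ip in (r["src"], r["dst"])]
    outbound = [r for r in related if r["dst"] == external_ip]   # we initiated
    inbound = [r for r in related if r["src"] == external_ip]    # they initiated
    reasons = []

    # An "external" host inside our own ranges is a misclassification
    # (NAT, VPN, mislabelled asset) and needs a different playbook.
    if any(ext in net for net in INTERNAL_NETS):
        reasons.append("address falls in an internal range; verify the alert's classification")
    if external_ip in KNOWN_BAD_IPS:
        reasons.append("address matches a threat-intel blocklist")

    unusual_ports = sorted({r["dport"] for r in outbound} - EXPECTED_EGRESS_PORTS)
    if unusual_ports:
        reasons.append(f"outbound traffic to unexpected port(s) {unusual_ports}")
    if inbound:
        reasons.append(f"external host initiated {len(inbound)} inbound connection(s) "
                       f"to port(s) {sorted({r['dport'] for r in inbound})}")

    bytes_out = sum(r["bytes_out"] for r in outbound)
    if bytes_out >= EXFIL_BYTES_THRESHOLD:
        reasons.append(f"{bytes_out} bytes sent outbound, possible exfiltration")
    if looks_like_beacon([r["ts"] for r in outbound]):
        reasons.append("outbound connections at regular intervals, possible C2 beaconing")

    return {
        "external_ip": external_ip,
        "internal_hosts": sorted({r["src"] for r in outbound} | {r["dst"] for r in inbound}),
        "flows": len(related),
        "ports": dict(Counter((r["proto"], r["dport"]) for r in related)),
        "bytes_out": bytes_out,
        "reasons": reasons,
        "verdict": "suspicious" if reasons else "likely benign",
    }


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for ip in ("203.0.113.7", "198.51.100.9", "192.0.2.44"):
        result = triage(flows, ip)
        print(f"{ip}: {result['verdict']}")
        for reason in result["reasons"]:
            print("  -", reason)
```

On the constructed data, 203.0.113.7 is flagged on four counts (blocklist, port 4444, 25 MB outbound, five-minute beaconing), 198.51.100.9 only because it initiated an inbound SSH connection, and 192.0.2.44 comes out as likely benign. The thresholds are deliberately simple; the point is that each reason in the output maps to one of the investigation steps, so an analyst can see why the verdict was reached.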
Resolution
Follow these steps to resolve the alert:
- Use a firewall or network security device to block connections from known malicious IP addresses, identified through threat intelligence feeds, reputation services, or the findings of your investigation. Vet entries before they reach the firewall: feeds occasionally contain private ranges, your own or your vendors' addresses, or overly broad prefixes, and blocking those causes an outage rather than stopping an attacker.
- Implement access controls to restrict access to sensitive data and systems. Use strong passwords, multi-factor authentication, and other authentication mechanisms so that only authorized users can reach critical resources.
- Segment your network into smaller, more secure zones to limit the spread of malware or other threats. Use firewalls or network security devices to enforce traffic filtering and access controls between different zones.
- Deploy IDS/IPS to detect and block malicious network traffic. These systems analyze network traffic in real time and alert security teams to suspicious activity.
- Conduct regular vulnerability assessments to identify and remediate security vulnerabilities in your systems and applications. This can help prevent attacks that exploit known vulnerabilities.
- Implement endpoint security solutions, such as antivirus and anti-malware software, to detect and prevent threats on individual devices.
- Provide regular security awareness training to employees to educate them on identifying and reporting suspicious activity.
- Monitor network activity and logs to detect and respond to potential security incidents. Use security information and event management (SIEM) solutions to collect and analyze different device and system logs.
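As an added example for the first resolution step (blocking known malicious addresses), the script below, which is not Lacework's or any vendor's code, vets a constructed threat-feed excerpt before turning it into firewall rules. It rejects malformed entries, prefixes broader than a configurable minimum, anything overlapping private, loopback, link-local or multicast space, and anything overlapping the organization's own prefixes, then collapses the survivors into a minimal set of networks and renders nftables commands. The feed contents, the OWN_PREFIXES value (198.51.100.0/24), and the nftables table and chain names ("inet filter", "input") are assumptions made for the example.

```python
import ipaddress

# Constructed threat-feed excerpt: one entry per line, "#" comments allowed.
# It deliberately includes the kinds of entries a feed should never make you block.
SAMPLE_FEED = """\
# example feed, constructed for this page
203.0.113.7
203.0.113.0/28        # overlaps the /32 above; the two are collapsed
10.0.0.5              # RFC1918: noise at best, a poisoning attempt at worst
198.51.100.9          # inside our own public range (see OWN_PREFIXES)
0.0.0.0/0             # would block everything
not-an-ip             # malformed
203.0.113.7           # duplicate
2001:db8::bad         # IPv6 entries are handled too
"""

# Ranges that must never end up in an ingress blocklist, plus the
# organisation's own prefixes (constructed; replace with your real ones).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8")]
OWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
MIN_PREFIXLEN = {4: 8, 6: 32}   # anything broader is rejected as too coarse


def parse_feed(text):
    """Yield (raw_entry, network_or_None, error_or_None) for each feed line."""
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            yield entry, ipaddress.ip_network(entry, strict=False), None
        except ValueError as exc:
            yield entry, None, f"malformed: {exc}"


def vet(net):
    """Return a rejection reason, or None if the network is safe to block."""
    if net.prefixlen < MIN_PREFIXLEN[net.version]:
        return f"prefix /{net.prefixlen} too broad"
    for protected in NEVER_BLOCK + OWN_PREFIXES:
        # overlaps() is true whether the feed entry is inside the protected
        # range or swallows it, so both directions are caught.
        if protected.version == net.version and net.overlaps(protected):
            return f"overlaps protected range {protected}"
    return None


def build_blocklist(text):
    """Validate a feed and return (collapsed networks, [(entry, reason), ...])."""
    accepted, rejected = [], []
    for entry, net, err in parse_feed(text):
        reason = err or vet(net)
        if reason:
            rejected.append((entry, reason))
        else:
            accepted.append(net)
    # collapse_addresses needs a single address family per call.
    v4 = list(ipaddress.collapse_addresses([n for n in accepted if n.version == 4]))
    v6 = list(ipaddress.collapse_addresses([n for n in accepted if n.version == 6]))
    return v4 + v6, rejected


def nft_commands(networks, table="inet filter", chain="input"):
    """Render nftables commands that drop ingress from the vetted networks.
    The table and chain are assumed to exist already; names are assumptions."""
    cmds = []
    for version, type_name in ((4, "ipv4_addr"), (6, "ipv6_addr")):
        members = [str(n) for n in networks if n.version == version]
        if not members:
            continue
        set_name = f"blocklist_v{version}"
        cmds.append(f"nft add set {table} {set_name} '{{ type {type_name}; flags interval; }}'")
        cmds.append(f"nft add element {table} {set_name} '{{ {', '.join(members)} }}'")
        proto = "ip" if version == 4 else "ip6"
        cmds.append(f"nft add rule {table} {chain} {proto} saddr @{set_name} drop")
    return cmds


if __name__ == "__main__":
    blocked, rejected = build_blocklist(SAMPLE_FEED)
    for entry, reason in rejected:
        print(f"rejected {entry}: {reason}")
    for cmd in nft_commands(blocked):
        print(cmd)
```

Rejected entries are reported rather than silently dropped: a feed entry that lands inside your own prefix is worth a human look, because it may mean one of your hosts is already on someone's blocklist. Using a named set with the interval flag keeps the ruleset to one rule per address family regardless of how long the list grows, and lets you refresh the set without touching the rules.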