Skip to main content

New Vulnerable Internal Connection

This alert occurs when Lacework detects a new connection has been established between two internal hosts or systems that may be vulnerable to security threats or attacks.

Why this alert is important

This alert indicates an attempt by an attacker to move laterally within your network, compromising other systems and data. Identifying and addressing vulnerable processes and applications within your network can help reduce the risk of a security incident and protect your sensitive information.

Investigation

Investigating this alert involves several steps, including:

  1. Identify the source and destination hosts.
  2. Identify the protocol and port number used for the connection. This information can help you determine the type of traffic involved in the connection and the vulnerability's potential impact.
  3. Identify the specific process or application that initiated the connection and the one that received the connection. This can help you identify which systems may be vulnerable to specific types of attacks.
  4. Check for known vulnerabilities. This can be done by reviewing vulnerability databases, such as the National Vulnerability Database (NVD) or vendor-specific advisories.
  5. Analyze the network traffic involved in the connection, including any packet captures or logs, to determine if any suspicious or malicious activity occurred. This can help you identify if any data was transferred or malicious commands were executed.
  6. Review the logs of the systems involved in the connection to determine if any suspicious activity occurred, such as changes to system files, processes, or configurations.
  7. Conduct further investigations such as system scans, reviewing user activity logs, or interviewing personnel involved in the systems or applications.

Resolution

Resolving this alert depends on the incident's details and the potential security risks. You can leverage the following general steps to resolve the incident:

  1. Implement appropriate security measures to reduce the risk of exploitation, such as patching vulnerabilities, implementing network segmentation, restricting access, and using security monitoring tools.
  2. Monitor the network for any unusual activity associated with the connection, such as unusual traffic patterns, file transfers, or other suspicious activity.
  3. Conduct regular security assessments to identify and address any vulnerabilities in the network and systems. This can help prevent future incidents and improve overall security posture.