In this blog, we will show you two ways in which Aura can be used to quickly and easily identify new server assets on your network. Being able to detect new servers and understand what assets are on your network is critical to ensuring you maintain the highest levels of security.
New Breaches Might Mean New Assets…
One of the key characteristics of recent security breaches, such as SolarWinds, is that attackers create new virtual servers on your network. Doing this essentially facilitates a command and control infrastructure that mimics the existing servers on your network. While not highly advanced, this is a clever tactic to avoid detection. These virtual servers are typically created in regions similar to where you have existing infrastructure, so that when IP addresses are geographically mapped they appear to be in the same places you operate, in the hope of evading the common bad-actor detections most companies have employed for years. Additionally, the virtual servers are created with hostnames similar to those of existing servers on your network, so that they blend into the environment and avoid suspicion, especially at companies with no asset awareness.
Identifying New Assets by Detection Date
One of the ways we can identify new servers in Aura is by the date that Aura discovered them. We call this the ‘detection’ date. Aura keeps track of the first and last detection dates for all discovered assets and updates this last detection date on an ongoing basis, keeping a full history of asset detections.
Pulling up the First and Last Detected report in Aura, we can quickly identify any hosts, IPs, User IDs, or MAC addresses that were first or last detected within a specified timeframe. To find new servers from the past week, we simply choose to search by hosts first detected within the past week, and filter by server.
The screenshot above shows the several servers that were found. Within this list we can quickly identify one server that appears to be a virtual server hosted in AWS. The server has a hostname that looks familiar next to our other server hosts, but does not quite follow our naming conventions, which raises some suspicion. We can investigate this asset further by clicking on the server to perform a Network Asset Investigation.
The screenshot above from the Network Asset Investigation view provides more details about the server in question. We can immediately see from the (customizable) Health Check that this new server is active on the network and has been vulnerability scanned. However, the asset is not known to be managed and there is no endpoint security agent deployed. This immediately raises more red flags as we might typically expect all of our servers to be managed in some capacity and that all managed assets have an endpoint security agent deployed. Looking to the Asset Record, we can see that Aura has discovered this asset from analyzing the Qualys vulnerability data and internally applied logic to complete the asset record. From the Data Sources panel, we can see that while Aura will discover assets from all your systems, it looks like just Qualys has been leveraged so far for discovery. The asset appears to be located in the same or similar AWS data centre as our other AWS servers. The IP Detection Profile and User ID Detection Profile panels give us an idea of detection activity over time and we can see that three User IDs appear to be associated with this asset. We could of course investigate further and look into these users in more detail but we will save that for another blog post!
Identifying New Assets by Non-Compliance
Another way that Aura can identify new assets is through non-compliance with any of the security controls we have in place in our company. Built into Aura is a comprehensive metrics framework that allows for risk and compliance reporting on many different controls. Out of the box, Aura comes with several common reports, but we can also easily customize them and add our own.
For example, in our Aura instance we are able to report on which discovered assets are not in our company CMDB. This would potentially be unusual, as we use the CMDB for ensuring that all of our assets are effectively managed. Pulling up the CMDB Server Compliance report we can quickly identify these servers.
The screenshot above shows that of all servers discovered on the network in the past 15 days (i.e. active servers), 3 are not in our company CMDB. At the bottom of the report we see a detailed Defects listing, showing the three non-compliant servers along with some pertinent information about each one. We can see that the same new server we discovered in the first example is also in this list.
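The two reports described above (hosts first detected within a window, and active servers missing from the CMDB) both reduce to simple set logic over the per-asset detection record. The following is an added example written for this post, not Aura's code or any of its APIs: it runs the same two checks, plus the Health Check style red flags from the Network Asset Investigation view, over a constructed inventory. Hostnames, IPs, dates, the reference date `TODAY`, the data-source names and the hostname naming rule `HOSTNAME_CONVENTION` are all assumptions made up for the example.

```python
"""Constructed asset-intelligence example (not Aura's code): find servers by
first-detection window, report active servers missing from the CMDB, and
list the red flags a Health Check would raise for a single asset."""
import re
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    asset_type: str          # "server" or "workstation"
    first_detected: date     # first date any data source reported the asset
    last_detected: date      # most recent date any data source saw it
    sources: frozenset       # discovery data sources that reported it
    managed: bool            # known to a management system
    endpoint_agent: bool     # endpoint security agent deployed


TODAY = date(2021, 3, 15)  # constructed reference date for the windows below

# Constructed inventory: every value below is made up for the example.
ASSETS = [
    Asset("app-srv-01", "10.1.0.11", "server", date(2020, 6, 1), date(2021, 3, 14),
          frozenset({"qualys", "ad"}), True, True),
    Asset("app-srv-02", "10.1.0.12", "server", date(2020, 6, 1), date(2021, 3, 15),
          frozenset({"qualys", "ad"}), True, True),
    Asset("db-srv-01", "10.1.0.21", "server", date(2021, 3, 12), date(2021, 3, 15),
          frozenset({"qualys", "ad"}), True, True),
    # New AWS-hosted host with a near-miss hostname, seen only by the scanner.
    Asset("app-srv-3", "172.31.4.7", "server", date(2021, 3, 10), date(2021, 3, 15),
          frozenset({"qualys"}), False, False),
    Asset("legacy-srv-09", "10.1.0.99", "server", date(2019, 1, 1), date(2021, 3, 5),
          frozenset({"qualys"}), True, False),
    Asset("tmp-srv-77", "10.1.0.77", "server", date(2021, 3, 1), date(2021, 3, 14),
          frozenset({"qualys"}), False, True),
    Asset("bld-srv-04", "10.1.0.44", "server", date(2020, 9, 1), date(2021, 1, 20),
          frozenset({"qualys", "ad"}), True, True),   # not active in last 15 days
    Asset("ws-alice", "10.2.0.5", "workstation", date(2021, 3, 13), date(2021, 3, 15),
          frozenset({"ad"}), True, True),
]

# Constructed CMDB contents (set of hostnames the CMDB knows about).
CMDB = {"app-srv-01", "app-srv-02", "db-srv-01", "bld-srv-04"}

# Constructed naming rule: <role>-srv-<two digits>. "app-srv-3" fails it.
HOSTNAME_CONVENTION = re.compile(r"^[a-z]+-srv-\d{2}$")


def by_hostname(assets, hostname):
    """Look up one asset record by hostname."""
    return next(a for a in assets if a.hostname == hostname)


def first_detected_within(assets, days, today=TODAY, asset_type="server"):
    """First and Last Detected report: hosts of the given type whose first
    detection date falls inside the last `days` days."""
    cutoff = today - timedelta(days=days)
    return [a for a in assets
            if a.asset_type == asset_type and a.first_detected >= cutoff]


def active_within(assets, days, today=TODAY, asset_type="server"):
    """Hosts of the given type seen at least once in the last `days` days."""
    cutoff = today - timedelta(days=days)
    return [a for a in assets
            if a.asset_type == asset_type and a.last_detected >= cutoff]


def cmdb_compliance(assets, cmdb, days=15, today=TODAY):
    """CMDB Server Compliance report: active servers that the CMDB lacks."""
    active = active_within(assets, days, today)
    defects = sorted(a.hostname for a in active if a.hostname not in cmdb)
    return {"active": len(active), "compliant": len(active) - len(defects),
            "defects": defects}


def red_flags(asset, scanner_sources=frozenset({"qualys"})):
    """Health Check style findings for one asset, in a fixed order."""
    flags = []
    if not HOSTNAME_CONVENTION.match(asset.hostname):
        flags.append("hostname does not follow convention")
    if not asset.sources & scanner_sources:
        flags.append("not vulnerability scanned")
    if not asset.managed:
        flags.append("not managed")
    if not asset.endpoint_agent:
        flags.append("no endpoint security agent")
    return flags


def new_and_noncompliant(assets, cmdb, new_days=7, active_days=15, today=TODAY):
    """Servers that are both newly detected and missing from the CMDB: the
    overlap between the two reports that this post calls out."""
    new = {a.hostname for a in first_detected_within(assets, new_days, today)}
    return sorted(new & set(cmdb_compliance(assets, cmdb, active_days, today)["defects"]))


if __name__ == "__main__":
    print("new servers:", [a.hostname for a in first_detected_within(ASSETS, 7)])
    print("cmdb report:", cmdb_compliance(ASSETS, CMDB))
    print("flags:", red_flags(by_hostname(ASSETS, "app-srv-3")))
    print("overlap:", new_and_noncompliant(ASSETS, CMDB))
```

The first-detected and last-detected dates are the only fields the two reports need; the red-flag list is what turns a bare "new host" into an investigation priority, and intersecting the two reports surfaces the one host that is both new and unaccounted for. A real-time alert would fire the same `red_flags` check the moment a record's `first_detected` is set.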
In this post we identified the importance of understanding exactly what assets you have on your network. In particular, new assets being added to the network is a characteristic of recent security breaches. We highlighted two different ways that Aura can instantly identify new servers on our network. Aura can do this because it is continually discovering new assets in real time and updating the assets it has already found over time. While the two methods illustrated above use reports, a real-time alert could also be enabled in Aura for more proactive detection.
Contact us today for more information or a demo, and see how Aura Asset Intelligence can provide immediate benefit to your organization.