False Positive or the Real Deal?

Written by AJ Wiggan on 27/07/2018

An ominous flashing red light on a blacked-out computer screen means the promise of a threat. It was 21:26 on a Sunday night and an Intrusion Prevention System (IPS) alert shot across one of our screens. A security analyst usually has just minutes to respond, carry out an investigation on behalf of the organisation under threat and make a critical decision.

Alone, a single security event like this means little, especially if there’s no-one to take the lead and start effective log analysis and correlation. Was this a real attack, or simply yet another one of those bothersome false positives?

A threat hunting story

This IPS alert reported a potential code injection attack against a network device known to be vulnerable to compromise. In fact, just weeks ago the manufacturer of said device declared that patches for this vulnerability are not yet ready for release. The source IP which carried the malicious code originated from an unusual part of the world. Sudden traffic from a country an organisation has never done business in or with before is often a warning sign. However, IP reputation and background checks showed no history of malicious activity.

Further investigations into the network traffic revealed a very small amount of TCP connection attempts (fourteen packets) had come from the source IP, three packets of which were allowed by the firewall over public port 443. So, with a clean record and a negligible amount of traffic observed, at this stage of the investigation there wasn’t anything to suggest this event should be marked as anything more than a false positive.

Geographical anomalies

Forty-five minutes later, another IPS alert was triggered and the same vulnerability signature was seen. This new alert originated from a different source IP located in another completely random location. Like the first source IP, it too had not been recorded for previous malicious conduct.

So, where would the investigation take us next?

Just like an artist, every attacker tends to have his/her own signature pattern. A quirk or a recognisable flourish if you will. It could be that a specific script is used or a specific combination of exploits. In this case, it was the exact same fourteen TCP packets of which three were allowed by the firewall over port 443, the rest being denied.

Curious and curiouser. Throughout the night, over twenty more source IPs tried (and failed) to exploit the same vulnerability. Analysis and correlation revealed this is the work of a malicious attacker making use of IP spoofing and Metasploit

Remediation options

In this case, we knew two things: the exploitable vulnerability did not yet have a manufacture’s patch, and the attacker was using IP spoofing techniques and a malicious script.

In our scenario, there are three solutions:

The first (and highly reactive method) involves immediate blacklisting of any IPs associated with the attacker. This may not be ideal, as there could be a huge number of IPs involved.

The second, more proactive approach, would be to insist all operating systems, applications and anti-malware solutions were up-to-date where possible in order to limit the threat vector.

The third and final solution involves on-going monitoring of all network traffic. The most effective mitigation tactics require on-going threat-hunting, where analysts proactively look for indications of compromise and for any lateral movement across the network.

How would you respond?

Most organisations cannot afford to implement all three options... but imagine if they could! How many threats would be spotted before they did any real damage?

This story shows that relying solely on a signature-based alerting system can leave your organisation exposed to anything from an advanced persistent threat to a zero-day attack. Investing in active threat hunting and log correlation provides the means to spot a complex attack such as this one or even one carried out by an insider threat.


An IPS alert or a single security event tells an IT team very little. A Security Operations Centre consisting of expert analysts with vision across the entire network can see correlations in data, no matter how trivial the initial alert may appear.

In this story, the initial IPS alert meant little, but for the fact that in all the subsequent alerts had the exact same fourteen TCP packets, with the same ones being let through by the firewall on the same port. Although each of these random events appeared unique due to IP spoofing, log correlation and packet analysis determined that they were in fact identical, and therefore, must have originated from the same attacker. Ultimately, the first alert and every alert thereafter were anything but false positives.

When security analysts make that all-important connection between what may at first glance be an innocent false positive, they can save your network from taking a hit that would make the NHS’s Wannacrypt 2.0 assault look like a bad hair day.

So, what can we say? Other than customer protected and disaster avoided. Just another day at the office for the Bulletproof SOC.

  • Bulletproof are CREST approved

    CREST approved

  • Bulletproof are ISO 27001 and 9001 certified

    ISO 27001 and 9001 certified

  • Bulletproof are Tigerscheme qualified testers

    Tigerscheme qualified testers

  • Bulletproof are a PCI DSS v3.2 Level 1 service provider

    PCI DSS v3.2 Level 1
    service provider

  • Bulletproof have 24/7 on-site Security Operations Centre

    24/7 on-site Security
    Operations Centre

Get a quote today

If you’re interested in our services, get a free, no obligation quote today by filling out the form below.

By submitting this form, I agree to the Bulletproof privacy policy.