
Uncovered with Stamus Security Platform: Shadow IT

In this series of articles, we explore a set of use cases that we have encountered in real-world customer deployments of our network detection and response solution, Stamus Security Platform (SSP). In each case we work to explain what we found, how we found it, and why it matters.


We recently made an interesting discovery while helping a customer understand the advanced hunting capabilities of Stamus Security Platform. The customer is a very large financial institution with vast datacenter and remote workforce setups along with multiple customer-facing web and mobile applications. They manage a broad security infrastructure, deploying numerous security solutions from the industry’s top security vendors.

Their Stamus Networks deployment consists of a mixture of physical and virtual probes together with the hunting features of Stamus Security Platform.

In their environment, many of the clients have short IP lease times, with most devices changing their IP address every 30 minutes. This makes it nearly impossible to lean heavily on IP addresses for threat detection, so we needed a different approach.

We typically identify problems or threats within a few hours of deployment, and this case was no different, although the dynamic IP environment made the effort a little more difficult.

What We Found and How We Found It

In its guided threat hunting interface, Stamus Security Platform provides a one-click view of common and anomalous policy-related activity. For example, one pre-defined filter set can quickly identify new HTTP or HTTPS proxies seen on the network. As such, it was very easy to zoom in and identify communication through a network proxy application deployed on remote VPN clients from the marketing department and uncover a full application-level communications flow.

In this particular case, one thing that jumped out at us was an encrypted proxy network service appearing in a part of the network where it was not expected. Finding this was made more difficult by the large amount of remote VPN work, which means less on-premises network visibility and significantly more network chatter.

There are a number of items that made this worth investigating. First, this proxy service had not been noticed before, perhaps because it was not operating full time; second, there did not appear to be a regular time when it was operational; third, it appeared to be associated with a number of different IPs (as they changed often); and finally, it only seemed to be active on an as-needed basis and appeared to be arbitrarily selecting IPs.

Using the advanced enrichment and tracking capabilities in Stamus Security Platform, we were able to associate the service with a particular set of clients based on:

  • Analysis of the encrypted network communication to the service being used (which showed no regular timing pattern)
  • Organizational context (remote VPN clients, a sub-department of the “marketing” group)
  • Tracking of the users/groups logged in and using it

Had we focused our hunt only on IP addresses, this effort would have failed because, as mentioned earlier, the IPs were changing frequently.
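The attribution step described above, following the user rather than the address, is illustrated by this added example (not the platform's own code): it joins constructed 30-minute VPN address assignments to constructed proxy-flagged flow records by address and time window, so one address resolves to different users over the day, and it flags proxy use from groups not expected to operate one.

```python
"""Attribute proxy-service flows to users/groups when IPs change every 30 minutes."""
from collections import Counter
from datetime import datetime, timedelta

LEASE = timedelta(minutes=30)  # lease time stated in the article; assumed fixed here

# Constructed VPN/DHCP assignment log: who was handed which address, and when.
ASSIGNMENTS = [
    {"ts": "2023-05-01T09:00:00", "ip": "10.8.0.10", "user": "alice", "group": "marketing/web"},
    {"ts": "2023-05-01T09:30:00", "ip": "10.8.0.10", "user": "bob", "group": "finance"},
    {"ts": "2023-05-01T09:30:00", "ip": "10.8.0.22", "user": "carol", "group": "infra/proxy-admins"},
    {"ts": "2023-05-01T10:00:00", "ip": "10.8.0.10", "user": "alice", "group": "marketing/web"},
]

# Constructed NDR flow records; the "proxy" flag stands in for a proxy-service detection.
FLOWS = [
    {"ts": "2023-05-01T09:05:00", "src_ip": "10.8.0.10", "proxy": True},
    {"ts": "2023-05-01T09:40:00", "src_ip": "10.8.0.10", "proxy": False},
    {"ts": "2023-05-01T09:45:00", "src_ip": "10.8.0.22", "proxy": True},
    {"ts": "2023-05-01T10:20:00", "src_ip": "10.8.0.10", "proxy": True},
    {"ts": "2023-05-01T10:35:00", "src_ip": "10.8.0.10", "proxy": True},  # no live lease: unattributable
]

def owner_at(ip, ts, assignments):
    """Return (user, group) holding `ip` at `ts`, or None if no live lease covers that moment."""
    t = datetime.fromisoformat(ts)
    best = None
    for a in assignments:
        start = datetime.fromisoformat(a["ts"])
        if a["ip"] == ip and start <= t < start + LEASE:
            # Prefer the most recent assignment if windows overlap.
            if best is None or start > datetime.fromisoformat(best["ts"]):
                best = a
    return (best["user"], best["group"]) if best else None

def proxy_activity_by_user(flows, assignments):
    """Count proxy-flagged flows per (user, group); flows with no owner land under ('unknown', 'unknown')."""
    counts = Counter()
    for f in flows:
        if f["proxy"]:
            counts[owner_at(f["src_ip"], f["ts"], assignments) or ("unknown", "unknown")] += 1
    return counts

def unexpected_proxy_users(counts, allowed_groups):
    """Users (and 'unknown' for unattributable flows) running a proxy outside the groups expected to."""
    return sorted(user for (user, group) in counts if group not in allowed_groups)
```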

But due to the automation and guidance from Stamus Security Platform, the initial discovery was quite easy.

This discovery triggered an internal investigation that resulted in a simple explanation: a group of engineers had grown frustrated with the complex process of requesting and deploying new services, and they had installed their own “Shadow IT”. Specifically, they temporarily spun up an encrypted proxy service that bypassed the established organizational infrastructure and hence allowed them to download and install any software they wished.

It is interesting to point out that the AV/endpoint protection client was running on the client PC; however, its policy was quite permissive.

Why this Matters

What we detected was a very stealthy policy violation that increased the risk and exposure to the organization from unauthorized software installations. While no harm was intended by the group installing the back door, this could just as easily have been exploited by bad actors and used to install malware.

Unfortunately, none of the other systems that were in place were able to unearth this threat.

More Info

Hopefully this gives you a taste of how the Stamus Security Platform can help security teams know more, respond sooner, and mitigate the risk to their organizations. If you’d like to learn more about optimizing your network detection and response and how it might help your organization, or to schedule a live demonstration, please click on the link below to contact us.

Request a Demo

Peter Manev

Peter Manev is the co-founder and chief strategy officer (CSO) at Stamus Networks. He is a member of the executive team at the Open Information Security Foundation (OISF). Peter has over 15 years of experience in the IT industry, including enterprise-level IT security practice. He is a passionate user, developer, and explorer of innovative open-source security software, and he is responsible for training as well as quality assurance and testing on the development team of Suricata, the open-source threat detection engine. Peter is a regular speaker and educator on open-source security, threat hunting, and network security at conferences and live-fire cyber exercises such as Crossed Swords, DeepSec, Troopers, DefCon, RSA, Suricon, SharkFest, and others. Peter resides in Gothenburg, Sweden.
