Uncovered with Stamus Security Platform: Shadow IT

In this series of articles, we explore a set of use cases that we have encountered in real-world customer deployments of our network detection and response solution, Stamus Security Platform (SSP). In each case we work to explain what we found, how we found it, and why it matters.


We recently made an interesting discovery while helping a customer understand the advanced hunting capabilities of Stamus Security Platform. The customer is a very large financial institution with vast datacenter and remote workforce setups along with multiple customer-facing web and mobile applications. They manage a broad security infrastructure, deploying numerous security solutions from the industry’s top security vendors.

Their network security solution from Stamus Networks is deployed with a mixture of physical and virtual probes along with the hunting and Stamus Security Platform features.

In their environment, many of the clients have short IP leasing times, with most devices changing their IP address every 30 minutes. This makes it nearly impossible to lean heavily on IP addresses for threat detection. So, we were going to need to use a different approach.

We typically identify problems or threats within a few hours of deployment, and this case was no different. Although this dynamic IP environment made the effort a little more difficult.

What We Found and How We Found It

In its guided threat hunting interface, Stamus Security Platform provides a one-click view of common and anomalous policy-related activity. For example, one pre-defined filter set can quickly identify new HTTP or HTTPS proxies seen on the network. As such, it was very easy to zoom in and identify communication through a network proxy application deployed on remote VPN clients from the marketing department and uncover a full application-level communications flow.

In this particular case, one thing that jumped out at us was an encrypted proxy network service appearing in a part of the network where it was not expected. Finding this was made more difficult by the presence of significant remote VPN work. That is because there is less on-premise network visibility and significantly more network chatter.

There are a number of items that made this worth investigating. First, this proxy service had not been noticed before, perhaps because it was not operating full time; second, there did not appear to be a regular time when it was operational; third, it appeared to be associated with a number of different IPs (as they changed often); and finally, it only seemed to be active on an as-needed basis and appeared to be arbitrarily selecting IPs.

Using the advanced enrichment and tracking capabilities in Stamus Security Platform, we were able to associate the service with a particular set of clients based on:

  • Analysis of encrypted network communication on the service being used (without any regular timing occurrence)
  • Organizational context (remote VPN clients, sub department of “marketing” group)
  • Track the users/groups logged in (using it)

If we only focused our hunt on IP addresses, this effort would have failed. This is because, as we mentioned earlier, the IPs were changing frequently.

But due to the automation and guidance from Stamus Security Platform, the initial discovery was quite easy.

This discovery triggered an internal investigation that resulted in a simple explanation - a group of engineers had grown frustrated with the complex process of requesting and deploying new services, and they had installed their own “ShadowIT”. Specifically, they temporarily spun up an encrypted proxy service which bypassed the established organizational infrastructure and hence allowed them to download and install any software they wished.

It is interesting to point out that the AV/endpoint protection client was running on the client PC , however the policy was quite allowing.

Why this Matters

What we detected was a very stealthy policy violation that increased the risk and exposure to the organization from unauthorized software installations. While no harm was intended by the group installing the back door, this could just as easily have been exploited by bad actors and used to install malware.

Unfortunately, none of the other systems that were in place were able to unearth this threat.

More Info

Hopefully this gives you a taste of how the Stamus Security Platform can help security teams know more, respond sooner, and mitigate the risk to their organizations. If you’d like to learn more about how it might help your organization or schedule a live demonstration, please click on the link below to contact us.  

Request a Demo

Schedule a Demo of Stamus Security Platform


Related posts

Hunting for Punycode Domain Phishing

Punycode domains have traditionally been used by malware actors in phishing campaigns. These...

Hunting for Suspicious DNS Requests with Long Domain Extensions

When you see a domain request from a user/client to a non-local or otherwise unfamiliar or...

Detecting Attacks Against OpenSSL Vulnerabilities

This blog describes the steps Stamus Networks customers may take to determine if any of your...