‘Change Detected’ can save you from intrusion attempt – User Story

December 21, 2017

Here is how one of our customers, a university data center manager, successfully discovered an intrusion attempt in the data center.

The story began when the data center manager noticed a change to one of the most critical and sensitive servers in the organization – the Active Directory server. A ‘change detected’ notification was sent, and the Active Directory service was displayed with a ‘Change detected’ status in the illuminIT dashboard.

The manager proceeded to investigate the nature of the change. It was a client from a remote campus attempting to connect to the Active Directory server using remote desktop. The manager then noticed that the frequency of the remote desktop access was reported as ‘every minute’ – meaning that remote access had been attempted every single minute over the last few hours. This was getting more and more suspicious. He waited a little while, just to be on the safe side, and checked again – and yes, it was still there: the same access frequency of once a minute, with a last access time of “just now”. The intrusion attempt was clearly ongoing.

In the illuminIT display, it was clear which computer was attempting access. This was an internal university computer, belonging to one of the remote campuses. So the data center manager contacted the owner of this computer to investigate what was going on. Well, to cut a long story short – the attempts stopped right away. Of course, the manager also updated the firewall rules immediately to prevent future intrusion attempts against the Active Directory server from this campus.

Conclusions? Well, using illuminIT it was easy to notice the intrusion attempt in the first place, and then to investigate the details of the access – its source, its frequency and its behavior pattern over time – to decide whether this was legitimate remote access or an intrusion attempt.
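The pattern the manager spotted, a single client hitting the Active Directory server over remote desktop once every minute for hours, can also be checked mechanically against a connection log. The following Python is an added example, not part of the original post or of illuminIT itself; the log format, the host names (campus-pc-17, ad-srv-01, admin-ws-02), the sample lines and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per inbound connection to the AD server.
# Format: "<ISO timestamp> <source host> -> <destination host>:<port>"
# campus-pc-17 connects on TCP/3389 every minute for two hours; admin-ws-02
# connects twice, as a human administrator would.
SAMPLE_LOG = "\n".join(
    [f"2017-12-20T{h:02d}:{m:02d}:03 campus-pc-17 -> ad-srv-01:3389"
     for h in (8, 9) for m in range(60)]
    + [
        "2017-12-20T08:14:10 admin-ws-02 -> ad-srv-01:3389",
        "2017-12-20T09:41:55 admin-ws-02 -> ad-srv-01:3389",
    ]
)

def parse_log(text, port="3389"):
    """Group connection timestamps by source host for the given destination port."""
    per_source = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst = line.split()
        _host, dst_port = dst.rsplit(":", 1)
        if dst_port == port:
            per_source[src].append(datetime.fromisoformat(ts))
    return per_source

def periodic_sources(per_source, min_events=30, period=timedelta(minutes=1),
                     jitter=timedelta(seconds=5), min_regular=0.9):
    """Flag sources whose inter-arrival gaps cluster tightly around `period`.

    A human opening a remote desktop session produces a handful of irregular
    connections; a script retrying every minute produces dozens of near-identical
    gaps. Returns {source: summary} for sources that look scripted.
    """
    flagged = {}
    for src, times in per_source.items():
        times = sorted(times)
        if len(times) < min_events:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        regular = sum(1 for g in gaps if abs(g - period) <= jitter)
        if regular / len(gaps) >= min_regular:
            flagged[src] = {
                "events": len(times),
                "span": times[-1] - times[0],   # how long the pattern has persisted
                "last_seen": times[-1],          # the 'just now' check from the story
                "regular_fraction": regular / len(gaps),
            }
    return flagged
```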

This is just one example of how illuminIT change detection and investigation capabilities enable quick detection of, and prompt action on, suspicious activity in the data center.

