Just got an interesting report in from another client helped by HoneyPoint Agent. This time, the client detected a probe against a SQLServer port that seemed to be coming from several hosts on their internal network.
The probe was aimed at identifying SQLServer installations, and while the story seems familiar, the probe itself was different. In this case, the client had network-based intrusion detection tools and other elements of signature-based visibility. However, the probe they were seeing was a new type of probe and signatures had not yet been created. Thus, the signature-based tools were basically blind to detecting the scans of this malware, even while it was beginning to spread across their environment.
HoneyPoint Agent on the other hand, simply detected the illicit traffic. Since deployed HoneyPoints are not real services, any contact with them should be considered suspicious at best or malicious at worst. In this case, the traffic was indeed malicious. HoneyPoint tipped them off to the source IP’s of the scanning and even gave them the data they needed to build network signatures for their network-based detection tools. Several hours later, they had significant intelligence into the scope, capability, source and methods of what they were facing. HoneyPoint had not only served as an early warning system, but had also given them the knowledge to grow their visibility to the overall impact of the security incident.
I love it when customers tell us about how HoneyPoint helped them in a time of need. I truly appreciate it when they catch malware early on and get to take quick, decisive defensive action. We might not win all of the battles in the infosec war, but when we do win a few and something we made helps turn the tide, it makes the MSI team very happy indeed!