Battle of the Week - Malicious IP Addresses
The Battleground:
A federal government contractor working in the defense sector.
The Presumption:
If an external malicious IP is trying to establish a connection to an internal host, the firewall is responsible for stopping the connection.
The Discovery:
One of the members of the NSOC was doing some threat hunting and found a known, reported malicious external IP connecting to an internal host.
After conducting a more thorough search, the NSOC found that 158 different IPs had tried to log into an FTP server as admin over a span of a couple of hours.
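As an added example (not InfusionPoints' code), the hunt below runs over constructed vsftpd-style log lines and flags the pattern described above: many distinct source IPs failing to log in as admin within a short span, which a per-source lockout threshold would never trip. The log format, account name, window and threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in vsftpd's log format (not real customer data).
SAMPLE_LOG = """\
Tue Mar  5 09:12:01 2024 [pid 2101] [admin] FAIL LOGIN: Client "203.0.113.10"
Tue Mar  5 09:12:07 2024 [pid 2102] [admin] FAIL LOGIN: Client "203.0.113.11"
Tue Mar  5 09:15:40 2024 [pid 2107] [alice] OK LOGIN: Client "198.51.100.5"
Tue Mar  5 10:02:13 2024 [pid 2150] [admin] FAIL LOGIN: Client "203.0.113.12"
Tue Mar  5 11:40:00 2024 [pid 2300] [admin] FAIL LOGIN: Client "203.0.113.13"
Tue Mar  5 13:58:59 2024 [pid 2410] [admin] FAIL LOGIN: Client "203.0.113.10"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse(log_text):
    """Turn log lines into (timestamp, user, result, source_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not login records
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        events.append((ts, m.group("user"), m.group("result"), m.group("ip")))
    return events


def distributed_admin_attempts(events, account="admin",
                               window=timedelta(hours=2), min_sources=3):
    """Return the sorted source IPs of the largest set of distinct hosts that
    failed to log in as `account` inside any `window`-long span, or [] if no
    span reaches `min_sources`. Keyed on the account, not the source IP, so
    low-and-slow attempts from many hosts are still visible."""
    fails = sorted((ts, ip) for ts, user, res, ip in events
                   if user == account and res == "FAIL")
    worst = set()
    for i, (start, _) in enumerate(fails):
        seen = {ip for ts, ip in fails[i:] if ts - start <= window}
        if len(seen) >= min_sources and len(seen) > len(worst):
            worst = seen
    return sorted(worst)


if __name__ == "__main__":
    print(distributed_admin_attempts(parse(SAMPLE_LOG)))
```

The returned list is the set of addresses to hand to the firewall block list; in the incident above the same hunt would have surfaced all 158 sources.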
Our Solution:
Since InfusionPoints is contracted to manage the customer's FTP server and firewall, a member of the NSOC was able to log into the FTP server and disable the admin account, then log into the firewall and block the addresses.
Lessons Learned:
Disable external admin access to prevent potential breaches, and enable geo-filtering.