
Five Stories from the Guardians of the Network

Jeff Moncrief

The moment when customers first turn the lights on in the network can come with some major revelations. After only a few days of operation, Cisco Stealthwatch’s comprehensive network visibility can uncover threats, policy violations, and areas of risk that would have otherwise gone undetected.

The Cisco Stealthwatch team is passionate about helping organizations gain a better understanding of their environment. Here are a handful of instances where team members were able to uncover threat activity in customer networks after only a few weeks of running Stealthwatch.

There’s a storm brewing in the cloud

Do you use cloud servers? Many organizations are turning to the cloud to help streamline operations and become mobile. But cloud servers introduce a new attack vector into the network, and it is important to make sure these servers are properly maintained and secured.

One media company lost track of a cloud-based server that was accessible from the Internet and went unpatched for months. Flow-based monitoring from Stealthwatch identified the server and showed that it had been compromised.

An attacker had used a remote desktop application to gain access to the server. From there, the attacker was able to move laterally to the company’s data center and siphon sensitive information. Without Stealthwatch, the media company may have never identified the breach.

Rogue servers attack from within

Modern networks are large and complex, and keeping track of every machine can be a challenge. When a server falls off the map, attackers can be quick to compromise it to gain a foothold and move laterally throughout the network. This scenario caused a major headache for one K-12 school system.

The school system struggled for months to identify the root cause of performance impacts to its student information system, a service critical to its day-to-day educational needs. When the system went down, schools in the district were unable to complete a variety of activities, including recording grades, but the IT team was at a loss as to the cause.

Within 7 days of implementing Stealthwatch, the system administrator identified a forgotten server that had an alternative path to the Internet, which meant it wasn’t adequately protected by the system’s perimeter defenses. The server had been compromised, and an attacker was using it to launch denial-of-service attacks against the student information system from within the network.

Come for the DDoS attacks; stay for the malware and data exfiltration

Sometimes when you try to solve one challenge, you uncover bigger problems. This happened to one banking and brokerage company that purchased Stealthwatch to detect distributed denial-of-service (DDoS) attacks against its systems. While evaluating the Stealthwatch solution, system administrators also detected three hosts propagating malware and multiple hosts making insecure Telnet connections. More concerning, the evaluation found significant outbound traffic to suspicious servers in China and Israel, where the company did no business, indicating possible data exfiltration.

A printer that talks too much

Out of the thousands of hosts on the average enterprise network, specialized devices such as printers are easily overlooked. When these devices are not maintained and patched properly, they can create a path into the network for attackers.

During a Cisco Stealthwatch evaluation, a government agency discovered several hundred abnormal connections to its network from more than 10 countries. Upon further investigation, the agency discovered a printer that had been installed to expedite a project. The printer remained unpatched with default credentials and was accessible from the Internet. Attackers discovered the printer and used it to gain access to the network and wreak havoc.

The agency detected the activity during a Stealthwatch evaluation. If the agency had had Stealthwatch in place earlier, it could have identified the suspicious activity before damage was done.

When the FBI comes knocking

Sometimes when an organization is breached, it is the last to hear about it. This happened to a global oilfield services company when the FBI contacted it with evidence that it had been compromised by attackers based in China. Stealthwatch was deployed and, in less than a week, had identified a user account that was logging in from China and exfiltrating gigabytes of critical files. That user's login information had been stolen, and the thieves used the account's privileges to access anything they wanted on the network.

With Stealthwatch, organizations can monitor traffic to unusual geographies and suspect countries. This way organizations can quickly detect large amounts of traffic going to regions they don’t do business in, which is a strong indicator of exfiltration.
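The two flow-based checks described in the banking story and in the paragraph above (insecure Telnet clients, and outbound volume to countries where the organization does no business) can be expressed as simple aggregation over flow records. The following is an added illustration, not Stealthwatch code; the flow format, the country allow-list, the 1 GiB threshold and the sample flows are all constructed here, and the destination country is assumed to have been resolved beforehand by a GeoIP lookup.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """One outbound flow record (constructed schema, not Stealthwatch's)."""
    src: str          # internal host
    dst: str          # external peer
    dst_port: int
    dst_country: str  # assumed pre-resolved by a GeoIP lookup
    bytes_out: int    # bytes sent from src to dst


# Constructed policy: countries the organization actually does business with,
# and the per-country outbound volume that should raise an exfiltration alert.
BUSINESS_COUNTRIES = {"US", "GB", "DE"}
EXFIL_THRESHOLD_BYTES = 1024 ** 3  # 1 GiB per country per reporting window

# Constructed sample flows (RFC 5737 documentation addresses for the peers).
SAMPLE_FLOWS = [
    Flow("10.1.4.22", "203.0.113.7", 443, "US", 5_000_000),
    Flow("10.1.4.22", "198.51.100.9", 443, "CN", 900 * 1024 ** 2),
    Flow("10.1.9.5", "198.51.100.9", 443, "CN", 400 * 1024 ** 2),
    Flow("10.1.7.14", "192.0.2.30", 23, "US", 2_000),
    Flow("10.1.7.14", "192.0.2.31", 23, "US", 1_500),
    Flow("10.1.2.3", "203.0.113.50", 443, "IL", 10 * 1024 ** 2),
]


def geo_exfil_alerts(flows, allowed=BUSINESS_COUNTRIES,
                     threshold=EXFIL_THRESHOLD_BYTES):
    """Sum outbound bytes per non-business country; alert when a country's
    total meets the threshold. Returns {country: (total_bytes, sorted sources)}."""
    totals = defaultdict(int)
    sources = defaultdict(set)
    for f in flows:
        if f.dst_country not in allowed:
            totals[f.dst_country] += f.bytes_out
            sources[f.dst_country].add(f.src)
    return {c: (b, sorted(sources[c]))
            for c, b in totals.items() if b >= threshold}


def telnet_clients(flows):
    """Internal hosts seen opening cleartext Telnet (TCP/23) sessions."""
    return sorted({f.src for f in flows if f.dst_port == 23})


if __name__ == "__main__":
    print("exfil alerts:", geo_exfil_alerts(SAMPLE_FLOWS))
    print("telnet clients:", telnet_clients(SAMPLE_FLOWS))
```

Only the aggregate per country crosses the threshold here; neither Chinese flow does on its own, which is why the check sums by destination country rather than alerting per flow.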


These are only a few examples of how Cisco Stealthwatch and the Stealthwatch team help customers protect their network and achieve their goals. To learn more about how the Stealthwatch team has assisted customers, read the Guardians of the Network.

