When the Observable service sends you an alert, you’ll want to understand it so you can react to it properly. This post will describe how to use the Observable web portal to research a set of suspicious connections.
After you get the alert notification, you’ll probably want to view it in the Observable web portal. That will describe the high-level characteristics of the event: what happened, what it happened to, and when it happened.
In this case, we have a “New Long Sessions” alert. This alert type looks for unusually long connections between two machines - these can be a sign of abuse. It looks for two signals: (1) a “new” long-lived session, (2) an External IP address that geolocates to a country the user has marked as suspicious. These signals help ensure that the alert doesn’t fire for “normal” behavior, and help make sure the alert helps enforce the user’s expectations about their network.
One of the first questions you might ask when looking into this alert is “Does anything else on my network talk to the same External IP?” You can answer this question pretty quickly. The dropdown in the External IP cell has a Find IP on multiple days link:
The Find IP page will summarize known interactions with the External IP over the last month. In this case we can see that it’s just talking to one machine on our network (the Connections column):
Another question you might ask is “Have other users seen similar interactions?” The same dropdown above has an AbuseIPDB link, which points to the excellent AbuseIPDB.com site. In this case we can see that others have reported suspicious activity for the External IP:
We can see from the alert that the External IP is connecting to our local machine (router-4f) using HTTP. To respond to this alert we should ask, “Should that be allowed?” It’s probably not a great idea to have a router’s web interface exposed to the entire Internet - closing it off should prevent this sort of activity.
Looking more closely into the AbuseIPDB listing, we can see that one of the listings is for “Netcore Router Backdoor Usage.” Some research shows that certain Netcore Routers are known to have an abusable services (though most reports describe the vulnerability as applying to 53413/udp and not 80/tcp).
If you want to keep a closer eye on this particular External IP, the Add IP to watchlist link from the dropdown will allow you to set up an alert that will fire any time that IP is observed on the network for the next month:
Detect Threats Faster – Start Your Free, No-Risk Trial