Case Study: Detection Of Multiple User and Network Behavior Anomalies In A Strategic Government Body

By
Praveen Yeleswarapu
Rakesh Dharmavaram
September 3, 2021


The Context

It’s a routine day at work: a Cybersecurity Analyst walks into the Security Operations Centre, takes the shift handover, and keeps watch. Within a couple of hours of the handover, he identifies an alert that suggests potential command-and-control activity within the environment.

The analyst, with his basics in place, first checks the Threat Intelligence insights for the external IP address associated with the alert and observes that it is clean. Next, he investigates the alert further by looking at in-memory insights from the User and Entity Behavior functionality on the machine and identifies an unfamiliar process (Honeygain.exe) running; the logged-on user and the associated machine belong to the materials and stores department.

A further quick query shows that the suspicious process was starting at a time when the organization’s operations are inactive!

The analyst is now suspicious because the alert triggered was associated with both network and file system anomalies. On further analysis, it was identified that the machine resources were being used by the Honey Gain application, which pays a user to share system resources and bandwidth.

Prior to using BluSapphire Elite, the organization was not in the practice of collecting in-memory log insights. A next-generation Anti-Virus product was running on the machine, yet it had failed to detect this User, Entity, and Network anomaly. Hence, it could not be established when and how the suspicious application was first used by the user.

The process (Honey Gain) was suspended, and a detailed system cleanup was performed to ensure complete remediation.

Similarly, multiple other network activities associated with TOR and Command and Control were identified within the organization and swiftly mitigated with proper response and remediation actions.

The Conversation

These cases were brought up with the organization’s Security Head, and the first query was: how could such an advanced Anti-Virus, Firewall, and other tools have failed to detect these anomalies over a period of time?

There was also a sense of relief for the Security Head, who said, and we quote:

“Today, I am more at ease, as I’m given exact insights associated with this attack, such as what process activity was involved, from where the executable was launched, and what network activities were encountered (both external and lateral), all on a single pane of glass.”

Such in-depth and detailed data insights allow cybersecurity leaders and professionals like him to make concrete decisions and also put forth a stronger case for active cyber defense within their organizations.

Now, coming back to the pertinent question of the Security Head: how could such an advanced Anti-Virus, Firewall, and other tools have failed to detect these anomalies over a period of time?

The cyber threat landscape has evolved consistently, and thanks to rapid digitization, attacks have only grown manifold.

That said, tools such as Anti-Virus, Firewall, E-mail Gateway, Proxy, etc. depend on reactive intelligence such as malware hashes and signature rules to identify a potential attack on an organization.

Now, is this approach sufficient to detect new-age cyber-attacks?

Absolutely not.

Advanced attackers have found sophisticated methods to bypass AVs and firewalls and do so consistently and with ease. These methods are active as we speak.

Introducing BluSapphire Elite

How do we approach the above challenge? By deploying an efficient platform where the focus of threat detection is purely on the Tools, Techniques, and Practices of an attacker, essentially tracking the attacker’s behavior at the network, system, and file system level, combining this with visibility from the security and network infrastructure, and at the same time utilizing AI and ML functionality to avoid silos in communication.

With that context in mind, BluSapphire Elite offers a one-stop solution. Go beyond an XDR.

Powered by AI and Big Data analytics, BluSapphire Elite offers complete, unified threat detection functionality that converges network behavior, User and Entity behavior, Binary Analysis, and Endpoint Behavior, collects logs from the entire security and network infrastructure, builds deception strategies, and finally orchestrates automated response and remediation, all via one single platform.

Here is an example of network communications involving TOR domains, triggered by an active in-memory process on another host within the environment.

  • Tor (aka The Onion Router) is software that allows users to browse the web anonymously by encrypting and routing requests through multiple relay layers or nodes.
  • While Tor can be used to promote democracy and free, anonymous use of the internet, it also provides an avenue for malicious actors to conceal their activity, because the identity and point of origin of a Tor user cannot be determined through the onion routing protocol.

Malicious Network Behavior Incidents Identified

In yet another case associated with malicious Entity & Network Behavior, a malicious process, figma_agent.exe, was actively visible within the environment.

  • figma_agent.exe is classified as Suspected of Trojan.Downloader.gen: it installs itself on the system and waits until an Internet connection becomes available, then connects to a remote server or website in order to download additional programs (usually malware) onto the infected computer.
  • Once a trojan-downloader has been installed on a machine, it will try to contact a remote server or website, where it can either directly fetch additional files for download or find further instructions from the attackers on where to find the files.

From a Network Analysis point of view, multiple browser hijackers were identified reaching out to Russian domains, one such example being Disorderstatus.ru.

Disorderstatus.ru is an unsafe browser hijacker, a malicious Russian domain that enters a targeted PC when the user opens junk mail and mail attachments.

Another case was identified where domain resolutions associated with drive-by download and spyware activity were successful.

PUP applications were observed on one of the hosts accessing the domain otirud05.top, which has been classified as involved in serial PUP installers in the past.

g-partners.live was seen being accessed in multiple scenarios; it is an active offender involved in downloading malware that is distributed disguised as a PUP installer. When executed, it installs the PUP malware Garbage Cleaner and can at the same time download and install additional malware over an established communication channel with the C&C servers.
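The triage described in The Context (an unfamiliar process starting outside operating hours, then correlated with network anomalies) and the domain indicators listed in this section can both be expressed as a small correlation rule over process-start and DNS telemetry. The following Python is an added example written for this page; it is not BluSapphire Elite code and does not reflect how that platform implements detection. The working window of 08:00–18:00, the pipe-delimited event layout, the host and user names, and the telemetry lines themselves are all constructed assumptions; the only indicators taken from the page are the process names and the domains named above, plus `.onion` as a generic marker for Tor hidden-service lookups.

```python
"""Toy correlation of process-start and DNS events into the two anomaly
classes the case study describes: off-hours process activity and
outbound name resolution for known-suspicious domains.
Added example; not the platform's own detection logic."""
from collections import defaultdict
from datetime import datetime, time

# Assumed working window for the organization (not stated on the page).
WORK_START, WORK_END = time(8, 0), time(18, 0)

# Domains named in the case study; the page's own indicators, nothing added.
WATCHLIST = {"disorderstatus.ru", "otirud05.top", "g-partners.live"}
TOR_SUFFIX = ".onion"  # generic marker for Tor hidden-service lookups

# Constructed sample telemetry (not real logs from the described environment).
# Process events: timestamp|host|user|image_path
PROCESS_EVENTS = [
    "2021-08-30T02:14:07|WS-STORES-07|stores.user|C:\\Users\\stores.user\\AppData\\Local\\Honeygain\\Honeygain.exe",
    "2021-08-30T09:02:41|WS-STORES-07|stores.user|C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
    "2021-08-30T11:30:00|WS-DESIGN-02|design.user|C:\\Users\\design.user\\AppData\\Roaming\\figma_agent.exe",
]
# DNS events: timestamp|host|image_name|queried_domain
DNS_EVENTS = [
    "2021-08-30T02:15:12|WS-STORES-07|Honeygain.exe|dashboard.honeygain.example",
    "2021-08-30T09:03:05|WS-STORES-07|EXCEL.EXE|office.example",
    "2021-08-30T11:30:45|WS-DESIGN-02|figma_agent.exe|g-partners.live",
    "2021-08-30T11:31:02|WS-DESIGN-02|figma_agent.exe|disorderstatus.ru",
    "2021-08-30T13:10:09|WS-DESIGN-02|chrome.exe|abcdefghijklmnop.onion",
]


def parse(line):
    """Split one pipe-delimited event into (timestamp, host, field3, field4)."""
    ts, host, third, fourth = line.split("|", 3)
    return datetime.fromisoformat(ts), host, third, fourth


def off_hours(ts):
    """True when the event falls outside the assumed working window."""
    return not (WORK_START <= ts.time() < WORK_END)


def suspicious_domain(domain):
    """Classify a queried domain: 'tor', 'watchlist', or None when benign."""
    d = domain.lower().rstrip(".")
    if d.endswith(TOR_SUFFIX):
        return "tor"
    if d in WATCHLIST:
        return "watchlist"
    return None


def correlate(process_lines, dns_lines):
    """Return {(host, image): sorted anomaly tags} for every image that
    tripped at least one rule. Tags from different rules on the same
    (host, image) pair are what the analyst in the case study acted on."""
    findings = defaultdict(set)
    for line in process_lines:
        ts, host, _user, path = parse(line)
        image = path.rsplit("\\", 1)[-1]
        if off_hours(ts):
            findings[(host, image)].add("off-hours-start")
    for line in dns_lines:
        ts, host, image, domain = parse(line)
        tag = suspicious_domain(domain)
        if tag:
            findings[(host, image)].add(f"{tag}:{domain.lower()}")
        if off_hours(ts):
            findings[(host, image)].add("off-hours-network")
    return {key: sorted(tags) for key, tags in findings.items()}


def severity(tags):
    """Two or more distinct anomalies on one image warrants escalation."""
    return "high" if len(tags) >= 2 else "medium"


if __name__ == "__main__":
    for (host, image), tags in sorted(correlate(PROCESS_EVENTS, DNS_EVENTS).items()):
        print(f"{severity(tags):6} {host:14} {image:18} {', '.join(tags)}")
```

In the constructed data, Honeygain.exe is flagged twice (off-hours start and off-hours network activity) and escalates, mirroring the combined network and file system anomaly the analyst saw; figma_agent.exe is flagged only through the page's domain watchlist; EXCEL.EXE produces nothing. In production the watchlist would be fed from threat intelligence rather than hard-coded, and the working window would be per site or per user baseline, since a single fixed window produces false positives for shift workers.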

Key Outcomes with BluSapphire Elite

  1. Unified data convergence and analysis across network, system, file system, and infrastructure data, powered by Big Data Analytics, giving the security analyst a single-pane-of-glass view and the highest degree of visibility on every asset of an organization by breaking data and process silos.
  2. Faster detection (under 3 minutes) of extremely advanced and sophisticated cyber attacks.
  3. Automation-driven response and remediation (under 2 seconds), with a proactive live threat hunt function that builds assurance and allows swift execution of incident response.

For details, please take a look at the BluSapphire Elite solution page.