The Challenge

Lucas monitors client locations in real time and for this particular client the Lucas security staff was alerted of multiple threat detection's in several of the client's locations all within a matter of a few minutes.

 

 

The Solution

After receiving the alert, the security team began an immediate investigation.  The alert showed a potential threat-actor (incident that impacts or has potential to impact an organization's security) that was actively scanning multiple client locations.  The POS system is intentionally isolated from other computers so only trusted, internal machines may communicate with it.  However, the source of the scan was an address on an internal network, but not one on the POS network.  Additionally, the same internal addresses had been used to scan three client locations.  This allowed our analysts to deduce the most likely explanation;

​

All merchants are required (per PCI-DSS) to undergo quarterly internal vulnerability scans.  Lucas has extensive knowledge of this process and has worked with multiple clients and vendors to help them achieve compliance goals.  The only reasonable explanation was that a managed security vendor was using a virtual private network (VPN) to perform the internal scan.  This technology allows two or more networks separated by the Internet to communicate as if they were the same network, but without 100% certainty the incident had to be confirmed before closing.

 

The Result

Lucas reached out to the client’s manager of IT and advised him of the unusual traffic and asked if he knew of an approved scanning vendor (ASV) scan.  The IT Manager quickly responded and stated that their managed firewall service provider was performing these scans.  Even though this alert turned out to be a false positive, Lucas realizes the importance of acting quickly with any type of threat encountered and this has allowed our clients to trust Lucas with their systems and data.