Anomalies

The Anomalies tab shows unusual activity in your network that Lumu's AI has identified as likely adversarial contact but has not yet confirmed as an incident. Lumu analyzes the behavior of these anomalous contacts and outputs a score that represents the likelihood of the event being an anomaly or a potential incident.


The information in the Anomalies view does not persist over time: Lumu's continuous analysis may reclassify a behavior as suspicious or benign as newer information arrives. If a potential anomaly catches your eye, save the data in whatever form you prefer before it is gone.
This is not an operational view, but it does offer insight into your network's behavior. Lumu analyzes your company's network metadata 24/7/365, giving you an early advantage against adversaries attempting to gain a foothold. Should any of these anomalies escalate into a confirmed compromise, Lumu will generate an incident for your organization and trigger an automated response through your cybersecurity stack.
Keep in mind that these are not confirmed instances of compromise but suspected adversary contacts. Unless you have further evidence of foul play, immediate action may not be necessary. However, since you know your network best, any anomaly that grabs your attention is worth investigating further.

Depending on its characteristics, each anomaly is displayed differently and with different fields. The following sections describe how the portal presents each anomaly type.

Domain Generation Algorithm (DGA)

Here you will find suspicious network activity from endpoints that are likely using dynamic resolution techniques, such as domain generation algorithms (DGAs), to reach malware command and control (C&C) infrastructure.
First, make sure DGA is selected at the top of the Anomalies view.


Clicking an instance opens a radar chart that gives context on the frequency of the contacts together with the IP address and label of the affected endpoint. Use this information to check the potentially affected device and confirm that it is behaving as intended.

Below the radar chart is a list of the Top Domains the endpoint contacted, along with the number of contacts for each domain.


In the top right corner, a button toggles between the radar chart and an Endpoint graph that visualizes the contacts involving this endpoint. This graph is similar to the Anomalies graph described later in this article, but it is specific to the selected endpoint.


You will also find a summary of the contacts involved in this anomaly, including the time of each occurrence and additional details, which you can access as a JSON file.

You can also download all contact details as a compressed .CSV file using the provided option.

You can also visualize these anomalies as a graph that maps the detected anomalies and their connections. This can provide extra insight, such as how potential lateral movement by an adversary takes place.


DNS Tunneling

Here you will find suspicious network activity characterized by anomalous traffic patterns suggesting that attackers may be abusing DNS infrastructure for covert C&C communication or data exfiltration.

First, make sure the Tunneling option is selected. Then select the anomaly you want to examine.



You will find additional information about the anomaly, such as a graph of the distribution of traffic over time to the potentially malicious domains, the amount of data transferred, and the records and sessions involving the endpoint. Select the relevant option to access even more details.


This view offers a more detailed graph alongside request samples from the communication between this endpoint and the potentially malicious domain. You can also download the full information about these sessions as a .csv file.

How can I use this feature?

For organizations with an in-house threat-hunting team, Anomalies provide a foundation for hypothesis-driven, AI-assisted investigation, in line with established threat-hunting methodologies.
For instance, if an endpoint attempts to reach a suspicious domain and then initiates contact with other endpoints in the organization, suggesting lateral movement, the threat-hunting team can use this information to formulate a compromise hypothesis and guide the hunt for the underlying threat.
Even though Lumu has not confirmed the anomaly as an incident, if your knowledge of the network and the insights from Lumu Analytics raise concerns, testing the hypothesis to validate or refute it can give you a valuable advantage over a potential, as yet undetected, adversary. Alternatively, it can provide reassurance that the situation does not indicate a compromise.
For organizations without an in-house threat-hunting team, Lumu automates the threat-hunting process: once a threat actor is detected, it generates an incident and triggers an automated response through the cybersecurity stack.
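As an added example (not Lumu's code and not its detection model), the following Python script shows how a hunting team might test the two hypotheses this article describes, DGA-style resolution and DNS tunneling, over DNS query records of the kind a contact export contains. The record layout, the endpoint addresses, the domain names and the thresholds are all constructed for the illustration. Character entropy and label-length heuristics produce false positives on long dictionary words, so the output is a list of hosts worth checking, not a verdict.

```python
import math
from collections import defaultdict

# Constructed sample of DNS query records: (endpoint, query name, rcode, response bytes).
# These are made up for the example and only mimic fields a contact export might carry.
SAMPLE_RECORDS = [
    # Ordinary browsing from 10.0.0.5
    ("10.0.0.5", "www.example.com", "NOERROR", 120),
    ("10.0.0.5", "cdn.example.net", "NOERROR", 140),
    ("10.0.0.5", "login.example.org", "NOERROR", 110),
    # DGA-like pattern from 10.0.0.7: random-looking labels, mostly unregistered (NXDOMAIN)
    ("10.0.0.7", "xk3qz9vbn2wq.com", "NXDOMAIN", 0),
    ("10.0.0.7", "p0d8f7a6s5d4.net", "NXDOMAIN", 0),
    ("10.0.0.7", "q1w2e3r4t5y6.org", "NXDOMAIN", 0),
    ("10.0.0.7", "zxcvbnmasdfg.info", "NOERROR", 90),
    # Tunneling-like pattern from 10.0.0.9: many long, unique labels under one base domain
    ("10.0.0.9", "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.t.evil-example.com", "NOERROR", 512),
    ("10.0.0.9", "c2VjcmV0IGRhdGEgYmVpbmcgZXhmaWx0cmF0ZWQ.t.evil-example.com", "NOERROR", 512),
    ("10.0.0.9", "bW9yZSBkYXRhIGdvZXMgaGVyZSBhbmQgaGVyZQ.t.evil-example.com", "NOERROR", 512),
    ("10.0.0.9", "ZmluYWwgY2h1bmsgb2YgdGhlIHBheWxvYWQ.t.evil-example.com", "NOERROR", 512),
    ("10.0.0.9", "www.example.com", "NOERROR", 120),
]

# Illustrative hunting thresholds (assumptions for this example, not Lumu's model parameters).
ENTROPY_THRESHOLD = 3.3         # bits per character of the registrable label
MIN_SUSPECT_LABEL_LEN = 10      # short labels cannot reach high entropy anyway
NXDOMAIN_RATIO_THRESHOLD = 0.5  # DGA clients mostly query names nobody registered
MIN_DGA_NAMES = 3               # one odd name is noise; several from one host is a pattern
MIN_TUNNEL_SUBDOMAINS = 3       # distinct names under one base domain
MIN_TUNNEL_LABEL_LEN = 30       # mean length of the leftmost label (encoded payload)


def shannon_entropy(text):
    """Bits per character. Dictionary words sit around 2.5-3.0; random labels score higher."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def split_name(qname):
    """Return (leftmost label, registrable label, base domain) for a query name.
    Naive 'last two labels' rule; real tooling should consult the Public Suffix List."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], labels[0], labels[0]
    return labels[0], labels[-2], ".".join(labels[-2:])


def looks_generated(qname):
    """DGA-style name heuristic: a long registrable label with high character entropy."""
    _, registrable, _ = split_name(qname)
    return len(registrable) >= MIN_SUSPECT_LABEL_LEN and shannon_entropy(registrable) >= ENTROPY_THRESHOLD


def hunt(records):
    """Summarize each endpoint against two hypotheses: DGA resolution and DNS tunneling."""
    endpoints = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "generated": set()})
    bases = defaultdict(lambda: {"names": set(), "label_lens": [], "bytes": 0})
    for endpoint, qname, rcode, resp_bytes in records:
        leftmost, _, base = split_name(qname)
        ep = endpoints[endpoint]
        ep["queries"] += 1
        if rcode == "NXDOMAIN":
            ep["nxdomain"] += 1
        if looks_generated(qname):
            ep["generated"].add(qname.lower())
        agg = bases[(endpoint, base)]           # per (endpoint, base domain) tunneling stats
        agg["names"].add(qname.lower())
        agg["label_lens"].append(len(leftmost))
        agg["bytes"] += resp_bytes

    findings = {}
    for endpoint, ep in endpoints.items():
        nx_ratio = ep["nxdomain"] / ep["queries"]
        tunnels = []
        for (owner, base), agg in bases.items():
            mean_len = sum(agg["label_lens"]) / len(agg["label_lens"])
            if owner == endpoint and len(agg["names"]) >= MIN_TUNNEL_SUBDOMAINS and mean_len >= MIN_TUNNEL_LABEL_LEN:
                tunnels.append({"base_domain": base, "unique_subdomains": len(agg["names"]),
                                "mean_leftmost_label_len": round(mean_len, 1), "bytes": agg["bytes"]})
        findings[endpoint] = {
            "queries": ep["queries"],
            "nxdomain_ratio": round(nx_ratio, 2),
            "generated_names": sorted(ep["generated"]),
            # DGA hypothesis needs both signals: several random-looking names AND a high NXDOMAIN ratio
            "dga_like": len(ep["generated"]) >= MIN_DGA_NAMES and nx_ratio >= NXDOMAIN_RATIO_THRESHOLD,
            "tunneling_candidates": tunnels,
        }
    return findings


if __name__ == "__main__":
    for endpoint, summary in hunt(SAMPLE_RECORDS).items():
        print(endpoint, summary)
```

On the constructed sample, 10.0.0.7 is reported as DGA-like (four high-entropy names, 75% NXDOMAIN) and 10.0.0.9 gets one tunneling candidate for evil-example.com (four distinct names whose leftmost labels average over 36 characters), while the browsing host 10.0.0.5 is clean. Treat both as hypotheses to confirm against the endpoint itself, for instance by identifying the process that issued the queries, before escalating.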
