Darktrace Alert Details
Alert ID: DARKTRACE-AITM-1557-7842
Alert Time: 2024-02-21 16:30:45 EST
Severity: CRITICAL (95/100)
Source: Darktrace Enterprise Immune System
Rule: “ARP Spoofing Detected – Potential Man-in-the-Middle Attack”
MITRE ATT&CK: T1557.002 – Adversary-in-the-Middle: ARP Cache Poisoning
Alert Details:
Detection: ARP cache poisoning activity on internal network
Time: 16:25-16:30 EST
Network Segment: VLAN 45 (Finance Department)
ARP Anomalies Detected:
16:25:15 – Unsolicited ARP reply from MAC 00:1A:2B:3C:4D:5E (192.168.45.78) asserting that it owns 192.168.45.1 (gateway)
16:25:30 – ARP reply from the same MAC asserting 192.168.45.10 (DNS server)
16:25:45 – ARP reply from the same MAC asserting 192.168.45.20 (file server)
Multiple ARP replies from a single host for three infrastructure IPs within 30 seconds, overriding the existing cache entries on the workstations that received them
Source Details:
Source MAC: 00:1A:2B:3C:4D:5E
Source IP: 192.168.45.78
Hostname: Unknown (not in asset inventory)
Location: Finance department (physical access suspected)
Traffic Analysis:
After poisoning, finance workstations sent gateway-bound traffic to the attacker's MAC instead of the real gateway
Traffic transited 192.168.45.78, which forwarded it on to the real destination so the workstations saw no outage
HTTPS sessions to some sites were stripped to plaintext HTTP at the attacker host (SSL stripping); this only succeeds where the browser holds no HSTS policy for the site
Credentials captured in the stripped sessions for: webmail.company.com, portal.company.com
Detection Logic:
A single non-infrastructure host answering ARP for several IPs it does not own (legitimate exceptions, such as a router holding an HSRP/VRRP virtual address or a host doing proxy ARP, are confined to known devices and should be allowlisted)
Known gateway, DNS and file server IPs abruptly resolving to a MAC other than their established binding
Traffic redirection pattern consistent with ARP spoofing
SSL stripping (HTTPS downgraded to HTTP) observed on the redirected sessions
Pattern matches an active Man-in-the-Middle attack
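As an added example (this is not Darktrace's detection code, which is proprietary and not on this page), the following Python replays constructed ARP reply and flow records through the two rules listed above and then scopes impact the way step 5 of the investigation does: which hosts had traffic delivered to the attacker's MAC, and which users reached HTTPS-only services over plaintext HTTP. The attacker MAC is the one from the alert; the legitimate gateway, DNS and file server MACs, the workstation IPs, the sample flows and the IP-to-user mapping are assumed values.

```python
"""Added example: ARP spoofing detection rules plus impact scoping.

Not Darktrace code. Replays constructed ARP reply and flow records (sample
data, not the incident capture) through two rules:
  1. one MAC asserting several IPs within a short window, and
  2. a known IP (gateway, DNS, file server) answered by a MAC other than
     its recorded binding.
Then scopes impact: hosts whose traffic was delivered to the attacker's
MAC, and logins that reached HTTPS-only services over port 80 (SSL strip).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ArpReply:
    ts: int          # seconds since capture start
    sender_mac: str  # MAC the reply says owns sender_ip
    sender_ip: str


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_mac: str          # layer-2 next hop the workstation actually used
    dst_port: int
    host: Optional[str]   # HTTP Host header or TLS SNI, if any


# Assumed known-good bindings for VLAN 45 (hypothetical MACs).
KNOWN_BINDINGS = {
    "192.168.45.1": "00:de:ad:00:00:01",   # gateway
    "192.168.45.10": "00:de:ad:00:00:10",  # DNS server
    "192.168.45.20": "00:de:ad:00:00:20",  # file server
}
# Devices allowed to answer for more than one IP (e.g. the router owning an
# HSRP/VRRP virtual IP). Maintaining this list keeps rule 1 from firing on
# legitimate infrastructure.
MULTI_IP_ALLOWLIST = {"00:de:ad:00:00:01"}
HTTPS_ONLY = {"webmail.company.com", "portal.company.com"}
IP_TO_USER = {  # assumed DHCP/logon mapping; user names are from the report
    "192.168.45.101": "jdoe",
    "192.168.45.102": "bsmith",
    "192.168.45.103": "kwilson",
}
WINDOW = 60  # seconds


def detect_arp_spoofing(replies, window=WINDOW):
    """Return {'multi_ip': {mac: [ips]}, 'binding_conflicts': [(ip, mac, expected, ts)]}."""
    claims = defaultdict(dict)  # mac -> {ip: last time it was claimed}
    multi_ip, conflicts = {}, []
    for r in sorted(replies, key=lambda x: x.ts):
        mac = r.sender_mac.lower()
        expected = KNOWN_BINDINGS.get(r.sender_ip)
        if expected and expected != mac:                        # rule 2
            conflicts.append((r.sender_ip, mac, expected, r.ts))
        claims[mac][r.sender_ip] = r.ts
        recent = sorted(ip for ip, t in claims[mac].items() if r.ts - t <= window)
        if len(recent) > 1 and mac not in MULTI_IP_ALLOWLIST:  # rule 1
            multi_ip[mac] = recent
    return {"multi_ip": multi_ip, "binding_conflicts": conflicts}


def attacker_macs(findings):
    """MACs implicated by either rule."""
    return set(findings["multi_ip"]) | {c[1] for c in findings["binding_conflicts"]}


def scope_impact(flows, macs, https_only=HTTPS_ONLY, ip_to_user=IP_TO_USER):
    """Hosts that sent traffic to an attacker MAC, and users whose HTTPS-only
    services were reached over port 80 (treat those credentials as captured)."""
    redirected, stripped = set(), defaultdict(set)
    for f in flows:
        if f.dst_mac.lower() not in macs:
            continue
        redirected.add(f.src_ip)
        if f.host in https_only and f.dst_port == 80:
            stripped[ip_to_user.get(f.src_ip, f.src_ip)].add(f.host)
    return sorted(redirected), {u: sorted(s) for u, s in stripped.items()}


# Constructed sample data (not from the incident capture).
SAMPLE_ARP = [
    ArpReply(0, "00:de:ad:00:00:01", "192.168.45.1"),     # real gateway
    ArpReply(2, "00:de:ad:00:00:01", "192.168.45.254"),   # same router, HSRP VIP: allowlisted
    ArpReply(5, "00:de:ad:00:00:77", "192.168.45.77"),    # ordinary host
    ArpReply(15, "00:1A:2B:3C:4D:5E", "192.168.45.1"),    # attacker claims gateway
    ArpReply(30, "00:1A:2B:3C:4D:5E", "192.168.45.10"),   # ... and DNS
    ArpReply(45, "00:1A:2B:3C:4D:5E", "192.168.45.20"),   # ... and file server
]
A = "00:1a:2b:3c:4d:5e"
SAMPLE_FLOWS = [
    Flow("192.168.45.101", "10.0.0.5", A, 80, "webmail.company.com"),
    Flow("192.168.45.102", "10.0.0.6", A, 80, "portal.company.com"),
    Flow("192.168.45.103", "10.0.0.5", A, 80, "webmail.company.com"),
    Flow("192.168.45.103", "10.0.0.6", A, 80, "portal.company.com"),
    Flow("192.168.45.103", "192.168.45.20", A, 445, None),             # SMB relayed, not stripped
    Flow("192.168.45.104", "10.0.0.5", "00:de:ad:00:00:01", 443, "webmail.company.com"),  # unaffected
]

if __name__ == "__main__":
    found = detect_arp_spoofing(SAMPLE_ARP)
    macs = attacker_macs(found)
    print("attacker MACs:", macs)
    print("multi-IP claims:", found["multi_ip"])
    print("redirected hosts / stripped logins:", *scope_impact(SAMPLE_FLOWS, macs))
```

The router asserting its HSRP virtual address is the false positive the allowlist exists for; without it rule 1 would flag the gateway alongside the attacker. Note that SMB sessions relayed through the attacker count as redirected but not as stripped, matching the report's "SMB – not captured".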
Additional Context:
Unknown device on network (not in CMDB)
Possibly rogue device plugged into network jack
Attack targeting Finance department for credential theft
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Darktrace alert | Darktrace Console | Confirmed ARP spoofing attack in progress
2. Physical Security | Dispatch security to location | Security Team, Badge Logs | Unknown individual in Finance area with laptop
3. Network Isolation | Block switch port for 192.168.45.78 | Cisco ISE | Port disabled; attacker disconnected
4. MAC Blocking | Block MAC address at network level | Cisco ISE, MAC filtering | MAC 00:1A:2B:3C:4D:5E blocked
5. Credential Check | Identify users whose traffic was intercepted | Darktrace, Network Logs | 3 users had credentials captured
6. Password Reset | Reset affected users’ passwords | Entra ID (Azure AD), on-premises AD | All 3 passwords reset
Jira Incident Report
Ticket: SOC-2024-109
Summary: T1557 – ARP Spoofing Attack in Finance Department
Status: RESOLVED
Resolution: MALICIOUS – Attacker Removed, Credentials Reset
Priority: P1 – CRITICAL
Labels: T1557, adversary-in-the-middle, arp-spoofing, darktrace, physical-access
Components: Network-Security, Physical-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Darktrace Enterprise Immune System.
Alert: “ARP Spoofing Detected – Potential Man-in-the-Middle Attack”.
Location: Finance Department, VLAN 45.
Attacker Device: Unknown laptop, MAC 00:1A:2B:3C:4D:5E, IP 192.168.45.78.
Time: 2024-02-21 16:30 EST.
Technique: MITRE ATT&CK T1557.002 – Adversary-in-the-Middle: ARP Cache Poisoning.
2. Technical Analysis:
Attack Chain:
16:00 – Unknown individual enters Finance department (piggybacked through secured door)
16:05 – Individual plugs laptop into network jack in empty cubicle
16:10 – Laptop begins ARP spoofing attack
16:10-16:30 – Attacker poisons ARP caches of finance workstations
16:15-16:30 – Traffic redirected through attacker’s laptop
16:20-16:25 – SSL downgrade attacks on webmail and portal
16:25-16:30 – Credentials captured for 3 users
16:30 – Darktrace detects anomaly
ARP Spoofing Technique:
Normal: each IP on the segment maps to one MAC, learned from ARP replies that hosts accept without any authentication
Attack: attacker sends unsolicited ARP replies asserting the gateway, DNS and file server IPs, and hosts overwrite their cache entries with the attacker's MAC
Result: workstations send traffic for those IPs to the attacker instead of the real devices
Effect: attacker can read or modify everything the poisoned workstations send to those addresses (and the return path as well if the gateway's cache is poisoned for the workstation IPs), while forwarding it on so nothing visibly breaks
Credentials Captured:
User 1: jdoe@company.com (password captured for webmail)
User 2: bsmith@company.com (password captured for portal)
User 3: kwilson@company.com (password captured for both)
Traffic Intercepted:
Webmail (HTTPS stripped to HTTP; possible only because the browser enforced no HSTS policy for the site)
Company portal (HTTPS stripped to HTTP, same condition)
File server access (SMB – not captured)
No sensitive financial data transferred during window
3. Investigation Findings:
Timeline:
16:00 – Attacker enters building
16:05 – Laptop connected
16:10-16:30 – ARP spoofing
16:30 – Darktrace alert
16:32 – SOC investigates
16:35 – Security dispatched
16:38 – Attacker seen leaving (abandoned laptop)
16:40 – Switch port disabled
16:45 – Laptop recovered by security
Physical Evidence:
Laptop abandoned (attacker fled)
Laptop had ARP spoofing tools installed
Captured credentials found on laptop
No identification on device
Indicators of Compromise (IoCs):
Network:
– Attacker MAC: 00:1A:2B:3C:4D:5E
– Attacker IP: 192.168.45.78
Physical:
– Location: Finance Department, cubicle 45B
– Time: 16:00-16:40
4. Containment Actions:
Immediate Actions:
Disabled switch port for 192.168.45.78.
Blocked MAC address at network level.
Security confiscated abandoned laptop.
Reset passwords for 3 affected users.
Network Remediation:
Flushed ARP caches on all finance workstations.
Enabled DHCP snooping on the Finance access switches, trusting only the uplink ports (dynamic ARP inspection validates against the snooping binding table, so snooping must be in place first).
Implemented dynamic ARP inspection on those switches; statically addressed devices (gateway, DNS server, file server) have no snooping binding and need ARP ACL entries, or their replies are dropped.
Physical Security:
Reviewed badge access logs (found piggybacking incident).
Increased security presence in Finance area.
Implemented mantraps at secure entrances.
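The ARP cache flush under Network Remediation above is only complete once every workstation's neighbour table has been re-read and checked. The following Python is an added example (not part of the original report) of that verification: it parses Linux `ip neigh` and Windows `arp -a` output and flags any entry that still maps a known IP to the wrong MAC or still references the blocked attacker MAC. The sample outputs are constructed, and the legitimate gateway, DNS and file server MACs are assumed; the attacker MAC is the one from the alert.

```python
"""Added example: verifying the ARP cache flush across Finance workstations.

Not part of the original report. Parses `ip neigh` (Linux) and `arp -a`
(Windows) output and reports entries that are still poisoned: the blocked
attacker MAC, or a known infrastructure IP bound to an unexpected MAC.
Sample tables below are constructed; the "good" MACs are assumed values.
"""
import re

KNOWN_BINDINGS = {
    "192.168.45.1": "00:de:ad:00:00:01",   # gateway (assumed MAC)
    "192.168.45.10": "00:de:ad:00:00:10",  # DNS server (assumed MAC)
    "192.168.45.20": "00:de:ad:00:00:20",  # file server (assumed MAC)
}
BLOCKED_MACS = {"00:1a:2b:3c:4d:5e"}       # attacker MAC from the alert

# An IPv4 address followed on the same line by a MAC in 00:11:.. or 00-11:..
# notation. IPv6 neighbour rows from `ip neigh` do not match and are skipped.
_ENTRY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}).*?((?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})", re.I)


def parse_neighbor_table(text):
    """Return (ip, mac) pairs with the MAC normalised to lower-case colon form."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if m:
            entries.append((m.group(1), m.group(2).lower().replace("-", ":")))
    return entries


def check_cache(hostname, entries, bindings=KNOWN_BINDINGS, blocked=BLOCKED_MACS):
    """Return (hostname, ip, mac, reason) for every entry that is still poisoned."""
    findings = []
    for ip, mac in entries:
        if mac in blocked:
            findings.append((hostname, ip, mac, "attacker_mac_still_cached"))
        elif ip in bindings and bindings[ip] != mac:
            findings.append((hostname, ip, mac, "unexpected_mac_for_known_ip"))
    return findings


def verify_fleet(tables):
    """tables: {hostname: raw neighbour-table text}. Returns all findings."""
    out = []
    for host, text in tables.items():
        out.extend(check_cache(host, parse_neighbor_table(text)))
    return out


# Constructed sample output (not captured from the incident).
SAMPLE_TABLES = {
    "fin-ws-linux": """\
192.168.45.1 dev eth0 lladdr 00:de:ad:00:00:01 REACHABLE
192.168.45.10 dev eth0 lladdr 00:1a:2b:3c:4d:5e STALE
fe80::1 dev eth0 lladdr 00:de:ad:00:00:01 router REACHABLE
""",
    "FIN-WS-03": """\
Interface: 192.168.45.103 --- 0xc
  Internet Address      Physical Address      Type
  192.168.45.1          00-de-ad-00-00-01     dynamic
  192.168.45.20         00-1a-2b-3c-4d-5e     dynamic
  192.168.45.255        ff-ff-ff-ff-ff-ff     static
""",
    "FIN-WS-04": """\
Interface: 192.168.45.104 --- 0xd
  Internet Address      Physical Address      Type
  192.168.45.1          00-de-ad-00-00-01     dynamic
  192.168.45.20         00-de-ad-00-00-20     dynamic
""",
}

if __name__ == "__main__":
    for finding in verify_fleet(SAMPLE_TABLES):
        print(*finding)
```

A stale entry that still names the attacker MAC, as on fin-ws-linux above, means that host will resume sending to a now-dead port the next time it talks to the DNS server; re-flush it rather than wait for the entry to age out.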
5. Root Cause Analysis:
Primary Cause: Physical security breach allowing unauthorized access.
Contributing Factors:
No dynamic ARP inspection or DHCP snooping on the Finance switches, so unsolicited ARP replies were accepted unchecked.
No 802.1X on access ports, so an unmanaged laptop obtained link and a usable address on the Finance VLAN simply by plugging into a jack.
Piggybacking allowed through the secure door.
Empty cubicle with a live network jack accessible to visitors.
6. Business Impact:
Operational Impact: Finance network stabilized; no downtime.
Data Exposure: 3 user credentials captured (all reset).
Physical Security: Process failure identified.
7. Remediation & Prevention:
Completed Actions:
Attacker removed.
Credentials reset.
Laptop confiscated.
Technical Controls Enhanced:
Enabled DHCP snooping on all access switches (uplink ports trusted).
Enabled dynamic ARP inspection on all access switches, validated against the snooping bindings plus ARP ACLs for statically addressed hosts.
Deployed 802.1X authentication on all access ports, so an unauthenticated device on a jack never reaches the Finance VLAN.
Added mantraps to secure entrances.
8. Conclusion:
An attacker gained physical access to the Finance department and performed an ARP spoofing attack, capturing credentials for 3 users. Darktrace detected the anomalous ARP activity within minutes, enabling rapid response. The attacker fled but abandoned the laptop.
Closure Rationale: Attacker removed; credentials reset; network and physical controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-21 17:30 EST