Faddom can help you discover potential security issues and, when a vulnerability is announced, check whether your environment has already been exploited.
The first stage is to make sure that Faddom is collecting external traffic. To do this, follow our guide on How to Enable Data Collection for External Sources. Once this is set, Faddom will collect traffic that is outgoing from your servers to the internet.
Let Faddom run for 12-24 hours after updating this setting, so that it can collect a representative picture of the traffic.
Once Faddom is collecting external data, you can use the tools available in Faddom to see whether any servers may have been compromised.
Log4Shell is exploited by getting a vulnerable application to log a string containing a JNDI lookup (for example ${jndi:ldap://...}), which causes the server itself to open an outbound LDAP connection to an attacker-controlled server on the internet. Outbound LDAP connections from your servers to unknown hosts are therefore the traffic to look for. The easiest way to do this is to go to the Map tab and look under Software Components. There you should already have an LDAP component. If you do not, add a new software component for LDAP traffic (port 389, and 636 for LDAPS) using the following configuration.
Now select the software component to see a list of all the LDAP servers being accessed on your network. Ideally, every LDAP server listed is internal to your network, most likely your domain controllers. An external server here means one of your servers made an outbound LDAP connection to the internet, which is a strong indicator that this vulnerability has been exploited against it. Confirm before acting: a few legitimate external LDAP destinations exist (for example a hosted directory service), and an attacker's callback server can listen on a port other than 389 or 636, so this view catches the common case rather than every case.
If you do see an unrecognized server here, click Search to get a map of all the servers that have connected to the unknown LDAP server, so you know exactly which servers in your environment are affected. See the guide on Software Components for more information.
Receiving Alerts On New Attacks
While the above method is good for finding out whether you have already been attacked, it is better to know when it happens in near real time. Here is a simple way to do this using the existing tools in Faddom:
- Open the Search tab and click Show advanced panel
- In the Port field, enter: 389,636
- In the Excluded servers/s field, enter the LDAP servers in your network. These will most likely be your domain controllers
- Click on Search
- The map should be empty, since no server should be talking LDAP to anything other than the servers you excluded. Click on Save Query and save this as an application map
- You will need to set up a method of receiving the alerts. Follow our guide on Notifications and Alerts. If a server later opens an LDAP connection to any destination other than your excluded servers, it will appear on this map and you should receive an email alert from Faddom in near real time.
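The two checks above (the LDAP software component view, and the saved search that excludes your own domain controllers) both reduce to the same rule: flag any connection on an LDAP port whose destination is not one of your known LDAP servers, then list which internal servers talked to it. The following script is an added illustration of that rule, not Faddom's code and not how Faddom stores or exports traffic. The flow records, the allowlist of domain controllers and the CSV layout (timestamp, source, destination, destination port) are all constructed for the example; the port list matches the 389,636 query used above.

```python
import ipaddress
from collections import defaultdict

# Ports watched by the search query on this page: LDAP and LDAPS.
LDAP_PORTS = {389, 636}

# Assumed allowlist of your own LDAP servers (the "Excluded servers" of the
# search). Constructed for this example; replace with your real DC addresses.
KNOWN_LDAP_SERVERS = {"10.0.0.10", "10.0.0.11"}

# RFC 1918 ranges, used only to tell "unknown internal host" from
# "host on the internet". Do not use ipaddress.is_private here: it also
# treats the documentation ranges used in this sample as private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows (not Faddom's export format). Two servers call
# back to an external host on 389, one talks LDAP to an internal host that
# is not a DC, and the rest is benign.
SAMPLE_FLOWS = """\
2021-12-10T08:00:01Z,10.0.1.20,10.0.0.10,389
2021-12-10T08:00:05Z,10.0.1.21,10.0.0.11,636
2021-12-10T08:01:12Z,10.0.1.20,203.0.113.45,389
2021-12-10T08:01:13Z,10.0.1.22,203.0.113.45,389
2021-12-10T08:02:00Z,10.0.1.23,10.0.5.9,389
2021-12-10T08:03:00Z,10.0.1.20,198.51.100.7,443
"""


def parse_flows(text):
    """Parse CSV flow lines into (timestamp, src_ip, dst_ip, dst_port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split(",")
        flows.append((ts, src, dst, int(port)))
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify_destination(dst, known):
    """'known' = allowlisted DC, 'internal-unknown' = RFC1918 but not a DC,
    'external' = on the internet (the Log4Shell callback case)."""
    if dst in known:
        return "known"
    if is_internal(dst):
        return "internal-unknown"
    return "external"


def find_unexpected_ldap(flows, known=KNOWN_LDAP_SERVERS, ports=LDAP_PORTS):
    """Apply the page's rule: LDAP-port flows to non-allowlisted destinations.

    Returns {dst_ip: {"class": ..., "sources": [src_ip, ...]}} so that, as in
    the Software Components search, you see which of your servers reached
    each unknown LDAP server.
    """
    hits = defaultdict(set)
    for _ts, src, dst, port in flows:
        if port not in ports or dst in known:
            continue
        hits[dst].add(src)
    return {dst: {"class": classify_destination(dst, known),
                  "sources": sorted(srcs)}
            for dst, srcs in hits.items()}


if __name__ == "__main__":
    for dst, info in find_unexpected_ldap(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{info['class']:16} {dst:16} contacted by {', '.join(info['sources'])}")
```

An "external" hit is the one to treat as a probable Log4Shell callback and to investigate on every listed source; an "internal-unknown" hit is usually a forgotten LDAP server that belongs in the allowlist, but it is worth a look, since an attacker who already holds an internal foothold can host the callback there too. The script shares the page's blind spot: a callback on a non-standard port does not match the port filter.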
Recently, a serious vulnerability was found in the popular Log4j logging library which allows an attacker to execute code on a server simply by getting the application to log an attacker-controlled string. The vulnerability, CVE-2021-44228, also known as Log4Shell, does not affect Faddom, but it does affect countless products and can be a serious security risk. For details on the vulnerability, see the NIST entry here: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
One of the advantages of having full network visibility with Faddom is that you can identify this type of attack quickly and easily using the method above, without needing to inventory every product that embeds Log4j first.