Cyber Vault Discovery Part 2 — Explorer

Before continuing with this article, please go over Part 1 of the series to learn about the basics of Cyber Vault and the Dashboard interface.

The Explorer interface allows you to observe how the network evolves over time. It aids in the exploratory analysis of anomalous behavior and helps uncover patterns of concerns that need to be addressed.

If you select the ‘All’ option from the subnet dropdown, then a special summary view is displayed. It represents an aggregated sum of all live hosts, and TCP and UDP ports across all subnets.

It shows the state of the entire network at a particular point in time.

You can use this to quickly investigate different states of the network and observe how hosts and discovered concerns change over time. To see an individual subnet you can select it from the dropdown. The graph will change from an aggregated view to a single subnet view.

The timeframe dropdown controls how far back to populate the network map. The options vary from the Past Hour to the Past Month. Once you select a timeframe the network map will be updated.

Network Map

The network map is interactive. You can zoom in and out and also you can do a selection zoom. The graph can be exported as an image or CSV file.

In order to visualize different states of the network, you can use the network map graph. In contrast to the Dashboard network graph, which looks identical, the Explorer interface provides an additional interaction with the network map. To select a specific historic network snapshot you can click on a point on the map. The selection will be acknowledged by a graph annotation that clearly shows what was selected. The time field above the graph will also be updated to reflect the selection. Using the interactive network map you can quickly navigate through different stages of your network. This gives you control and visibility of the entire history of your network.

The insights of Cyber Vault’s Explorer tool can help with forensics investigations and answer the question: how did the network evolve over time. You can see what hosts were live and what ports were open at what time. This gives IT administrators an indispensable tool for analyzing their network and discovering patterns of anomalous behavior.

The rest of the interface looks very similar to the Dashboard interface. It shows you details of all live hosts and their identified open ports and concerns.

The TCP and UDP Port Summary tables will show all open ports in the network snapshot and the services running behind them. An important distinction between the Explorer view and the Dashboard view is that the Explorer view will show you the network summary at an exact point in time while the Dashboard view will show an aggregated view of the entire time frame. For example, in the Explorer view you can see that at some points in time the same host can have different number of open ports over the past 24 hours. But the Dashboard view summarizes all open ports in the past 24 hours regardless of when they were open.

The Explorer interface aligns with how applications run behind the open ports. Sometimes a user can open an application to do some work. During this time the application can open a port. Once the user is done with the application, the port will be closed. Because Cyber Vault’s discovery sensor continuously monitors the network, it can detect ephemeral open ports. This means that an open port discovered at one time might be currently closed. An actual inspection of the host will determine the current status of a port. The latest network snapshot can also be used to see if a port was last seen as open.

Ephemeral ports can be a security concern. If an intruder observes them in an open state she can launch an attack. It is a good security practice to investigate why a port was open and take mitigation steps to make sure it is secured. This can be achieved by uninstalling the underlying application that opened the port or creating a firewall rule to filter it.

The Explorer interface gives network administrators important clues of what applications run on a host over time. This information can identify additional concerns that appear only during certain times of the day or certain days of the week. This is how Cyber Vault can deliver constant visibility across the entire network.

The Explorer interface can also help understand how hosts go up and down on the network. This can be used for troubleshooting when a known host goes down but it is supposed to be up. With the Explorer interface you can see the exact time a host goes down. Additionally you can investigate new live hosts that are not supposed to be on the network. You can browse the network’s snapshots and identify when a host went live. For example, if a host is going live at odd hours of the day, say 2 AM every morning, and then shuts down after 2 hours of work then this might be a sign of suspicious activity. Moreover, if an unrecognized host appears on the network you’ll be able to immediately see when this happened and what ports and applications were running on the host.

The Explorer tool can show you how your hosts change over time, when they come online and when they go offline and as they come online what open ports and what applications are running on them. These insights help IT administrator learn about their network and keep it secure.

Cyber Vault’s Explorer interface shows how your network evolves over time. It can help detect anomalous patterns and zoom in on the exact time they’ve occurred. It is an indispensable forensics tool that will help uncover areas of concerns that were hidden before. And finally, it is an exploration tool that will help you understand your network on a deeper level.

Originally published at https://www.cybervault.app on March 18, 2022.