March 23, 2021

Cyber sec company presented netflow data

We’ve received a threat identification report from a cyber sec company which was hired by a higher-up in our management, as they are somehow privately connected.

Besides containing a lot of information about certificates, cipher suites, et cetera, which you can gather no problem via public access, it also contains very specific traffic flow data. This data consists of timestamps, src ip, dst ip, protocol/ports, bytes/packets received/sent. One endpoint of those datasets is always one of our public IPs (with legitimate services) and the other some remote IP. We’ve checked our firewalls and could confirm those connection attempts happened and the report was somehow accurate; only the reported bytes/packets were always way off.

As they didn’t have access to our infrastructure at all, they must’ve collected the data either on the remote endpoint or at a hop in between. The remote IPs all belong to two relatively popular hosters in the US, while we are EU based.

I was wondering if any of you are aware of US-based hosting companies selling netflow data? Is this a US thing or a general occurrence?
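The check described in the post (confirming the report's flows against our own firewall logs and noticing the byte/packet counts are off) can be scripted as a reconciliation pass. The following is an added example, not code from the post or the report; the CSV layout, the 60-second matching window, the 25% count tolerance and the documentation-range IPs are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Flow:
    ts: datetime      # flow start time (UTC)
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int
    packets: int

def parse_flows(text: str) -> list[Flow]:
    """Parse constructed CSV lines: ts,src,dst,proto,dport,bytes,packets."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, dport, nbytes, pkts = (f.strip() for f in line.split(","))
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, proto, int(dport), int(nbytes), int(pkts)))
    return flows

def reconcile(reported, ours, window=timedelta(seconds=60), tolerance=0.25):
    """Match each reported flow to our own log by (src, dst, proto, dport) within `window`;
    classify as 'unseen' (no match), 'counts_off' (bytes or packets differ by more than
    `tolerance` of our value) or 'ok'. Returns a list of (reported, status, our_match)."""
    def off(a, b): return abs(a - b) > tolerance * max(b, 1)
    results = []
    for r in reported:
        key = (r.src, r.dst, r.proto, r.dport)
        match = next((o for o in ours if (o.src, o.dst, o.proto, o.dport) == key
                      and abs(o.ts - r.ts) <= window), None)
        if match is None:
            results.append((r, "unseen", None))
        elif off(r.nbytes, match.nbytes) or off(r.packets, match.packets):
            results.append((r, "counts_off", match))
        else:
            results.append((r, "ok", match))
    return results

def summarize(results) -> dict[str, int]:
    """Count flows per status; 'counts_off' on otherwise-matching flows is the pattern in the post."""
    counts = {"ok": 0, "counts_off": 0, "unseen": 0}
    for _, status, _ in results:
        counts[status] += 1
    return counts

# Constructed sample data (documentation-range IPs; 203.0.113.10 stands in for our public IP).
REPORTED = parse_flows("2021-03-20T10:15:02,198.51.100.7,203.0.113.10,tcp,443,48000,60\n"
                       "2021-03-20T11:02:40,198.51.100.22,203.0.113.10,tcp,25,1500,14\n"
                       "2021-03-20T12:30:00,198.51.100.7,203.0.113.10,udp,53,300,2")
OURS = parse_flows("2021-03-20T10:15:05,198.51.100.7,203.0.113.10,tcp,443,3100,12\n"
                   "2021-03-20T11:02:41,198.51.100.22,203.0.113.10,tcp,25,1450,13")
```

Calling `summarize(reconcile(REPORTED, OURS))` on the sample data yields one flow with counts off, one matching flow and one the firewall never saw; a high share of `counts_off` with few `unseen` is what you would expect from flows observed at a sampling or mid-path vantage point rather than at your edge.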
