Malware and ransomware are becoming all too common. Left unchecked, these threats can devastate corporate networks, as happened to Maersk when the NotPetya attack was unleashed against Ukraine.
While tools like Stealthwatch can help identify which systems have been compromised, a gap exists between identifying the affected clients and taking swift action to prevent a further spread.
What it does
NORRIS visualizes the location and threat assessment of wired and wireless clients, and enables single-button quarantine of malicious clients: APIs automate the VLAN changes and firewall-rule updates that isolate these devices from the rest of the network until a technician can be dispatched to resolve the situation.
How I built it
We built a containerized application stack with a React front-end and an Express back-end. In the front-end, we leveraged Google Maps and placed overlays for the building floor plan and the positioned network clients, which we color-coded by risk and gave "quarantine" and "release" actions for suspicious devices. In the back-end, we created collectors that fetch Meraki API data about network clients and firewall rules, listen to the Meraki Scanning API for device locations, and interrogate StealthWatch for the devices that are behaving suspiciously. We then correlated this data to tag each device with an appropriate risk level in the user interface. When a user "quarantines" a device in the front-end, the back-end uses the Meraki API to apply firewall rules that isolate the device.
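The correlation and quarantine steps described above, as an added JavaScript example (the stack is React/Express) that is not code from the NORRIS project: the client records, Stealthwatch events and baseline rule list are all constructed sample data, and the firewall-rule field names (policy, protocol, srcCidr, and so on) and the { rules: [...] } request body are assumed to follow the Meraki Dashboard API's L3 firewall rule shape; the HTTP call itself is not made here.

```javascript
// Added example, not NORRIS project code: correlate Meraki client records with
// Stealthwatch security events to assign a UI risk level, then build (and undo)
// the per-device deny rule a "quarantine" action would push to the Meraki
// L3 firewall rule list. All sample data below is constructed, and the rule
// field names are an assumption about the Meraki Dashboard API's rule shape.

// Constructed sample of what a Meraki network-clients collector returns.
const merakiClients = [
  { id: "k01", mac: "aa:bb:cc:00:00:01", ip: "10.0.1.10", description: "lobby-laptop" },
  { id: "k02", mac: "aa:bb:cc:00:00:02", ip: "10.0.1.11", description: "hr-printer" },
  { id: "k03", mac: "aa:bb:cc:00:00:03", ip: "10.0.1.12", description: "conf-room-pc" },
];

// Constructed sample of Stealthwatch security events, keyed by source IP.
const stealthwatchEvents = [
  { sourceIp: "10.0.1.10", alarm: "Suspect Data Hoarding", severity: 7 },
  { sourceIp: "10.0.1.10", alarm: "Beaconing Host", severity: 8 },
  { sourceIp: "10.0.1.12", alarm: "Port Scan", severity: 4 },
];

// Map the highest event severity seen for a client onto the UI risk levels.
function riskLevel(events) {
  if (events.length === 0) return "none";
  const max = Math.max(...events.map((e) => e.severity));
  if (max >= 7) return "high";
  if (max >= 4) return "medium";
  return "low";
}

// Join clients to events by IP and tag each client with a risk level and
// the list of alarm names that justify it (shown in the UI on hover).
function correlateClients(clients, events) {
  const byIp = new Map();
  for (const e of events) {
    if (!byIp.has(e.sourceIp)) byIp.set(e.sourceIp, []);
    byIp.get(e.sourceIp).push(e);
  }
  return clients.map((c) => {
    const hits = byIp.get(c.ip) || [];
    return { ...c, risk: riskLevel(hits), alarms: hits.map((h) => h.alarm) };
  });
}

// Tag quarantine rules in the comment field so "release" can find exactly
// the rule this tool added and nothing else.
const ruleTag = (client) => `norris-quarantine:${client.mac}`;

// Insert a deny rule for the client at the top of the rule list so it takes
// precedence over existing allow rules. Idempotent: a second call is a no-op.
function buildQuarantineRules(existingRules, client) {
  const tag = ruleTag(client);
  if (existingRules.some((r) => r.comment === tag)) return existingRules;
  const deny = {
    comment: tag,
    policy: "deny",
    protocol: "any",
    srcCidr: `${client.ip}/32`,
    srcPort: "Any",
    destCidr: "Any",
    destPort: "Any",
    syslogEnabled: true, // log blocked flows so the quarantine is auditable
  };
  return [deny, ...existingRules];
}

// Remove only the rule tagged for this client, leaving all other rules intact.
function buildReleaseRules(existingRules, client) {
  const tag = ruleTag(client);
  return existingRules.filter((r) => r.comment !== tag);
}

// Body of the PUT the back-end would send to the firewall-rules endpoint
// (assumed shape: { rules: [...] }); returned rather than sent.
function quarantinePayload(existingRules, client) {
  return { rules: buildQuarantineRules(existingRules, client) };
}

// Constructed baseline rule list as it might be fetched from the dashboard.
const baselineRules = [
  { comment: "allow all", policy: "allow", protocol: "any", srcCidr: "Any",
    srcPort: "Any", destCidr: "Any", destPort: "Any", syslogEnabled: false },
];

const tagged = correlateClients(merakiClients, stealthwatchEvents);
const high = tagged.filter((c) => c.risk === "high");
console.log(high.map((c) => `${c.description} ${c.ip} -> ${c.alarms.join(", ")}`));
console.log(JSON.stringify(quarantinePayload(baselineRules, high[0]), null, 2));
```

Placing the deny rule first matters because Meraki evaluates L3 rules top-down and ends with an implicit allow; appending it after a broad allow would never match. The comment tag is what makes "release" safe: it removes one rule by exact tag rather than by position, so rules an administrator edited in the dashboard in the meantime are not disturbed.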
Challenges I ran into
The single biggest challenge in trying to create the software was the lack of data in the lab environment. We were quite surprised to find that the lab networks had no clients of any kind, nor was a suitable StealthWatch instance available. We were able to use our in-house CMNA stack to provide the Meraki data. And thanks to WWT's ATC Lab, we were able to secure a StealthWatch instance, a significant perk of being part of the WWT ecosystem.
Accomplishments that I'm proud of
The team had been thinking about this concept for a while, and it was fun and satisfying to see a working solution in a matter of a couple of days.
What I learned
Stealthwatch works very easily with our Meraki network and provides data we otherwise wouldn't have regarding traffic on the network.
What's next for NORRIS
The Thelios team at WWT builds a product for provisioning and monitoring many Meraki networks. NORRIS is an additional monitoring feature that could be introduced in the near future.
Chuck Norris has no affiliation nor endorsement with Thelios, WWT, or NORRIS. Chuck, if you're reading this, please don't roundhouse us, we're just big fans. 🙏