The Battleground:

The infrastructure of a rural county that has the public works offices such as police department, library, and fire department which is all interconnected.  

The Presumption: 

If an external malicious IP is trying to establish a connection to an internal host, the firewall is responsible for stopping the connection.    

The Discovery: 

One of the members of the NSOC was doing some threat hunting and found a known reported malicious external IP connecting to an internal host. The IP found was connecting to the internal host via SMTP using an executable file. 

Our Solution: 

The customer was notified, and they added a firewall rule to prevent this from occurring again.  

Lessons Learned: 

Just because the port is a known protocol doesn’t mean that it can’t be exploited and cause a breach in a network.