Anatomy of a Comprehensive Security Response

The frontlines of current cyber threat conditions are an interesting combination of rogue threat actors, state-sponsored groups, and Advanced Persistent Threats (APTs). Their intrusions are characterized by stealth, patience, and well-funded, slow-burn campaigns in pursuit of their missions. These threats focus on evading detection while carrying out reconnaissance and weaponization in a deliberate sequence of escalating steps. Even with multiple layers of technical protection, such activity still occurs on the most privileged networks. This is an account of how a recent incident in a protected environment was uncovered through diligence and forensic review.

If you could visualize a successful cyberattack in review, you would see that the journey is a lot like skipping across stones in a river. Here, we are going to dissect such an attack. The object of cybersecurity protections is to review every stone and stop attacks at every possible point. Uncovering threats can rely on automated detection, artificial intelligence, and alerting to varying degrees. However, the information these tools surface still requires analysis and a threat disposition by trained and qualified human beings.

Anatomy of the Incident

Let us dissect an actual security incident, so we can gain an appreciation of what it takes to mitigate the millions of incidents that happen every day.

  • In the pre-dawn hours of a recent morning, the Ntirety Security Operations Center (SOC) received the first of a series of behavioral threat alerts for an endpoint system within a client’s environment.
  • The alert was dispositioned as a potential network ransomware event.
  • An immediate investigation into this system was launched, and it was discovered that a portion of the files on the system were encrypted.
  • The investigation further showed that the operating system was functional, with no observable impact.
  • Tier 2 SOC personnel initiated an immediate network containment action to isolate the threat and prevent any possible further lateral movement.
  • Tier 2 SOC personnel continued to scan logs and immediate network connections for signs of further propagation. As the investigation continued, these findings were negative.
  • The SOC initiated a Root Cause Analysis and determined that the initial Point of Entry for this ransomware attack was an unpatched, externally facing server that DID NOT have standard security products installed.
  • This server was scheduled for decommissioning. Further, an administrator account for this system had been compromised; it used a weak, 8-character password with no history of ever being changed.
  • The affected server was completely compromised, with evidence of complete system encryption.
  • A ransomware note and additional tracking evidence showed the attack was most likely Crylock ransomware, a new variant of Cryakl ransomware.
  • Further investigation uncovered that the attacker(s) were able to log in and install software to maintain remote persistence on the server.
  • System and Security event logs could not be recovered, indicating the logs had been scrubbed.

With the server compromised, the attack attempted to escalate, moving laterally to the endpoint system, where our detection tools were able to catch it before any further damage could be done.

As an epilogue, the customer received guidance and recommendations covering decommissioning the server as soon as possible, wiping and re-imaging the affected workstation, network isolation, strong password enforcement practices, and installation of our advanced security tools throughout all systems in their environment.

The Comprehensive Response

Client environments have all kinds of interesting facets to them that can affect overall security. Sometimes there is a bit of baggage, such as a legacy operating system or application that has no available updates or is tied to legacy by means of licensing, contract, or a functional gap. That legacy OS was the first problem. Missing security tools were the next issue.

From there, we have an unpatched public-facing system, weak and unmanaged privileged passwords, and an open network hop that allowed the attempt to propagate laterally. You can call that an unfortunate mix of vulnerabilities that could have led to a major problem.
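The root-cause chain described in the incident bullets and summarized above (internet-facing, unpatched, no security agent, pending decommission, weak and never-rotated admin password) is the kind of condition a defender can audit for before an alert ever fires. The following is an added example, not Ntirety's tooling or anything from the write-up; the policy thresholds and the inventory records are constructed assumptions.

```python
"""Added example (not Ntirety's tooling): score hosts for the exposure chain
described in the incident: internet-facing, no endpoint security agent,
unpatched, pending decommission, and privileged accounts with weak or
never-rotated passwords. The inventory below is constructed sample data."""
from dataclasses import dataclass, field
from datetime import date

# Assumed policy thresholds; not values from the write-up
MIN_PASSWORD_LEN = 14
MAX_PATCH_AGE_DAYS = 30
MAX_PASSWORD_AGE_DAYS = 90

@dataclass
class Host:
    name: str
    internet_facing: bool
    edr_installed: bool
    last_patched: date
    decommission_pending: bool
    # privileged account -> (password length, last password change or None)
    admin_accounts: dict = field(default_factory=dict)

def audit_host(host: Host, today: date) -> list:
    """Return findings for one host; an empty list means no gaps found."""
    findings = []
    patch_age = (today - host.last_patched).days
    if host.internet_facing and not host.edr_installed:
        findings.append("internet-facing without endpoint security agent")
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"unpatched for {patch_age} days")
    if host.decommission_pending and host.internet_facing:
        findings.append("pending decommission but still reachable from the internet")
    for acct, (pw_len, changed) in host.admin_accounts.items():
        if pw_len < MIN_PASSWORD_LEN:
            findings.append(f"admin {acct}: password length {pw_len} below policy")
        if changed is None or (today - changed).days > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"admin {acct}: password never rotated or older than policy")
    return findings

def prioritize(hosts, today: date) -> list:
    """(name, findings) pairs sorted worst first, clean hosts omitted."""
    scored = [(h.name, audit_host(h, today)) for h in hosts]
    return sorted((s for s in scored if s[1]), key=lambda s: -len(s[1]))

# Constructed inventory mirroring the incident's root causes (sample data only)
INVENTORY = [
    Host("legacy-web-01", True, False, date(2021, 6, 1), True, {"administrator": (8, None)}),
    Host("ws-finance-07", False, True, date(2022, 3, 10), False, {"localadmin": (16, date(2022, 1, 15))}),
]
```

Running `prioritize(INVENTORY, date(2022, 3, 15))` returns only the legacy server, carrying all five findings, while the patched, agent-protected workstation produces none.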

However, comprehensive practices came through in the detection of anomalous events at the first point possible. Our SOC sprang into action according to plan, and we were able to fully ascertain the situation and prevent any further incidents. You can see how one unprotected system has the potential for significant impact, but by layering detection and response throughout the environment, we can mitigate the unknown.

The goals of the Ntirety SOC and the application of comprehensive security principles share common targets. We are focused on minimizing the impact of incidents and breaches on our client organizations. To minimize impact, we focus on responding to incidents quickly and reducing the time it takes to detect them and enact our responses. By effectively remediating security conditions and maintaining security baselines throughout our client environments, we work towards preventing major incidents from occurring.

Detection, analysis, investigation, and remediation are some of the milestone capabilities of our comprehensive defensive systems. In the current and future climate of threat conditions, this is the best available path to uncovering the unknown, revealing hidden threats and adversarial activities, and identifying attacks before they scale.

The New Normal for Cybersecurity

Cybersecurity seems to be making news headlines more and more often. Hackers are becoming more widespread and more efficient, with ransomware attacks up 105% from 2020 to 2021 according to the 2022 Cyber Threat Report. With new virtual realms such as the Metaverse within our reach, it is crucial that proper protocols are put in place.

For a Security Operations Center (SOC), monitoring customer infrastructure activity and quickly mitigating cyber threats is always a top priority, but it is especially important right now as conflict continues between Russia and Ukraine. Current Advanced Persistent Threats (APTs) and destructive malware include:

  1. Disinformation, defacements, Distributed Denial of Service (DDoS) 
  2. Destructive Wiper Communities  
  3. WhisperGate 
  4. HermeticWiper 
  5. IsaacWiper 

All of these attacks are initiated to spread propaganda or disrupt normal operations for businesses and individuals. The destructive wiper families are malware intended to render computer hardware unusable and delete data and programs, with crippling results for the affected businesses.

Following the initial attacks on Ukraine, cyberthreats heightened globally by over 800%. While the Ntirety SOC team has not seen any targeting of Ntirety customers, we know that this could change at any moment, so we remain vigilant. We are continuing to take steps to enhance cybersecurity postures and increase monitoring for cyber threats.

Many data breaches can be traced back to the tiniest flaws, such as a weak or stolen password. As cybercriminal groups grow, it can be difficult for security teams to seal the cracks and fix the bugs fast enough. Protecting your business should be an ongoing effort, as there will always be cyberthreats. It is important to have all the right tools and technologies in place and working together.

Cyber attackers look for access into endpoints: these endpoints are easily discoverable, readily available, and easy to reach. As remote work has become increasingly common, these endpoints, which were once located in relatively secure buildings, have moved outside the four walls of an office. From these endpoints, cybercriminals will steal data and take down critical applications. Malicious attacks can include:

  • Phishing: Users surrender personal information by responding to fake official emails or links to fake websites
  • Malware: “Malicious software” designed to damage or control IT systems (example: ransomware)
  • Man-in-the-middle attacks: Hackers insert themselves between your computer and the web server
  • DDoS: “Distributed Denial of Service”; a network of computers overloads a server with data, shutting it down
  • Internet of Things & Edge Processing: Rogue data theft; user error (not encrypting)
  • SQL Injection Attack: Injects malicious SQL into a database query to make a server divulge potentially sensitive information
  • Cross-Site Scripting: Injects malicious code into a website to target the visitor’s browser

Attackers are continuing to evolve their game and crowdsource their efforts. They can find vulnerabilities and exploit weak points within cyber infrastructures. With the help of Ntirety’s SOC, your business will have eyes on your cyber infrastructure 24x7x365. For more information, watch our recent webinar here and stay tuned for the next blog in this series.