The workforce is in constant flux, and every change leaves gaps an attacker can use. Attackers are becoming more capable and more aggressive, and they show no sign of slowing down.
Several articles and speeches have encouraged businesses and organizations to upgrade and improve their cybersecurity defenses. The White House recently put it plainly: “All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location.”
A cyberattack can happen when you least expect it and at the most inconvenient time. For a business that is not prepared or equipped to respond to a security incident on its own, calling on a managed services provider (MSP) with access to the right specialized resources can be the best option during a breach. In this post, I’ll walk through how a large ecommerce service provider spotted malware in email sent to its customers, which led to the discovery of a much more extensive intrusion that our MSP team helped contain and remediate by escalating it.
The Incident
Our customer, Pseudocorp, operated two separate environments: an internal infrastructure for corporate use and an ecommerce infrastructure used by its consumers. When Pseudocorp’s consumers reported receiving emails that appeared to come from Pseudocorp’s Exchange server, our MSP team was called in to help restore the server quickly. After the restore, our team looked further into the issue and found that a Pseudocorp employee laptop infected with malware was responsible for relaying the emails to customers. Although the initial infection vector was not yet known, our team followed the appropriate playbooks to quickly contain that individual threat.
The following week, three more workstations in the corporate environment were found to be infected with malware. At this point, Pseudocorp’s lean IT team gave our MSP team complete visibility into their network. An initial scan of the environment turned up a long list of issues, including malware on 30 systems and rogue devices accessing the network.
Working with our dedicated Security Operations Center (SOC), our MSP team identified a much bigger issue than a workstation or two infected with malware. Following the workflows defined in our IT service management (ITSM) platform, we determined it was necessary to escalate to our cybersecurity team to handle the incident response from that point on.
The Escalation
Our managed services practice is fully integrated into our professional services practice, allowing our MSP team to quickly and easily escalate issues to highly specialized personnel on other teams, such as cybersecurity, cloud, and networking, when necessary. This was one of those situations, as Pseudocorp’s malware problem had essentially taken its corporate operations offline. Email was halted, so accounting could not send invoices or generate revenue. Customer response times increased because many employee devices were compromised, and no staff on the corporate network were available to manage the ecommerce environment. With that environment still up and serving Pseudocorp’s customers, the situation was like a NASA control center emptied while a space shuttle was still in flight.
The escalation by MSP set in motion the formation of a new response team:
- Technical Project Manager to manage the team and help orchestrate duties across members
- Risk and Compliance Specialist to validate threats and determine compliance risks
- Security Technology Consultant to build the defense strategy
- Cloud Application Consultant to review Active Directory and assist with remediation in terms of patching, configuration, and integration needs
After further scans of the environment, the newly formed team confirmed that Pseudocorp was under active attack. They assembled a coordinated defense strategy:
- Seal the perimeter. All known ports associated with Trickbot were blocked, and a new next-generation firewall was deployed for enhanced visibility.
- Cut access. Password resets were forced across Pseudocorp’s employees, with special attention to accounts holding privileged access.
- Eliminate the attacker’s command-and-control capability. Cisco Umbrella was deployed, providing cloud-delivered DNS-layer security that blocks known bad connections.
- Mitigate lateral movement with Cisco AMP for Endpoints.
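The “Cut access” step above is the one that most often goes wrong under time pressure: privileged accounts get missed because they sit in nested groups, or everyone is reset at once and the help desk collapses. The following PowerShell is an added example of how that step can be carried out against an on-premises Active Directory domain using the RSAT ActiveDirectory module. It is not Converge’s or Pseudocorp’s code; the privileged group list, the user OU path, and the krbtgt reset (which goes a step beyond what the post describes, since a Kerberos golden ticket survives every user reset until krbtgt itself changes) are assumptions added here. Run it from an administrative session on a domain-joined host.

```powershell
# Added example (not code from the original post): forced credential reset
# for an AD domain during an active intrusion. Group names, OU path and the
# krbtgt step are assumptions, not details taken from the Pseudocorp incident.
Import-Module ActiveDirectory

# Assumption: these are the groups whose members count as privileged here.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')
# Assumption: ordinary user accounts live under this OU.
$UserOU = 'OU=Users,DC=pseudocorp,DC=local'

function New-RandomPassword {
    param([int]$Length = 24)
    $alphabet = [char[]](33..126)   # printable ASCII, 94 symbols
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        # Rejection sampling: 188 = 2 * 94, so accepted bytes map uniformly
        # onto the alphabet instead of the slightly biased "byte % 94".
        if ($buf[0] -lt 188) { [void]$sb.Append($alphabet[$buf[0] % 94]) }
    }
    $sb.ToString()
}

# 1. Enumerate privileged users: recursive membership of the groups above,
#    plus anything AdminSDHolder has stamped with adminCount=1, which catches
#    accounts that were once privileged and may still be interesting to an attacker.
$privileged = @(foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user'
})
$privileged += @(Get-ADUser -Filter 'adminCount -eq 1')
$privileged  = $privileged | Sort-Object -Property SamAccountName -Unique

# 2. Privileged accounts: reset immediately to a random value nobody knows,
#    then require a change at next logon so the user re-enrols via the help desk.
#    A stolen hash or a ticket derived from the old password is now useless.
foreach ($u in $privileged) {
    $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $u.SamAccountName -Reset -NewPassword $pw
    Set-ADUser -Identity $u.SamAccountName -ChangePasswordAtLogon $true
    Write-Output "Reset privileged account $($u.SamAccountName)"
}

# 3. Everyone else: force a change at next logon rather than a bulk reset,
#    so staff can keep working while the incident is still being contained.
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $UserOU |
    Where-Object { $privileged.SamAccountName -notcontains $_.SamAccountName } |
    Set-ADUser -ChangePasswordAtLogon $true

# 4. krbtgt (assumption, beyond the post): reset it so forged TGTs stop validating.
#    Run this once now, wait for full domain replication, then run it again;
#    the second reset is what invalidates tickets signed with the old key.
function Reset-Krbtgt {
    $pw = ConvertTo-SecureString (New-RandomPassword -Length 32) -AsPlainText -Force
    Set-ADAccountPassword -Identity 'krbtgt' -Reset -NewPassword $pw
    Write-Output "krbtgt reset at $(Get-Date -Format o); repeat after replication completes"
}
Reset-Krbtgt
```

The order matters: privileged accounts first, because those are the credentials an attacker with a Trickbot foothold is actively using, then the general population, then krbtgt. Resetting krbtgt before replication has settled, or twice in quick succession, will break Kerberos for every user, which is why the second reset is deliberately left as a manual step.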
With the proper technical controls in place and the Converge incident response team concluding their investigation, Pseudocorp was able to operate at full capacity again, confident that stronger defenses were now in place.
The Takeaway
With any attack on your business, it is critical to act fast with a solid plan. Cybersecurity Ventures predicts that cybercrime damages will cost the world $6 trillion annually by the end of this year. In 2020, the published average cost of a data breach was $3.86 million, enough to cripple or completely take out many businesses.
Every attack is different, and the standard MSP model at other organizations isn’t built to be this vigilant against an active attacker. Our team’s processes and controls, integrated SOC, and ability to escalate issues and quickly pull top-tier resources from across North America are what truly brought this active attack to an end, potentially saving the business from a complete shutdown.
Can you calculate the cost of downtime in the event your organization is under attack? Who is watching the alerts in your environment? Are they doing so around the clock? If you’re unsure of your answers to those questions, your organization should take advantage of our world-class managed services team’s experience, expertise, and business focus. Converge’s Managed Services free the CIO and IT department from admin tasks, giving them the time they need to focus on bringing value to their company’s business. Engage with an expert today to get started.