
Cyber Breaches and What They Teach Us

Even with all the controls your organization puts in place to guard against cyber-attacks, some efforts from bad actors are bound to get through your defenses. That’s why CyberSheath provides the 24/7 monitoring of our Security Operations Center (SOC). To learn what exactly the SOC does to protect our clients and to understand the potential fallout from recent incidents, I recently sat down with Dr. Mark Hatchel, a senior security analyst, who has worked at the CyberSheath SOC for the past year and a half.

A day in the life of a security analyst

“My role is to triage every alert that comes in. All of the alerts are triggered based on rules we have in place,” Mark shares. “Most are false positives, but some are true positives. I investigate each and every alert to see if we have a compromise in an environment.”

When Mark does encounter a real issue, it is usually because a user was phished and their password stolen, which can put the whole company at risk. “Once we find a compromise, we restrict their user access, block their sign-ins, and contact the customer to make them aware of the situation as we work to get their account secure.”

The SOC provides a layer of protection that helps meet the standards outlined in CMMC. Without an external resource like Mark at our SOC constantly watching for, detecting, and researching potential intrusions, companies would likely be unable to meet the 72-hour requirement for reporting incidents.

All sorts of breaches

Fake IRS form

Mark describes a recent noteworthy alert that came across his computer indicating that one of CyberSheath’s SOC customers had connected to infrastructure associated with an emerging advanced persistent threat group. “Those alerts are urgent because that means that there was no other detection beforehand as it is a very new threat. The only detection was the actual connection.”

In this instance, the user was browsing the genuine IRS website for a form. When they located the resource they needed and clicked on it, instead of downloading the form from the IRS website they were redirected to two Russian websites, and the download arrived as a zip file for the user to open. Had the user opened this file, ransomware would have been installed on the user’s device, demanding payment to unlock the computer in question.

“We tried to duplicate the action by immediately jumping on an isolated device, but the websites were already down. They did the deed and when they found out it wasn’t going to work, they quickly took the sites down,” says Mark. “This was a very sophisticated attack. If it had happened to a business that didn’t have our protection, they definitely would’ve been compromised with ransomware.”

Link from supposed trusted source

Another instance had a user clicking on a link in an email that appeared to have come from one of the user’s trusted companies. Once the link was investigated, it was determined to be another malicious Russian site. Mark called the customer, spoke with the user, and was able to contain the damage after the adversary had gained full access to their account.

Crypto miner installed

Something else happening these days is the unwanted and unnoticed installation of a crypto miner on a machine. Crypto miners consume your computer’s resources to mine cryptocurrency for the adversary’s profit. In this case, the user’s computer was reaching out at regular intervals to a well-known crypto-mining site. Mark shared that this beaconing to a crypto site was the telltale sign, as there were no other indications of the malware. Once the beaconing was detected, they isolated the device and had it re-imaged.
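A detection for the cadence Mark describes, added here as an illustration rather than CyberSheath’s own SOC tooling: it scans constructed proxy log lines and flags a host pair when the destination is on a hypothetical mining-pool watchlist or when it is contacted at near-constant intervals, which also catches periodic callbacks to destinations not yet known to be bad.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log, "<timestamp> <source host> <destination host>" (not real traffic).
SAMPLE_LOG = """\
2024-05-01T09:00:00Z ws-17 updates.vendor.example
2024-05-01T09:00:02Z ws-17 mining-pool.example.invalid
2024-05-01T09:05:02Z ws-17 mining-pool.example.invalid
2024-05-01T09:10:01Z ws-17 mining-pool.example.invalid
2024-05-01T09:12:44Z ws-17 news.example
2024-05-01T09:15:03Z ws-17 mining-pool.example.invalid
2024-05-01T09:20:02Z ws-17 mining-pool.example.invalid
2024-05-01T09:21:10Z ws-04 news.example
"""

# Hypothetical watchlist of known mining-pool hostnames; a real SOC feeds this from threat intel.
MINING_WATCHLIST = {"mining-pool.example.invalid"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, src, dst) from the three-column format above, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3)


def find_beacons(text, min_hits=4, max_jitter=0.2):
    """Return {(src, dst): reasons} for host pairs worth an analyst's attention.

    "watchlist": destination is a known mining pool (any hit count).
    "periodic": at least min_hits contacts with near-constant spacing
    (std dev / mean of the inter-arrival gaps below max_jitter).
    """
    contacts = defaultdict(list)
    for ts, src, dst in parse_log(text):
        contacts[(src, dst)].append(ts)
    findings = {}
    for pair, times in contacts.items():
        reasons = []
        if pair[1] in MINING_WATCHLIST:
            reasons.append("watchlist")
        if len(times) >= min_hits:
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < max_jitter:
                reasons.append("periodic")
        if reasons:
            findings[pair] = tuple(reasons)
    return findings
```

The jitter threshold is the knob to tune: miners and implants often add small random delays, so a check that demands exact spacing will miss them.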

Spearphishing success

There are different types of phishing: some is spam, some is blanket phishing aimed at wide audiences, and some is targeted, as in this case. One of our clients received a phishing email from somebody impersonating one of their executives. The email contained JavaScript disguised as an HTML file. We identified the breach and mitigated the damage.

Bad actors frequently attach a file that appears to be an HTML document but carries JavaScript. The insidious part is that when the user opens it, the script redirects them to the adversary’s website, which then either harvests credentials or loads a second-stage JavaScript payload that executes in the user’s browser or on their machine and can cause considerable damage.
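A triage check for the attachment trick just described, added here as an illustration rather than the SOC’s own tooling: it parses constructed HTML attachment samples and reports indicators such as inline or external script, location redirects, meta refresh, payload-decoding calls, and forms posting outside an assumed ORG_DOMAIN.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachments (not real lures): one mimicking the redirect trick, one benign.
SUSPICIOUS_HTML = """<html><body><p>Invoice attached</p>
<script>window.location.href = "https://portal-login.example.invalid/verify";</script>
</body></html>"""
BENIGN_HTML = "<html><body><h1>Quarterly report</h1><p>See table below.</p></body></html>"

# Assumed organisation domain; forms posting anywhere else are treated as credential harvesting.
ORG_DOMAIN = "example.com"
REDIRECT_RE = re.compile(r"\blocation\s*(\.href|\.replace|\.assign)?\s*[=(]", re.I)
DECODE_RE = re.compile(r"\b(atob|unescape|fromCharCode)\s*\(", re.I)


class AttachmentTriage(HTMLParser):
    """Collects indicators: script tags, redirects, decoding of hidden payloads, external forms."""

    def __init__(self):
        super().__init__()
        self.indicators = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self.indicators.add("external-script" if a.get("src") else "inline-script")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.indicators.add("meta-refresh")
        elif tag == "form":
            host = urlparse(a.get("action") or "").hostname or ""
            if host and host != ORG_DOMAIN and not host.endswith("." + ORG_DOMAIN):
                self.indicators.add("external-form")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # HTMLParser hands script bodies to handle_data as raw text
            if REDIRECT_RE.search(data):
                self.indicators.add("redirect")
            if DECODE_RE.search(data):
                self.indicators.add("decode")


def triage_attachment(html):
    """Return the sorted indicator names found in an HTML attachment body."""
    parser = AttachmentTriage()
    parser.feed(html)
    parser.close()
    return sorted(parser.indicators)
```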

SharePoint compromise

In this case, a user got compromised and the bad actor placed a document in their SharePoint and then sent it out to many other users. “The bad actors were trying to act quickly, but we detected it and we cleared out every single email that they sent it to,” Mark states. “If that wasn’t detected and stopped it could have gotten bad very fast.”

This attack is noteworthy because most users assume that files in a work SharePoint folder are safe documents. Placing malicious files in a location where a user’s guard is down is more likely to lead to that user being compromised.

If you suspect that someone in your organization has been the victim of a cyberattack, time is of the essence. If you would like some assistance in securing your environment, contact us to learn more about how our security operations center speeds incident response and helps mitigate damage.
