Service Briefs & Use Cases

Customer Use Cases

Ransomware Attack
Malicious Network Traffic
Suspicious Connections to Cloud Services
Mobile Device Threats
Audit Compliance to Avoid PCI Fines


Not-for-profit Healthcare System

ISSUE
WannaCry ransomware kill-switch communications observed on the customer network. This malware infects hosts, encrypts files and installs a backdoor Trojan; on startup it first tries to reach a hard-coded kill-switch domain, so those connection attempts are themselves a reliable sign that a host is infected.

HOW WE DETECTED
The ThreatWatch behavioral analytics platform detected malicious activity. We observed indicators in the customer's network that have been attributed to ransomware infections, specifically WannaCry: ten distinct internal hosts attempted to connect to known WannaCry sinkhole IPs within a short period.
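The detection described above, reduced to its logic, as an added example that is not the page's or ThreatWatch's own code: match outbound flows against an indicator list and alert when the number of distinct internal sources contacting those indicators within a sliding window reaches a threshold. The indicator IPs (TEST-NET-3 addresses), the firewall flow records, and the threshold of three hosts in ten minutes are all constructed for illustration; a real deployment would take the indicator list from a threat feed and the threshold from the customer's baseline.

```python
from collections import deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed indicator list: TEST-NET-3 addresses stand in for the sinkhole IPs a
# real threat feed would supply. These are not actual WannaCry infrastructure.
SINKHOLE_IPS = {"203.0.113.10", "203.0.113.11"}

# RFC 1918 ranges; anything else is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed firewall flow records: "timestamp src dst dport action".
FLOWS = [
    "2017-05-12T09:00:05 10.1.4.22 203.0.113.10 80 deny",
    "2017-05-12T09:00:09 10.1.4.22 203.0.113.10 80 deny",    # same host retrying: counts once
    "2017-05-12T09:01:30 10.2.7.15 203.0.113.10 80 deny",
    "2017-05-12T09:02:00 10.1.4.22 198.51.100.7 443 allow",  # ordinary traffic, not an indicator
    "2017-05-12T09:03:12 10.1.9.40 203.0.113.11 80 deny",    # third distinct host: alert
    "2017-05-12T09:20:00 10.3.0.8 203.0.113.10 80 deny",     # earlier hits have aged out of the window
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    ts, src, dst, dport, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "action": action}


def detect_sinkhole_cluster(lines, threshold=3, window=timedelta(minutes=10)):
    """Alert when `threshold` distinct internal hosts contact an indicator IP within `window`.

    Denied connections count too: for this family the attempt is the infection signal,
    so the firewall verdict is deliberately ignored. Returns a list of
    (alert_time, sorted list of offending internal hosts).
    """
    recent = deque()      # (timestamp, src) indicator hits inside the sliding window
    reported = set()      # hosts already included in an alert
    alerts = []
    for line in lines:
        f = parse_flow(line)
        if f["dst"] not in SINKHOLE_IPS or not is_internal(f["src"]):
            continue
        recent.append((f["ts"], f["src"]))
        while recent and f["ts"] - recent[0][0] > window:
            recent.popleft()
        hosts = {src for _, src in recent}
        # Re-alert only when a host not yet reported joins the cluster.
        if len(hosts) >= threshold and hosts - reported:
            alerts.append((f["ts"], sorted(hosts)))
            reported |= hosts
    return alerts


if __name__ == "__main__":
    for when, hosts in detect_sinkhole_cluster(FLOWS):
        print(f"{when.isoformat()} {len(hosts)} internal hosts contacting sinkhole IPs: "
              f"{', '.join(hosts)}")
```

On the constructed flows the rule fires once, at 09:03:12, listing the three hosts seen in the preceding ten minutes; the later hit at 09:20:00 is a single host in a fresh window and does not fire on its own. Counting distinct sources rather than raw connections is what separates a spreading infection from one machine retrying.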

HOW WE RESPONDED
A notification describing the potential malicious activity was sent using our proprietary SORAD alert notification. We provided a list of all the unique IPs associated with WannaCry plus recommended actions to contain, remediate and mitigate any existing or future infections.

CUSTOMER RESPONSE AND FOLLOW-UP

Early notification enabled the customer to address the issue proactively and prevent any encryption. Although the connections were denied, the customer disconnected Internet access for several days to investigate further and identify the initial point of compromise. In the period immediately after the detection the company remained on high alert, and we continued to monitor their traffic to confirm that the indicators were no longer present in their network.


Large State Judiciary System

ISSUE
Suspicious outbound FTP connection allowed through the firewall to a “not normal” destination.

HOW WE DETECTED
The ThreatWatch 2.0® network behavioral analytics platform detected the anomaly: an outbound FTP session to a destination outside the customer's normal traffic baseline.

HOW WE RESPONDED
A notification describing the potential malicious activity (possible data exfiltration) was sent using our proprietary SORAD™ alert notification.

CUSTOMER RESPONSE AND FOLLOW-UP

The customer's investigation determined that the FTP connection was malicious, which resulted in a change to the firewall rules to block the traffic. We added the attacker's profile to our consolidated threat-reputation monitoring to improve future alert confidence and watch for similar threats.


Mid-Size Bank

ISSUE
Unauthorized sharing of documents: users connecting to file-sharing services, and exploitation of vulnerabilities in a remote-control service.

HOW WE DETECTED
Through integration of our cloud security monitoring service, we detected the behavior by observing abnormal network traffic patterns and URL access requests.

HOW WE RESPONDED
When we detect activity that is not inherently indicative of a compromise but is nonetheless suspicious, the notification states our level of confidence in the finding, explains the potential risk and recommends steps for validating the threat.

CUSTOMER RESPONSE AND FOLLOW-UP

The customer disabled the specific user accounts associated with the activity. Further investigation confirmed an instance of custom malware designed to harvest customer banking and account information.


Retailer with E-Commerce Presence

ISSUE
Command-and-control traffic indicating botnet-type malware connecting to a China-based control server.

HOW WE DETECTED
Malware command-and-control (C&C) traffic patterns were detected, and reputation analysis of the destination system positively identified it as malicious.
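The two signals combined above, a C&C traffic pattern and a destination reputation hit, as an added example that is not the page's or the SOC's own code. The traffic pattern used here is beaconing: connections from one internal host to one destination at near-regular intervals, measured as the coefficient of variation of the inter-arrival times. The connection log, the reputation entry (a TEST-NET-2 address standing in for the control server), and the thresholds of six connections and 15% jitter are constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed reputation data; a real service would consult its own threat-reputation feed.
BAD_REPUTATION = {"198.51.100.23": "known C&C server"}

# Constructed connection log: "timestamp src dst dport". The first host checks in
# roughly once a minute (a beacon); the second is ordinary, irregular browsing; the
# third touches the bad destination only a few times.
CONNECTIONS = [
    "2019-03-04T10:00:00 192.168.50.77 198.51.100.23 443",
    "2019-03-04T10:01:02 192.168.50.77 198.51.100.23 443",
    "2019-03-04T10:02:01 192.168.50.77 198.51.100.23 443",
    "2019-03-04T10:03:03 192.168.50.77 198.51.100.23 443",
    "2019-03-04T10:04:00 192.168.50.77 198.51.100.23 443",
    "2019-03-04T10:05:02 192.168.50.77 198.51.100.23 443",
    "2019-03-04T10:06:01 192.168.50.77 198.51.100.23 443",
    "2019-03-04T10:07:03 192.168.50.77 198.51.100.23 443",
    "2019-03-04T10:00:00 192.168.50.12 203.0.113.5 443",
    "2019-03-04T10:00:03 192.168.50.12 203.0.113.5 443",
    "2019-03-04T10:00:45 192.168.50.12 203.0.113.5 443",
    "2019-03-04T10:03:10 192.168.50.12 203.0.113.5 443",
    "2019-03-04T10:03:11 192.168.50.12 203.0.113.5 443",
    "2019-03-04T10:07:50 192.168.50.12 203.0.113.5 443",
    "2019-03-04T10:08:00 192.168.50.12 203.0.113.5 443",
    "2019-03-04T10:15:00 192.168.50.12 203.0.113.5 443",
    "2019-03-04T10:02:30 192.168.50.30 198.51.100.23 443",
    "2019-03-04T10:09:15 192.168.50.30 198.51.100.23 443",
    "2019-03-04T10:31:40 192.168.50.30 198.51.100.23 443",
]


def parse_conn(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def beacon_candidates(lines, min_connections=6, max_jitter=0.15):
    """Score each (src, dst, dport) pair on periodicity and destination reputation.

    Periodicity needs at least `min_connections` samples; jitter is the population
    standard deviation of the inter-arrival gaps divided by their mean, so a host
    checking in every 60 s give or take a couple of seconds scores near zero.
    A reputation hit is reported even when there are too few samples to judge timing.
    """
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_conn(line)
        by_pair[(src, dst, dport)].append(ts)

    results = {}
    for (src, dst, dport), stamps in by_pair.items():
        rep = BAD_REPUTATION.get(dst)
        periodic, mean, jitter = False, None, None
        if len(stamps) >= min_connections:
            stamps.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            mean = statistics.mean(gaps)
            jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
            periodic = jitter <= max_jitter
        if periodic and rep:
            verdict = "confirmed C&C"       # pattern and reputation agree
        elif periodic:
            verdict = "possible beacon"     # regular timing, unknown destination
        elif rep:
            verdict = "bad destination"     # reputation only, timing inconclusive
        else:
            continue
        results[(src, dst, dport)] = {"count": len(stamps), "mean_interval": mean,
                                      "jitter": jitter, "reputation": rep,
                                      "verdict": verdict}
    return results


if __name__ == "__main__":
    for (src, dst, dport), r in beacon_candidates(CONNECTIONS).items():
        print(f"{src} -> {dst}:{dport} {r['verdict']} ({r['count']} connections, "
              f"jitter={r['jitter']})")
```

Run on the constructed log, the Android-style host at 192.168.50.77 comes out as "confirmed C&C" (eight connections, jitter about 0.03), the irregular browser at 192.168.50.12 is not reported at all, and 192.168.50.30 is reported on reputation alone. Keeping the two signals separate in the verdict is what lets the notification state a confidence level rather than a bare "malicious".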

HOW WE RESPONDED
The Security Operations Center (SOC) notified the customer by phone and e-mail, describing the potential impact of the compromised device and recommending how to check the device for malware and reimage or clean it.

CUSTOMER RESPONSE AND FOLLOW-UP

The investigation determined that the device was a malware-infected personal Android device connected to the production wireless network. The device was blocked from future access to the network.


Large Retailer

ISSUE
The customer had to prepare for and pass an external audit within 90 days in order to avoid penalties of up to $100,000 per month. According to Gartner, achieving PCI compliance (Level 1) can cost up to $1 million.

OUR SOLUTION

  • Audit Efficiency – a single pane of glass where the customer could easily generate the necessary reports to demonstrate compliance
  • Address PCI Requirements – successfully perform the required logging of devices within the customer's Cardholder Data Environment
  • Monitor Compliance – establish metrics, baselines, and reporting to provide on-going information regarding compliance posture

VALUE TO THE CLIENT

  • Affordable solution implemented within the customer’s deadline
  • Timely response to potential compliance or audit findings, with the capability to identify, examine and manage security compliance issues in near real time and on a reporting-period basis
  • Good for business – Retailer maintains their customers’ trust by safeguarding their credit card data

