Service Briefs & Use Cases

Customer Use Cases


Not-for-profit Healthcare System

ISSUE
WannaCry ransomware kill-switch communications observed on the customer network. This malware infects hosts and encrypts files while installing a backdoor Trojan.

HOW WE DETECTED
The ThreatWatch behavioral analytics platform detected malicious activity. We observed indicators in the customer's network that have been attributed to ransomware infections, specifically WannaCry: ten unique internal hosts attempted to connect to known WannaCry sinkhole IPs within a short period of time.
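The detection described above amounts to counting distinct internal hosts that reach known sinkhole addresses inside a short window. The following is an added illustration of that logic, not ThreatWatch code: the flow records, the sinkhole list (documentation-range placeholders) and the internal ranges are constructed, and the ten-minute window and five-host threshold are assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed flow records: (timestamp, source IP, destination IP, dest port).
# The 203.0.113.x addresses are documentation-range placeholders standing in
# for a sinkhole list; they are not real WannaCry sinkhole IPs.
FLOWS = [
    ("2017-05-12T10:00:05", "10.1.2.11", "203.0.113.10", 80),
    ("2017-05-12T10:00:20", "10.1.2.12", "203.0.113.10", 80),
    ("2017-05-12T10:00:41", "10.1.2.13", "203.0.113.11", 443),
    ("2017-05-12T10:01:02", "10.1.2.11", "203.0.113.10", 80),   # same host again
    ("2017-05-12T10:01:30", "192.168.5.7", "203.0.113.11", 443),
    ("2017-05-12T10:02:10", "10.1.2.14", "203.0.113.10", 80),
    ("2017-05-12T10:02:55", "10.1.2.15", "203.0.113.11", 443),
    ("2017-05-12T10:03:00", "10.1.2.16", "198.51.100.9", 443),  # not a sinkhole
    ("2017-05-12T10:03:12", "198.51.100.20", "203.0.113.10", 80),  # external source
    ("2017-05-12T11:30:00", "10.1.2.40", "203.0.113.10", 80),   # lone hit, no burst
]
SINKHOLES = {"203.0.113.10", "203.0.113.11"}  # constructed placeholder list
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def sinkhole_bursts(flows, sinkholes=SINKHOLES, window=timedelta(minutes=10), min_hosts=5):
    """Alert when at least min_hosts distinct internal hosts contact a sinkhole
    address within one window. Returns a list of alert dicts."""
    hits = sorted(
        (datetime.fromisoformat(ts), src, dst)
        for ts, src, dst, _port in flows
        if dst in sinkholes and is_internal(src)
    )
    alerts, start = [], 0
    while start < len(hits):
        t0 = hits[start][0]
        in_window = [h for h in hits[start:] if h[0] - t0 <= window]
        hosts = sorted({src for _, src, _ in in_window})
        if len(hosts) >= min_hosts:
            alerts.append({"start": t0.isoformat(), "hosts": hosts,
                           "sinkholes": sorted({dst for _, _, dst in in_window})})
            start += len(in_window)  # skip past this burst; one alert per burst
        else:
            start += 1  # slide the window forward one hit
    return alerts

if __name__ == "__main__":
    for alert in sinkhole_bursts(FLOWS):
        print(f"{alert['start']}: {len(alert['hosts'])} hosts -> {alert['sinkholes']}")
```

The external source and the non-sinkhole destination are ignored, and the isolated hit at 11:30 never reaches the threshold, so the sample produces a single alert naming six internal hosts.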

HOW WE RESPONDED
A notification was sent describing potential malicious activity using our proprietary SORAD alert notification.  We provided a list of all the unique IPs associated with Wanna Cry plus recommended actions to contain, remediate and mitigate any existing or future infections.

CUSTOMER RESPONSE AND FOLLOW-UP

Early notification enabled the customer to address the issue proactively and prevent any encryption. Although the connections were denied, the customer disconnected Internet access for several days to investigate further and identify the initial point of compromise. In the period immediately after the detection, the company remained on high alert and we continued to monitor its traffic to ensure the indicators were no longer present in the network.


Large State Judiciary System

ISSUE
Suspicious outbound FTP connection allowed through the firewall to a “not normal” destination.

HOW WE DETECTED
The ThreatWatch 2.0® network behavioral analytics platform detected the anomaly.

HOW WE RESPONDED
A notification was sent describing potential malicious activity (possible data exfiltration) using our proprietary SORAD™ alert notification.

CUSTOMER RESPONSE AND FOLLOW-UP

The customer's investigation determined that the FTP connection was malicious, which resulted in a firewall rule change blocking the traffic. We added the attacker's profile to our consolidated threat reputation monitoring to improve future alert confidence and to watch for similar threats.


Mid-Size Bank

ISSUE
Unauthorized sharing of documents, involving users connecting to file-sharing services and exploiting vulnerabilities in a remote-control service.

HOW WE DETECTED
Through integration of our cloud security monitoring service, we detected the behavior by observing abnormal network traffic patterns and URL access requests.

HOW WE RESPONDED
When we detect activity that is not inherently indicative of a compromise but is nonetheless suspicious, our notification states the level of confidence we have in the finding, explains the potential risk and recommends steps for validating the threat.

CUSTOMER RESPONSE AND FOLLOW-UP

The customer was able to disable the specific user accounts associated with the activity. Further investigation revealed a confirmed instance of custom malware designed to harvest customer banking and account information.


Retailer with E-Commerce Presence

ISSUE
Command & Control traffic indicating a “botnet” type of malware that was connecting to a China-based control server.

HOW WE DETECTED
Malware Command & Control (or “C&C”) traffic patterns were detected along with positive identification of malicious activity from our reputation analysis of the destination system.

HOW WE RESPONDED
The Security Operations Center (SOC) provided phone and e-mail notification describing the potential impact of the compromised device, with recommendations on how to check the device for malware and reimage or clean it.

CUSTOMER RESPONSE AND FOLLOW-UP
Investigation determined that the device was a malware-infected personal Android device connected to the production wireless network. The device was blocked from future access to the network.
