RESEARCH

Case Story: Intruder Detected and Threat Mitigated in 36 Minutes

28th of September 2017

In today’s ever-changing threat landscape, staying on top of sophisticated threat actors is a full-time responsibility for organisations. However, managing these threats full-time presents a challenge for most – and a large portion of security breaches stays undetected for hundreds of days.

Here, we share a story from one of our clients, who successfully detected and mitigated a security breach before the incident escalated to a full-scaled breach and data leak. 

The Challenge

We were approached by an insurance organisation that wanted a reliable, cost-effective way for it to stay on top of its threat management and ensure that it was alerted to any signs or indications of unauthorised access or compromise. 

The organisation already had antivirus and IDS solutions in place, provided by an industry leading vendor. NCC Group’s Security Operations Centre (SOC) was also managing any alerts on the customers 24/7 managed security incident event management (SIEM) solution.

However, with an increasing number of successful attacks typically bypassing these types of defences, the organisation realised it required a more robust approach. It turned to NCC Group, for an advanced Managed Detection and Response (MDR) solution to offer this capability and to replace its current unmanaged IDS solution. 

The Solution

Within two weeks of being brought on board NCC Group’s 24/7 SOC, with support from the Cyber Defence Operations team, were able to inform the insurance organisation about a high severity incident detected by NCC Group’s threat sensor engine that had been implanted onto the network.

The alarm indicated that an internal system within the organisation was communicating with a malicious domain using a suspicious HTTP post string.

Using the network threat sensor and correlating data with the managed SIEM, NCC Group’s SOC operatives were able to triage and analyse the incident and ensure the organisation was alerted in a timely fashion so that it could investigate and take action.

Within 17 minutes of the incident being spotted, NCC Group analysts were able to:

  • Triage the alarm
  • Research the external domain and found that it raised an alarm against the NCC Group Threat Intelligence feed 
  • Use the packet capture technology on the network threat monitoring (NTM) sensor to search for other similar traffic, identifying the date that the internal system started communicating with the suspicious domain
  • Correlated the data in the SIEM to identify that the internal system was in fact a wireless access point and that in the 24-hour period around the incident there were seven PC clients connected to it. This enabled the investigation to be significantly narrowed down

Within a further 19 minutes, the client: 

  • Picked up the incident and started looking at remediation options
  • Identified and turned off the access point
  • Started to investigate the seven potential machines that might have been infected

So, within 36 minutes of the initial alarm being raised, the client was protected from further damage and loss of data from the malware infection.

Thanks to the advanced detection capabilities of the NTM threat sensor, which used indicator of compromise detection based on NCC Group proprietary threat intelligence, the organisation was able to identify a suspicious traffic pattern and take action in order to prevent any further infection or spread across the organisation’s network. 

Conclusions

This case story is a great example of the benefits of MDR solutions that move beyond the traditional protective monitoring and device management provided by a Managed Security Service Provider (MSSP). With a strong focus on 24/7 monitoring, threat detection and a rapid cyber incident response, this enhanced capability can uncover events and activity that may not be observed or detected using traditional alerting and/ or signatures, based on what is known to be malicious. In the case of the insurance company, it would not have been possible to detect, react and respond to an intruder in such a short time frame (36 minutes) without the unique combination of proprietary knowledge, skills and technology that are offered by an advanced Managed Detection and Response (MDR) solution.

An interesting footnote is that at the time the incident was detected by our SOC team, the customers IDS appliance remained in place, (this is standard practice while we tune the MDR solution), however although the IDS was from a market leading vendor it failed to detect this incident.

Read more about our managed security services here, or see Neal Hindocha's advice on how to prepare for a breach in the video below.