
Cyber Security Incident Response Team Thwarts Ransomware Attack On Distributor

Posted: Apr 2023


The Client

A multi-million-dollar distribution and supply company.

Incident Detection and Analysis

In August of 2021, the Bridgehead IT Security Team was notified of suspicious activity while rolling out an Endpoint Detection and Response platform (EDR). The client’s IT Director, Account Manager, and Chief Security Officer were notified. Consequently, Bridgehead’s Cyber Security Incident Response Team was called in to investigate.

Through review of Microsoft Defender for Endpoint (MDE) logs and system artifacts obtained during the investigation, it was confirmed that threat actors were in the client’s environment, ready to deploy an encrypting agent on files tagged for ransom. Administrator credentials had been compromised, allowing the threat actors to disable antivirus programs and providing a mechanism for lateral movement of the ransomware from its original point of entry.

An inventory was taken, which determined that many servers and workstations network-wide had been accessed remotely and targeted for ransomware encryption. Furthermore, the threat actor had partially compromised the backup system.
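As an added illustration, not Bridgehead IT’s tooling or the client’s data, the following Python sketch shows the kind of correlation such a log review performs: it finds an account that disables antivirus on one host and then logs on remotely to several other hosts within a short window. The simplified event shape, account and host names, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified MDE-like shape (not real client data).
# Each tuple: (timestamp, device, account, action).
EVENTS = [
    ("2021-08-10T02:01:00", "ws-17",   "corp\\itadmin", "RemoteLogon"),
    ("2021-08-10T02:03:30", "ws-17",   "corp\\itadmin", "AntivirusDisabled"),
    ("2021-08-10T02:10:00", "srv-fs1", "corp\\itadmin", "RemoteLogon"),
    ("2021-08-10T02:11:00", "srv-fs1", "corp\\itadmin", "AntivirusDisabled"),
    ("2021-08-10T02:25:00", "srv-bk1", "corp\\itadmin", "RemoteLogon"),
    ("2021-08-10T09:00:00", "ws-04",   "corp\\jdoe",    "RemoteLogon"),
    ("2021-08-12T14:00:00", "ws-22",   "corp\\itadmin", "RemoteLogon"),
]

# Action names that indicate protection was turned off (assumed labels).
TAMPER_ACTIONS = {"AntivirusDisabled", "TamperProtectionDisabled"}


def find_tamper_then_spread(events, window=timedelta(hours=1), min_hosts=2):
    """Return {account: sorted hosts} for every account that disabled AV on
    some host and then logged on remotely to at least `min_hosts` distinct
    hosts within `window` after its first tamper event.
    Detection-only logic; the window and host threshold are illustrative."""
    parsed = sorted(
        (datetime.fromisoformat(ts), dev, acct, act) for ts, dev, acct, act in events
    )
    # First AV-tamper timestamp per account marks the start of the window.
    first_tamper = {}
    for ts, _dev, acct, act in parsed:
        if act in TAMPER_ACTIONS and acct not in first_tamper:
            first_tamper[acct] = ts
    # Collect remote logons by the same account inside the window.
    spread = defaultdict(set)
    for ts, dev, acct, act in parsed:
        t0 = first_tamper.get(acct)
        if t0 is None or act != "RemoteLogon":
            continue
        if t0 <= ts <= t0 + window:
            spread[acct].add(dev)
    return {a: sorted(h) for a, h in spread.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for account, hosts in find_tamper_then_spread(EVENTS).items():
        print(f"AV tampering followed by remote logons by {account}: {hosts}")
```

The logon on ws-17 before the tamper event and the logon two days later fall outside the window, so only the two hosts reached shortly after antivirus was disabled are reported.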

Threat Timeline

  • Initial access gained through social engineering.
  • Compromised administrator credentials disabled the client’s antivirus programs and facilitated lateral movement within systems.
  • Early discovery of suspicious activity allowed response teams to act quickly, mitigating the spread of malware.
  • The Centralized Computer Security Incident Response Team (CSIRT) ensured threats were no longer present in the environment.
  • Team presented recommendations to help prevent future attacks and strengthen client security.
  • Deployed security strategies to minimize losses and help the client recover quickly.

Swift Response, Detection, and Remediation

Bridgehead IT was working with a long-time client to implement a recommended solution to improve their security: Endpoint Detection and Response (EDR) / Extended Detection and Response (XDR). Bridgehead IT works as a partner with its clients to provide technology solutions tailored to each business’s needs. As technology and threats change, Bridgehead IT and its team of experts are there to advise on best practices.

While deploying MDR/XDR, Bridgehead IT noticed suspicious activity. Bridgehead IT swiftly alerted key team members within the client’s organization to assess the scope of the threat. It was determined that, through email phishing, the attackers had gained access to critical administrator-level systems and disabled antivirus programs. The threat actors then moved laterally throughout the network, targeting servers and workstations and exfiltrating data. Once the incident response team had ascertained the scope of the threat, steps to eradicate the threats and recover data were initiated.

Among the key aspects of the recovery effort were terminating critical access points, requiring password changes across all systems, and rebuilding impacted servers and workstations. Targeted malware removal was used to further ensure hardware was clean. Location-based GEO-IP filtering rules, layered segmentation of domains, and a LAN-side capture utility were incorporated into security appliance hardening. Images and artifacts were then prepared for the forensics team.

Thanks to the diligent, quick actions of the incident response team, it was established that the client was under a ransomware attack. Once deployed, such malware spreads across the network, affecting both the server and workstation environments, but the threat actors were caught before this could happen.

After Incident Resolution: Beyond the Breach

Preparing for a more secure future, Bridgehead IT stays ahead of technology trends so that relevant recommendations can be provided to support the client. Approaching cyber security proactively, an annual security risk analysis across all client IT systems is conducted. Additionally, end-user security awareness training, real-time internal vulnerability scans, and Security Information and Event Management (SIEM) are incorporated into the long-term scope.

With controls in place so that the client can take their incident response and planning to the next level, they will be protected in today’s ever-changing technological landscape.

The Methodology

Bridgehead IT (BIT), Inc. utilizes a Distributed and Centralized Computer Security Incident Response Team (CSIRT) model compliant with the National Incident Management System (NIMS). In this model, a dedicated, centralized CSIRT (the BIT Security Division) interacts with a client when a security incident has been identified. The BIT Security Division provides high-level analysis, recommends recovery and mitigation strategies, and coordinates with the various divisions of BIT. This model maximizes the utilization of existing staff in strategic locations throughout the organization, combined with the centrally located coordinating capability of the dedicated team, to provide a broader understanding of the security threats and activity affecting the group. It has management support in assigning needed resources during times of crisis. The model builds on the infrastructure and expertise in the local areas where the company facilitates incident analysis and response (working with others in their own organization and at BIT – systems, network, and security administrators, software developers, LAN/WAN managers, etc. – who are not part of the CSIRT). The CSIRT responds to reports of abnormal activity or other incident reports, participates in incident and vulnerability analyses, lends expertise in testing or assessing the security of the enterprise, and can play a proactive role in promulgating computer security awareness and training throughout the organization. The model provides a centralized team that can collect information from a wide variety of sources and quickly synthesize and disseminate it across the enterprise.

The team has the authority to release organization-wide advisories and other documents, including best practices, response and recovery steps, and security updates. The team can also be responsible for reviewing and analyzing all IDS or other network, system, or application logs.