Even if you work only occasionally with information security, you have probably heard about the benefits of a Cyber Security Operations Centre, or CSOC. Real stories of concrete actions are rarer, as organisations are often reluctant to admit to the attacks they have faced, let alone share the details. Yet many such attacks can be stopped at an early stage, provided a CSOC is monitoring the environment.
This blog post presents a real, anonymised example of a cyberattack: its background, stages and remediation. Although the organisation was not yet using our CSOC to its full extent at the time of the attack, the CSOC was still a significant asset in resolving the case and gathering evidence.
The story is narrated by an analyst working at Loihde's CSOC. The customer has authorised the anonymised presentation of the case.
Background
Where did it all start? The attacker initially gained access to the organisation's network through an RDP port exposed to the Internet on a server used for remote control of Windows workstations. From that remote management server, the attacker moved laterally within the internal network. After installing attack tools, the attacker scanned the devices in the internal network, eventually compromising several user accounts and workstations and gaining access to a large amount of data.
Measures
With a full-scale CSOC service in place, the attack could have been stopped earlier. As it was, the attack was detected by the endpoint detection and response (EDR) service.
While our CSOC was being deployed for the customer, we discovered Mimikatz, a credential-dumping tool that can extract Windows passwords, password hashes and Kerberos tickets from memory, among other things.
We investigated the situation manually with SentinelOne's Deep Visibility and Remote Shell, which showed us where and how the malicious tooling in the organisation's network was operating. As the organisation had only just started using a CSOC, the logs available were not as extensive as they would have been with the CSOC in full use, so the Remote Shell investigation was done directly on the affected devices. Among other things, the output files left behind by Mimikatz provided clues, further information and evidence about the incident.
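The two signals that define this case are an RDP logon arriving from an Internet address (the entry point described in the background) and a process reading LSASS memory (what Mimikatz does to harvest credentials). With log collection in place, both can be caught by simple rules in a SIEM. The following is an added example written for this post, not code from Loihde's CSOC or from SentinelOne: it runs two such rules over constructed Windows Security (event 4624) and Sysmon (event 10) records and merges the hits into a time-ordered list, the skeleton of an incident timeline. The internal address ranges, the LSASS allowlist and every event value are assumptions made for the example.

```python
"""Detection logic for the two signals central to this case: an RDP logon
from an Internet address and a process reading LSASS memory.
Added example; not code from the original post or from Loihde's CSOC.
The event records below are constructed. Their field names follow Windows
Security event 4624 and Sysmon event 10, but the values are invented."""
from ipaddress import ip_address, ip_network

# Assumption: the customer's internal address space is RFC 1918 only.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: Windows components that legitimately open LSASS on these hosts.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "svchost.exe"}
PROCESS_VM_READ = 0x0010  # access right a credential dumper needs to read LSASS memory

# Constructed sample events, as a SIEM would present them after parsing.
EVENTS = [
    {"time": "2021-03-02T01:12:40", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\svc_remote", "src_ip": "203.0.113.77", "host": "RMGT01"},
    {"time": "2021-03-02T01:13:05", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\alice", "src_ip": "10.0.5.23", "host": "RMGT01"},
    {"time": "2021-03-02T01:35:08", "event_id": 10, "host": "RMGT01",
     "source_image": "C:\\Windows\\Temp\\m.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"},
    {"time": "2021-03-02T01:35:09", "event_id": 10, "host": "RMGT01",
     "source_image": "C:\\Windows\\System32\\svchost.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1000"},
    {"time": "2021-03-02T02:02:51", "event_id": 4624, "logon_type": 3,
     "user": "CORP\\svc_remote", "src_ip": "10.0.5.40", "host": "WS-ALICE"},
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_external_rdp(events):
    """RemoteInteractive (logon type 10) logons whose source address is not
    internal: the entry path used in this case."""
    alerts = []
    for e in events:
        if e.get("event_id") == 4624 and e.get("logon_type") == 10 and not is_internal(e["src_ip"]):
            alerts.append({"time": e["time"], "host": e["host"],
                           "rule": "rdp_from_internet",
                           "detail": f'{e["user"]} from {e["src_ip"]}'})
    return alerts


def detect_lsass_read(events):
    """Sysmon ProcessAccess events where a non-allowlisted image obtains
    PROCESS_VM_READ on lsass.exe, the pattern credential dumpers produce."""
    alerts = []
    for e in events:
        if e.get("event_id") != 10:
            continue
        if not e["target_image"].lower().endswith("\\lsass.exe"):
            continue
        source = e["source_image"].rsplit("\\", 1)[-1].lower()
        access = int(e["granted_access"], 16)
        if access & PROCESS_VM_READ and source not in LSASS_ALLOWLIST:
            alerts.append({"time": e["time"], "host": e["host"],
                           "rule": "lsass_memory_read",
                           "detail": f'{e["source_image"]} access={e["granted_access"]}'})
    return alerts


def build_timeline(events):
    """Merge all alerts in time order: the skeleton of the incident timeline."""
    alerts = detect_external_rdp(events) + detect_lsass_read(events)
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for a in build_timeline(EVENTS):
        print(a["time"], a["host"], a["rule"], a["detail"])
```

On the sample data the first rule fires once (the logon from 203.0.113.77) and the second once (m.exe reading LSASS), while the internal RDP logon, the allowlisted svchost.exe access and the network logon are ignored. In a real deployment the allowlist must be tuned per environment, since security products and some Windows components also open LSASS with read access.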
Evidence and eviction process
Attack tools were found on the compromised devices, including the above-mentioned Mimikatz and Cobalt Strike. There were also ransom notes on the workstations whose format matched the Conti ransomware. After gathering evidence, we determined the extent of the data breach; the logs we found and the tools we used supported the tracking process. We also drew up a timeline of what had happened at each stage of the attack.
First, we removed the old RDP rule from the firewall, closing the entry point through which the attacker had gained access to the organisation's network. Second, we installed SentinelOne on all compromised devices and isolated them from the network. Finally, we recreated the compromised user accounts in Active Directory.
Follow-up
We reviewed the customer's firewall rules and monitored the detected threat indicators using SentinelOne's Deep Visibility.
Even though the customer's organisation was at the beginning of its CSOC journey when the attack was discovered, the CSOC service already delivered clear and immediate benefits: the anomaly was detected and interpreted, the customer was kept informed at each stage of the situation, the continuity of the customer's operations was ensured throughout the process, and the investigation was reported and presented to the customer.
Five tips:
- Log retention: stored logs are how evidence is preserved.
- Limiting connections: allow only the connections that are necessary, and never expose RDP directly to the Internet.
- A modern EDR (here SentinelOne): the more capable the endpoint detection and response service, the more visibility the CSOC has.
- Humans are usually the weakest link in information security.
- The SOC triangle: a SOC provider needs sufficient visibility into the network environment to take countermeasures. The corners of the triangle are log management (SIEM), endpoint detection and response (EDR) and network detection and response (NDR).