The Cythera security operations team has detected and responded to several security incidents with our clients over the last few weeks and a common theme brought all of them to light : visibility.
So, you’re running firewalls, and IPS, and next-gen anti-virus, and multi-factor authentication. And you’re logging it all. You’re even pumping it all into a SIEM . Fantastic! You’re already doing better than many organisations.
But what are you doing with that data? Is it just a huge log store? Do you just use it to replay the tape if there is an issue? Does it to populate pretty dashboards? Do you have to write custom log queries or correlation rules to try get any meaningful insights out of it?
They’re in!
Let’s look at a breach we detected, responded to and stopped for a client. Like many of these stories, it started with a user getting phished. They received an email from who they thought was a trusted contact, and in the process was prompted for a login to their corporate email, where they entered their credentials.
The organisation had Multi Factor Authentication so the story should wrap up here. But MFA is not a panacea, and for many organisations multi factor is still a complex beast to roll out everywhere; there’s often legacy apps and multiple operating system dependencies to support. In this case, due to one of these dependencies MFA had been disabled for a specific application and the attacker worked that out, and used it to start accessing and downloading data.
Detecting this incident is where visibility goes well beyond logging. User behavioural analytics picked up that the user was accessing services from both unusual and multiple locations. Deception technology meant the attacker hit tripwires we had set in the organisation. What might have been completely missed in many organisations, or just another alert log to others was for us transformed into an investigation our team responded to, and ultimately used to stop the attack mid-flight.
What else did we find?
- Attacker was bouncing between VPN’s trying to mask themselves and bypass geo blocking.
- One of the IP’s had been used in a previous brute force.
- They accessed services the user had never accessed before.
Many of the organisations we work with focus heavily on prevention capabilities, but are often blind to events and incidents when those prevention mechanisms let something through (and they will all miss something at some point).
If you need help with security monitoring, visibility as well as security detection and response our Managed Detection & Response Platform can provide you with real value. Reach out to us if you would like to discuss.
