Proactive Intrusion Detection System (IDS) and Security Information and Event Management (SIEM) monitoring are key features of Redscan’s ThreatDetect Network MDR service that help to identify attacks targeting on-premise, cloud and hybrid IT environments.
Having first noticed suspicious port-scanning activity against the client’s infrastructure, Redscan’s Cyber Security Operations Centre (CSOC) analysts recognised that an attack could be imminent.
Endpoint Detection & Response is an optional, but increasingly valuable part of the ThreatDetect service that Redscan delivers to its clients. In this case, Carbon Black’s Response solution was deployed across a series of the organisation’s endpoints deemed to be high risk, enabling Redscan’s CSOC analysts to achieve greater event visibility, enhance threat hunting and perform swifter incident response.
On this occasion, it was Cb Response that first alerted the Redscan team to the presence of malware on two of the client’s host machines. A Redscan analyst set about quickly investigating the alarm and within several minutes was able to establish that the alert was a true positive. Malware with an unknown signature had been detected and was attempting to terminate and delete the host’s Windows Defender Service, as well as connect to a series of known malicious IP addresses.
A priority two (P2) incident was promptly raised to the client by the CSOC via Redscan CyberOps, the threat notification and analytics platform included as part of ThreatDetect. By accessing CyberOps, the client was able to obtain a full overview of the incident and the remediation guidance needed to respond accordingly. On this occasion the advice was to isolate the infected hosts from the environment, perform a full malware scan and block the observed malicious IPs at the perimeter firewall.
That wasn’t to be the end of the incident, however.
Increasing incident severity
Almost immediately after notifying the client of the incident, the Redscan team detected the same malware on two additional hosts, prompting the incident to be escalated to a P1 – a level of classification reserved for critical incidents which pose an extremely high degree of risk.
Redscan’s incident response playbook for malware infections was in full execution at this point. To prevent additional infections, the CSOC used Cb Response to ban the signature of the identified malware binaries and, with the client’s authorisation, used the same tool’s incident response capabilities to quickly isolate all infected hosts from the network.
Investigating the kill chain
Upon containing the malware, the Redscan team set about analysing the kill chain of the attack – how it was able to obtain a foothold on the client’s network and spread so quickly.
By recording each and every file execution and modification, registry change, network connection and binary execution across all installed hosts, Cb Response is an important tool that helps the Redscan CSOC team perform more detailed digital forensics and inspect deeper into IT networks for signs of malicious activity.
One of the binaries that Cb Response identified was attached to the roaming Windows® profile of one particular employee, who had logged into multiple endpoints, thus spreading the infection in the process.
The malware detected, Trickbot, was a Trojan designed to harvest user credentials, exfiltrate data and add infected hosts to a botnet of devices.
While forensic investigation of network and endpoint log files revealed no evidence of data loss, the malware was observed to have conducted an internal network IP scan – designed to obtain DNS information about the network which could be used to help attackers spoof network addresses for social engineering scams.
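The behaviours described above (tampering with the Windows Defender service, a binary executing from a roaming profile, and outbound connections to known-bad addresses) lend themselves to simple host-level triage rules. The following is an added example written for this page, not Redscan’s or Carbon Black’s code; the event format, file paths and IP addresses are constructed for illustration.

```python
# Added example: triage constructed endpoint telemetry for the indicators the
# case study describes. Event shapes, paths and IPs are made up, not real data.
import re

# Constructed block list standing in for the "known malicious IPs" in the write-up.
KNOWN_BAD_IPS = {"203.0.113.10", "198.51.100.77"}

# Service-control commands aimed at the Windows Defender service (WinDefend).
DEFENDER_TAMPER = re.compile(
    r"(?:sc(?:\.exe)?\s+(?:stop|delete|config)\s+windefend|"
    r"net(?:\.exe)?\s+stop\s+windefend|"
    r"stop-service\s+.*windefend)", re.IGNORECASE)

# Executables launched from a user's roaming profile (where one infected binary sat).
ROAMING_EXE = re.compile(r"\\appdata\\roaming\\.*\.(?:exe|dll|scr)$", re.IGNORECASE)

def triage(event: dict) -> list[str]:
    """Return the indicator names an event matches (empty list if nothing matches)."""
    hits = []
    if DEFENDER_TAMPER.search(event.get("cmdline", "")):
        hits.append("defender_service_tamper")
    if ROAMING_EXE.search(event.get("image", "")):
        hits.append("exec_from_roaming_profile")
    if event.get("dst_ip") in KNOWN_BAD_IPS:
        hits.append("known_bad_c2_ip")
    return hits

def triage_events(events: list[dict]) -> dict[str, list[str]]:
    """Map host -> sorted unique indicators, so severity can be judged per host."""
    by_host: dict[str, set[str]] = {}
    for ev in events:
        hits = triage(ev)
        if hits:
            by_host.setdefault(ev["host"], set()).update(hits)
    return {host: sorted(inds) for host, inds in by_host.items()}

# Constructed sample telemetry, loosely modelled on EDR process/network events.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc.exe stop WinDefend"},
    {"host": "WS01", "image": r"C:\Users\jdoe\AppData\Roaming\svchost.exe",
     "cmdline": "svchost.exe", "dst_ip": "203.0.113.10"},
    {"host": "WS02", "image": r"C:\Program Files\App\app.exe",
     "cmdline": "app.exe --update", "dst_ip": "192.0.2.5"},  # benign control
]

if __name__ == "__main__":
    for host, indicators in triage_events(SAMPLE_EVENTS).items():
        print(host, indicators)
```

On the constructed sample, WS01 matches all three indicators and WS02 matches none, which is the kind of per-host picture an analyst needs before deciding whether to isolate.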
Owing to the advanced, persistent nature of the malware, the source of the attack proved harder to ascertain. Previous variants of the Trickbot malware are known to be widely distributed by spam emails as well as infected attachments and URLs, and the team had no reason to suspect that the source of this infection was any different.
A highly persistent threat
In the week that followed detection of the original four malware infections, Redscan’s CSOC team observed 12 additional malware binaries resident on hosts, each with a different signature and attempting to communicate with malicious IP addresses in locations including Russia, Germany, France and Canada. The new infections were linked to the roaming profiles of a number of employees, including a system administrator.
Whenever a new infected host was identified, it was quickly isolated from the network for a minimum of 12 hours and scanned to remove the infection. As an additional precaution, particularly given the evidence that a system administrator had been compromised, all of the client’s employees were encouraged to reset their Windows login credentials.
Further forensic investigation by the Redscan team revealed references, within the malware’s code, to RDP-related registry keys. Disabling remote desktop in Windows to mitigate the risk of any unauthorised connections was subsequently recommended.
Preventing future incidents
After receiving confirmation that all infected machines had been successfully cleaned, and with no new infections reported, the incident was finally closed by the Redscan team. Given the severity of the incident, a detailed report was prepared for the client. This included a full event timeline, detailing all actions taken, and a list of recommendations to help mitigate the risk of future attacks.
The advanced persistent nature of Trickbot, and other forms of malware, means that future attacks cannot be discounted. With ThreatDetect Network MDR and Endpoint EDR, the client can be sure, however, that it will be ready to respond quickly and effectively should any anomalous activity present itself.