Overview
Leveraging EDR to accelerate the remediation of advanced threats
After being infected by an aggressive form of malware, a private healthcare organisation leveraged support from Redscan’s Managed Endpoint Detection and Response service to help eliminate it quickly and effectively.
The Incident
Summary
- Large volumes of sensitive patient data
- Targeted by sophisticated malware
- Need for round-the-clock monitoring
As a private healthcare organisation, Redscan’s client processes large volumes of patient data, including highly sensitive medical records.
To improve the protection of this information beyond the level of security offered by traditional perimeter solutions, the organisation uses Redscan’s specialist managed detection and response service, which supplies the people, technology and intelligence needed to swiftly identify and help address a wide range of threats.
When Redscan’s client was targeted by a sophisticated type of malware that sought to harvest employee credentials and exfiltrate data, Redscan’s experts were on hand to quickly identify, investigate and respond to the attack to minimise operational disruption and prevent patient details from being stolen.
The Investigation
Summary
- MDR
- Incident analysis
- Kill chain investigation
- APT identification
- Future incident prevention
Proactive Intrusion Detection System (IDS) and Security Information and Event Management (SIEM) monitoring are key features of Redscan’s Network MDR service that help to identify attacks targeting on-premises, cloud and hybrid IT environments.
Having first noticed suspicious port-scanning activity against the client’s infrastructure, Redscan’s Cyber Security Operations Centre (CSOC) analysts recognised that an attack could be imminent.
Endpoint Detection & Response is an optional but increasingly valuable part of the service that Redscan delivers to its clients. In this case, Carbon Black’s Response solution was deployed across a series of the organisation’s endpoints deemed to be high risk, enabling Redscan’s CSOC analysts to achieve greater event visibility, enhance threat hunting and perform swifter incident response.
On this occasion, it was Cb Response that first alerted the Redscan team to the presence of malware on two of the client’s host machines. A Redscan analyst set about quickly investigating the alarm and within several minutes was able to establish that the alert was a true positive. Malware with an unknown signature had been detected and was attempting to terminate and delete the host’s Windows Defender Service, as well as connect to a series of known malicious IP addresses.
A priority two (P2) incident was promptly raised to the client by the CSOC via Redscan CyberOps, the threat notification and analytics platform included as part of the service. By accessing CyberOps, the client was able to obtain a full overview of the incident and the remediation guidance needed to respond accordingly. On this occasion, the advice was to isolate the infected hosts from the environment, perform a full malware scan and block the observed malicious IPs at the perimeter firewall.
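The two behaviours that made the alert a true positive (a process trying to stop or delete the Windows Defender service, and outbound connections to known malicious IPs) and the three remediation steps the client was given are easy to express as a small triage routine. The following is an added illustration, not Redscan’s or Carbon Black’s code: the telemetry line format, hostnames, IP addresses, blocklist and the P3 tier for hosts showing only one of the two behaviours are all assumptions made for the example. It runs over a handful of constructed EDR-style events and returns the priority, the hosts to isolate and the IPs to block.

```python
"""
Added example (not Redscan's or Carbon Black's code). Triage constructed
endpoint telemetry for the two behaviours described in the case study:
  1. a process stopping/deleting the Windows Defender service (WinDefend)
  2. a network connection to an IP on a known-malicious blocklist
and derive the remediation the case study describes (isolate, scan, block).
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed blocklist standing in for "known malicious IP addresses".
# Only RFC 5737 documentation ranges are used.
BLOCKLIST = {"203.0.113.7", "198.51.100.22"}

# Hypothetical telemetry line format:  <host> <event_type> key="value" ...
LINE_RE = re.compile(r"^(?P<host>\S+)\s+(?P<etype>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Service-control idioms that stop or delete WinDefend. A read-only
# "sc query WinDefend" deliberately does not match.
DEFENDER_TAMPER = re.compile(
    r"(sc(\.exe)?\s+(stop|delete)\s+WinDefend"
    r"|net(\.exe)?\s+stop\s+WinDefend"
    r"|Stop-Service\s+(-Name\s+)?WinDefend)",
    re.IGNORECASE,
)

# Constructed sample telemetry: two compromised hosts, one benign host, one junk line.
SAMPLE = [
    'hc-ws-014 process cmdline="cmd.exe /c sc stop WinDefend && sc delete WinDefend" user="jdoe"',
    'hc-ws-014 netconn dst="203.0.113.7" dport="443" proto="tcp"',
    'hc-ws-027 process cmdline="powershell.exe -c Stop-Service WinDefend" user="asmith"',
    'hc-ws-027 netconn dst="198.51.100.22" dport="8080" proto="tcp"',
    'hc-ws-031 netconn dst="192.0.2.10" dport="443" proto="tcp"',
    'hc-ws-031 process cmdline="sc query WinDefend" user="helpdesk"',
    "malformed line without structure",
]


@dataclass
class HostFindings:
    defender_tamper: list = field(default_factory=list)  # matching command lines
    c2_ips: set = field(default_factory=set)             # blocklisted destinations


def triage(lines, blocklist=BLOCKLIST):
    """Map host -> HostFindings for every host that showed either behaviour."""
    findings = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["etype"] not in ("process", "netconn"):
            continue
        host, kv = m["host"], dict(KV_RE.findall(m["rest"]))
        if m["etype"] == "process" and DEFENDER_TAMPER.search(kv.get("cmdline", "")):
            findings.setdefault(host, HostFindings()).defender_tamper.append(kv["cmdline"])
        elif m["etype"] == "netconn":
            dst = kv.get("dst", "")
            try:
                ipaddress.ip_address(dst)  # drop malformed destinations
            except ValueError:
                continue
            if dst in blocklist:
                findings.setdefault(host, HostFindings()).c2_ips.add(dst)
    return findings


def classify(findings):
    """Return (priority, infected_hosts, hosts_to_review, ips_to_block).

    P2 (as in the case study) when a host shows both behaviours; the P3 tier for
    a host showing only one of them is an assumption of this example."""
    infected = sorted(h for h, f in findings.items() if f.defender_tamper and f.c2_ips)
    review = sorted(h for h in findings if h not in infected)
    ips = sorted({ip for f in findings.values() for ip in f.c2_ips})
    priority = "P2" if infected else ("P3" if review else None)
    return priority, infected, review, ips


def remediation(infected, ips):
    """The three steps the case study reports: isolate, full scan, block at perimeter."""
    steps = []
    if infected:
        steps.append("Isolate from the network: " + ", ".join(infected))
        steps.append("Run a full malware scan on each isolated host")
    if ips:
        steps.append("Block at the perimeter firewall: " + ", ".join(ips))
    return steps


if __name__ == "__main__":
    prio, infected, review, ips = classify(triage(SAMPLE))
    print(prio, infected, review, ips)
    for step in remediation(infected, ips):
        print("-", step)
```

Because the priority is derived from the co-occurrence of both behaviours on the same host, a lone Defender service stop (which an administrator might do legitimately) lands in the review tier rather than triggering an isolation recommendation on its own.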
That wasn’t to be the end of the incident, however.