Contact Us

Contact Us

Please get in touch using the form below

I prefer to be contacted by:
View our privacy policy
Find out if your organisation has been compromised by the Zerologon Windows server vulnerability. Download Zerologon Detector.

Overview

Leveraging EDR to accelerate the remediation of advanced threats

After being infected by an aggressive form of malware, a private healthcare organisation leveraged support from Redscan’s Managed Endpoint Detection and Response service to help eliminate it quickly and effectively.

Redscan case study
Industry
Healthcare
HQ
UK

The Incident

Summary

  • Large volumes of sensitive patient data
  • Targeted by sophisticated malware
  • Need for round-the-clock monitoring

As a private healthcare organisation, Redscan’s client processes large volumes of patient data, including highly sensitive medical records.

To improve the protection of this information beyond the level of security offered by traditional perimeter solutions, the organisation uses ThreatDetect – a specialist managed detection and response service supplying the people, technology and intelligence needed to swiftly identify and help address a wide range of threats.

When Redscan’s client was targeted by a sophisticated type of malware that sought to harvest employee credentials and exfiltrate data, Redscan’s experts were on hand to quickly identify, investigate and respond to the attack to minimise operational disruption and prevent patient details from being stolen.

The Investigation

Summary

  • ThreatDetect™ MDR
  • Incident analysis
  • Kill chain investigation
  • APT identification
  • Future incident prevention

Proactive Intrusion Detection System (IDS) and Security Information and Event Management (SIEM) monitoring are key features of Redscan’s ThreatDetect Network MDR service that help to identify attacks targeting on-premise, cloud and hybrid IT environments.

Having first become aware of some suspicious port-scanning activity on the client’s infrastructure, Redscan’s Cyber Security Operations Centre (CSOC) analysts were aware that an attack could be imminent.

Endpoint Detection & Response is an optional, but increasingly valuable part of the ThreatDetect service that Redscan delivers to its clients. In this case, Carbon Black’s Response solution was deployed across a series of the organisation’s endpoints deemed to be high risk, enabling Redscan’s CSOC analysts to achieve greater event visibility, enhance threat hunting and perform swifter incident response.

On this occasion, it was Cb Response that first alerted the Redscan team to the presence of malware on two of the client’s host machines. A Redscan analyst set about quickly investigating the alarm and within several minutes was able to establish that the alert was a true positive. Malware with an unknown signature had been detected and was attempting to terminate and delete the host’s Windows Defender Service, as well as connect to a series of known malicious IP addresses.

A priority two (P2) incident was promptly raised to the client by the CSOC via Redscan CyberOps, the threat notification and analytics platform included as part of ThreatDetect. By accessing CyberOps, the client was able to obtain a full overview of the incident and the remediation guidance needed to respond accordingly. On this occasion, the advice was to isolate the infected hosts from the environment, perform a full malware scan and block the observed malicious IPs at the perimeter firewall.

That wasn’t to be the end of the incident however.

Read more

Our Recommendations

Perform regular antivirus scans
Ensure that antivirus software is continually updated to detect the latest malicious file signatures.
Block malicious IPs
Block external IP addresses identified as malicious to prevent malware from receiving instructions from a Command and Control (C2) server.
Isolate infected machines
Any infected machines should be isolated from network as soon as possible, scanned to quarantine any infection, and left in isolation for a minimum of 12 hours.
Review staff training needs
Regular security training can help to instill best practice and improve awareness of the latest social engineering and malware attacks.
Enable multi-factor authentication
Use of MFA provides an extra layer of authentication by requiring users to enter a verification code, received via phone call, text message, or a mobile application, to access systems that process personal data.