
Case Study: MXDR for Global Commodities Sector

by NCC Group

29 January 2026

Situation

NCC Group’s Managed Extended Detection and Response (MXDR) solution identified a potentially dangerous threat for an organization operating in the global commodities sector.

Upon receiving an alert during routine monitoring, NCC Group’s Security Operations Center (SOC) analysts were able to identify, trace, and contain the potential attack, communicating extensively with the customer throughout the incident.

Doing so enabled the organization to adjust their defensive posture, ensuring that they are better positioned to deal with similar attacks in the future.

At a Glance

Organization: Global Commodities Organization

Industry: Commodities 

Challenge: Providing a quick, effective response to a dangerous threat identified by NCC Group’s MXDR solution at the organization

Solution: NCC Group’s SOC analysts identified, traced, and contained the attack, nullifying the risk

Result: Due to the rapid response of the SOC analysts, the incident was able to be successfully contained, preventing the malicious actor from gaining access to valuable information

Challenge

A customer in the global commodities sector was a victim of an attempted data exfiltration attack. NCC Group's Managed Extended Detection and Response solution identified the threat and contained it. Follow-up intelligence revealed both attribution and the likely intent of the attack.

During routine monitoring, NCC Group's SOC received an alert from their endpoint detection and response (EDR) solution indicating that unusual PowerShell activity had been identified. PowerShell is a scripting language built into Windows that gives scripts deep access to the operating system, including unrestricted access to Windows APIs.

PowerShell is often used by malicious actors because it is relatively low profile: as an inherent part of Windows, the commands it executes are usually ignored by security software.

In this instance, a user was lured by a bogus Google Chrome update. This ‘update’ initiated PowerShell activity and tried to import and execute a malicious Dynamic Link Library (.dll) file. This in turn was designed to act as a loader for further pieces of malware, with the likely end goal of theft of commercially sensitive information.
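The pattern described above, a browser-launched PowerShell process that pulls a DLL into itself from a user-writable directory, is the kind of behaviour an EDR rule can flag before the second stage lands. The following is an added example, not NCC Group's detection content or any vendor's rule format; the event schema, field names and sample events are constructed for illustration.

```python
"""Toy triage pass over constructed EDR-style process and image-load events,
modelled on the PowerShell-loads-DLL chain in the case study.
The event schema and sample values below are assumptions for this example."""
import re
from dataclasses import dataclass

# Directories an ordinary user can write to. A DLL that PowerShell loads
# from here deserves a look: legitimate modules normally live under
# Program Files or the Windows directory.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)

# Command-line fragments showing PowerShell is bringing native or managed
# code into its own process (or hiding its script) rather than running a
# plain .ps1 file.
LOADER_PATTERNS = [
    re.compile(r"Add-Type", re.IGNORECASE),
    re.compile(r"DllImport", re.IGNORECASE),
    re.compile(r"\[Reflection\.Assembly\]::Load", re.IGNORECASE),
    re.compile(r"-enc(odedcommand)?\b", re.IGNORECASE),
]

# Parents that should rarely spawn PowerShell. A browser parent matches the
# "bogus Chrome update" lure described in the text.
UNUSUAL_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "winword.exe"}


@dataclass
class Finding:
    host: str
    reason: str
    event: dict


def triage_event(event: dict) -> list[str]:
    """Return the reasons (possibly none) an event looks like PowerShell-based DLL loading."""
    reasons: list[str] = []
    if event.get("image", "").lower() != "powershell.exe":
        return reasons
    if event.get("event_type") == "process_create":
        parent = event.get("parent_image", "").lower()
        if parent in UNUSUAL_PARENTS:
            reasons.append(f"powershell spawned by {parent}")
        cmd = event.get("command_line", "")
        for pat in LOADER_PATTERNS:
            if pat.search(cmd):
                reasons.append(f"loader pattern {pat.pattern!r} in command line")
    elif event.get("event_type") == "image_load":
        loaded = event.get("loaded_image", "")
        if loaded.lower().endswith(".dll") and USER_WRITABLE.search(loaded):
            reasons.append(f"dll loaded from user-writable path {loaded}")
    return reasons


def scan(events: list[dict]) -> list[Finding]:
    """Run triage over a batch of events and collect every reason as a Finding."""
    return [Finding(e.get("host", "?"), r, e) for e in events for r in triage_event(e)]


# Constructed sample events: a benign admin script on WS-01, and a chain on
# WS-07 resembling the incident (browser parent, hidden encoded command,
# DLL loaded from the user's Temp directory).
SAMPLE_EVENTS = [
    {"host": "WS-01", "event_type": "process_create", "image": "powershell.exe",
     "parent_image": "explorer.exe",
     "command_line": "powershell.exe -File C:\\Scripts\\Inventory.ps1"},
    {"host": "WS-01", "event_type": "image_load", "image": "powershell.exe",
     "loaded_image": "C:\\Windows\\System32\\kernel32.dll"},
    {"host": "WS-07", "event_type": "process_create", "image": "powershell.exe",
     "parent_image": "chrome.exe",
     "command_line": "powershell.exe -w hidden -enc <constructed-base64>"},
    {"host": "WS-07", "event_type": "image_load", "image": "powershell.exe",
     "loaded_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\ChromeUpdate.dll"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.reason}")
```

Each reason is reported separately so an analyst can see which of the three signals (unusual parent, loader-style command line, DLL from a user-writable path) fired; in a real deployment the process-create and image-load events would be correlated by process id, which the constructed schema omits.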

Solution

NCC Group’s SOC analysts responded to this alert promptly and quickly triaged it as high priority with an initial notification sent to the nominated customer contact. Concurrently, a more detailed investigation was initiated by a rapidly convened team of security and intelligence analysts.

Using Carbon Black, they were able to identify the source of the web shell and, more importantly, determined what it was downloading.

At this stage, analysts made the decision to isolate the infected machine, ensuring that the second-stage malware could not be installed. This action contained the attack and eliminated the possibility of far-reaching impact or wider propagation.

Having nullified the immediate risk, the Threat Intelligence team carried out an investigation to identify the source of the malware. Performing malware analysis on the .dll file, they were able to identify the username of the individual who compiled it. Using open-source investigation, the TI team identified another piece of malware compiled by the same username. This file was a log sorter designed to work with a variety of information stealers, one of which would likely have been dropped as part of the second-stage malware infection.
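The case study does not say how the compiler's username was recovered from the .dll. One common way such a name ends up inside a Windows binary is the debug (PDB) path the compiler embeds in a CodeView record, which often contains the builder's profile directory. The following is an added example illustrating that assumed technique, not NCC Group's analysis tooling; the sample bytes are constructed and are not a real PE file.

```python
"""Carve PDB paths out of CodeView ("RSDS") debug records in a binary and
split out the user-profile names they reveal. Added example; treating the
PDB path as the source of the username is an assumption, not something
the case study states."""
import re
import struct

# CodeView RSDS record layout: 'RSDS' + 16-byte GUID + 4-byte age
# + NUL-terminated path. The 20 bytes after the signature are skipped.
RSDS = re.compile(rb"RSDS.{20}([^\x00]{1,512})\x00", re.DOTALL)

# Windows user-profile prefix such as C:\Users\<name>\...
PROFILE_PATH = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)


def extract_pdb_paths(data: bytes) -> list[str]:
    """Return every PDB path found in an RSDS record, decoded as latin-1."""
    return [m.group(1).decode("latin-1") for m in RSDS.finditer(data)]


def profile_users(paths: list[str]) -> list[str]:
    """Return the distinct usernames that appear as C:\\Users\\<name>\\ in the paths."""
    return sorted({m.group(1) for p in paths if (m := PROFILE_PATH.match(p))})


# Constructed sample: filler bytes with one RSDS record embedded, which is
# enough to exercise the carving logic without a real PE file.
SAMPLE = (
    b"MZ" + b"\x00" * 60
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 1)
    + b"C:\\Users\\builder42\\source\\loader\\x64\\Release\\loader.pdb\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    paths = extract_pdb_paths(SAMPLE)
    print("pdb paths:", paths)
    print("profile users:", profile_users(paths))
```

Carving by signature rather than walking the PE debug directory is deliberate: it also works on packed, truncated or memory-dumped samples where the headers are damaged, at the cost of the occasional false hit on unrelated data, which is acceptable for a triage pivot that feeds further open-source investigation.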

The team was then able to identify adverts on dark web forums for this log sorter. As a result, they also identified social media accounts, a telephone number, and an associated bitcoin wallet.

Ultimately, they were able to identify and observe a private chat group for users of the log sorter, limited to a group of 450 Russian-speaking threat actors.

Result

The customer was updated throughout the investigation phase and a full debrief was given at the conclusion of the incident. Had NCC Group's analysts not acted as decisively as they did, there is a very real chance that the malicious actor could have established a persistent and undetected flow of classified information.

This could have trickled out of the corporate network undetected indefinitely. Instead, the customer was given the reassurance that the attack was identified and contained. The detailed analysis and attribution also allowed the customer to adjust their defensive posture and deliver enhanced and targeted security awareness training to their staff. In short, the customer emerged unscathed and better positioned to repel similar attacks in the future.


"NCC Group's MXDR capability identified, traced, and contained a potentially dangerous threat for an organization in the global commodities sector thanks to a fast-acting and intelligence response from NCC Group's SOC analysts"

NCC Group

NCC Group is a people-powered, tech-enabled global cyber security and resilience company with over 2000 colleagues around the world.

For over 25 years, we’ve been trusted by the world’s leading companies and Governments to manage and deliver cyber resilience. We're proud to deliver important and groundbreaking projects for our clients.

As technology and cyber threats continue to evolve, we remain relentlessly committed to our mission: working together to create a more secure digital future. 

Get started on your cyber security journey 

Our experts are ready to help you stay ahead in a constantly changing threat landscape. Contact us today to learn more about what NCC Group can do for your organization's unique cyber security needs.