CYBER SECURITY CASE STUDIES
Cybersecurity Compliance and Computer Forensics are our key focus. We are an organization of IT security professionals, and we work with organizations in every industry. You will find a few of our Case Studies on this page.
Cyber Security Threat Hunting Case Study - gain visibility on hackers
Cyber Security Threat Hunting Case Study
EXECUTIVE SUMMARY
1) The Engagement with the Client: Threat Hunting at an FSI that suspected a breach
2) The Tools and Services: How we assisted the Client with our toolset and services
3) The Client Outcome: The benefits the Client reaped, including continued services
This report does not discuss the essentials of cybersecurity awareness training, though we do cover the value of using training to mitigate vishing threats in a separate whitepaper.
THE CLIENT
The Client was a Financial Services Institution (FSI) with 2,031 networked Windows systems: 216 in a central office and another 1,815 in satellite offices. The Client’s IT/IS Team informed CyberSecOp of the system requirements and the layout of the network so that our threat hunting solution could be installed in the Client’s environment without issue.
THE ENGAGEMENT
The Client engaged CyberSecOp to deliver managed security services in the form of a Compromise Assessment of the bank’s critical infrastructure, following suspicion that threat actors might be present on the network.
THE PARTNER (CyberSecOp)
CyberSecOp is a fast-growing MSSP that has hunted threats for some of the biggest financial institutions in the region.
THE PROCESS
CyberSecOp configured the evidence collection system and scanned the network without causing any downtime to the Client’s servers or services. The full assessment took approximately 10 days, with multiple scanning rounds completed within that time so that the Client could begin remediating the first layer of findings as early as possible.

We performed the Compromise Assessment, identified the breach of the Client’s network, and determined from the evidence collected that it had occurred 3-4 months earlier. Upon discovering the breach, CyberSecOp initiated a containment phase, isolating the malicious content, and then coordinated with the FSI’s IT team to investigate and identify any further remedial actions that needed to be taken.

Following containment, CyberSecOp advised on how to communicate the results of the discovery to the Client’s users and conducted a Breach Postmortem, during which CyberSecOp reviewed the report and findings with management at the FSI.
Steps in CyberSecOp’s Compromise Assessment included
REMEDIATION
CyberSecOp performed the following services as a part of the breach remediation:
- Forensics and threat hunting, with detailed reporting and data gathering/tagging
- Deployment of the CyberSecOp Managed Detection and Response system to ensure any future breach is discovered much sooner than this one
- Vulnerability and penetration scanning to identify and remove vulnerabilities
- A complete analysis of the malicious software the threat actor left on the Client’s server, including insights into what would have happened had the software been activated
- Work with the Client’s technical team to purge the system and ensure that no backdoors remained through which the threat actor could return
OUTCOME
- The threat actor’s access and malicious software were removed from the affected devices, and the vulnerabilities were remediated
- The Client now has an active contract with CyberSecOp for Managed Detection and Response and quarterly compromise assessments
- The Client’s servers and all endpoints continue to be scanned periodically to validate that the remediation is complete and that no further threat actors have breached the network
IN CONCLUSION
Threat hunting and backups are critical: keeping a copy of your data in reserve is one of the best ways of reducing financial risk. It is highly recommended to use a security team that can analyze any provided decryption tool, to ensure there is no further threat present.
It is also critical to ensure your organization takes steps to secure all systems, through implementation of a Managed SOC, MDR services, and Employee Security Awareness Training.