While October is famous for National Cybersecurity Awareness Month, and we provide resources and recommendations for our customers, really every month should focus on this business-critical topic. Given the frequency of Ransomware attacks, all industries need to be increasingly vigilant. This includes many aspects of cybersecurity, such as user training, endpoint security, network security, vulnerability management, and detection and response to incidents.
Industries such as healthcare and energy and utilities are susceptible and arguably the most vulnerable to ransomware or other cybersecurity incidents. Government agencies and schools have also become top targets. Small businesses, which previously felt they were too small to be of interest to criminals, are finding that they too are a target. Any organization with a digital presence should have resilient cybersecurity capabilities. Otherwise, they might not survive a cyberattack.
Stories from the SOC
The scope of cybersecurity is quite broad, but I’d like to share some of our Stories from the SOC experiences, to show how we provide services and products to protect our customers in real-life scenarios.
Data exfiltration
The most recent story is about detecting and remediating data exfiltration in our SOC for a customer. The AT&T Managed Threat Detection and Response Security Operations Center (SOC) observed a connection between a customer asset and an indicator of compromise (IOC) with a known reputation as part of a malicious network ecosystem hosting and distributing malware.
Facilitated by a relationship with Darktrace and their Cyber Intelligence Platform, an alarm was produced based on the observance of data being transferred out of the network over a 4-hour period via several external connections. Upon the acknowledgment of the alarm, the SOC was able to research correlating events and provide the customer a detailed explanation of what took place within the customer environment thus aiding in the proactive mitigation of this threat.
Phishing incident
The AT&T Managed Threat Detection and Response (MTDR) analyst team was notified that a user fell victim to a phishing email. The user received an email that was quarantined by Microsoft Office Advanced Threat Protection (ATP), but still opened the email, clicked a link and entered their credentials. The customer was notified about the successful phishing attack and requested additional information about what occurred between the successful attack and when the account was disabled.
Within 45 minutes, the MTDR analyst created an Investigation, attached all suspicious logs, and a report containing all the events between the attack and lockout. Due to the rapid information gathering, the customer was able to quickly start the remediation process and determine if any sensitive information may have been compromised.
Ransomware
One of the AT&T Managed Threat Detection and Response customers recently almost had an incident involving ransomware. In our analysis of what turned out to be the activity of the Sodinokibi ransomware gang, we were able to move quickly. Thanks to the SentinelOne advanced EDR platform, the attack was quickly detected and stopped automatically. Then, the combined efforts of the MTDR SOC, Threat Hunters, and the AT&T Alien Labs team led to a swift customer escalation, root cause discovery, and analysis of the Sodinokibi ransomware gang.
These attackers leverage search engine optimization (SEO) to ensure compromised sites hosting links to malicious files are pushed up to the first page of Google results for commonly asked questions. In this case, a user was taken to a compromised site and downloaded a file containing a malicious JavaScript file. While the JavaScript file was executed, there was little impact on the organization thanks to SentinelOne correlating and associating the activities that followed as malicious and autonomously stopping the attack.
And, with the help of AT&T, the client was able to take further remediation steps, enable additional proactive prevention policies, and confirm no other malicious domains were observed across the network.
Conclusion
We’re in the business of solving problems for our customers, and the stories above are only a few examples of what we have in our broad portfolio of cybersecurity products and services. Happy National Cybersecurity Month!