A Day in the Life of a Check Point Incident Responder
This blog is a first-hand account from a Check Point Software Incident Responder, outlining a cyber attack which occurred in January of 2019.
First signs of an attack
The call came in first thing in the morning. One of our clients, Linden Bulk Transportation, was under attack. Linden provides bulk and intermodal transport across North America. Somewhere, in an IT environment of hundreds of systems across four geographical locations, a bad actor had bypassed their firewall and anti-virus protections.
I asked Erik Pufahl, Linden’s Vice President of Information Technology, to give me a quick rundown of events…
On a Saturday in January, Erik and his team detected a spike in help desk calls, along with increased network latency as communications among their various systems and servers began to slow. When they investigated some of the servers in question, they noticed a large number of services being enabled and populated.
Immediately, they tried to contain and control the malware by sectioning off what they believed were the infected systems and servers. This proved to be a difficult task, even after weeks of working nights and weekends. Linden’s IT team knew they had a problem, but they didn’t know where exactly.
They needed a fast, thorough assessment of their IT environment, but Linden lacked the technology and resources to make this happen. Meanwhile, the malware was constantly evolving and replicating itself, further complicating their efforts to manage issues.
That’s when Pufahl reached out to Check Point’s Incident Response team for help.
All in a day’s work
After talking with Pufahl, my team members and I began to suspect that the attack might be centered around ransomware. In fact, over 75% of our total incident support time these days is around Ryuk, Dharma, GandCrab, GlobeImposter and similar infections.
We see attackers from around the world targeting their victims with pinpoint precision, studying financial reports to understand how much the victim can afford in ransom and then executing the ransomware attacks at times of particular weakness, such as weekends and holidays.
My team turned to Infocyte to contain and respond to the attack. Within 20 minutes, Infocyte HUNT was fully deployed from the cloud and had baselined Linden’s network to discover the active assets within their environment — including across distributed LAN segments — giving Linden and our Incident Response team full visibility into their environment.
After ninety minutes, Infocyte’s incident response platform had finished all inspections and determined that twenty-five systems were infected with malware. Two types of banking trojans, Emotet and Trickbot, had bypassed the company’s firewall and anti-virus defenses several months earlier. In turn, they had enabled access for the Ryuk ransomware to enter the company’s network.
With the Infocyte report beside us, we checked for open ports and backdoors that had been infected. But even as we were shutting down compromised systems and creating new firewall rules, we noted new phishing email campaigns, suggesting that the author of the attack was monitoring the network and still trying to maintain access to Linden’s IT environment.
Incident response readiness
After successfully containing the attack and cleaning up infected systems, Linden engaged Check Point to provide ongoing protection and Infocyte for proactive detection and on-demand incident response, enabling Linden to pinpoint and investigate any new potential threats on an ongoing basis.
Combining the two solutions — Infocyte’s incident response software and Check Point’s protection capabilities — Linden has dramatically improved their incident response readiness.
Advice to clients
Some ransomware attacks can be fast moving and apparent. Other cyber attacks penetrate an organization’s defenses quietly and take months, or even years, to identify weaknesses and vulnerabilities within an environment. These persistent cyber attacks are designed to remain undetected until it’s too late, and the majority of companies are not protected with their current security controls.
The most valuable piece of advice we give to clients like Linden is to always be prepared. This means they need to take the time and effort to understand all key elements of their network and how security controls are mapped to the business drivers.
It also means making sure they have visibility across all of their applications and network assets (hosts, systems, servers, and serverless infrastructure). As we have seen, the most prevalent cyber attacks are those with the greatest ability to extort financial gain. Yes, we do see some very sophisticated cyber threats, but unfortunately they pale in comparison to the impact of generally available ransomware, phishing campaigns, and other common attacks.