One Article Review

Home - The article:
Source AlienVault Blog
Identifier 2037911
Publication date 2020-11-16 12:00:00 (viewed: 2020-11-16 12:10:32)
Title Stories from the SOC – Multi-layered defense detects Windows Trojan
Text Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.

Executive summary

Malware infections are common and are often missed by antivirus software. Their impact on critical infrastructure and applications can be devastating to an organization's network, brand and customers if not remediated. With the ever-changing nature of cyberattacks, organizations need a layered security strategy. They shouldn't depend solely on a single layer of security to keep them protected. A multi-layered approach can help ensure that anything that slips through the cracks is caught before it affects their business.

The AT&T Managed Threat Detection and Response (MTDR) analyst team received an alarm indicating detection of a potentially malicious executable on a customer's SQL server that was presented as mitigated by their antivirus software. Despite the mitigated status, the team completed further analysis and discovered a history of similar events on the host. Based on the review of the server's event history, the team determined the threat was not mitigated and engaged the customer for remediation. MTDR served as the second layer of defense for this customer, quickly detecting a threat that had slipped through the cracks before any damage was done.

Investigation

Initial Alarm Review

Indicators of Compromise (IOC)

The initial alarm surfaced as the result of multiple events indicating that malware had been detected, removed, and no longer posed a threat to our customer's SQL server.

[Image: Trojan malware infection]

Expanded Investigation

Alarm Detail

Malware infection alarms are common, but anti-malware software ordinarily attends to malicious files effectively, not requiring any further action. Upon review of the server's alarm and event history, the team found that similar 'Malware Detected' alarms had been observed days before. The older alarms were isolated, first-time occurrences and were successfully mitigated by the security controls the customer had in place. These alarms were closed as auto-mitigated.

[Image: Auto-mitigation response]

Building the Investigation

Reviewing instances of this nature should be considered standard practice. A detailed history of the involved asset, or of others affected by similar malware, usually serves as an indicator of a persisting malware infection. Armed with this historical context, we concluded this was likely a persisting malware infection affecting the server. All of the identified files, alarms, and events were gathered into an Investigation and presented to the customer with a recommendation to perform extensive scans on the asset at their earliest convenience.

Customer Interaction

The customer began their investigation shortly after the creation of the Investigation and the notification from our team. They confirmed the server had been compromised and were able to remediate the infection soon after.

[Image: Trojan has been remediated]

This incident serves as a reminder of why centralized logging and threat detection are important: the server's detailed history allowed us to conclude that there was a compromise despite anti-malware logs stating that no further action was required for mitigation.
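The reasoning above, that a single auto-mitigated malware alarm is routine but repeats on the same asset point to a persisting infection, written as a correlation check over alarm history. This is an added example, not code from the AT&T post; the pipe-delimited export format, hostnames and timestamps are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alarm export (not from the article), one record per line as
# "timestamp|host|alarm|status". Hostnames and dates are hypothetical.
SAMPLE_ALARMS = """\
2020-11-02T08:14:00|sql-prod-01|Malware Detected|auto-mitigated
2020-11-05T21:40:00|sql-prod-01|Malware Detected|auto-mitigated
2020-11-09T03:02:00|sql-prod-01|Malware Detected|auto-mitigated
2020-11-09T10:15:00|web-dmz-03|Malware Detected|auto-mitigated
2020-11-10T12:00:00|sql-prod-01|Malware Detected|auto-mitigated
"""

def parse_alarms(text):
    """Parse the pipe-delimited alarm export into dicts with a datetime."""
    alarms = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, name, status = line.split("|")
        alarms.append({"time": datetime.fromisoformat(ts), "host": host,
                       "alarm": name, "status": status})
    return alarms

def persistent_infection_hosts(alarms, window_days=14, min_hits=3):
    """Return {host: count} for hosts with >= min_hits auto-mitigated malware
    alarms inside some sliding window of window_days. One auto-mitigated hit is
    routine; repeats on the same asset suggest the anti-malware control is only
    cleaning a payload that something still present keeps re-dropping."""
    by_host = defaultdict(list)
    for a in alarms:
        if a["alarm"] == "Malware Detected" and a["status"] == "auto-mitigated":
            by_host[a["host"]].append(a["time"])
    flagged = {}
    window = timedelta(days=window_days)
    for host, times in by_host.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            flagged[host] = best
    return flagged

if __name__ == "__main__":
    for host, n in persistent_infection_hosts(parse_alarms(SAMPLE_ALARMS)).items():
        print(f"{host}: {n} auto-mitigated detections within 14 days -> escalate")
```

Hosts returned by the check are the ones whose "mitigated" alarms should stay open and be raised with the asset owner instead of being auto-closed.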
Sent Yes
Tags Malware Threat Stories