Tales from the SOC: Surprise! You’ve Got Active Malware.

How ControlScan SOC analysts found antivirus program misses within hours of a new customer’s MDR implementation.


June 28, 2019

Did you know that within the average company network there are between 20 and 100 cyberattacks taking place every single minute? The thought can be mind-boggling, but keeping your business secure really boils down to two basic requirements: 1) maintaining control of sensitive data, and 2) keeping your IT environment free from malicious activity.

Many companies are big enough to have their own IT group; however, dedicating someone to 24x7 threat detection and response is a tall order. Even with a SIEM or other security technology in place, today’s advanced malware is designed to bypass traditional antivirus products. Furthermore, organizations simply don’t have the manpower for the “eyes-on-glass” style of log monitoring that catches active malware and code execution as it happens.

Finding Active Malware in a New Customer’s Environment

Late in the day on a recent Friday, a new customer began installation of the ControlScan Managed Detection and Response (MDR) service to their end user systems. This customer is an SMB (small to mid-sized business) that relies on personal computers to keep their business running. Sound familiar?

A few hours after the customer’s implementation was complete—at 12:05 a.m. Saturday to be exact—our MDR service blocked an attempted execution of malware that was present on one of their remote office computers.

As it turns out, this active malware had been on the remote office machine since October 2018. With each user login, the malware was executing and performing data harvesting, as well as making attempts at lateral movement and propagation. A variant of Trickbot malware, it checked for POS systems, gathered information about the network, and scraped the system for usernames and passwords, web history, email data and more.

Upon identifying the malware threat, ControlScan SOC analysts immediately began investigating and cleaning up the malicious files and settings, blocking the infections and stopping further malicious activity from that user profile. All this activity, from initial threat identification to complete containment of the malware, took place in under an hour.

Two days after the initial threat detection and prevention, the same customer had another active malware incident on yet another system. ControlScan MDR blocked the attempted use of built-in Microsoft Windows tools to perform code execution and malicious code injection, and once again, ControlScan SOC analysts immediately began their investigation to uncover the root source. Inside a single user profile, the analyst found eight different active malware variants: DRIDEX, Fireball Web Hijacking, Kryptik, and five variations of Trickbot.
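The two behaviours the SOC caught above, a program inside a user profile starting at every logon and built-in Windows tools being launched for code execution, are the kind of thing a detection pass over process-creation telemetry can surface. The following is an added example, not ControlScan's code or detection logic: it runs two simple rules over constructed process-creation records in a made-up pipe-delimited format, and then reports which profile-resident programs recur across logon sessions. The directory list, parent-process list and tool list are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumptions for this example (not vendor logic): user-writable profile locations,
# the parents that launch per-user programs at logon, and built-in Windows tools
# that are commonly co-opted for code execution or injection.
PROFILE_DIRS = ("\\appdata\\", "\\users\\public\\", "\\temp\\")
LOGON_PARENTS = {"explorer.exe", "userinit.exe"}
WINDOWS_TOOLS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                 "cscript.exe", "powershell.exe", "certutil.exe"}


@dataclass
class ProcEvent:
    ts: str
    user: str
    pid: int
    image: str
    parent_pid: int
    parent_image: str


def parse_line(line: str) -> ProcEvent:
    """Constructed record format: ts|user|pid|image|parent_pid|parent_image."""
    ts, user, pid, image, ppid, pimage = line.strip().split("|")
    return ProcEvent(ts, user, int(pid), image, int(ppid), pimage)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_profile_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in PROFILE_DIRS)


def detect(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (rule, user, detail) findings for the two behaviours."""
    findings = []
    for e in events:
        img, parent = basename(e.image), basename(e.parent_image)
        # Rule 1: a program stored in the user's profile started by the logon shell.
        if in_profile_dir(e.image) and parent in LOGON_PARENTS:
            findings.append(("profile_autostart", e.user, e.image))
        # Rule 2: a built-in Windows tool spawned by a profile-resident program.
        if img in WINDOWS_TOOLS and in_profile_dir(e.parent_image):
            findings.append(("tool_from_profile", e.user, f"{parent} -> {img}"))
    return findings


def recurring_autostarts(events: List[ProcEvent], min_sessions: int = 2) -> Dict[Tuple[str, str], int]:
    """Profile programs that start at logon in at least min_sessions distinct sessions.
    A session is approximated by the PID of the logon shell that launched the program."""
    sessions: Dict[Tuple[str, str], set] = {}
    for e in events:
        if in_profile_dir(e.image) and basename(e.parent_image) in LOGON_PARENTS:
            sessions.setdefault((e.user, e.image.lower()), set()).add(e.parent_pid)
    return {k: len(v) for k, v in sessions.items() if len(v) >= min_sessions}


# Constructed sample telemetry: two logon sessions for one user, with a profile-resident
# program that starts under explorer.exe each time and once launches rundll32.exe.
SAMPLE_LOG = """\
2019-06-22T00:05:01|CORP\\jdoe|4120|C:\\Windows\\explorer.exe|980|C:\\Windows\\System32\\userinit.exe
2019-06-22T00:05:03|CORP\\jdoe|4388|C:\\Users\\jdoe\\AppData\\Roaming\\update_helper.exe|4120|C:\\Windows\\explorer.exe
2019-06-22T00:05:04|CORP\\jdoe|4402|C:\\Windows\\System32\\rundll32.exe|4388|C:\\Users\\jdoe\\AppData\\Roaming\\update_helper.exe
2019-06-22T00:05:10|CORP\\jdoe|4510|C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|4120|C:\\Windows\\explorer.exe
2019-06-24T08:31:00|CORP\\jdoe|6200|C:\\Windows\\explorer.exe|1012|C:\\Windows\\System32\\userinit.exe
2019-06-24T08:31:02|CORP\\jdoe|6231|C:\\Users\\jdoe\\AppData\\Roaming\\update_helper.exe|6200|C:\\Windows\\explorer.exe
2019-06-24T08:40:00|CORP\\jdoe|6410|C:\\Windows\\System32\\notepad.exe|6200|C:\\Windows\\explorer.exe
"""


def run_sample():
    events = [parse_line(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return detect(events), recurring_autostarts(events)


if __name__ == "__main__":
    findings, recurring = run_sample()
    for f in findings:
        print(f)
    print(recurring)
```

Both rules are deliberately coarse: legitimate installers also live under AppData and legitimate software also calls rundll32.exe, so in practice these findings feed an analyst queue rather than an automatic block. The recurrence count is what turns a one-off hit into the "executes at every login" pattern the SOC described, and it is cheap to compute from the same events.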

Significant cleanup had to be performed due to the number of threats identified. A team of SOC analysts worked with the customer to isolate the system from the network, and they began triage and cleanup of the infected user profile and host, working closely with the customer’s IT team. Even with the extent of the infection, the ControlScan team was able to quarantine, block and remove the threats quickly and effectively, and cleanup was fully completed within three hours.

Through their investigation of system files and other artifacts, the SOC analysts were able to determine that the source of these attacks was malicious websites and email links, which makes sense, given that over 90% of attacks are the result of phishing campaigns and other social engineering attacks. One misguided click is all a cybercriminal needs to gain access to an entire business environment.

Traditional Antivirus Misses Advanced Threats

Prior to becoming a ControlScan client, this SMB had been relying on the standard antivirus protection that comes with Microsoft Windows. While the convenience of a free, included product is cost-effective, you really do “get what you paid for.” These built-in products provide only basic levels of protection and fail to block the advanced threats that are now commonplace.

MDR services are business critical because they provide the necessary manpower, expertise and responsiveness. Employees and companies are being attacked by advanced threats and previously unknown variants of malware much more frequently than by reused existing malware variants. SOC analysts are trained to spot and appropriately investigate the anomalies these threats produce.

Immediate Return on Investment

It’s no surprise that the response from this new customer after seeing their immediate return on investment was, “I’m really liking this new MDR service!”

Both of the attacks outlined above were gathering cached passwords and user activity, as well as looking for additional assets inside the network that could yield sensitive data for exfiltration. If the customer’s network hadn’t been properly segmented, a data breach would likely have occurred before our services even came into the picture.

Even so, any number of other bad outcomes could have come from these attacks. At any point in time, these attackers could have launched ransomware and encrypted the users’ environments. They also could have accessed the infected users’ email contacts and sent malicious files to customers from a company email address. This would surely have erased the trust the company had built with its customers.

That's where ControlScan Managed Detection and Response (MDR) comes in. Our MDR service delivers an individualized threat detection program that ensures our customers are protected and they don't have to worry about being victimized by a data breach, malware, ransomware, or any other form of cyberattack.

ControlScan SOC analysts provide that 24x7, eyes-on-glass support. We are watching your systems even while you're sleeping, which gives you peace of mind regarding your operations.

Learn more about the “why” behind managed detection and response by watching our video above, then give us a call at 800-825-3301, ext. 2, and let’s talk about how ControlScan MDR can have your back!