We are excited to announce a new service that allows companies to get an Endpoint Triage report without forensics experts or software. They can simply run a collector on their system and get a report.
This service has a low, fixed price and results will often be delivered within 24 hours.
This service can be used by:
- MSSP clients who need to make decisions after being notified of an alert.
- Consulting companies who are not staffed for short engagements.
- SOCs who do not have an IR team.
More about the service can be found here.
Below is an example of a recent engagement with an MSSP.
Case Study: Rapid Endpoint Triage Services
This engagement started months after an organization experienced a ransomware incident and never conducted a full investigation. They simply wiped systems and restored encrypted systems believing the initial compromise was via a phishing email.
The organization hired a new MSSP, who wanted to know if the incident was actually fully remediated.
Were the original systems still compromised, and if so, how badly?
They needed Endpoint Triage on key systems and used our Rapid Endpoint Triage Services.
Data Collection
The MSSP and their client identified 6 systems to investigate:
- A domain controller (not rebuilt)
- 5 endpoints (4 were rebuilt)
The MSSP ran our Collector on each live system and data was automatically uploaded to our servers. The Collector requires no installation. They simply copied it to the remote system and launched it.
Endpoint Triage Analysis
Once the data was uploaded, analysis began. We used our automated Cyber Triage tool to quickly identify any bad and suspicious artifacts that would indicate signs of an intrusion.
Our examiners then reviewed the results.
A report was delivered for all 6 systems in less than 48 hours after the data was uploaded.
Findings
From our analysis, a compromised user account was identified and unneeded remote access software.
For our Endpoint Triage investigations, we focus on 4 key elements:
- Malware
- Data exfiltration
- Lateral movement
- Command and control
For this report, we should caveat that 4 of the systems had been wiped, so more results may have been found with the original data.
Malware
No malware was found on the systems. But “Advanced IP Scanner” was used by the attackers to perform reconnaissance.
Lateral Movement
Suspicious logons were identified on the domain controller and they were confirmed with the client:
- The domain “Administrator” account was used for the first time on the domain controller during the incident time frame. This was not previously detected and the account was not previously reset. The host that the connections came from had been wiped and did not have any further clues.
- There were outgoing RDP connections from the domain controller. Those were confirmed to be legitimate.
Data Exfiltration
No signs of data exfiltration were found in the investigation.
Command and Control
The attacker may have been able to retain access using the compromised Administrator account.
Further, the analysis identified 6 different remote access tools:
- Connect Wise (older version of Screen Connect)
- Screen Connect
- Windows RDP
- Open Manage
- Teamviewer
- Putty
- VNC
The client later confirmed that the first 2 were in active use by them and the current MSSP and the later 4 were from prior MSPs.
Impact of Findings
After reviewing the report:
- Administrator account was reset.
- MSSP changed onboarding process to include scans for remote access software.
- Unneeded remote access programs were uninstalled from these hosts and others.
Conclusion
From this engagement, the MSSP and client were able to make changes and move ahead with more confidence that the attacker was not still in their environment. All the MSSP had to do was run our collector on the six systems,
It’s important to make data-driven decisions. Not just wipe and hope for the best. This was a great example of how the organization didn’t fully eradicate the attacker.
If you would like to use our rapid investigation services, please contact us.