It started with a breach.
F-Secure was contacted by a financial institution in the midst of an active compromise. After F-Secure's Incident Response team had performed forensic analysis to identify the extent of the compromise and contain it, F-Secure Countercept was retained as the institution's Managed Detection and Response provider.
Fast forward to the present, and Countercept has successfully detected and responded to over 500 instances of attackers attempting to breach the organization’s network, with more than twenty of these findings being confirmed as critical. Each instance posed a significant risk to the organization and had the potential to incur significant financial and reputational loss.
Below is a small sampling of some of the incidents that Countercept’s threat hunters have detected and responded to.
Insider keylogger
The Countercept threat hunters discovered that an employee of the bank had deployed a Python-based keylogger in order to gain elevated privileges, with the aim of gaining access to key systems. Countercept detected and contained this activity before the user was able to pass on access to criminal groups, thereby preventing any financial loss.
RAM scraping malware
Soon after Countercept's EDR agent was installed on the host, a historic RAM scraping malware infection was detected on one of the bank's application servers. The infection had gone unnoticed by the organization's internal security teams up to that point; Countercept contained it quickly, preventing a significant potential loss given the application's large user base.
Andromeda malware
Different variants of the Andromeda malware were detected across the bank's estate, spreading internally via USB and file shares. Delivered initially via phishing, this commodity malware injects itself into memory, installs persistence, and then attempts to move laterally via removable media. Countercept studied this malware in depth in order to develop effective and efficient detection across the rest of the organization's estate, targeting the particular tactics, techniques, and procedures (TTPs) that persisted across several iterations of the malware.
EternalBlue (MS17-010)
The institution was one of many targeted with EternalBlue (MS17-010), an exploit made public by the Shadow Brokers and used as part of the WannaCry ransomware attack in 2017. EternalBlue exploits a vulnerability in the Server Message Block (SMB) implementation in Microsoft Windows, and the variant used to target the institution was designed to encrypt large amounts of data. Countercept worked closely with the client to fully map the infected hosts and put together a remediation plan to remove this threat from the client's network.
The human element in detection and response
Countercept’s ability to detect and stop such attacks early in the kill chain means that attackers do not have time to gain a significant foothold on an IT network. This prevents attackers from branching out to compromise critical systems, which could result in significant reputational damage, exposure of client data, exposure of intellectual property, or direct financial loss.
This bank's threat landscape spans the entire spectrum of threat actors, as is true of the majority of global financial institutions. Advanced attackers continually evolve their capabilities to compromise such organizations and their motivations remain broad; defensive capabilities need to advance at the same or – better yet – a faster pace.
Although detecting malware is of value to an organization, detection alone fails to account for the dynamic human attackers behind that malware, who can adapt their techniques in real time. Such attackers can only be effectively countered by an equally skilled and well-equipped hunt team that is trained in the attacker mindset.
Please get in touch to chat about how Countercept provides managed detection and response for financial institutions.