Incident to containment - and beyond to productivity

How WithSecure delivers at every stage

Automating security responses can deliver impressive response times, down to milliseconds in some cases. But automation creates problems of its own, and a fast response is not always the best way to dislodge a sophisticated attacker. Below is a recent real-world example of how multiple teams at WithSecure gather around an incident, from the first signs of compromise all the way through to recovery and a return to productivity.

Discovery and investigation

The client noticed encrypted files in their network and contacted their SOC team to investigate what happened. Twelve hours later, they decided to disconnect the network from the wider internet and bring in the WithSecure Incident Response (IR) team to lead the investigation.

“The client noticed a lot of suspicious activity and strange files on their machines, and while they had been investigating the issue with their SOC team, they hadn’t had much success, so they decided to reach out for help,” says John Rogers, Global Head of Incident Response at WithSecure. “They were concerned because the problems were impacting a critical business application.”

The incident response team began the investigation and found evidence of ransomware. They contacted the WithSecure Threat Intelligence team and Tactical Defense team for support with malware analysis of the sample.

“The first thing we did was provide the client with initial guidance and containment actions to prevent further impact from the attack, and we devised a mechanism for ensuring their backups hadn’t been infected. Once we had a copy of the malware, we sent the sample to the WithSecure Intelligence team for reverse engineering while we continued to support the client with their business continuity strategy.” 

Dissecting malware, understanding the attacker

The WithSecure Intelligence team shared their knowledge and confirmed the malware family, then shared information about the group’s known tools, techniques, and procedures. This included information suggesting that the client would be the victim of a triple extortion threat.
 
“Whenever an Incident Response consultant or Threat Hunter finds sophisticated malware that they can’t fully analyze, they can pass it on to us,” says one of WithSecure’s Threat Researchers. “We have the skills to reverse engineer and analyze malware samples internally.”

When the Incident Response team found a custom binary on the client’s machine, they sent it to the WithSecure Intelligence team, who confirmed that it was a known ransomware sample with a custom configuration. The team analyzed the sample and fed back to the IR consultants, confirming that the threat group behind the malware was known for exfiltrating data as well as causing a Denial of Service (DoS) attack. 

Once they understood this key information, the client opted to mitigate the DoS threat by reviewing their external perimeter and implementing DDoS protection.

However, they were still concerned that their applications contained security vulnerabilities.
 

Mitigating the threat of DDoS attack

The client wanted to move applications behind a DDoS protection service to protect their perimeter from an established DoS threat. However, they did not have a way of identifying underlying vulnerabilities in their applications.

The WithSecure Attack Surface Management (ASM) team hunted for vulnerabilities, finding the first within a few hours. Over the next few days, it uncovered several potential DoS risks in outdated services. The information was sent to the client in real time so that vulnerabilities could be prioritized for rapid remediation.
 
“We were asked to check for obvious DDoS vulnerabilities across roughly 350 domains, of which 35 were considered high priority,” says Katie Inns, a Security Consultant and core member of the ASM team at WithSecure. “We approached this as if we were carrying out our usual vulnerability scans, but at the same time decided to do some manual testing to try and find any other potential entry points. We were looking for exposed usernames and passwords, as well as potentially exploitable services like remote desktop. We sent our findings to the client as soon as we found them so that they could be remediated.”

“We were brought in to identify DoS vulnerabilities and any issues on their primary domain, but during our discovery process we found an additional 230 targets within that one domain,” explains Jake Knott, another Security Consultant in WithSecure’s ASM team. “I deliberately tried to identify assets that were behind the new DDoS protection service to try and identify how far they had managed to protect their assets as part of their hardening effort. 

“The interesting thing for us was that we found a way to get around their DDoS protection service, which meant we could have threatened those assets if we had been malicious actors. We raised this issue immediately, and the client took action to resolve it.” 

Switching to XDR

The IR team deployed WithSecure Countercept MDR and worked with the client to contain and eradicate threats. 
 
“As the first attack had gone by almost unnoticed, we needed to get extra visibility to ensure we could rapidly investigate and contain any dormant malware in the environment,” says Rogers. “This was handed over to the Countercept MDR service so that the IR team could continue with their investigation.”

The WithSecure threat hunter team started to monitor the new environment, particularly looking for the indicators of compromise that the WithSecure Intelligence team identified. 

“We usually support the response to ongoing incidents by doing three things,” explains one of WithSecure’s Threat Hunters. “Firstly, we triage threat actor actions and determine tools, techniques, and procedures, as well as identifying indicators of compromise. Next, we evaluate the threat actor’s progress—tracing their footsteps backwards and forwards to determine the full extent of the compromise. During an incident response scenario we can be confident that all attacker actions have been observed, which means that we can give relevant recommendations to the client. Finally, we continuously monitor for the threat actor’s return, including being ready to act immediately if they are detected.”

Working backwards to see forward

The incident response team created a timeline of the attack showing how the attacker probably progressed through the environment. They also looked for signs of data exfiltration - but found nothing. 
 
“Using the findings from both the Threat Intelligence and the Incident Response teams, we were able to contain infected hosts and begin to understand how the attack had unfolded on the environment,” says Rogers. 
 
“Then, with the evidence provided by the client, as well as remote evidence collections, we constructed a full timeline of events detailing how the attack had taken place. This was important—we needed to ensure that we had a full understanding of what the attacker had done on the network so that we could be sure that we had mitigated all possible damage. We also wanted to identify signs of data exfiltration.” 

The incident response team confirmed the root cause of the compromise and tracked suspicious activity to a user account authenticating via Citrix.

“Our timeline activities led us to finding patient zero, and indicated that the attacker had gained access to the environment via a Citrix portal, which allowed employees to work remotely,” says Rogers. “Although the portal had been patched against security vulnerabilities, the attacker had found the credentials in a data dump. This was later confirmed by the Threat Intelligence team.”
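The three threat-hunting steps described above (triage against indicators of compromise, tracing the actor backwards and forwards to build a timeline, and monitoring for their return) and the patient-zero tracing that led back to a remote-access logon are shown below in one small Python script. This is an added illustration, not WithSecure’s code or tooling, and it is not taken from the incident described. The pipe-separated log format, the host and account names, the IOC set and the hash value are all constructed for the example; the IP addresses come from the RFC 5737 documentation ranges and are not real indicators.

```python
"""Added example: IOC triage, attack timeline, and patient-zero tracing.

Everything here (log format, hosts, accounts, IOCs) is constructed for
illustration and is not drawn from any real incident.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed log lines: "<ISO timestamp>|<host>|<event>|<account>|<src_ip>|<detail>"
SAMPLE_LOGS = """\
2023-03-01T08:02:11Z|ctx-gw01|remote_auth|j.doe|198.51.100.23|citrix portal logon ok
2023-03-01T08:15:40Z|ctx-gw01|remote_auth|svc-backup|203.0.113.77|citrix portal logon ok
2023-03-01T09:30:05Z|fs01|process_start|svc-backup|-|sha256=PLACEHOLDER_HASH_1
2023-03-01T09:31:12Z|fs01|net_connect|svc-backup|203.0.113.77|tcp/443
2023-03-02T02:10:00Z|app02|file_write|svc-backup|-|C:\\data\\report.xlsx.locked
2023-03-02T02:10:03Z|app02|file_write|svc-backup|-|C:\\data\\README_RECOVER.txt
2023-03-02T07:45:19Z|ctx-gw01|remote_auth|a.smith|198.51.100.44|citrix portal logon ok
"""

# Constructed IOC set, in the shape an intelligence team might hand over.
IOCS: Dict[str, Set[str]] = {
    "ip": {"203.0.113.77"},
    "sha256": {"PLACEHOLDER_HASH_1"},
    "filename": {"README_RECOVER.txt"},
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str
    account: str
    src_ip: str
    detail: str


def parse_logs(text: str) -> List[Event]:
    """Parse the constructed pipe-separated format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, account, src_ip, detail = line.split("|", 5)
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(stamp, host, kind, account, src_ip, detail))
    return events


def ioc_hits(events: List[Event], iocs: Dict[str, Set[str]]) -> List[Event]:
    """Step 1, triage: keep only events that touch a known indicator."""
    hits = []
    for e in events:
        if (e.src_ip in iocs["ip"]
                or any(h in e.detail for h in iocs["sha256"])
                or any(e.detail.endswith(f) for f in iocs["filename"])):
            hits.append(e)
    return hits


def build_timeline(events: List[Event]) -> List[Event]:
    """Order events chronologically so the attack can be read as a story."""
    return sorted(events, key=lambda e: e.ts)


def compromised_hosts(hits: List[Event]) -> Set[str]:
    """Hosts that need containment: every host with at least one IOC hit."""
    return {h.host for h in hits}


def find_patient_zero(events: List[Event], hits: List[Event],
                      portal_host: str) -> Optional[Event]:
    """Step 2, trace backwards: the earliest remote-access logon on the
    portal by an account that later shows up in an IOC hit."""
    suspect_accounts = {h.account for h in hits}
    for e in build_timeline(events):
        if (e.host == portal_host and e.kind == "remote_auth"
                and e.account in suspect_accounts):
            return e
    return None


def watch(line: str, iocs: Dict[str, Set[str]],
          suspect_accounts: Set[str]) -> Optional[str]:
    """Step 3, monitor for return: classify one new log line, or None."""
    e = parse_logs(line)[0]
    if ioc_hits([e], iocs):
        return "ioc"
    if e.kind == "remote_auth" and e.account in suspect_accounts:
        return "suspect-account-logon"
    return None


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    hits = ioc_hits(evs, IOCS)
    print("hosts to contain:", sorted(compromised_hosts(hits)))
    pz = find_patient_zero(evs, hits, "ctx-gw01")
    print("patient zero:", pz)
    for h in build_timeline(hits):
        print(h.ts.isoformat(), h.host, h.kind, h.account, h.detail)
```

The point worth noticing is the backwards trace: the first logon by the compromised account on the portal is itself unremarkable (a successful logon with valid credentials, exactly what a credential found in a data dump looks like), and it only becomes patient zero once the account is tied to later IOC hits. The `watch` step then treats any new remote-access logon by that account as an alert, which is the “ready to act immediately if they return” condition from the passage above.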

Recovery and hardening

The attack was contained, a disaster recovery site was up and running, and the client began an extensive hardening and recovery project. The combined efforts of WithSecure’s Incident Response, Intelligence, Attack Surface Management, and Threat Hunter teams enabled the successful containment of the attack and protected the client against further actions by the threat actor in the short term while they began their improvement initiatives.
 
The dynamic and automatic teamwork shown in this incident is typical of WithSecure teams’ ways of working. Because of the range of skillsets and expertise throughout the business, we can help our clients with whatever problems they face. 
 
This incident timeline is an excellent example of that collaboration in action.
