
XDR SUCCESS USE CASE: blocking advanced cyber-attacks at an early stage

Thwarting the advanced cyberattacks faced by our customers is the daily work of TEHTRIS’ technology, together with our partners. Let’s dive into a concrete example from the industrial sector.

Context

In September 2022, TEHTRIS and its MSSP partner helped counter the first stage of an advanced attack on a manufacturing company. This manufacturer conducts activities across all continents with multiple production sites and is equipped with TEHTRIS XDR Platform unified solutions for protection, including TEHTRIS EDR.

The incident was handled quickly, with no operational consequences for the business activity of the TEHTRIS customer. The goal of the attacker remains undetermined. However, given the available evidence, TEHTRIS, along with the customer and the MSSP partner, assessed that it could have been a case of data exfiltration in a cyber-espionage campaign, or the first stage of a ransomware attack, in which data is retrieved for extortion.

Steps of detection and remediation by TEHTRIS’ tools

Thanks to an Application Policy configured beforehand to detect suspicious encoded PowerShell command lines, the analyst received an alert on an event revealing the presence of a stealth backdoor. The use of PowerShell is not malicious per se, but threat actors can abuse PowerShell commands for execution since it is a powerful interactive command-line interface included in Windows (T1059.001 in the MITRE ATT&CK framework). This explains why an alert was triggered – but automated remediation was not activated on the endpoint at the time of the incident.
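The following is an added example, not TEHTRIS code, of the kind of check such a policy performs: it recognises a PowerShell launch carrying an -EncodedCommand switch (including the abbreviated forms PowerShell accepts), decodes the base64/UTF-16LE payload so the analyst can see what the command line actually runs, and raises a hit per host. It assumes a constructed tab-separated process-creation log format; the sample lines and the harmless encoded script are constructed for the example.

```python
import base64
import re
import shlex
from typing import List, Optional, Tuple

POWERSHELL_NAMES = {"powershell.exe", "powershell", "pwsh.exe", "pwsh"}


def _is_encoded_switch(token: str) -> bool:
    """powershell.exe accepts any prefix of -EncodedCommand (-e, -ec, -enc, ...)."""
    return len(token) >= 2 and token[0] in "-/" and "encodedcommand".startswith(token[1:].lower())


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline launches PowerShell with -EncodedCommand, else None."""
    tokens = [t.strip('"\'') for t in shlex.split(cmdline, posix=False)]
    if not tokens or re.split(r"[\\/]", tokens[0])[-1].lower() not in POWERSHELL_NAMES:
        return None
    for i, tok in enumerate(tokens[1:-1], start=1):
        if _is_encoded_switch(tok):
            try:
                # -EncodedCommand carries the script text as base64 of its UTF-16LE bytes
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return "<undecodable payload>"
    return None


def scan_process_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Constructed log format: '<host>\\t<command line>'. Returns (host, decoded script) per hit."""
    hits = []
    for line in lines:
        host, _, cmdline = line.partition("\t")
        decoded = decode_encoded_powershell(cmdline)
        if decoded is not None:
            hits.append((host, decoded))
    return hits


# Constructed sample: a harmless script encoded the way -EncodedCommand expects it
SAMPLE_SCRIPT = "Get-Date | Out-Null"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_LOG = [
    "WS01\tC:\\Windows\\explorer.exe",
    "WS02\tpowershell.exe -NoProfile -Command Get-Date",
    f"WS03\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden -enc {SAMPLE_ENCODED}",
]

if __name__ == "__main__":
    for host, script in scan_process_log(SAMPLE_LOG):
        print(f"ALERT {host}: encoded PowerShell decodes to: {script!r}")
```

Only the third sample line is flagged: plain PowerShell use is not alerted on, which mirrors the point that PowerShell itself is not malicious and only the encoded-command pattern warrants an analyst's attention.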

Using TEHTRIS EDR, the analysts explored the logs to evaluate the severity of the alert by identifying the extent of the attack. They were then able to provide remediation by blacklisting the binary that had triggered the first alert.

To investigate further, the analysts used TEHTRIS Offline Forensics (TOF), a tool that provides context and allows them to identify what actions the attackers conducted before the remediation took place. It appeared that the initial vector of compromise was the exploitation of a vulnerability in a widespread virtualization product installed on a machine that was not in the scope of TEHTRIS’ protection. The attacker then performed lateral movement (TA0008 in the MITRE ATT&CK framework) to spread across the network and infect devices protected by TEHTRIS solutions.

Lessons learned

TEHTRIS XDR Platform provides powerful unified tools to alert on suspicious activities, investigate any kind of threat and remediate incidents. It is also a reliable forensic tool for MSSP analysts, who can count on it to determine the perimeter of a compromise.

Since the threat landscape is evolving so fast, and threat actors tend to use stealthier techniques (such as Living Off the Land binaries), analysts must stay up to date with ongoing threats and revise the configuration of their cybersecurity tools every so often.

Coordination, communication and acting fast are key to preventing an attack from going further. TEHTRIS helps you achieve readiness for every cyberattack: the ability to hunt & respond.