The last few weeks have been dense with cyber news, with ransom attacks and revelations of espionage cases.
Let’s take a look back at the attack process, whether direct or through the subcontracting chain, the best practices to secure your systems, and the possibilities offered by TEHTRIS.
During an espionage attempt on a targeted network, the usual chain of attack is composed of several steps. Everything starts with an initial compromise through vulnerabilities exploited on exposed services, followed by a confirmation of access and a privilege escalation. The attacker then has the ability to move laterally across the network fleet, in order to exfiltrate and/or encrypt the data.
The TEHTRIS XDR Platform detects the binary during its execution and performs an analysis to identify whether it is a known or unknown threat and stops it at the first symptoms. The various modules that make it up also detect suspicious behavior, such as privilege escalations or lateral movements.
The attacker is thus stopped before a malicious payload is set up. His action is immediately halted, without his being able to use obfuscation and persistence techniques leading to the modification of the production line.
Supply Chain is used to designate the flows between subcontracting service providers and large companies. Subcontractors manufacture components or offer services used by end customers in various sectors (industry, transport, retail, finance…). End customers often receive the components and results on a just-in-time basis, in order to avoid tied-up inventory and optimize their working capital requirements. Supply Chain experts generally work with high-tech companies with unique know-how.
In large-scale espionage operations, attackers take up positions on service provider networks in order to retrieve data or even access their customers’ networks.
Indeed, even though a large company’s information system may be properly managed, some of the partners it outsources to prove to be a prime target for attackers. A successful and stealthy penetration of this chain offers hackers the possibility of pivoting to the parent company via intermediate subcontractors. Espionage is carried out remotely and exploits loopholes at these partners, who are supposed to be trusted but where security rules and monitoring may sometimes be less operational.
The fight against espionage is in the DNA of TEHTRIS; it is a permanent fight, and it is our commitment to bring you the best weapons to defend yourself.
Indeed, TEHTRIS has already intervened many times with companies that were victims of large-scale espionage cases. As an example, TEHTRIS defended a large French company, present internationally, that was the victim of espionage through its Supply Chain. Although the group was not protected by TEHTRIS at the time of the attack, we deployed and installed the TEHTRIS XDR Platform within its infrastructure in record time.
Data feeds to the unified console allowed us to locate the attackers in the fleet via third-party IoC searches and to learn more about the techniques they used. We were also able to quickly estimate the damage done, including Active Directory (AD) compromise and data theft. Once this information was gathered, TEHTRIS EDR expelled the attacker from the network, working jointly with the company and the parties involved. TEHTRIS was thus able to save the organization’s infrastructure by considerably limiting the damage caused by the attack.
The basic principles to be generally applied are as follows:
If you believe that your organization, a client or a provider may be affected, it is first and foremost important to use known indicators of compromise (IoCs) and user activity logs to track lateral movements and determine whether or not the organization is actually affected.
Then, we recommend that you contact your security provider to quickly learn about suggested updates and scanning feeds. You can also use a qualified incident response organization, such as TEHTRIS, which can be engaged at the first sign of compromise.
You will also need to renew or clean your computer equipment so that hosts and credentials are secure. Afterwards, we recommend that you engage in more active monitoring of your networks for potential anomalies.
It is important to have a supply chain risk management function in place if possible; at a minimum, have a documented list of critical vendors and suppliers in case a breach is reported.
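As an added illustration of the first principle above (checking logon activity against known IoCs and looking for lateral movement), here is a small triage script; it is not TEHTRIS code, and the one-line log format, the IoC address and the fan-out thresholds are constructed assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed remote-logon events in a hypothetical one-line format:
# "<ISO timestamp> LOGON user=<account> src=<ip> dst=<host> type=<logon type>".
SAMPLE_LOGS = """\
2024-03-01T02:10:05 LOGON user=svc_backup src=10.0.5.17 dst=FILE01 type=3
2024-03-01T02:10:41 LOGON user=svc_backup src=10.0.5.17 dst=FILE02 type=3
2024-03-01T02:11:03 LOGON user=svc_backup src=10.0.5.17 dst=DC01 type=3
2024-03-01T02:11:30 LOGON user=svc_backup src=10.0.5.17 dst=HR-APP type=3
2024-03-01T08:30:00 LOGON user=alice src=10.0.7.22 dst=FILE01 type=3
2024-03-01T09:15:12 LOGON user=bob src=203.0.113.45 dst=VPN-GW type=10
2024-03-01T09:16:00 LOGON user=alice src=10.0.7.22 dst=FILE01 type=3
"""
# Constructed IoC list standing in for the indicators a provider or CERT would share.
KNOWN_IOCS = {"203.0.113.45"}

LINE_RE = re.compile(r"^(?P<ts>\S+) LOGON user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) type=(?P<type>\d+)$")

def parse_logons(text):
    # Lines that do not match the expected format are skipped rather than failing the run.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events

def match_iocs(events, iocs):
    """Events whose source address is a known indicator of compromise."""
    return [e for e in events if e["src"] in iocs]

def lateral_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """Accounts whose network logons (type 3) reach >= min_hosts distinct hosts inside `window`."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "3":  # keep network logons only
            by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):  # slide a window starting at each logon
            hosts = {x["dst"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                findings[user] = sorted(hosts)
                break
    return findings
```

On the constructed sample, the IoC match flags the single VPN logon from the listed address, and the fan-out check flags only the service account that reached four hosts within a few minutes; a user repeatedly opening the same share is not reported.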
In a cyber security crisis involving espionage, the priority is to deploy a solution such as TEHTRIS EDR combined with TEHTRIS EPP on your fleet. The objective of this combination is to obtain global visibility of your information system in order to detect, analyze and respond to threats by eliminating them. At the same time, our experts strongly recommend installing a solution such as TEHTRIS SIEM to have a broad view of your devices (VPN, etc.). Finally, we recommend solutions such as TEHTRIS DNS Firewall to detect possible persistent contacts with attackers’ command and control servers, or TEHTRIS Deceptive Response, with the installation of honeypots to deceive attackers.
At TEHTRIS, our experts work daily to analyze the health of our clients’ information systems. Our technologies, deployed across an entire fleet, make it possible to detect, analyze and neutralize a threat in a few seconds.
From the moment the perimeter is covered by our solutions, the organization is protected, from the service provider to the large international group, whether private or public. For several years, our solutions have been detecting stealthy cyber espionage operations that involve no weaponized tooling or malware.
We regularly carry out intrusion tests on our technologies and on all integrations, and perform audits to guarantee our customers the best possible protection.