The situation was an obvious case of compromised user credentials: a corporate end user should not normally be
logged in simultaneously from two geographically separate locations. In response, the organization’s Security
Operations Center (SOC) called the end user (who happened to be a technical security staff member himself) to
investigate. The SOC wondered whether the user had set up a proxy device at home, was using his mobile device to
initiate a second connection, or was even running his own penetration test to play a trick on his colleagues. The
SOC determined that the end user had no malicious intent; he was using the VPN legitimately while traveling on a
business trip.
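The rule the SOC was acting on, one user authenticating from two places that cannot both be real, is usually implemented as an "impossible travel" check. The following is an added example written for this page (it is not LogRhythm code and does not reproduce any of its rules): it parses a constructed VPN gateway log format, geolocates source addresses with a constructed lookup table standing in for a GeoIP database, and alerts when two successive successful logins by the same user would require travelling faster than an assumed ceiling. The simultaneous-login case from the story is the limiting case where the elapsed time is near zero.

```python
"""Impossible-travel detection over VPN authentication events (added example)."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed GeoIP table (documentation/TEST-NET addresses, not real hosts).
GEOIP = {
    "203.0.113.10": (40.71, -74.01),   # New York
    "198.51.100.7": (51.51, -0.13),    # London
    "192.0.2.55": (40.75, -73.98),     # New York, second hotel/office
}

# Assumed policy ceiling: roughly airliner cruise speed. Tune per organisation.
MAX_SPEED_KMH = 900.0

# Constructed sample log lines in an assumed "<iso-ts> vpn-gw k=v ..." format.
LOGS = [
    "2024-03-04T08:00:00 vpn-gw user=jdoe src=203.0.113.10 result=success",
    "2024-03-04T08:20:00 vpn-gw user=jdoe src=198.51.100.7 result=success",
    "2024-03-04T08:25:00 vpn-gw user=asmith src=203.0.113.10 result=success",
    "2024-03-04T12:00:00 vpn-gw user=asmith src=192.0.2.55 result=success",
    "2024-03-04T12:05:00 vpn-gw user=jdoe src=198.51.100.7 result=failure",
]


@dataclass
class Login:
    ts: datetime
    user: str
    src_ip: str


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def parse(line):
    """Return a Login for a successful authentication, None otherwise."""
    ts_s, _, rest = line.partition(" vpn-gw ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    if fields.get("result") != "success":
        return None
    return Login(datetime.fromisoformat(ts_s), fields["user"], fields["src"])


def impossible_travel(lines, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, previous_ip, new_ip, required_speed_kmh) for each
    pair of successive logins that would need faster-than-aircraft travel."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e.ts)
    last = {}   # user -> most recent successful Login
    alerts = []
    for ev in events:
        prev = last.get(ev.user)
        if prev and prev.src_ip != ev.src_ip \
                and prev.src_ip in GEOIP and ev.src_ip in GEOIP:
            dist = haversine_km(GEOIP[prev.src_ip], GEOIP[ev.src_ip])
            # Clamp to one second so a truly simultaneous login still scores.
            hours = max((ev.ts - prev.ts).total_seconds(), 1.0) / 3600.0
            speed = dist / hours
            if speed > max_speed_kmh:
                alerts.append((ev.user, prev.src_ip, ev.src_ip, round(speed)))
        last[ev.user] = ev
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(LOGS):
        print("IMPOSSIBLE TRAVEL:", alert)
```

In the sample data, jdoe appears in New York and then in London twenty minutes later, which requires roughly 16,000 km/h and is flagged; asmith moves a few kilometres within New York over several hours and is not. The failed login is ignored, since only successful sessions establish a location. A production rule would also whitelist known VPN concentrators and corporate egress addresses, which otherwise generate constant false positives.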
Because he was boarding a return flight soon and would not need his laptop, the SOC instructed the user to turn it
off until he arrived back at the home office and could deliver it to the investigation team. Additionally, the SOC
disabled the compromised Active Directory account, and the user’s computer account was removed from the
network.
THE HACK ISOLATED
Once the laptop was received, IT ran a full antivirus scan, which found no suspicious files or programs on the system.
Rather than reimaging it immediately, the IT team placed the unit in an isolation/test lab for observation, because
they wanted to identify the source of the problem and take steps to prevent a recurrence. The computer was therefore
isolated and observed with LogRhythm’s network monitoring probe running.
At many organizations, management over-relies on antivirus and assumes the organization is protected from any sort
of malware damage. This is a serious misconception.
This particular threat was polymorphic: as the name implies, it changes or “morphs” regularly, altering the
appearance of its code while keeping its function. Because traditional antivirus relies on signatures (file hashes
or fixed byte patterns) matched against previously seen samples, each new variant goes unrecognized. In our
scenario, a more advanced scanner was deployed, and a file related to the threat was indeed found.
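To make concrete why the first antivirus scan came back clean, here is an added example (not code from the page, LogRhythm, or the actual threat) of a toy "polymorphic" wrapper: the same payload is re-encoded with a fresh key and fresh junk bytes each time, so every sample has a different hash and no shared byte pattern, while a scanner that emulates the decoder and inspects what the sample does still recognises every variant. The container format, the payload string, and the 198.51.100.7 address in it are all constructed for the illustration.

```python
"""Why hash and byte-pattern signatures miss polymorphic variants (added example)."""
import hashlib
import random

# Constructed stand-in for the malware's behaviour: a harmless string that
# names a (TEST-NET-2) relay address. This is the invariant a behavioural
# check keys on; nothing about it survives unchanged in the encoded sample.
MARKER = b"198.51.100.7"
PAYLOAD = b"proxy all browser traffic via " + MARKER
HEADER = b"\x7fMORPH"   # constructed container magic


def morph(payload: bytes, rng: random.Random) -> bytes:
    """Produce one variant: new 16-byte XOR key, random junk, key-dependent body."""
    key = bytes(rng.randrange(1, 256) for _ in range(16))
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(8, 64)))
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return HEADER + bytes([len(key), len(junk)]) + key + junk + body


def unmorph(sample: bytes) -> bytes:
    """What an advanced scanner must do: run the decoder to reach the payload."""
    assert sample.startswith(HEADER), "not a MORPH container"
    klen, jlen = sample[6], sample[7]
    key = sample[8:8 + klen]
    body = sample[8 + klen + jlen:]
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


def sha256(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


def byte_signature(sample: bytes, length: int = 12) -> bytes:
    """Signature an analyst might cut from the first sample: the tail of its body."""
    return sample[-length:]


def signature_hit(sample: bytes, sig: bytes) -> bool:
    """Classic static check: does the known byte pattern occur in the file?"""
    return sig in sample


def behaviour_hit(sample: bytes) -> bool:
    """Behavioural check: decode, then look for the relay marker."""
    return MARKER in unmorph(sample)


def demo(seed: int = 1) -> dict:
    """Two variants of one payload; compare hash, signature and behaviour checks."""
    rng = random.Random(seed)
    a, b = morph(PAYLOAD, rng), morph(PAYLOAD, rng)
    sig = byte_signature(a)
    return {
        "same_hash": sha256(a) == sha256(b),
        "sig_hits_a": signature_hit(a, sig),
        "sig_hits_b": signature_hit(b, sig),
        "behaviour_hits_both": behaviour_hit(a) and behaviour_hit(b),
    }


def roundtrip_ok(seed: int = 7) -> bool:
    """Sanity check that the decoder inverts the encoder."""
    return unmorph(morph(PAYLOAD, random.Random(seed))) == PAYLOAD


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hash differs between the two variants, the byte signature lifted from the first variant matches only that variant, and only the behavioural check catches both. Real polymorphic engines go further and mutate the decoder stub itself, which is why even a signature on the stub does not hold up; the durable observables are what the code does once running, including the network connections covered in the next section.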
A proven, reliable antivirus solution is an important security tool that belongs on every network. But in today’s
virulent, ever-changing threat landscape, it by no means provides comprehensive protection on its own.
There is no substitute for comprehensive monitoring by a SIEM with a wealth of built-in knowledge about cryptic
security logs and intelligent, pre-built rules to catch unusual activity.
Adobe Flash was suspected as the malware’s entry point because a patch-scanning assessment of the computer found
the Adobe Shockwave browser plug-in improperly patched (Figure 2). Unusual, irregular browser helper objects (BHOs,
the DLLs that Internet Explorer loads into its own process at startup) were also found; this is common when malware
wants to hijack and redirect a browser session or send a user to a malicious site.
“My experience with LogRhythm has been extremely positive. As an SMB, we appreciate the knowledge and
professionalism that the LogRhythm team was able to bring to the table. We put a lot of effort into selecting a
SIEM solution, and we are satisfied that the LogRhythm product meets our needs.”
Terry Burke
Information Security Officer
Central Bank of Barbados
Figure 2. A browser plug-in scan reveals an insecure version of Adobe Shockwave
THE HACK IDENTIFIED
The organization used LogRhythm to initiate a full packet capture and deep packet inspection (DPI) of all traffic the
computer generated during the tests. A single common destination IP address that did not belong to the organization
was found. Naturally, this raised suspicions: all traffic from the isolated laptop was going to that one external
address, indicating a possible hidden proxy mechanism on the isolated computer. See Figure 3.
“To meet PCI requirements and other data security mandates, organizations must have adequate controls for log
management, including collection, review, retention, and destruction. Automated and centralized solutions like
LogRhythm are essential for companies to meet key parts of PCI regulation. Coalfire has validated LogRhythm’s
technology as meeting requirements under PCI and industry standards and best practices for this key control area.”
Alan Ferguson
Vice President and Co-Founder
Coalfire
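The finding above, every connection from the isolated laptop converging on one address the organization does not own, is something an analyst can compute from flow records without reading packet payloads. The following is an added example (not LogRhythm's code and not the organization's data): over constructed flow records from a constructed lab host, it separates internal from external destinations using an assumed list of the organization's own address ranges, checks whether one external address absorbs nearly all of the host's outbound bytes, and measures how regular the connections to it are, since a proxy or command channel fires on a timer while a person browsing does not.

```python
"""Spotting a hidden proxy from an isolated host's flow records (added example)."""
import ipaddress
import statistics
from collections import Counter
from datetime import datetime

# Assumed: the organisation's own address space (RFC 1918 in this example).
ORG_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records from the lab host 10.20.30.40:
# (timestamp, src, dst, dst_port, bytes). 198.51.100.7 is a TEST-NET-2 address.
FLOWS = [
    ("2024-03-05T10:00:01", "10.20.30.40", "10.20.30.1", 53, 120),
    ("2024-03-05T10:00:02", "10.20.30.40", "198.51.100.7", 443, 4812),
    ("2024-03-05T10:00:32", "10.20.30.40", "198.51.100.7", 443, 5120),
    ("2024-03-05T10:01:02", "10.20.30.40", "198.51.100.7", 443, 4990),
    ("2024-03-05T10:01:32", "10.20.30.40", "198.51.100.7", 443, 5230),
    ("2024-03-05T10:01:40", "10.20.30.40", "10.20.30.1", 53, 98),
    ("2024-03-05T10:02:02", "10.20.30.40", "198.51.100.7", 443, 5015),
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the organisation's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ORG_NETS)


def external_bytes_by_dst(flows, host) -> Counter:
    """Bytes sent by `host` to each destination outside ORG_NETS."""
    totals = Counter()
    for _, src, dst, _, nbytes in flows:
        if src == host and not is_internal(dst):
            totals[dst] += nbytes
    return totals


def dominant_destination(flows, host, min_share=0.9):
    """(dst, share) if a single external address carries at least min_share
    of the host's external bytes, else None. Ordinary browsing spreads over
    many destinations; a proxy or C2 channel funnels nearly everything to one."""
    totals = external_bytes_by_dst(flows, host)
    if not totals:
        return None
    dst, nbytes = totals.most_common(1)[0]
    share = nbytes / sum(totals.values())
    return (dst, round(share, 3)) if share >= min_share else None


def beacon_profile(flows, host, dst):
    """(median gap in seconds, jitter in seconds) between successive
    connections from host to dst, or None with too few samples. Jitter that
    is small relative to the gap points to a timer rather than a human."""
    times = sorted(datetime.fromisoformat(ts)
                   for ts, src, d, _, _ in flows if src == host and d == dst)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    return statistics.median(gaps), statistics.pstdev(gaps)


if __name__ == "__main__":
    host = "10.20.30.40"
    hit = dominant_destination(FLOWS, host)
    if hit:
        dst, share = hit
        print(f"{share:.0%} of external bytes from {host} go to {dst}")
        print("interval/jitter:", beacon_profile(FLOWS, host, dst))
```

On the sample records the only external destination is 198.51.100.7, which receives 100% of the host's external bytes at a steady 30-second cadence with zero jitter. In a real capture the DNS traffic would also deserve a look: a proxy that resolves names on the victim's behalf leaves the host with almost no DNS queries of its own, and one that tunnels over DNS leaves far too many.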