How we stopped a novel cyber attack in seven minutes

Colin Slater Cyber Security Partner, PwC United Kingdom 06/01/21

In our cyber threat operations team, we frequently find ourselves combatting adversaries ranging from threat actors focused on espionage to cyber criminals. This was the case during September 2020, when several of our Managed Cyber Defence (MCD) clients were targeted by the “TA505” threat actor.

We knew TA505 well from previous encounters. It’s been active since at least 2014, when it started to play a prominent role in the delivery of malware on behalf of several other threat actors. 

More recently TA505 moved on from providing a malware delivery service to third-parties, and has begun running its own spam campaigns delivering bespoke malware developed in-house. Since late 2019, it has added a type of ransomware called CL0P to its arsenal, and in common with other ransomware operators it created its own “leak site” where it exposes data stolen from victims prior to encrypting their files.

The cyber attack begins…

In early September 2020, TA505 mounted repeated phishing campaigns via email against one particular client. None got through the client’s automated defences until 11:28am on September 11th, when a campaign appeared to bypass the email filtering system and successfully landed on endpoints covered by our MCD service. At this initial stage it was clear that not only had they upped the ante by managing to evade other prevention controls, it had also managed to bypass our primary prevention controls as well. 

Having previously detected payloads from TA505 and mapped its distinctive techniques, tactics and procedures (TTPs), we were ahead of the game. Using this data, we created indicators of compromise (IOCs) mirroring TA505’s “fingerprints” and it was these UEBA (user entity and behaviour analytics) rules that triggered the capture. We quickly used these to scan right across the client’s systems and weren’t surprised this revealed further attempts by TA505 to breach their wider defences.

…and the fightback is launched

We needed to act fast before the attacker gained a foothold. Data on the initial detection was autonomously triaged through our highly-engineered automated enrichment and triage bots. This meant that within seconds the alerts were enriched with threat intelligence, matched automatically with other indicators across the estate and confidence scored while the payload was pushed into cloud sandbox systems and verdict analysed. Within minutes our threat hunt analyst team confirmed the threat from TA505 was both real and active.

Using our integrated messaging environments we kept the client closely informed in real-time. We quickly isolated the affected system to prevent any internal spread of the malware and block any data theft or reconnaissance activities that might be underway. This end-to-end process closed off the immediate threat and was completed at 11:35am – just seven minutes after the initial alarm was raised.

Bolstering the defences

However, while we’d stopped the immediate threat by isolating the first system that had been breached, there was still more to do to fully secure the situation. First, our MCD team used rich telemetry data to thoroughly scope the entire incident and provide confidence that every aspect had been dealt with. That took less than 45 minutes.

Then we continued to add more IOCs together with endpoint data insights from the client’s systems. These actions were aimed at combating the attacker’s multiple malware webpage redirects and other changes in its tactics, whether for this campaign or any others – helping to ensure any new attempts were caught in-flight. Here we identified a second workstation that was infected, and immediately isolated it.

Finally, to remediate the client’s systems fully and ensure no further breaches would occur, our MCD team removed all traces of the files associated with the attack chain from the systems in question – including executed payloads and initial “droppers” that were still dormant on drives without having been executed. We also advised the client that any user accounts affected should have all credentials reset, in line with best practice.

A timeline of our response

The chart below maps out how TA505 mounted its attack. It’s often said that threat actors only need to get lucky once – and the moment when our client’s employee opened the infected Word document was when TA505 thought it had got lucky.

From the instant when the breach was automatically detected by our bespoke behavioural rules, our response consisted of the six key steps of incident response, executed on the following timeline:

  • 11:28 – Triage: The IOC alert is ingested, extracted and analysed by our automated system. It sets the case priority to “high” and escalates it to the PwC analysts’ queue.
  • 11:32 – Investigation: The case is picked up by an analyst on our MCD threat response team, who immediately begins investigating the attack chain and telemetry data.
  • 11:35 – Containment: The analyst validates and confirms the threat activity, notifies the client’s security operations team, isolates the infected endpoints and continues root cause analysis, while also adding customised IOCs to track further activity.
  • 12:17 – Scoping: Further investigation and monitoring identify a second workstation accessing a malicious Word document. The host workstation is immediately isolated.
  • 12:33 – Research: Collected file samples and other artefacts are passed to our investigations team, who investigate the attack campaign and supply dozens of additional IOCs to support tracking and blocking.
  • 13:54 – Remediation: Following continual real-time coordination on Slack and with the client security operations team, the incident is deemed to be successfully remediated and closed, with no evidence of data loss or further damage.

These response timeframes were only possible because our automated systems were handling 85 other “low confidence” alerts in parallel – having already auto-closed another 50 false positives in the previous 24 hours. One major learning of this is the ability for our threat hunt analysts to not be burdened with false positives and ‘noise’ – the scourge of any SOC (security operations centre) which we manage through complex automation bots that perform these basic analyst functions.

Be forewarned – and forearmed

The message? Rapid detection through highly-engineered detection content and fast containment, combined with comprehensive automation, are key to successfully mitigating and limiting the impact of a sophisticated attack before it becomes a full-blown breach. We can help.

Contact us

Colin Slater

Colin Slater

Cyber Security Partner, PwC United Kingdom

Tel: +44 (0)7711 589065

Follow us
Hide