How we stopped a novel cyber attack in seven minutes

We needed to act fast before the attacker gained a foothold. Data on the initial detection was autonomously triaged through our highly-engineered automated enrichment and triage bots. This meant that within seconds the alerts were enriched with threat intelligence, matched automatically with other indicators across the estate and confidence scored while the payload was pushed into cloud sandbox systems and verdict analysed. Within minutes our threat hunt analyst team confirmed the threat from TA505 was both real and active.

Using our integrated messaging environments we kept the client closely informed in real-time. We quickly isolated the affected system to prevent any internal spread of the malware and block any data theft or reconnaissance activities that might be underway. This end-to-end process closed off the immediate threat and was completed at 11:35am – just seven minutes after the initial alarm was raised.

However, while we’d stopped the immediate threat by isolating the first system that had been breached, there was still more to do to fully secure the situation. First, our MCD team used rich telemetry data to thoroughly scope the entire incident and provide confidence that every aspect had been dealt with. That took less than 45 minutes.

Then we continued to add more IOCs together with endpoint data insights from the client’s systems. These actions were aimed at combating the attacker’s multiple malware webpage redirects and other changes in its tactics, whether for this campaign or any others – helping to ensure any new attempts were caught in-flight. Here we identified a second workstation that was infected, and immediately isolated it.

Finally, to remediate the client’s systems fully and ensure no further breaches would occur, our MCD team removed all traces of the files associated with the attack chain from the systems in question – including executed payloads and initial “droppers” that were still dormant on drives without having been executed. We also advised the client that any user accounts affected should have all credentials reset, in line with best practice.

The chart below maps out how TA505 mounted its attack. It’s often said that threat actors only need to get lucky once – and the moment when our client’s employee opened the infected Word document was when TA505 thought it had got lucky.

From the instant when the breach was automatically detected by our bespoke behavioural rules, our response consisted of the six key steps of incident response, executed on the following timeline:

• 11:28 – Triage: The IOC alert is ingested, extracted and analysed by our automated system. It sets the case priority to “high” and escalates it to the PwC analysts’ queue.
• 11:32 – Investigation: The case is picked up by an analyst on our MCD threat response team, who immediately begins investigating the attack chain and telemetry data.
• 11:35 – Containment: The analyst validates and confirms the threat activity, notifies the client’s security operations team, isolates the infected endpoints and continues root cause analysis, while also adding customised IOCs to track further activity.
• 12:17 – Scoping: Further investigation and monitoring identify a second workstation accessing a malicious Word document. The host workstation is immediately isolated.
• 12:33 – Research: Collected file samples and other artefacts are passed to our investigations team, who investigate the attack campaign and supply dozens of additional IOCs to support tracking and blocking.
• 13:54 – Remediation: Following continual real-time coordination on Slack and with the client security operations team, the incident is deemed to be successfully remediated and closed, with no evidence of data loss or further damage.

These response timeframes were only possible because our automated systems were handling 85 other “low confidence” alerts in parallel – having already auto-closed another 50 false positives in the previous 24 hours. One major learning of this is the ability for our threat hunt analysts to not be burdened with false positives and ‘noise’ – the scourge of any SOC (security operations centre) which we manage through complex automation bots that perform these basic analyst functions.

The message? Rapid detection through highly-engineered detection content and fast containment, combined with comprehensive automation, are key to successfully mitigating and limiting the impact of a sophisticated attack before it becomes a full-blown breach. We can help.