The cautionary tales of five recent security incidents

In our companion article, we discussed how we recently rewrote our Incident Response Plan. Our timing was perfect; however, we never expected that, in lieu of a planned table-top test, we’d have FIVE separate events in March and April that would require us to test our new Incident Response Plan in practice. These events were:

  • A zero-day exploit of Exchange 2013, 2016, and 2019 – Suite3 had 17 clients still running on-premises Exchange servers, 2 of which showed Indicators of Compromise. This is an example of a threat that materializes through no fault of the business itself, and it demonstrates Suite3’s rapid response: all 17 environments were remediated in less than one business day.
  • A client whose Internet Service Provider contacted them to report that three systems inside their network were showing symptoms of crypto-mining. Suite3 assessed the environment thoroughly, only to find that the ISP’s notification was a false positive.
  • A new client who had been with us for less than two months had our ThreatHunter threat detection platform pick up an attempted ransomware encryption event. Early intervention limited the damage to two virtual servers, which were restored from backup, limiting business interruption to less than two business days. We could not confirm or deny that any data exfiltration had occurred.
  • A client who relies on Suite3 only for data backup and a Microsoft 365 subscription had a remote worker call in suspecting a “virus” on their laptop. Suite3 confirmed that the laptop had been encrypted with ransomware and that the encryption had spread over a VPN connection to the file share in the corporate environment. We recovered the file share from backup and rebuilt the laptop from a fresh image. We could not confirm or deny that any data exfiltration had occurred.
  • A long-time client had a malicious actor log in to their VPN using legitimate login credentials and encrypt their file server and two key desktop machines. There is clear evidence that data was exfiltrated during that access, prior to the encryption. Determining how the actor obtained legitimate credentials would be purely speculative, but in similar events the most likely causes are a user falling victim to a phishing email and handing the credentials to the bad actor, or a user failing to follow password hygiene best practices and reusing their work password on a public-facing web site that suffers an incident of its own, after which the credentials are lost and available to bad actors on the dark web.

Many people have to touch the stove and feel the pain of the burn to understand the stove is hot. The cyberthreat stovetop is on fire right now, and every business with an internet connection is playing in the kitchen.

Don’t learn the lesson by touching the stove yourself; learn from the experience of others. When we reach out with security remediation recommendations, understand that it is to do everything we can to keep you from feeling the pain of events such as these. While no business can ever be 100% free from the dangers and threats of cyber security incidents, the likelihood of an event can be greatly diminished by following good password hygiene practices, implementing multi-factor authentication wherever it can be configured, and by working with Suite3 to have a plan and stick to that plan, so that we can all keep calm and compute on.