They were also very familiar with this specific threat actor, TA505, from previous encounters after it began to play a lead role in delivering malware for other threat actors in around 2014. In more recent times, TA505 has progressed from delivering malware on behalf of third parties to initiating campaigns to deliver spam malware it has developed itself. In the latter part of 2019 it added to its weaponry a type of ransomware called CL0P. Like other ransomware operators, it also established a so-called leak site where it discloses data pilfered from victims before encrypting their files.
Read our white paper for more insights.
Early in September 2020, one particular client found itself the target of repeated email phishing campaigns initiated by TA505. None of these efforts breached the organisation’s automated defences until two minutes before 11.30am on 11 September, when a campaign seemed to bypass the email filters to reach endpoints that PwC’s MCD service covers. At this early stage the team could see that the threat actor had upped their game, managing to bypass the PwC team’s primary prevention controls in addition to evading other prevention controls.
Luckily, PwC’s Cybersecurity team was ahead of the game: They had already detected payloads from TA505 and mapped its characteristic techniques, tactics and procedures (TTPs). PwC’s MCD team used this information to create indicators of compromise (IOCs) mirroring TA505’s ‘fingerprints’. These user entity and behaviour analytics (UEBA) rules triggered the capture. PwC was able to rapidly scan the client’s entire systems – not surprisingly bringing to light further attempts by TA505 to breach the broader defences.
If PwC failed to take quick action, the adversary would gain a foothold. PwCs Cybersecurity team used their sophisticated automated enrichment and triage bots to autonomously triage data on the initial detection. In a matter of seconds this meant the alerts were enhanced with threat intelligence, matched with other indicators and confidence-scored while the payload was pushed into cloud sandbox systems and verdict analysed. Within only a few minutes PwCs team of threat hunt analysts was able to confirmed that the TA505 threat was real and active.
During all this PwC’s Cybersecurity team was able to keep the client up to speed in real time via their integrated messaging environments. To prevent spread of the malware internally and block data theft or reconnaissance that was already under way, the analysts rapidly isolated the system that was affected. By 11:35am, a mere seven minutes after the first alarm, this process was complete and had halted the immediate threat.
Isolating the first breached system might have halted to the immediate threat, but PwC still had work to do to secure the situation completely. To do this, the MCD team drew on rich telemetry data to scope the entire incident in detail and give assurance that all the angles had been covered. This was done in less than three-quarters of an hour.
After that the Cyber experts added more indicators of compromise along with endpoint data insights from their client’s systems. The aim of this was to response to the adversary’s multiple malware webpage redirects and other tactical changes either in this campaign or others – and make sure any renewed attempts were nipped in the bud. When the PwC experts identified a second infected workstation, they isolated it immediately.
The last thing the MCD team did to prevent any more breaches from occurring was to make sure traces of the files associated with the attack chain were completely removed from the relevant systems. According to best practice, PwC also recommended that the client have the credentials reset for any user accounts affected.
In the diagram below you’ll see how TA505 staged its attack. The instant PwC’s client’s employee opened the infected Word document, TA505 must have thought it was its lucky day. But not this time.
The attack is first detected late on a Friday morning. By the time the lunch break was over, the PwC experts have successfully gone through the six key steps of incident response:
11:28 – Triage: PwC’s automated system receives and analyses the IOC alert, marking the case ‘high’ priority and escalating it to the queue of PwC’s analyst team.
11:32 – Investigation: One of PwC’s MCD threat response analysts takes up the case and immediately starts investigating the attack chain and telemetry data.
11:35 – Containment: The analyst confirms the threat activity, alerts the client’s security operations people, isolates the endpoints infected and continues root cause analysis, as well as applying customised IOCs to track any further activity.
12:17 – Scoping: Ongoing investigation and monitoring pinpoint a second workstation that is accessing a malicious Word document. The host workstation is immediately isolated.
12:33 – Research: PwC’s investigations team receives file samples and other artefacts that have been collected. They look into the campaign and provide many additional IOCs to support tracking and blocking.
13:54 – Remediation: The incident is deemed to be successfully remediated and closed, with no evidence of data loss or further damage.
Such rapid responses were only possible thanks to the fact that PwC’s automated systems had already auto-closed another 50 false positives in the 24 hours in the run-up to the described attack and were able to handle 85 other ‘low confidence’ alerts simultaneously. These false positives and ‘noise’ make life extremely difficult for any SOC (security operations centre). PwC has responded to the problem by creating complex bots that perform these basic analyst functions on an automated basis.
The moral of our story? The means exist to respond to a sophisticated attack and limit its impact before it develops into a full-blown breach. The PwC Cybersecurity team can help you by applying highly-engineered detection content and fast containment – enhanced with extensive automation. Learn more about our Managed Cyber Defence service.
In this webinar, guest speaker Greg Day, Palo Alto Networks and Colin Slater, PwC UK walk us through their experience of working with key decision makers looking to move from reactive to proactive services.
In this EMEA-wide webinar, guest speaker Greg Day, Palo Alto Networks and Colin Slater, PwC UK walk us through their experience of working with key decision makers looking to move from reactive to proactive services and share:
We will also hear a case study from John Whitehill, Aggreko PLC on how they have benefited from a threat focused protection, detection and response approach.
For further insights watch our webinar recording.