Anatomy of a Cyber Attack: How One Innocent Email Led to a Full-Scale Incident Response

All you have to do is scan the latest headlines, and it becomes painfully obvious that cyber attacks are on the rise. In fact, brute force attacks rose 400 percent in the early months after the pandemic first hit, and users are three times more likely to click on phishing scam emails pertaining to the pandemic.

Unfortunately, many organizations aren’t giving cybersecurity the attention it deserves, as we discussed in a recent blog article which focused on cybersecurity and COVID-19. All too often we encounter executives and business managers who believe their IT specialists or Managed Services Provider (MSP) have everything under control. That is often not the case, and we have seen many incidents in which an attack could (and should) have been prevented—if the right measures had been put in place from day one. 

In an effort to demonstrate just how important it is to take a proactive approach to security (and to go beyond what your MSP and IT staff can do), we want to share a real-world cybersecurity incident response event we just worked on. As you will see, what began as a seemingly innocent email turned into a full-blown cybersecurity incident. The company’s MSP gave them a false sense of security that everything was fine. Our cybersecurity experts, while doing an assessment, quickly uncovered a real threat and jumped into action. 

The incident: It all started with an email

A B2B business (let’s call them Generic Inc.) started getting reports from both employees and customers of a suspicious-looking email that was prompting recipients to open an attached invoice. Upon opening the attachment, it appeared as though nothing happened, but the attachment was laced with malware. As this email looked a bit different from ones Generic normally sends out, a few people took note. The email was coming from one of their own shared email accounts, so Generic knew something malicious was in the works. 

Their initial response was to contact their MSP. Generic believed their MSP had installed a quality next-gen endpoint protection suite and anti-malware tool, neither of which had set off any type of alarm. In reality, the MSP had not installed these tools (despite Generic believing they had). The MSP did, however, take action once contacted and assured them the incident was handled and that their network was secure.

It’s important to note that anti-malware doesn’t always catch everything. In fact, attackers are getting smarter by the day and are now crafting malware in ways that aren’t always detectable by the typical anti-malware packages. 

Fortunately for Generic, a business partner suggested they reach out to a team that specializes in cybersecurity incident response. They took the advice and reached out to Blue Team Alpha. 

The response: From detection to protection (and beyond)

Generic originally was adamant they were dealing with a Business Email Compromise (BEC) attack that had been handled by their MSP. But Blue Team Alpha quickly uncovered a deeper threat. 

Our team’s first action as part of the Compromise Assessment was to locate the email in question and remove the payload, which we immediately determined was malicious. From there, we determined the Indicators of Compromise (IOCs) that come with this type of attack and installed our tools on Generic’s devices to search for these IOCs (and any other evidence that would signal a compromise). 

We uncovered evidence of IcedID, which is used as a Trojan dropper (often to steal banking credentials), so we immediately transitioned from detection to protection with full-scale Incident Response. Like many of our clients who find themselves in this situation, Generic wanted to know right away how it happened. We would be able to tell them soon, but our primary focus was to get the attacker out first.

We switched our cybersecurity tools into a more restrictive mode and utilized techniques such as geoblocking to contain the attack. Luckily for Generic, the attacker was still in the reconnaissance phase, and we found no evidence that any data had actually been taken or that any attack scripts had been executed. Given that we were brought in a week after the original email had been flagged, it was fortunate that the attacker had not yet progressed beyond recon.

Once containment was complete, we were able to move on to recovery and forensics. Of course, we still continued to monitor Generic’s systems and networks, ready to revert back to containment if needed. During the recovery phase, we reviewed all of the logs from our tool sets and from the victim’s systems and stitched together a timeline of how the attack unfolded. 

In some cases, the threat actor is able to destroy evidence, making it impossible to weave together an accurate timeline. However, our goal is to be able to provide an explanation whenever possible, which we present as a final report, along with recommendations to improve cybersecurity moving forward. 

As a result of our work with Generic Inc., they are currently in the process of amping up cybersecurity throughout all their systems. We have also provided a list of questions and qualifications they can use to ensure their MSP meets all of their needs.

The debrief: Lessons learned

Time is of the essence! 

The cyber attack on Generic Inc. is not an anomaly. In just the last two months alone, we have been called in on several cybersecurity incidents that were in the early stages—enabling us to take the steps required to prevent significant damage to the business, customers, and company’s reputation. 

When an attack is underway, you don’t have days to figure out what to do and who to work with. Every second counts if you want to get a team of cybersecurity experts on board who can stop an attacker before they exfiltrate your data and execute a full attack.

Do not rely on your MSP for cybersecurity. 

A Managed Service Provider is not a cybersecurity specialist. Unless your MSP is working with a reputable cybersecurity firm such as Blue Team Alpha, you cannot rely on them to handle any type of cybersecurity issue. MSPs look at your business from an operations and features perspective. This is a totally different mindset than information security. 

We think about your business in a different way. Yes, your systems and applications need to function, but we are less willing to give up security in favor of that functionality. That unwillingness to budge on security makes all the difference in the event of an attack. We recommend consulting our list of trusted partners to make sure your MSP recognizes the importance of an expert cybersecurity team. 

Be proactive in your cybersecurity program. 

The best way to avoid an attack is to already have a plan in place should one occur. An Incident Response Retainer allows you to immediately call in an experienced team of cybersecurity specialists who are already familiar with your network. They can respond faster, and you save money with a discounted rate on IR services. We recommend a plan such as this now, more than ever. Not only are attacks on the rise, but the threat landscape is also changing. 

In the past, if you had your data backed up properly and securely, you could avoid paying a ransom to get it back. Now, attackers are spending more time in your network, performing reconnaissance to find the most valuable information, and extracting it. The attacker threatens to release the information to the public, harming the company and its customers, unless a ransom is paid. If you have a team in place, however, that can detect an attacker and respond without tipping the attacker off, you can stop the attacker before they steal your data. 

Generic Inc. was actually one of the lucky ones, suffering much less damage than what we have seen happen to other businesses over the years. But the lessons learned here for Generic are invaluable and ones we feel compelled to share with every business. We simply cannot stress enough the importance of working with certified cybersecurity experts before an attack occurs. Only then can you have the peace of mind that your business is protected and prepared to defend itself in the cybersecurity battlefield. 