Part 3 - unravelling the hijack hack of a major retailer’s diverse endpoints and network
Cont’d from Part 2
Pat [not the person’s real name]
It was Friday… 3:50 p.m. Pat – a ReaQta Managed Detection & Response (MDR) Project Manager – had big weekend plans. Well deserved. Hiking boots ready. Snacks packed. Then the phone call. Pat glanced at the boots. Sighed longingly. Tucked them in the closet.
An hour later, the [new] client’s security team had relayed as much information as they could in a first web meeting with Pat.
- They knew they were breached
- Yes – exceptionally high CPU load on a large part of their infrastructure
- Yes – antivirus on all endpoints with data piped to the SIEM
- No – visibility into endpoint processes… and no tools to understand them
Hundreds, potentially thousands, of endpoints were affected; they had no idea how many. Primary perimeter (stores and offices)… secondary (home-based workers’ systems)… tertiary (connected endpoints not on their network).
Key revelations helped Pat narrow the field of concerns:
- No ransomware demand screens
- No apparent data exfiltration
- Endpoints were working; financial transaction processing was occurring as expected. The criminals were purposefully leaving the retail façade fully intact.
- Oh, and yes, a huge sale had started just hours ago
The client’s security team agreed to work immediately with Pat’s MDR team to deploy ReaQta to all primary endpoints.
Pat signed off with the client and then briefed the MDR team. On the meeting whiteboard, Pat broke out the next 7 hours into simple sequential segments: Deploy, Track, Identify. Deploy ReaQta to the endpoints in the primary zone. Use ReaQta’s behavior-monitoring playbooks to track and pinpoint anomalous activities. Identify all affected endpoints.
At +8 hours, the MDR team convened again. They had made progress; they had concerns. The tradeoff: speed of response versus risk of impairing critical services. They now knew several hundred machines were compromised. With ReaQta, they had identified key anomalous activities. On the meeting whiteboard, Pat specified the major work steps for the 8 hours to follow. They would pass this “baton” to the next MDR shift.
Pat closed the MDR team meeting and switched over to the client. The client group peppered Pat with questions before Pat could even say “Hello”. It was like Journalism 101: “Who, what, where, when, why, how?” Pat raised a hand to quell the questions. “I’ve got news that I know you want to hear….”
…TO BE CONTINUED…