The manufacturing case study focuses on one of the largest manufacturers of steel products, including tubing, pipe and sheet. Assets included a very large network of industrial control systems (ICS) and the supervisory control and data acquisition (SCADA) components that run their manufacturing processes end to end. Prior to our involvement, this manufacturer had routinely removed commodity threats but was unaware of any sophisticated malware infection or advanced persistent threat. The customer had a large industry suite of cyber defense products which included a firewall, anti-virus suites, multiple intrusion detection products, endpoint security and other software.
Immediately upon installation, the TrapX DeceptionGrid generated alerts and identified malicious activity in two key locations. Both were SCADA processors central to the manufacturing process. An attack in this area could severely disrupt ongoing manufacturing, causing both a shut-down and millions of dollars in potential loss. Upon analysis it was determined that both malicious processes were communicating with their attackers through TOR. In one case the malicious process was attempting to establish a new command and control connection through TOR. In the other, command and control was already established and many types of malware were resident on the station.
Broad Scale Attack Deployed Through One Entry Point
TrapX found several types of malware deployed on this SCADA processor. TR-Dropper.Gen2.trojan allowed full access to and control of the infected endpoint, including the collection and exfiltration of confidential data. Additionally, we found the password-stealing malware Packed.Win32.Katusha.e communicating back to attacker IP addresses through TOR.
Over several additional weeks, DeceptionGrid detected lateral movement by the attackers and identified two additional command and control sites. The customer coordinated with TrapX and its SCADA component vendors to determine the impact of the attack, eliminate it, and then reprovision the software in all of the affected components.
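The two SCADA stations above were identified by their command and control traffic through TOR. As an added example (not TrapX code and not part of the original case study), the following Python flags internal hosts that reach known Tor relays or the default relay ports, then checks whether they do so on a fixed timer, which is how an implant's check-in differs from a person browsing. The relay list, the internal ranges and the flow records are constructed for the example; a production version would load the relay set from the published Tor consensus.

```python
"""Flag internal hosts that contact Tor relays and beacon on a fixed timer.

Added illustration, not TrapX DeceptionGrid code. The relay list, the internal
ranges and the flow records below are all constructed for this example; the
addresses come from the RFC 5737 documentation ranges.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed stand-in for a Tor relay list (a real one is built from the
# consensus published by the Tor directory authorities).
TOR_RELAYS = {"198.51.100.7", "198.51.100.23", "203.0.113.9"}
TOR_OR_PORTS = {9001, 9030}          # default relay OR/Dir ports
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow records: "timestamp src dst dport bytes".
# 10.10.5.21 plays the infected SCADA station; it checks in every five minutes.
FLOWS = """\
2016-03-01T08:00:00 10.10.5.21 198.51.100.7  9001 1420
2016-03-01T08:05:00 10.10.5.21 198.51.100.7  9001 1380
2016-03-01T08:10:00 10.10.5.21 198.51.100.23 9001 1390
2016-03-01T08:15:00 10.10.5.21 198.51.100.7  9001 1410
2016-03-01T08:20:01 10.10.5.21 203.0.113.9   9001 1400
2016-03-01T08:01:17 10.10.5.40 203.0.113.80  443  93000
2016-03-01T08:33:42 10.10.5.40 203.0.113.81  443  120
2016-03-01T08:02:00 10.10.7.3  198.51.100.7  9001 2200
"""

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def parse_flows(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return rows

def tor_contacts(flows):
    """Timestamps, per internal host, of outbound flows that hit a known relay
    or a default relay port."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if not is_internal(src) or is_internal(dst):
            continue
        if dst in TOR_RELAYS or dport in TOR_OR_PORTS:
            by_src[src].append(ts)
    return by_src

def beacon_score(timestamps):
    """Coefficient of variation of the inter-arrival gaps. A value near zero
    means the host calls out on a fixed timer, which people do not do."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else None

def find_tor_c2(flows, min_contacts=3, max_cv=0.2):
    """One finding per internal host that touched Tor, marked as beaconing when
    it called out at least min_contacts times at a near-constant interval."""
    findings = []
    for src, stamps in tor_contacts(flows).items():
        cv = beacon_score(stamps)
        beaconing = len(stamps) >= min_contacts and cv is not None and cv <= max_cv
        findings.append({"host": src, "contacts": len(stamps),
                         "interval_cv": None if cv is None else round(cv, 3),
                         "beaconing": beaconing})
    return sorted(findings, key=lambda f: f["host"])

if __name__ == "__main__":
    for finding in find_tor_c2(parse_flows(FLOWS)):
        print(finding)
```

Running the module prints one finding per host. Only 10.10.5.21 is marked as beaconing; 10.10.7.3 touched a relay once and is reported without the beacon flag. Keeping the two apart is what lets an analyst prioritise when the alert volume, rather than the detection itself, is the problem.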
Attackers Target Authentication Data
Project Background - a Technology Evaluation
Our financial case study focuses on a global insurance institution. Prior to our involvement, there were absolutely no indicators of malware infection or persistent threats visible to the customer. The customer had a robust industry suite of cyber defense products which included a firewall, anti-virus suites, intrusion detection software, endpoint security and other software.
Within a short period of time, the TrapX DeceptionGrid generated alerts and identified two separate malicious processes involved in unauthorized lateral movement within the insurance company network.
Upon analysis it was determined that both of these malicious processes were communicating with multiple connection points in Russia.
These connection points in Russia and the other injected software that was captured worked together as an advanced password stealer. The attackers had penetrated the network and captured password information. This targeted theft of authentication credentials represented a serious threat to the integrity of the company's overall operations. At this time it has not been determined to what extent passwords were captured prior to detection.
Other malware of lower risk identified by DeceptionGrid included the Trj/Downloader.LEK Trojan, the TROJ_QHOST.DB Trojan, and the W32.Greypack worm. None of these had been detected by the customer's existing cyber suite. Analysis suggests at least one of them might have been detected, but the alerts were missed against the volume of overall alert traffic.
Critical and Confidential Authentication Credentials at Risk
TrapX determined that critical and confidential password data was being exfiltrated to Russia. The scope of data compromise is still under investigation at this time, and the global insurance firm has taken preemptive measures to replace credentials on suspected software systems.
Attackers Target Law Enforcement Data
Project Background - a Technology Evaluation
Our case study focuses on a prominent law enforcement agency. This agency has responsibility for many activities, which may include highly sensitive investigations into organized crime and terrorist activity. It is always interested in improving its cyber defenses and has a large budget dedicated to technology acquisition. Priorities for this agency include protecting the confidentiality of its ongoing operations, internal processes and personnel.
This agency conducted a survey of technology vendors and wanted to learn more about deception technology. They were familiar with legacy honeypot technology and had found it far too expensive to implement, both in terms of resources and financial cost. This agency was very cautious and had partitioned several networks within the enterprise. Some were to be used for highly confidential (classified) data only, others for data of lesser confidentiality.
Advanced Persistent Threat Leverages Lapse in Protocol
DeceptionGrid was placed into operation. Within one week the customer's security operations center (SOC) team received a High Priority Alert indicating the lateral movement of an advanced threat. The malware was automatically trapped and injected into the sandbox for continued analysis. The attackers had established sophisticated command and control and had bypassed the complete array of existing intrusion detection, firewall, endpoint and perimeter defenses.
A full investigation continued as DeceptionGrid continued to monitor and capture malware movement. The agency's security operations team determined that there had been an internal breach of their protocol: a connection, in breach of the agency's operating procedures, was found between their secure network and one of the less secure networks (lower security rating). This breach of protocol enabled the attacker's access.
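The link between the classified network and a lower-rated one, and the lateral movement that followed it, are both visible in flow records once the segment boundaries are written down. As an added example (not TrapX code and not part of the original case study), the following Python checks a constructed flow log against a constructed segment map, reports every flow that crosses the isolated classified boundary in either direction, names the host outside the boundary that bridged it, and then walks the internal-to-internal flows from that host in time order to reconstruct the hops an attacker could have taken.

```python
"""Find flows that cross into or out of an isolated network segment, then walk
the lateral movement that followed from the bridging host.

Added illustration, not TrapX DeceptionGrid code. The segment map, the policy
(no traffic at all may cross the classified boundary) and the flow records are
constructed for this example.
"""
from collections import namedtuple
from datetime import datetime
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "ts src dst dport")

# Constructed segment map. The rank only documents sensitivity; the check
# below treats any crossing of the isolated segment as a violation.
SEGMENTS = {
    "general":    (ip_network("10.10.0.0/16"), 0),
    "restricted": (ip_network("10.20.0.0/16"), 1),
    "classified": (ip_network("10.50.0.0/16"), 2),
}

def segment_of(ip):
    addr = ip_address(ip)
    for name, (net, _) in SEGMENTS.items():
        if addr in net:
            return name
    return None

# Constructed flow records: "timestamp src dst dport". 10.10.3.15 is a
# general-segment workstation that reaches a classified host over RDP.
FLOWS = """\
2016-05-02T09:00:00 10.10.3.15 10.10.3.200 445
2016-05-02T09:04:10 10.10.3.15 10.50.1.8   3389
2016-05-02T09:11:30 10.50.1.8  10.50.1.20  445
2016-05-02T09:12:05 10.50.1.8  10.50.1.21  445
2016-05-02T09:20:44 10.50.1.20 10.50.2.5   1433
2016-05-02T09:25:00 10.20.4.4  10.20.4.9   22
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(flows, key=lambda f: f.ts)

def cross_segment_violations(flows, isolated="classified"):
    """Every flow with exactly one endpoint inside the isolated segment breaches
    the operating procedure, whichever direction it goes."""
    return [f for f in flows
            if (segment_of(f.src) == isolated) != (segment_of(f.dst) == isolated)]

def bridge_hosts(flows, isolated="classified"):
    """Hosts outside the isolated segment that took part in a crossing."""
    hosts = set()
    for f in cross_segment_violations(flows, isolated):
        hosts.add(f.src if segment_of(f.src) != isolated else f.dst)
    return hosts

def lateral_walk(flows, start):
    """Hops reachable from `start`, following a flow only if its source was
    already reached no later than the flow's timestamp. Returns (src, dst, ts)."""
    reached = {start: None}
    hops = []
    for f in flows:   # flows are time ordered, so a single pass suffices
        if f.src in reached and f.dst not in reached:
            if reached[f.src] is None or reached[f.src] <= f.ts:
                reached[f.dst] = f.ts
                hops.append((f.src, f.dst, f.ts))
    return hops

if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    for v in cross_segment_violations(flows):
        print("VIOLATION", v.ts, v.src, "->", v.dst, v.dport)
    for host in bridge_hosts(flows):
        for src, dst, ts in lateral_walk(flows, host):
            print("HOP", ts, src, "->", dst)
```

On the constructed log the only violation is the RDP connection from 10.10.3.15 into the classified segment, and the walk from that host reaches four classified machines in five hops. The time ordering matters: a flow from a host is only counted once something has already reached that host, so old administrative traffic does not get pulled into the chain.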
Exfiltration of Data Discovered and Halted
The attacker was found to have moved without detection throughout the law enforcement agency's network and servers. There were over ten explicit lateral movements made prior to detection by DeceptionGrid. The attacker found and exfiltrated data including the confidential records of agency personnel, their ID information, their photographs and other highly confidential data. DeceptionGrid enabled the agency to disrupt the attack and then confidently restore normal security protocols.
Multiple Attackers Penetrate National Agency
Project Background - a Technology Evaluation
Our case study focuses on a large national government agency. This agency has hundreds of employees and multiple facilities dispersed over a large geographic area. This agency wanted to learn more about deception technology as part of its regular evaluation of cyber security vendors.
Massive Penetration by Attackers Detected in Multiple Areas
DeceptionGrid was placed into operation. Starting almost immediately, and over the course of several weeks, the government security operations center (SOC) team received multiple High Priority Alerts. This was one of the most massive attacks we have ever discovered. We identified multiple attackers in several areas, including over five (5+) attackers using malware servers, over five (5+) attackers sending data back to botnet C&C servers, and over fifty (50+) remote attackers using the TOR anonymous proxy to hide their source IP addresses. In some cases the malware was automatically trapped and injected into the sandbox for continued analysis. Multiple attackers had established command and control and had bypassed the complete array of existing intrusion detection, firewall, endpoint and perimeter defenses.
Malware found included Cryptowall, P2P Malware, Trojan-Banker, TrojanRansome, Mobogenie.B and WS.Reputation.1.
Exfiltration of Data Discovered - Broadscale Remediation Required
It is clear that multiple attackers successfully exfiltrated data from this government agency. The attack vectors varied substantially and compromised workstations and servers across multiple departments. Remediation was required on a broad scale and included reprovisioning of both workstations and servers. The government involved has been forced either to re-provision on a large scale or to perform more time-intensive memory dump analysis to better understand the extent of the penetration by this varied mix of attackers. Source attacker IP addresses, as known, are confidential at this time and part of an ongoing criminal investigation.
Attackers Target Software Company
Project Background - a Technology Evaluation
Our case study focuses on a leading software vendor that provides software through cloud services to their customers in healthcare. This customer's information technology team invested very substantially in defense-in-depth cyber defense software. Their security operations center regularly detected malware and was able to routinely remediate all of these known incidents.
The customer had a strong industry suite of cyber defense products which included firewalls, anti-virus suites, intrusion detection software, endpoint security and other software. Our initial installation covered over ten (10) VLANs.
DeceptionGrid was placed into operation. Almost immediately the customer's information technology staff received multiple High Priority Alerts. These identified suspicious activity and led to the discovery of several network misconfigurations: several internal addresses were exposed to the internet and open to a variety of high-risk protocols, and inbound connections from attackers were operating via SSH, Telnet and Remote Desktop. A web crawler obfuscated behind TOR (anonymous proxy) had mapped all of the exposed hosts.
Some of the malware was automatically trapped and injected into the sandbox by DeceptionGrid for continued analysis. The attackers had multiple command and control points and had bypassed the complete array of existing security controls.
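The misconfiguration described above, internal addresses answering on SSH, Telnet and RDP from the internet and a crawler mapping them, can be confirmed from the edge firewall log. As an added example (not TrapX code and not part of the original case study), the following Python reads a constructed firewall log for a constructed public range, lists the host:service pairs that actually accepted an outside connection on an administrative port, and flags any external source that touched many distinct host:port pairs within a short window, marking it when the source is a known Tor exit. The public range, the Tor exit set and the log lines are all constructed stand-ins.

```python
"""From an edge firewall log, list the admin services actually reachable from
the internet and spot an external source that is mapping them.

Added illustration, not TrapX DeceptionGrid code. The public range, the Tor
exit list and the log lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ADMIN_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp"}
PUBLIC_RANGE = ip_network("203.0.113.0/24")   # constructed: the company's own addresses
TOR_EXITS = {"198.51.100.77"}                  # constructed stand-in for a Tor exit list

# Constructed firewall log: "timestamp src dst dport action".
LOG = """\
2016-09-10T02:00:01 198.51.100.77 203.0.113.10 22   accept
2016-09-10T02:00:02 198.51.100.77 203.0.113.10 23   accept
2016-09-10T02:00:02 198.51.100.77 203.0.113.10 3389 reject
2016-09-10T02:00:03 198.51.100.77 203.0.113.11 22   accept
2016-09-10T02:00:03 198.51.100.77 203.0.113.11 3389 accept
2016-09-10T02:00:04 198.51.100.77 203.0.113.12 23   accept
2016-09-10T02:00:05 198.51.100.77 203.0.113.13 22   reject
2016-09-10T03:15:00 192.0.2.44    203.0.113.11 3389 accept
2016-09-10T04:00:00 192.0.2.90    203.0.113.10 443  accept
"""

def parse_log(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, action = line.split()
            rows.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return rows

def exposed_services(rows):
    """(host, service) pairs in our public range that accepted a connection
    from outside on an administrative port."""
    found = set()
    for _, src, dst, dport, action in rows:
        if (action == "accept" and dport in ADMIN_PORTS
                and ip_address(dst) in PUBLIC_RANGE
                and ip_address(src) not in PUBLIC_RANGE):
            found.add((dst, ADMIN_PORTS[dport]))
    return found

def scanners(rows, min_targets=4, window=timedelta(seconds=60)):
    """External sources that touched at least min_targets distinct host:port
    pairs inside one window. Rejected attempts count too: a crawler mapping
    the range probes closed ports as well as open ones."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _ in rows:
        if ip_address(src) not in PUBLIC_RANGE:
            by_src[src].append((ts, (dst, dport)))
    results = []
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            inside = {tgt for t, tgt in events[i:] if t - t0 <= window}
            best = max(best, len(inside))
        if best >= min_targets:
            results.append({"src": src, "targets": best, "via_tor": src in TOR_EXITS})
    return sorted(results, key=lambda r: -r["targets"])

if __name__ == "__main__":
    rows = parse_log(LOG)
    for host, service in sorted(exposed_services(rows)):
        print("EXPOSED", host, service)
    for s in scanners(rows):
        print("SCANNER", s)
```

The exposure list is built only from accepted connections, since that is what proves the service is reachable; the scanner check uses every attempt, because the sweep itself, not the outcome, is the signal. On the constructed log the single Tor exit touches seven host:port pairs in four seconds and is reported as the crawler.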
Multiple Concurrent Attackers Detected and Remediated
A full investigation continued as DeceptionGrid continued to monitor and capture malware movement. Multiple command and control points on six (6) workstations were linked to attackers in Beijing, China, in Moldova, and in multiple locations within Ukraine. Dozens of workstations had to be reprovisioned to eliminate access. Manual memory dump and analysis was required across many information technology assets to identify the full scope of the extensive and previously undetected attacker activity.
Scope of Data Theft Remains Indeterminate
Multiple attackers accessed this technology company's networks, workstations and servers. The scope of intellectual property data exfiltration and theft is unknown but under continued investigation.
The ROI4CIO Deployment Catalog is a database of software, hardware, and IT service implementations. Find implementations by vendor, supplier, user, business tasks, problems, status, filter by the presence of ROI and reference.