Case Studies Attivo Networks Deception Platform for Forensics and Incident Response

Edit This Case Study Record

	Attivo Networks Deception Platform for Forensics and Incident Response

Attivo Networks Deception Platform for Forensics and Incident Response

Technology Category	Cybersecurity & Privacy - Intrusion Detection Cybersecurity & Privacy - Malware Protection
Applicable Industries	Healthcare & Hospitals
Applicable Functions	Business Operation
Use Cases	Intrusion Detection Systems Remote Asset Management Remote Control
Services	Cybersecurity Services System Integration
Challenge	In early 2016, a regional healthcare provider experienced a cyberattack that had the characteristics of Qakbot, an extremely aggressive form of malware popular in 2011. While Qakbot had appeared to be eradicated, it recently resurfaced with new strains and unknown signatures. Known for its polymorphic behavior, Qakbot spreads quickly through a network to steal critical data from its target. The attack started on a few endpoint machines and while the organization’s traditional security measures were able to detect anomalies the information security team could not action the alerts as they were not specific enough. As more alerts surfaced, they became suspicious and deployed cybersecurity devices to gain additional visibility to the legacy domain in their network. Once these devices were in operation, they raised a large number of high-level alerts, revealing a full Qakbot attack that was rapidly spreading through their network. With several new machines becoming infected every few minutes, the team knew they needed to immediately execute an incident response plan, but needed information to remediate. They needed to know where the malware came from, how it was moving laterally through their network, what credentials the malware had compromised, and much more. Read More
About Customer	The customer in this case study is a regional healthcare provider located on the Eastern Seaboard of the United States. This healthcare provider operates multiple hospital locations and is responsible for the health and well-being of a large number of patients. As a healthcare provider, they handle sensitive patient data and are subject to strict regulatory requirements regarding data protection and privacy. The organization has a significant IT infrastructure to support its operations, including numerous endpoint devices and legacy systems. Given the critical nature of their services, maintaining the security and integrity of their network is of utmost importance. The healthcare provider's information security team is tasked with protecting this infrastructure from cyber threats and ensuring compliance with healthcare regulations. Read More
Solution	The information security team had exhausted traditional measures to identify the malware but remained unable to conclusively identify the attack. Luckily, the regional healthcare provider was completing a proof of value (POV) of the Attivo Networks ThreatDefend™ platform and had deployed an engagement server on multiple VLANs in their network. Having seen the BOTsink’ solution’s analysis and forensic capabilities, the security team detonated Qakbot inside of the deployed Deception Platform. As the malware moved laterally within the Attivo analysis engine, the Deception Platform showed which user accounts were used to deliver and execute the payload, exactly where the files were dropped, what processes were responsible for infection and lateral movement, and what the malware’s next steps would be. With detailed attack analysis and forensics, the information security team limited the spread of Qakbot through their network, block external communication to command and control, and wipe the virus off the already infected end-point devices. Additionally, now that they knew the attacker’s signatures, they were well equipped to prevent Qakbot and similar strains from penetrating their network in the future. Read More Log in to view content
Contents

Technology Category

Cybersecurity & Privacy - Intrusion Detection

Cybersecurity & Privacy - Malware Protection

Applicable Industries

Healthcare & Hospitals

Applicable Functions

Business Operation

Use Cases

Intrusion Detection Systems

Remote Asset Management

Remote Control

Services

Cybersecurity Services

System Integration

Challenge

In early 2016, a regional healthcare provider experienced a cyberattack that had the characteristics of Qakbot, an extremely aggressive form of malware popular in 2011. While Qakbot had appeared to be eradicated, it recently resurfaced with new strains and unknown signatures. Known for its polymorphic behavior, Qakbot spreads quickly through a network to steal critical data from its target. The attack started on a few endpoint machines and while the organization’s traditional security measures were able to detect anomalies the information security team could not action the alerts as they were not specific enough. As more alerts surfaced, they became suspicious and deployed cybersecurity devices to gain additional visibility to the legacy domain in their network. Once these devices were in operation, they raised a large number of high-level alerts, revealing a full Qakbot attack that was rapidly spreading through their network. With several new machines becoming infected every few minutes, the team knew they needed to immediately execute an incident response plan, but needed information to remediate. They needed to know where the malware came from, how it was moving laterally through their network, what credentials the malware had compromised, and much more.

About Customer

The customer in this case study is a regional healthcare provider located on the Eastern Seaboard of the United States. This healthcare provider operates multiple hospital locations and is responsible for the health and well-being of a large number of patients. As a healthcare provider, they handle sensitive patient data and are subject to strict regulatory requirements regarding data protection and privacy. The organization has a significant IT infrastructure to support its operations, including numerous endpoint devices and legacy systems. Given the critical nature of their services, maintaining the security and integrity of their network is of utmost importance. The healthcare provider's information security team is tasked with protecting this infrastructure from cyber threats and ensuring compliance with healthcare regulations.

Solution

The information security team had exhausted traditional measures to identify the malware but remained unable to conclusively identify the attack. Luckily, the regional healthcare provider was completing a proof of value (POV) of the Attivo Networks ThreatDefend™ platform and had deployed an engagement server on multiple VLANs in their network. Having seen the BOTsink’ solution’s analysis and forensic capabilities, the security team detonated Qakbot inside of the deployed Deception Platform. As the malware moved laterally within the Attivo analysis engine, the Deception Platform showed which user accounts were used to deliver and execute the payload, exactly where the files were dropped, what processes were responsible for infection and lateral movement, and what the malware’s next steps would be. With detailed attack analysis and forensics, the information security team limited the spread of Qakbot through their network, block external communication to command and control, and wipe the virus off the already infected end-point devices. Additionally, now that they knew the attacker’s signatures, they were well equipped to prevent Qakbot and similar strains from penetrating their network in the future.

Impact #1	The security team spent several days trying to remediate the malware without the necessary information to do so. Infecting the BOTsink solution decoys had an immediate positive effect on their visibility into the issue. By installing the malware into the decoys, the security team was able to understand its nature, how it communicated with Command and Control, what changes it made to different Windows OSes, and more.
Impact #2	Before the team used the BOTsink solution, the malware was able to spread, but with detailed attack forensics the BOTsink solution provided, the team was not only able to provide the AV vendor with a detailed report of the malware but more importantly, they were able to contain the outbreak and prevent further propagation.
Impact #3	Because the malware was infecting several new machines every few minutes, the ability to save days of work by using the ThreatDefend Platform was a momentous success. The organization was able to drastically reduce the number of infected machines in their network, stop data exfiltration, and, accordingly, saved significant money given that each stolen patient record costs an average of $363 for healthcare organizations.

Impact #1

The security team spent several days trying to remediate the malware without the necessary information to do so. Infecting the BOTsink solution decoys had an immediate positive effect on their visibility into the issue. By installing the malware into the decoys, the security team was able to understand its nature, how it communicated with Command and Control, what changes it made to different Windows OSes, and more.

Impact #2

Before the team used the BOTsink solution, the malware was able to spread, but with detailed attack forensics the BOTsink solution provided, the team was not only able to provide the AV vendor with a detailed report of the malware but more importantly, they were able to contain the outbreak and prevent further propagation.

Impact #3

Because the malware was infecting several new machines every few minutes, the ability to save days of work by using the ThreatDefend Platform was a momentous success. The organization was able to drastically reduce the number of infected machines in their network, stop data exfiltration, and, accordingly, saved significant money given that each stolen patient record costs an average of $363 for healthcare organizations.

Benefit #1	The organization was able to drastically reduce the number of infected machines in their network.
Benefit #2	The organization saved significant money given that each stolen patient record costs an average of $363 for healthcare organizations.

Benefit #1

The organization was able to drastically reduce the number of infected machines in their network.

Benefit #2

The organization saved significant money given that each stolen patient record costs an average of $363 for healthcare organizations.

Download PDF Version

Overview

Attivo Networks Deception Platform for Forensics and Incident Response

Operational Impact

Quantitative Benefit