How NCC Group’s Network Threat Monitoring service identified an undiscovered Remote Access Trojan

If you pay attention to the news, it may seem as though a different organisation is being breached almost every day by new and evolving cyber attacks.

And it would be a largely accurate assumption. Cyber attacks are becoming ever more frequent and the need to protect data and systems has never been as important.

But breaches can often go undetected for months – and even years – giving threat actors sufficient time to elevate privileges and deploy tools to undertake malicious activities.

Managed Network Threat Monitoring

To guard against this, the NCC Group Managed Network Threat Monitoring (NTM) service is designed to identity Indicators of Compromise (IoC) and alert users to their presence.

Coupled with advanced threat intelligence technology and a 24/7 Security Operations Centre (SOC), an active NTM can reduce detection time from weeks, months or years to mere seconds.

And during a recent customer deployment of our Managed NTM, the service immediately demonstrated its value.

Detecting the undetected

As part of the service, baselining of activity is carried out on the customer’s network traffic so that false positive NTM alerts can be filtered out.

In this instance, this activity led to the discovery of IoCs for the Bandook Remote Access Trojan (RAT) which showed it being active on the network.

Bandook is a sophisticated and stealthy tool used by cyber criminals to gain full control of computer systems while remaining undetected.

The NCC Group SOC worked quickly to identify the infected host machine on the network and observed that the RAT was pushing data, via HTTP POST requests, to unsafe destination domains. A further three infected hosts were revealed after extra investigations.

It’s a team effort

At this point, an urgent priority incident was raised and the customer was advised to disconnect the infected machines from its network. And, given the serious nature of the threat, the incident was swiftly escalated to NCC Group’s Cyber Defence Operations team for malware analysis and a forensic investigation.

Additional analysis found that one of the customer’s authoritative name servers was responsible for numerous malicious domains and had been hijacked for command and control purposes by several, high profile threat actors.

All customers benefit

Our SOC made use of the discovery and developed signatures that identified any similar IoCs across all Managed NTM, SIEM and IDS services. The entire NCC Group customer base utilising these services were therefore immediately protected against the Bandook threat.

With our unrivalled suite of services and scale of expertise in the field, NCC Group is uniquely positioned to ensure our customer’s services are continually updated with the latest threat intelligence.

If you would like to know more about how the NCC Group SOC can detect and respond to threat activity on your business critical IT assets, call MSS sales on 0161 209 5111

Published date:  27 June 2017

Written by:  Dominic Carroll

comments powered by Disqus

Filter By Service

Filter By Date