Blog

Einblicke in das SOC-Team

Detect, Respond and Escalate: Preventing Further Compromise for Account Hijacks

Detect, Respond and Escalate: Preventing Further Compromise for Account HijacksStandard-BlogbildStandard-Blogbild
22
Feb 2023
22
Feb 2023

As the prevalence of Software-as-a-Service (SaaS) and multi-factor authentication (MFA) as a primary vector of attack continues across a variety of organizations and of every size in multiple industries, it is more important now than ever for organizations to utilize every tool at their disposal to mitigate account compromise at the earliest possible stage. 

Having incident response is helpful, but when depending on human analysts to react to and appropriately respond to a huge variety of threats there will no doubt be gaps and those gaps can lead to disaster. Having not only an automated response capability, but an intelligent autonomous decision maker which can respond and actively escalate actions as events unfold is paramount to preventing compromise.

In November 2022, Darktrace responded in real time to a threat actor that had gained access to a customer email account and created a new email rule in an attempt to conceal their activity, all while sending their own outbound malicious emails. 

This blog explores how Darktrace uses autonomous response (RESPOND) technology to instantaneously stop the hijacking of a customer SaaS account, without causing any major disruption to their business operations.

Details of Attack Chain

The initial compromise took place when a threat actor logged in from Florida, United States, an unusual location compared to the account holder’s expected login location in the United Arab Emirates. Just over an hour later, a new email rule was created from the same unusual IP address. This rule moved all emails originating from alansari[.]ae, a domain associated with a money transfer service that the account holder had occasionally used, into the “Conversation History” folder and marked them as read. Thereafter, the user began to receive malicious spoof emails purporting to be from alansari[.]ae. This example of social engineering highlights a low effort, high yield method many threat actors employ which relies on the trust of users in known correspondents and services, making it harder to identify and mitigate spoofing in phishing.

Figure 1: Darktrace DETECT showing the unusual login location in Florida, United States, compared to the account holder's expected login location in the United Arab Emirates.

This anomalous activity triggered an Enhanced Monitoring model, whereupon the Darktrace SOC team sent a Proactive Threat Notification (PTN) to the customer, alerting the security team to this attempted account compromise. Darktrace RESPOND automatically forced the user to log out and subsequently disabled the account, while the Darktrace SOC team assessed the incident and liaised with the customer. These two actions performed in tandem added immense value for the security team who were given time to further investigate this incident while preventing further abuse of the compromised account. RESPOND was able to analyze the pattern of behavior and escalate its action in accordance with the specifics of the observed attack instantaneously, which could have taken human teams’ hours of analysis.

Figure 2: Image demonstrating the actions taken by Darktrace RESPOND in response to the suspicious activity detected on the device in question. The first action was a forced log out, which was followed up by the account being disabled. 

The Darktrace SOC team determined that the purpose of this email rule creation was to conceal legitimate incoming emails from the money transfer service, while sending spoofed emails to induce the account holder to send money to the threat actor. 

Three days after the initial compromise, Darktrace observed one such spoofed email claiming to be from alansari[.]ae. However, it was immediately placed in the junk folder by Darktrace RESPOND, again demonstrating the effectiveness and immediacy of autonomous RESPOND actions. Given the account holder had a history of receiving emails from the money transfer service, it is likely that without the instant and autonomous actions of Darktrace RESPOND they may have fallen victim to the attacker’s attempt. 

Schlussfolgerung

Ultimately, Darktrace RESPOND demonstrated its automated response capabilities and its autonomous decision allowed it to detect and respond to an account compromise at the initial compromise stage, preventing the attacker from stealing funds from the account holder. 

By enabling autonomous response, the human security team was freed up to provide deeper investigation into the incident and mitigation, while ensuring the threat actor was not able to further exploit the privileges of the account.

Although this compromise focused on funds being embezzled from an individual, this intrusion could have easily escalated to a more widespread breach of client data. Safeguarding customer networks requires rapid response and an intelligent decision maker able to respond to ongoing incidents and escalate actions at the earliest stage. 

The Darktrace suite of products, including RESPOND and its dedicated SOC team and services, provides autonomous and instantaneous protection from attackers before they can leverage compromised accounts to further penetrate a network, or exfiltrate sensitive company data. 

Credit to: Brianna Leddy, Director of Analysis and Lydiane-Ashley Belle, Cyber Security Analyst.

More in this series:

Keine Artikel gefunden.

Sie mögen das und wollen mehr?

Erhalten Sie den neuesten Blog per E-Mail
Vielen Dank! Ihre Anfrage ist eingegangen!
Huch! Beim Absenden des Formulars ist etwas schief gelaufen.
EINBLICKE IN DAS SOC-Team
Darktrace Cyber-Analysten sind erstklassige Experten für Threat Intelligence, Threat Hunting und Incident Response. Sie bieten Tausenden von Darktrace Kunden auf der ganzen Welt rund um die Uhr SOC-Support. Einblicke in das SOC-Team wird ausschließlich von diesen Experten verfasst und bietet Analysen von Cyber-Vorfällen und Bedrohungstrends, die auf praktischen Erfahrungen in diesem Bereich basieren.
AUTOR
ÜBER DEN AUTOR
Lydiane-Ashley Belle
Cyber Security Analyst
share this article
ANWENDUNGSFÄLLE
Keine Artikel gefunden.
COre-Abdeckung
Dieser Artikel
Detect, Respond and Escalate: Preventing Further Compromise for Account Hijacks
Teilen
Twitter-LogoLinkedIn-Logo

Verwandte Artikel

Keine Artikel gefunden.

Gute Nachrichten für Ihr Unternehmen.
Schlechte Nachrichten für die Bösewichte.

Starten Sie Ihren kostenlosen Test

Starten Sie Ihren kostenlosen Test

Flexible Lieferung
Sie können es entweder virtuell oder mit Hardware installieren.
Schnelle Installation
Nur 1 Stunde für die Einrichtung - und noch weniger für eine Testversion der E-Mail-Sicherheit.
Wählen Sie Ihre Reise
Testen Sie selbstlernende KI dort, wo Sie sie am meisten brauchen - in der Cloud, im Netzwerk oder für E-Mail.
Keine Verpflichtung
Voller Zugriff auf den Darktrace Threat Visualizer und drei maßgeschneiderte Bedrohungsberichte, ohne Kaufverpflichtung.
For more information, please see our Privacy Notice.
Vielen Dank! Ihre Anfrage ist eingegangen!
Huch! Beim Absenden des Formulars ist etwas schief gelaufen.

Demo anfordern

Flexible Lieferung
Sie können es entweder virtuell oder mit Hardware installieren.
Schnelle Installation
Nur 1 Stunde für die Einrichtung - und noch weniger für eine Testversion der E-Mail-Sicherheit.
Wählen Sie Ihre Reise
Testen Sie selbstlernende KI dort, wo Sie sie am meisten brauchen - in der Cloud, im Netzwerk oder für E-Mail.
Keine Verpflichtung
Voller Zugriff auf den Darktrace Threat Visualizer und drei maßgeschneiderte Bedrohungsberichte, ohne Kaufverpflichtung.
Vielen Dank! Ihre Anfrage ist eingegangen!
Huch! Beim Absenden des Formulars ist etwas schief gelaufen.

Check out this article by Darktrace: Detect, Respond and Escalate: Preventing Further Compromise for Account Hijacks