
How Magna Worked to Reduce Attack Dwell Time

March 24th, 2016 by Peter Nguyen

What Magna Saw: Targeted Attack Identified Within a Few Hours

The Russians are coming – the Russians are coming!

It’s always challenging to educate employees about good security practices, and almost impossible to prevent everyone from clicking on malicious emails targeted towards the organization.

Recently, LightCyber Magna detected a large number of outbound email connections from a device at a large professional employee organization, so it automatically activated a Magna Pathfinder scan. Pathfinder interrogated the endpoint to look for the root cause of the network traffic.

A Pathfinder scan looks for anomalous files, processes, and executables on endpoints. In this case it found a Tunneling Process named system_32.exe on an endpoint. This process was communicating with a Russian IP address that the Magna Cloud Expert System determined was new, and Magna had never seen that file on any host in the network. Both the file and the IP address were missed by the existing endpoint and perimeter prevention technologies, which rely on technical artifacts or signatures of known-bad malware and domains. After five minutes of investigation in the Magna Analyst Dashboard, the incident responder concluded that only two hosts in the entire company showed the same suspicious behavior, so communication to the Russian IP was quickly blocked for all employees using Magna's one-click remediation through the existing next-generation firewall.

It was a good thing that Magna found the behavior and file so quickly after the file was installed. The infection was the result of a larger spear-phishing campaign targeting U.S. Federal employees and employees of related organizations, just the beginning of a targeted attack campaign (aka advanced persistent threat or APT) similar to the recent compromise that was revealed at the Office of Personnel Management. With automated investigation incorporating both network and endpoint context, Magna reduced the dwell time of the attack from the industry average of 6-8 months down to only a few hours.
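The triage logic described above (an outbound-email burst from one host, endpoint context naming the process and destination, a novelty check against what the environment has seen before, and a prevalence count across hosts before blocking) as an added, self-contained example. This is illustrative code written for this post, not LightCyber's Magna or Pathfinder implementation; the connection records, baseline sets, host names and the placeholder address 203.0.113.9 are all constructed.

```python
from collections import Counter

# Constructed connection log: (host, process, dst_ip, dst_port). Not real data;
# 203.0.113.9 is a documentation-range placeholder for the external address.
FLOWS = (
    [("ws-017", "system_32.exe", "203.0.113.9", 25)] * 30
    + [("ws-042", "system_32.exe", "203.0.113.9", 25)] * 25
    + [("ws-003", "outlook.exe", "10.0.0.5", 25)] * 3       # normal: corporate relay
    + [("ws-003", "chrome.exe", "198.51.100.7", 443)] * 40  # normal: web, not SMTP
)
# Constructed baseline of destinations and executables seen before in this environment.
KNOWN_IPS = {"10.0.0.5", "198.51.100.7"}
KNOWN_FILES = {"outlook.exe", "chrome.exe"}

SMTP_PORTS = {25, 465, 587}


def smtp_burst_hosts(flows, threshold=20):
    """Hosts whose outbound SMTP connection count meets the burst threshold."""
    per_host = Counter(h for h, _, _, port in flows if port in SMTP_PORTS)
    return {h for h, n in per_host.items() if n >= threshold}


def process_prevalence(flows, process):
    """Number of distinct hosts on which a process name appears at all."""
    return len({h for h, p, _, _ in flows if p == process})


def triage(flows, known_ips, known_files, threshold=20):
    """Attach endpoint context (process, novelty, prevalence) to each burst host."""
    findings = []
    for host in sorted(smtp_burst_hosts(flows, threshold)):
        pairs = {(p, ip) for h, p, ip, port in flows if h == host and port in SMTP_PORTS}
        for process, dst_ip in sorted(pairs):
            findings.append({
                "host": host, "process": process, "dst_ip": dst_ip,
                "new_ip": dst_ip not in known_ips,          # never seen by the org before
                "new_file": process not in known_files,     # never seen on any host
                "affected_hosts": process_prevalence(flows, process),
            })
    return findings


def block_list(findings):
    """Destinations worth blocking: a new IP reached by a never-seen executable."""
    return sorted({f["dst_ip"] for f in findings if f["new_ip"] and f["new_file"]})


if __name__ == "__main__":
    results = triage(FLOWS, KNOWN_IPS, KNOWN_FILES)
    for finding in results:
        print(finding)
    print("block:", block_list(results))
```

The `affected_hosts` count is the prevalence check the responder used to confirm the infection was limited to two hosts before pushing the block rule to the firewall.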
