Having full coverage and monitoring across your digital estate is vital. One Sunday afternoon an e2e-assure client, a higher-education department, experienced an attempted breach that its incumbent EDR had missed. Because of the comprehensive NDR coverage we provided, our expert analysts were able to detect and contain the malicious activity that the poorly configured EDR tooling had missed, preventing a ransomware event.

1. What Happened

Late on a weekend, the university’s EDR coverage flagged nothing unusual. In reality, a threat actor was inside the environment and beginning to move laterally, attempting what we suspect was a data breach, with the data to be held for ransom or sold. The existing EDR provider missed both the lateral-movement traffic and the attacker’s command-and-control beacons.

Because of the coverage of our NDR solution, our analysts quickly flagged the malicious-looking behaviour and raised it with the customer. With clear indicators in hand, we could swiftly work with the customer to deploy our own EDR coverage. In the interest of ensuring maximum resilience for the customer, our team deployed this service out of contract to begin actively monitoring endpoints. In under six hours, our team instrumented over 100,000 endpoints.

Our team worked with the client to help them understand where our Attack Disruption approach would have picked up the earlier exploit. By analysing historic data, our team uncovered the points of compromise so the customer could fully understand what had occurred.
“We worked with the higher education organisation to onboard over 100 000 endpoints in just six hours and within 20 minutes, our SOC analyst prevented the attack from escalating.”
That 20-minute window made the difference between an attempted breach and a threat actor entrenched deep in production systems.
2. Attack Disruption: 20 Minute Response

As a result of this incident, e2e-assure took over the client’s EDR monitoring, and our team worked with the customer to implement Attack Disruption rules. These are pre-defined rules that trigger alerts on signals of malicious activity and immediately contain the affected machine. Since the initial incident this customer has experienced a second incident, but with Attack Disruption in place it was detected and responded to in under 20 minutes.
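The two mechanisms described above, NDR revealing command-and-control beacons that the endpoint agent missed, and an Attack Disruption rule that turns such a signal into an immediate containment decision, can be illustrated with a small periodicity check over outbound flow records. This is an added example, not e2e-assure’s code or rule set. It assumes flow records of the form "timestamp source_ip destination:port" (a constructed format), a constructed sample log in which one host polls a single external address on a fixed interval, and a hypothetical allowlist standing in for the customer-specific tuning that keeps auto-containment from firing on known-good services.

```python
"""Beacon-periodicity detection over outbound flow records, feeding a
contain-the-host decision. Added example; format, thresholds and the
allowlist hook are assumptions, not a vendor's actual rules."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample NDR flow log. Host 10.20.5.17 contacts one address
# every ~300 s with small jitter (beacon-like). Host 10.20.5.40 contacts
# one address in irregular bursts (ordinary browsing pattern).
SAMPLE_FLOWS = """\
1700000000 10.20.5.17 203.0.113.9:443
1700000301 10.20.5.17 203.0.113.9:443
1700000599 10.20.5.17 203.0.113.9:443
1700000902 10.20.5.17 203.0.113.9:443
1700001199 10.20.5.17 203.0.113.9:443
1700001501 10.20.5.17 203.0.113.9:443
1700000012 10.20.5.40 198.51.100.7:443
1700000020 10.20.5.40 198.51.100.7:443
1700000700 10.20.5.40 198.51.100.7:443
1700000715 10.20.5.40 198.51.100.7:443
1700002400 10.20.5.40 198.51.100.7:443
1700002405 10.20.5.40 198.51.100.7:443
"""

# Assumed thresholds: enough connections to judge, and a low coefficient of
# variation (stddev / mean of the inter-arrival times) meaning "regular".
MIN_CONNECTIONS = 5
MAX_CV = 0.15


def parse_flows(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(int(ts))
    return flows


def periodicity(timestamps):
    """Return (mean interval, coefficient of variation) or None if too few gaps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m == 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(flows, min_connections=MIN_CONNECTIONS, max_cv=MAX_CV):
    """Flag (src, dst) pairs whose connection timing is suspiciously regular."""
    hits = []
    for (src, dst), times in flows.items():
        if len(times) < min_connections:
            continue
        result = periodicity(times)
        if result is None:
            continue
        interval, cv = result
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst,
                         "interval_s": round(interval), "cv": round(cv, 3)})
    return hits


def disruption_actions(hits, allowlist=frozenset()):
    """Attack Disruption-style rule: every beaconing host not talking to an
    allowlisted destination is queued for immediate containment. The
    allowlist stands in for per-customer tuning that keeps false positives
    from isolating machines needlessly."""
    return [h["src"] for h in hits if h["dst"] not in allowlist]


if __name__ == "__main__":
    beacons = find_beacons(parse_flows(SAMPLE_FLOWS))
    for b in beacons:
        print(f"beacon: {b['src']} -> {b['dst']} every ~{b['interval_s']}s (cv={b['cv']})")
    print("contain:", disruption_actions(beacons))
```

The regular host is flagged at a roughly 300-second interval and queued for containment, while the bursty host is not; passing its destination in the allowlist suppresses the containment action without hiding the alert, which is the trade-off between speed and trust discussed later on this page.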

3. Spotlight on the SOC Analyst

Our rapid containment was the result of our balance between tech and an expert human-led approach.

Pre-defined playbooks, based on customer-specific threat intelligence and improved technological configurations, create rapid detection rules which can be contextualised and instantly responded to by our UK-based SOC analysts. This approach minimises both the impact of an attack and the disruption to a business’s day-to-day operations.

We were able to implement effective Attack Disruption rules because of the expert knowledge and threat intelligence gathered by our SOC analysts, but also because of the relationship and trust built with our customers. The ability to immediately contain a machine is powerful, but it is also concerning to an organisation that does not fully trust its alert rules or that experiences a lot of false positives. The trust that we build with our clients gives them confidence in our ability to implement this level of detection without impacting their operations.

“It was the combination of context-rich alerts and rapid automated playbooks that stopped the attack before it could spread.” 


Lessons Learned

  1. 24/7 monitoring must cover the full environment. Passive NDR sensors reveal threat actor communications that agents and firewalls miss.
  2. Automated attack disruption reduces dwell time. When 43% of surveyed organisations say speed is a top decision factor, it pays to remove manual hand-offs.
  3. Proof-backed onboarding accelerates budget approval. In this case, a live proof-of-concept secured executive buy-in for continuous 24/7 SOC coverage.
  4. Strong client-provider relationships enable seamless teamwork. When trust is in place, teams move quickly to isolate, investigate and recover.

Next Steps

Real-time attack disruption is not a luxury. It is a necessity for any organisation that cannot tolerate downtime or ransom demands. If your current SOC model leaves you exposed to hidden beaconing or slow response times, let’s talk about a proof-backed approach to continuous threat disruption, including consultancy offerings such as table-top exercises and configuration set-ups.

Contact us at info@e2e-assure.com to learn how we can help you achieve the same 20-minute turnaround capability.
