Every 11 seconds there is a ransomware attack. Bad actors are targeting companies and critical infrastructure systems for their next opportunity. In many cases, they infiltrate their target and then wait to strike. OpenText™ Managed Detection and Response (MDR) has caught numerous malicious activities within hours of implementation and prevented attacks from causing major financial and reputational damage. Fabian Franco, Senior Manager of DFIR, Threat Hunting and SOC, OpenText, and Kevin Golas, Director of Worldwide Cyber Security Services, OpenText share their expertise and thoughts on how MDR is an essential part of a cyber resilience plan.
Q. How have the recent supply chain ransomware attacks escalated the need for managed security services?
FF: The urgency was always there. However, the publicity of the JBS and Colonial Pipeline attacks showed just how vulnerable infrastructure is to a ransomware attack. Now that security leaders can see what a threat actor can do from halfway around the world to cripple our supply chain, there is an increased emphasis on the need to invest in cyber security solutions. Companies can no longer simply purchase a technology, set it and forget it, and assume that they are fully protected. There is a need to have managed services teams in place to find attacks like Solar Winds. These teams of experts are the ones most likely to find the latest versions of ransomware moving around within environments.
Unfortunately, a lot of people think that these ransomware attacks all of a sudden happened, but the truth is that the attackers have likely been in the environment for a couple of months already. Attackers are moving laterally, accessing data and using persistence techniques. They may also be injecting malware into the backups. Then when they see an opportune moment, they hit these places with ransomware all at the same time making it harder for authorities to clean up the activity and run an investigation. The recent attacks shed light on how vulnerable the supply chain is, and how organizations need to invest in both cybersecurity technologies and managed services to catch these threats before they can do damage.
Q. What common techniques and tools are attackers using?
KG: At the end of the day, ransomware is the number one thing that’s hitting companies and is the easiest way in for attackers. It doesn’t matter which tools they use, but Colbalt Strike seems to be one of the easiest ones to use. When it gets into the hands of people that know what they’re doing, it’s extremely dangerous.
FF: Each malware has its tool in the tool chest, and Cobalt Strike is typically the secondary downloader. When a machine is infected, attackers won’t immediately drop Cobalt Strike on it because they want to make sure it’s connected to a domain and something interesting is on it. If for example, it was my home computer, most of the time the threat actor isn’t going to waste their time on this. Now, if it was an employee that clicked on the phishing email on his work machine, then it has a domain on there. That becomes a lot more attractive and interesting for the threat actors. Then they might send them a phishing email that has a malicious macro or a malicious link, for instance, an IcedID malware that is running on his environment. Once they can confirm that it is a domain, they’ll go out and deploy Cobalt Strike onto the machine. Cobalt Strike is typically a secondary piece of malware that’s deployed and is not tied to one single campaign.
Q. Are attackers becoming more sophisticated?
FF: When we look back at the Cassia attack as an example, the first time the attackers got in was during regular business hours when activity was peaking. Typically, threat actors will push phishing emails out during busier times when workers are receiving a lot of emails and are more likely to accidentally click on a link or open an attachment. Once an attacker is in and persisted within the environment, then they’ll wait to deploy the ransomware during off-peak times when organizations have limited staff to monitor alerts. For instance, striking when people are headed out for a three-day weekend. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed. Attackers are often in the environment and critical signs are being missed. If companies don’t have a managed security service provider, that’s when they need a specialist to go in and investigate.
Q. Has the team found any newly discovered, previously unknown threats?
KG: With one of our clients, shortly after we were added to their network we identified a new C2 beacon that Cobalt Strike was using, that wasn’t previously reported. OpenText was the first to identify it and post it publicly to make people aware and to know about that Cobalt Strikes command and control channel. We can uncover threats within minutes of us being deployed on a system. As soon as our telemetry and log sources are being ingested into the platform, within minutes we can see what is going on. We can do this because we have our TTPs already set up. Then we can customize them even further based on our customer’s requirements and industry.
In one scenario, as soon as we got on the box, we realized 412 IP addresses were coming from Russia, and attacking from an RDP that was open to the internet. We can see how the attacker moves and how they infect other machines and move laterally. The customer then wanted to deploy additional agents to have even more visibility. OpenText MDR was able to see how attackers were affecting the other networks, and within minutes, were able to start mitigating risks, reducing potential damage and adding value.
Q. How do you leverage shared intelligence?
FF: The more clients that are being managed by an MDR service the better perspective teams have across their client’s environments. The more data we have, the better solutions we are going to be able to provide for our clients, and the more data sets we can analyze and conduct threat hunting. We see trends across our MSP clients and in verticals like healthcare. When we see something happening in one of our environments, we sweep through all our client’s data to make sure it doesn’t exist elsewhere. OpenText MDR will identify tactics, techniques and procedures (TTPs) related to a new malware that’s targeting a particular environment and then write that TTP and apply it to our clients and notify them in real-time. We fully integrate OpenText BrightCloud® Threat Intelligence into our MDR platform. The integration into the SIEM provides valuable loopback information. As we identify a new piece of malware, we’re notifying customers to make their threat intel the best that it can be.
For more information on OpenText MDR visit: Managed Detection and Response – OpenText Security