MXDR, Customer Success

New Customer Tests CloudGuard’s Automated Incident Response

Table of Contents

In August 2023, a new customer partnered with CloudGuard to improve their cybersecurity posture. Little did they know that within days of going live with our CloudGuard Protect MXDR service, a multi-stage incident lurking in their environment would be exposed.

This case study delves into the incident, highlighting the importance of rapid threat detection and automated incident response.

Discovering the threat

threat detection incident response

CloudGuard’s Protect MXDR service wasted no time in proving its worth. Within days of deployment, it raised the alarm on a serious security incident.

We deploy Microsoft Sentinel as a Security Incident and Event Management (SIEM) solution as part of the service. We unified all the customer’s security data into one place, so that it could be rapidly analysed thanks to its advanced algorithms.

This analysis allows us to detect suspcious patterns of anomalies in data that could be indiciative of an attack in seconds.

In this case, suspicious commands and tasks were cleverly concealed within Base64 encrypted payloads – making detection by traditional means nearly impossible.

Once detected, our SOC (Security Operations Centre) team quickly sprang into action.

Decoding the threat

Four security analysts working on their computers in an office.

The SOC team’s expertise was put to the test as they successfully decoded the encrypted payloads.

What they unveiled was chilling: a discreet form of malware had been making recurring attempts to manipulate the registry in the customer’s environment since March 2023.

The threat actors behind this attack were not to be underestimated.

Automated threat enrichment

security automated threat enrichment

One of the crucial aspects of threat detection is understanding the adversary. The problem is that this can take a human hours of painstaking research to accomplish. We reduce this process to minutes thanks to automation.

Automated threat enrichment works by continuously gathering and analysing data from various sources, including dark web forums, hacker chatter, and malware databases. This data is then correlated with the indicators of compromise (IOCs) detected in the customer’s environment.

We machine learning algorithms to identify patterns and link them to known threat actors and their tactics, techniques, and procedures (TTPs).

Here, our use of automated threat enrichment meant the malware could be swiftly linked to an attack by notorious threat actors, suspecting Emotet or Gozi to be the threat group.

Europol states: “EMOTET has been one of the most professional and long lasting cybercrime services out there. First discovered as a banking Trojan in 2014, the malware evolved into the go-to solution for cybercriminals over the years.”

This attribution provided critical context for the incident response.

Automated incident response is key

Time is of the essence in the world of cybersecurity, and CloudGuard proved its worth once again.

Within just 20 minutes of detecting the threat, CloudGuard’s automated incident response service had not only exposed the malicious command lines but also alerted the customer about the critical incident.

Furthermore, it provided detailed remediation actions, including isolating and rebuilding the affected machine.

Lessons learned

The timeline of this incident is notable. The malware had infiltrated the customer’s environment in March 2023, long before their partnership with CloudGuard began in August. This highlights the importance of continuous monitoring and detection capabilities, as threats may remain dormant for extended periods.

Moreover, the incident proves the value of an integrated MXDR service like CloudGuard’s. Rapid detection, immediate alerting, automated incident response, and actionable remediation guidance proved invaluable in mitigating the threat swiftly.

Ongoing investigation

While the immediate threat was addressed efficiently, the work is far from over.

An ongoing investigation aims to uncover how the malware gained a foothold in the environment and whether any damage was inflicted. The incident underscores the need for proactive threat hunting and post-incident analysis to strengthen defences against future attacks.

The importance of cybersecurity

cloudguard automated incident response

The CloudGuard Protect MXDR service proved its ability in unearthing a stealthy, long-standing threat within a new customer’s environment. The incident proves the importance of robust threat detection, automated incident response, and continuous monitoring.

As organisations continue to face evolving and sophisticated threats, services like CloudGuard’s MXDR play a crucial role in improving cybersecurity defences. The swift identification and mitigation of this incident demonstrate the value of proactive cybersecurity measures in protecting sensitive data and business continuity.

Author: Thomas Shelton
Share:
Author: Thomas Shelton
Share:

Related Resources

CloudGuard logo and Stonewater Housing logo on a pastel purple background
Stonewater Housing Achieves 24/7 Security Monitoring Without Expanding Its IT Team
Private Equity Firm replaces alert-only MDR with 24/7 Managed XDR (Response in minutes)
Preventing malvertising attacks with CloudGuard Managed XDR [real-world examples]
You’re at work, rushing to edit a PDF. You Google “PDF editor”, click the first link, and download what looks like the perfect tool. But what if that simple search just opened the door to a cyberattack? That’s exactly what happened here. A user thought they were downloading a harmless...
managed soc
Managed SOC vs Managed XDR: Find the Better Solution
Whether you’ve already outsourced your businesses cybersecurity operations or are taking your first steps in finding a provider, you face a crucial decision: which security solution is best? You’ve probably found so many different services and acronyms that it’s starting to feel like an impossible task. That’s why we’ve decided...
5 Key Questions for Cybersecurity Vendor Selection [Your Cheat Sheet]
As part of CloudGuard’s yearly review, our Customer Success leaders ran a survey across UK and Ireland based businesses to understand the challenges that IT leaders experienced when assessing the market for cybersecurity vendor selection. The businesses had a wide variety of cyber solutions, experiences and security maturities. The purpose...
Amazon Filters Achieves 98% Security Automation with CloudGuard MXDR
Press Release Manchester, UK, 09 April 2024 – In the face of escalating cyber threats within the manufacturing sector, Amazon Filters, a prominent UK-based manufacturer of bespoke filtration technology, has strengthened its cybersecurity posture through a strategic partnership with CloudGuard’s Protect Plus MXDR service. Amidst growing concerns over the effectiveness...
will ai regulation harm cybersecurity and help hackers
Will AI Regulation Harm Cybersecurity and Help Hackers?
Adopting and leveraging the advantages of AI is accelerating rapidly. Questions surrounding the potential impact of new AI regulations on cybersecurity innovation have sparked discussions within the industry. I was asked about this on our recent webinar about the 2024 threat landscape. In this piece, I aim to provide further...
introducing cloudguard's new mxdr platform
Introducing CloudGuard’s New MXDR Platform
CloudGuard’s MXDR platform is getting ready for Christmas early with its newly updated customer dashboard, offering more detailed insights into your organisation’s cybersecurity operations. I’m Liam, CloudGuard’s Platform Leader, and I’m going to walk you through some of the key changes to our MXDR platform. Clearer overview We’ve overhauled the...
supply chain cyber risk reduction
Accelerating Supply Chain Cyber Risk Reduction (Part 2)
In part 1 of Supply Chain Cyber Risk Reduction , we covered the excellent NCSC advice on how manufacturing businesses can work with supply chain partners to improve overall cyber security controls and reduce risks. After all, it is both through partnership and a shared understanding of responsibilities that both...
Get In Touch

Our Cybersecurity Services Can Instantly Improve Your Business’ Security Posture

Complete the form to find out more about any of our one-off or managed cybersecurity services. Not seeing what you’re looking for? Our cybersecurity consultants and MXDR experts are always on-hand to provide the guidance and support you need.