Over the course of a several-month analysis of its network traffic, one Czech banking institution detected several anomalies pointing to the possible presence of an attacker in its network. However, it was not sure whether these were false positives or not, and it did not have any tools at its disposal that could help to settle the question. Thus, it contacted us to see whether we could lend a helping hand in this matter.
Together with the customer, we agreed on the implementation of an Endpoint Detection and Response (EDR) solution for monitoring suspicious activities on endpoints and servers and for helping to detect whether an attacker had access to any of their internal end systems. The solution was successfully installed over the course of one morning, and after lunch we already had several results indicating the presence of an attacker on important customer servers.
We immediately configured a stricter detection mode for monitoring network activities from these servers, launched processes, and executed commands. After only two hours, this information allowed us to confirm that the attacker had access to these servers, what activities he had been performing, and how he had entered the systems. We temporarily blocked all network communication from these servers with the EDR and removed all of the attacker's remnants, including the backdoors he was using to access the systems.
Logs of running processes revealed that the attacker signed in through an RDP service that was exposed to the Internet, and that this was how he entered the network for the first time. We identified the compromised account that was used to sign in and recommended that the customer change its passwords and reconfigure the RDP service so that it is no longer reachable from the Internet.
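The kind of check that surfaces such an entry point, written here as an added illustration rather than code from the vendor or its EDR product: it scans logon records for RDP (RemoteInteractive, logon type 10) sign-ins whose source address lies outside the organization's own address ranges, and lists the accounts that signed in that way so their passwords can be reset. The `key=value` export format, the internal network list and the sample log lines are all constructed assumptions; the field names follow the common Windows Security event 4624 fields, and the documentation address ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public Internet addresses.

```python
"""Flag RDP logons that originate outside the internal address space.

Added example for the case study above, not the EDR vendor's code.
Assumptions: logon records are exported as one "key=value" line per event
(a constructed format), and the organization's internal ranges are the
RFC 1918 networks listed below.
"""
import ipaddress
import re

# Constructed sample records (not real customer data). 203.0.113.x and
# 198.51.100.x are documentation ranges used here as stand-ins for
# public addresses.
SAMPLE_LOG = """\
2024-01-15T08:02:11Z EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=203.0.113.45 WorkstationName=SRV-DB01
2024-01-15T08:05:40Z EventID=4624 LogonType=2 TargetUserName=jnovak IpAddress=- WorkstationName=SRV-DB01
2024-01-15T09:17:03Z EventID=4624 LogonType=10 TargetUserName=admin.ops IpAddress=10.20.30.7 WorkstationName=SRV-APP02
2024-01-15T23:41:58Z EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=198.51.100.9 WorkstationName=SRV-DB01
2024-01-16T00:03:12Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.9 WorkstationName=SRV-DB01
"""

# Assumed internal address plan; adjust to the organization's own ranges.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

SUCCESSFUL_LOGON = "4624"   # Windows Security event: an account was logged on
REMOTE_INTERACTIVE = "10"   # LogonType 10 = RDP / RemoteInteractive
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'timestamp key=value key=value ...' into a dict."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["Timestamp"] = timestamp
    return fields


def is_internal(ip_text):
    """True when the address parses and falls inside an internal range.
    Placeholders such as '-' (no network address recorded) count as
    internal so they do not trigger an alert on their own."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return any(ip in net for net in INTERNAL_NETWORKS)


def find_external_rdp_logons(log_text):
    """Return (timestamp, user, source_ip, host) for every successful RDP
    logon whose source address is outside INTERNAL_NETWORKS."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("EventID") != SUCCESSFUL_LOGON:
            continue            # failed attempts (4625) are not access
        if ev.get("LogonType") != REMOTE_INTERACTIVE:
            continue            # console / service logons are out of scope
        src = ev.get("IpAddress", "-")
        if is_internal(src):
            continue
        findings.append((ev["Timestamp"], ev["TargetUserName"], src,
                         ev.get("WorkstationName", "?")))
    return findings


def accounts_to_reset(findings):
    """Distinct accounts seen signing in over RDP from outside."""
    return sorted({user for _, user, _, _ in findings})


def exposed_hosts(findings):
    """Distinct hosts that accepted an RDP logon from outside."""
    return sorted({host for _, _, _, host in findings})


if __name__ == "__main__":
    hits = find_external_rdp_logons(SAMPLE_LOG)
    for ts, user, src, host in hits:
        print(f"{ts} external RDP logon: {user} from {src} on {host}")
    print("accounts to reset:", accounts_to_reset(hits))
    print("hosts to remove from the Internet:", exposed_hosts(hits))
```

Run against the constructed sample, the script reports the two external sign-ins by `svc_backup` on `SRV-DB01`, ignores the internal RDP session and the console logon, and leaves the failed attempt out of the access list; that output maps directly onto the two remediation steps above, resetting the account and taking the RDP service off the Internet.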
With the EDR solution, we obtained all the information we needed to track down the attacker and remove his traces from all infected systems. At present, our customer has the EDR solution deployed as a replacement for its antivirus product, and the monitoring is performed by our Cyber Defense Center.