Cybereason Blog | Cybersecurity News and Analysis

Case study: Software company detects and closes year-old webmail server backdoor

Written by Lital Asher-Dotan | Feb 19, 2016 7:48:30 PM

A U.S. software vendor believed that it had an infected server because of several behavioral abnormalities spotted by its security team. Even though the company had several security platforms in place, including an antivirus, a sandbox and a SIEM, it couldn’t confirm its suspicions.

The company reached out to Cybereason to help it figure out whether its hunch was valid. In fewer than 24 hours Cybereason deployed its sensors across the customer’s entire environment of 19,000 endpoints, allowing the company's security team to start detecting threats immediately. The platform discovered a unique advanced persistent threat that had compromised the company's IT environment months earlier.

The attack targeted the company's Outlook Web App server in a way that allowed the adversaries to record authentication credentials. This gave the attackers a backdoor into the customer's environment and allowed them to collect, and retain control over, all of the company’s user credentials. These credentials are akin to the hackers having a set of keys that opened every door in the company’s office. In fact, this information allowed the hackers to maintain persistent control over the organization’s IT environment for almost a year.

The security team’s instincts were spot on: there was more behind the OWA server’s odd behavior. However, this suspicion was only confirmed months after the attackers had compromised the system. Only by using behavioral analysis was the security team able to detect, understand and contain this clever hack. Even the most talented security analysts would have spent weeks manually investigating the situation before discovering the threat.

To learn how full endpoint visibility and automatic detection revealed the full attack, read the case study.