Bad actors don’t play by the rules, don’t take time off, and don’t keep normal business hours.
In fact, the 2020 Arctic Wolf Security Report found that 35 percent of incidents happen after hours. That’s why year-round, 24×7 coverage is essential to businesses of all sizes.
These facts shouldn’t surprise anyone, but what might surprise you is how many businesses don’t have security controls in place to respond to (or even monitor for) cyberattacks after hours. Traditionally, this has been an expensive proposition.
Organizations either needed to build their own security operations center (SOC), which requires at least 10-12 analysts, or outsource their SOC to a managed security services provider (MSSP) that, unfortunately, tends to overdeliver alerts and underdeliver outcomes.
Arctic Wolf provides an alternative that is designed to provide 24×7 security operations for organizations that need broad visibility and customized incident response. For one of our customers this around-the-clock coverage recently proved vital.
The Manufacturing Target
A Pacific Northwest manufacturing company, with offices nationwide and more than 5,000 employees, uses Arctic Wolf to monitor its IT environments, which include more than 100 servers both on premises and in the cloud.
A public company with compliance requirements and major offices across North America, it originally sought to work with Arctic Wolf to gain visibility into its Azure, AWS, and Office 365 cloud platforms in addition to its endpoints and internal network.
Just after 3:00 a.m. on the first day of September, an Arctic Wolf sensor detected an anomalous SSL certificate and known malware, Metasploit Meterpreter, on one of the customer’s endpoint devices. The Arctic Wolf SOC engineer immediately performed the initial triage and then notified the next-level engineer on the Concierge Security® Team working that night.
Minutes later, once this Arctic Wolf engineer had investigated the incident, it was apparent that a bad actor had remote shell access to the compromised machine.
The Arctic Wolf Response
Within three minutes of the incident being detected, the Arctic Wolf engineer notified the customer to immediately remove the system from the network and block the malicious IP address on all firewalls. While Arctic Wolf can remotely contain a compromised host depending on the customer’s preference, its agreement with the manufacturer in this case specifically called for the customer to do so on their end.
Seven minutes after Arctic Wolf called the customer, the machine was off the network before the compromise was able to spread and inflict further damage.
The Arctic Wolf Concierge Security Team along with the customer investigated and determined:
- The malware bot was able to establish command and control with the host
- The compromised box was likely gathering information on the system so that it could be used as a jump site to launch other attacks
- Based on log file research, it appeared the attack path had its roots in Eastern Europe and may have had its origin in compromised credentials of a remote application server account
- There was no lateral movement
- The attacker was not able to exfiltrate any data
This large American manufacturer was able to avert a disastrous data breach or possible ransomware attack because it had 24×7 security monitoring and threat detection provided by Arctic Wolf’s expert security team.
The Arctic Wolf Concierge Security Team manages and handles cyberthreats at all hours, providing its customers peace of mind and letting them sleep well at night. When major threats arise—such as this one—we’re there to ensure the customer is rapidly aware of and involved in whatever actions need to urgently take place.
See More Examples of the Arctic Wolf Team in Action
To learn more about how Arctic Wolf and its Concierge Security Team of skilled security experts help customers with their cybersecurity needs, check out other entries in this series, or read some of our case studies. And to learn more specifically about the Arctic Wolf Agent and the actionable intelligence it provides, read our data sheet.