CyberWins: Arctic Wolf Concierge Security Team Defends Financial Services Company From PowerShell Threat

The financial services industry is home to an unending treasure trove of sensitive data. That’s why industry organizations are squarely in the sights of sophisticated hackers, as evidenced by high-profile data breaches ranging from Equifax to Capital One. 
For this reason, many Arctic Wolf customers come to us from the financial services industry. For smaller customers, our services are offered through their MSP, and recently we uncovered a significant threat to one of them. This customer, despite having fully configured endpoint security and antivirus, had a serious risk that Arctic Wolf security experts discovered before it could slip through the cracks.

The Target

A leading market credit card service, which manages nearly 2.6 million credit cards, knew it needed better visibility across its entire environment and endpoints. Its IT organization realized early on that remote employees posed a significant risk, and worked with Arctic Wolf to ensure their protection. To address the risk, the company installed and configured the Arctic Wolf® Agent so that it could rely on the agent’s endpoint detection capabilities for devices that were not connected to the corporate network. In addition, Arctic Wolf connected to their endpoint detection and response (EDR) application to get additional visibility across their environment.

What We Discovered

At approximately 7:45 PM, the Arctic Wolf security operations platform escalated an event within our SOC. An Arctic Wolf Concierge Security® Engineer confirmed an anomalous PowerShell script running on a remote worker’s laptop. This presented a potentially significant threat that could have allowed an attacker to escalate privileges and compromise the customer’s whole network. The finding demanded immediate action.

What Happened Next

The Arctic Wolf engineer reached out to the customer right away to alert their IT security team of the incident. Not surprisingly, they did not recognize the unauthorized script and requested that the device be immediately contained. This action prevented the host from communicating with any other host via their VPN and stopped communication over the user’s home WiFi connection, cutting off any lifeline to its command and control server.

The Arctic Wolf Response

The Concierge Security Team ran its response playbook to ensure the customer was protected. The following steps were executed as soon as the incident was detected.
  • Verified the threat
  • Notified the customer
  • Quarantined the endpoint via Arctic Wolf Managed Containment
  • Investigated the endpoint’s activity and subsequent network traffic in an effort to discover how the script arrived on the endpoint
  • Sought to discover what its full capabilities were 
  • Ensured the script was not installed or configured on other devices on the network 
  • Made certain that the infection was limited to this one specific device—which it was
After the threat was remediated, the customer issued the user a new computer and, based on guidance from CST, wiped the offending device upon its return to IT.

Enhanced Protection Going Forward

The post-mortem of this event did not stop at this point. More work needed to be done. The Arctic Wolf Concierge Security Team helped the customer perform an architecture review in which Arctic Wolf security experts made strategic recommendations. These included:
  • A thorough review of, and training in, best practices around endpoint security, antivirus, and group policy configurations
  • Ensuring that workstations and laptops were configured for least privilege access but still allowed employees to do their jobs as effectively as possible 
  • Helping the customer implement these suggestions to eliminate this potential attack vector and help reduce its attack surface against future cyberthreats

See More Examples of the Arctic Wolf Team in Action

To learn more about how Arctic Wolf and its Concierge Security Team of skilled security experts help customers with their cybersecurity needs, check out other entries in this series, or read some of our case studies. And to learn more specifically about the Arctic Wolf Agent and the actionable intelligence it provides, read our data sheet.