December 9, 2023
During the COVID-19 pandemic, the temptation to settle for access and support without emphasizing or implementing security was extremely strong as organizations reacted to the sudden need for vast remote access. Furthermore, it became critical for a user’s mobile experience to mirror their in-office environment so they could work efficiently.
However, speeding toward remote access left many companies grasping for answers when their broadened networks became more vulnerable than ever. At UAB, scaling up too fast to support mobile and remote users with an expanded virtual desktop that recreated the in-office desktop experience from within a user’s home had its pros and cons.
In this archived keynote session, Rob Ferrill, AVP and CISO at UAB, walks us through ways to spot the red flags of a vulnerable system that allow cyber-attacks, as well as how to eliminate threats by utilizing innovation and cyber resilience tools to help identify vulnerabilities and integrate into development workflows. This segment was part of our live “Innovation and Cyber Resilience” webinar. The event was presented by InformationWeek and sponsored by NetSPI on November 29, 2023.
View the entire “Innovation and Cyber Resilience” live webinar on-demand here.
A transcript of the video follows below. Minor edits have been made for clarity.
Rob Ferrill: During the pandemic, one of the security tools that our team had implemented, but had not completed the implementation, was an EDR, or an endpoint detection and response tool. This was around the summer timeframe after the pandemic started. Well, as our VDI environment got going, we recognized that the EDR deployment needed to happen quicker.
We needed to expedite the rollout of that tool across our enterprise, so we got that deployed. For those of you who don't have EDR or a managed security services provider, one of the components that they offer is a monitoring service. They will look at your logs 24/7 and let you, your security person, or your SOC know about any potential incidents that are going on.
For us, that turned out to be the saving grace of what became a notification to us on a holiday. For my team, pre-EDR, we were basically eight to five, Monday to Friday, but we were not a 24/7 SOC. So, having this constant monitoring capability was a huge win.
As it turns out, we weren't working on a particular Monday in January because it was a holiday. It was Martin Luther King Day when this happened. So, our SOC got a notification on this holiday, on a day that they were hoping to enjoy being off at home that quickly turned into a bad day. They got notified that there was some malicious activity on our network. It was found on a conference room computer and needed our immediate attention.
Here's a quick timeline of what happened. The notification that we got on that holiday in January indicated that a computer in one of our conference rooms had utilized a tool called PsExec. I'm sure many of you have heard of that or used it too.
They were using PsExec to perform reconnaissance and dump user credentials on two of the other computers in that department. The attackers had cracked the credentials of that conference room computer, which included a local administrator account. And that account had admin rights to all the computers in that department, so that exacerbated the issue for us.
The alert that we received from this EDR vendor told us that they had discovered similar activity a few days prior. So, in essence, they should have notified us a few days before this occurred that something bad was going on. But as it turned out, it was MLK Day, and we were thankful to have received that notification.
Because if it hadn't been for them, we would not have seen it particularly on that holiday when there was a lot of malicious activity going on. I'm going to get into some of those details to show you what happened. The EDR vendor let us know that the source of this activity came from a conference room computer in one of our departments.
So, that's the exploitation phase that you see there. Under the identification piece, they found that there was a backdoor installed. There are many tools that are used by helpdesk departments to help support their users, and this tool is a remote control or remote desktop product.
Some of you have probably heard of it or used it before, and it's called AnyDesk. And AnyDesk is not a tool that is used by our helpdesk, so we knew that when we found it on these compromised computers, it was being used as a backdoor to get into our network.
At that point, the attackers did not have to go through that VDI to get into our network because they had a direct connection to these computers that had AnyDesk running. So, that was another big find as part of this investigation into this incident.
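The three red flags in this incident (PsExec fanning out from one machine, a shared local admin account active on several hosts, and a remote-control tool the helpdesk does not use) can be turned into simple triage checks. The following is an added example, not code from UAB or the webinar; the log records, host names, the `localadmin` account and the `approved-remote.exe` allowlist entry are all constructed for illustration.

```python
from collections import defaultdict

# Hypothetical allowlist: the remote-support tools your helpdesk actually uses.
APPROVED_REMOTE_TOOLS = {"approved-remote.exe"}
# Remote-control products that act as a backdoor when they are not on the allowlist.
KNOWN_REMOTE_TOOLS = {"anydesk.exe", "approved-remote.exe"}
# PsExec installs this service on the target host before it runs anything there.
PSEXEC_SERVICE_IMAGE = "psexesvc.exe"

# Constructed sample process-creation records: (time, host, account, image, parent).
SAMPLE_EVENTS = [
    ("2023-01-16T08:02", "CONF-ROOM-01", "localadmin", "psexec.exe", "cmd.exe"),
    ("2023-01-16T08:03", "DEPT-PC-07", "localadmin", "PSEXESVC.exe", "services.exe"),
    ("2023-01-16T08:04", "DEPT-PC-12", "localadmin", "psexesvc.exe", "services.exe"),
    ("2023-01-16T08:10", "DEPT-PC-07", "SYSTEM", "anydesk.exe", "services.exe"),
    ("2023-01-16T09:00", "HELPDESK-03", "tech1", "approved-remote.exe", "explorer.exe"),
    ("2023-01-16T09:05", "DEPT-PC-07", "jsmith", "outlook.exe", "explorer.exe"),
]

def psexec_targets(events):
    """Hosts where the PsExec service was dropped, with the account that drove it."""
    return [(h, a) for _, h, a, img, _ in events if img.lower() == PSEXEC_SERVICE_IMAGE]

def unapproved_remote_tools(events):
    """Known remote-control tools running where the helpdesk does not use them."""
    return [(h, img.lower()) for _, h, _, img, _ in events
            if img.lower() in KNOWN_REMOTE_TOOLS
            and img.lower() not in APPROVED_REMOTE_TOOLS]

def admin_fanout(events, min_hosts=2):
    """Accounts active on several hosts: one shared local admin is a lateral-movement risk."""
    hosts = defaultdict(set)
    for _, h, a, _, _ in events:
        if a != "SYSTEM":
            hosts[a].add(h)
    return {a: sorted(hs) for a, hs in hosts.items() if len(hs) >= min_hosts}

def triage(events):
    """Combine the three checks into one alert summary for the SOC."""
    return {"psexec": psexec_targets(events),
            "backdoor_tools": unapproved_remote_tools(events),
            "shared_accounts": admin_fanout(events)}

if __name__ == "__main__":
    for check, hits in triage(SAMPLE_EVENTS).items():
        print(check, hits)
```

The same checks map directly onto Sysmon event ID 1 or EDR process telemetry; the fan-out rule is what would have flagged the conference-room local admin account before PsExec reached the other department machines.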