Emotet Caught in a City

The Network: A municipal government serviced by an MSP requested that the EventTracker SIEM sensor be installed on hundreds of monitored endpoints.
 
The Expectation: EventTracker Co-Managed SIEM services, advanced endpoint protection, and behavior analytics would deliver added protection for the government agency.
 
The Catch: Over a weekend, within hours of onboarding, the municipality's network was found to be infected with Emotet, which had already changed form and propagated throughout the network. The threat was discovered and contained after two email exchanges with our SOC, giving the MSP time to deal with the problem in an orderly manner during normal business hours on the following business day, knowing that the threat had been neutralized.
 
The Find: Just two hours after installation, our SOC alerted the MSP to suspicious activity in the network. At the same time, EventTracker security analysts started a deep-dive investigation that included:
 
  1. Assessing the extent of the infection in the customer environment
  2. Collecting indicators of compromise (IOCs) that could later be fed to EventTracker's advanced features, such as suspicious process termination and behavior analytics
 
The Fix: After a second notification from EventTracker, the MSP authorized automatic termination of the malicious processes and blocking of their IP communication, neutralizing the threat and giving the MSP and the municipality time to remediate and recover from the infection. This was made possible by the collaboration afforded by Co-Managed SIEM services together with the SIEM platform's machine learning and automated response capabilities.
 
Our SOC provided the customer with all investigation findings and informed them that all EventTracker sensors at the infected customer premises had been updated with EventTracker's suspicious process learning and process lockdown options, which prevented further malware propagation.
 
The Lesson: Our observation and investigation found that the following best practices could have limited the spread of the infection:
 
  • Firewall best practices: a default deny rule for outbound traffic, with only the services the business needs explicitly allowed, would have blocked connections on unexpected ports to hosts outside the customer infrastructure
  • Role-based access control and least-privilege policies
  • Avoid the use of generic or shared user IDs
  • Stringent DNS access policies
  • User awareness and training on phishing emails
  • Content filtering of web traffic
  • Defense-in-depth strategies
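
The first and fourth lessons above (default deny for outbound traffic, strict DNS access) written out as an nftables ruleset. This is an added illustration, not configuration from the page or from EventTracker: the address ranges, interface names, resolver and proxy addresses are assumptions, and because the page reports no ports or destinations for the Emotet traffic, the rules simply allow the two services a typical office needs and log everything else.

```nftables
#!/usr/sbin/nft -f
# Added illustration, not configuration from the page or from EventTracker.
# Assumed topology: a Linux firewall routing the customer LAN (10.10.0.0/16 on
# interface "lan0") to the internet uplink ("wan0"), with two internal DNS
# resolvers and one outbound web proxy. All addresses and names are assumptions.

flush ruleset

define LAN_NET   = 10.10.0.0/16
define RESOLVERS = { 10.10.0.53, 10.10.1.53 }
define WEB_PROXY = 10.10.0.80

table inet egress {
    chain forward {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # The weak pattern the lesson warns about would be a blanket rule here
        # such as:   iifname "lan0" oifname "wan0" accept
        # With it, a compromised workstation can beacon to any host on any port.

        # Only the internal resolvers may send DNS outside the network, so a
        # workstation cannot resolve or tunnel over DNS on its own.
        iifname "lan0" oifname "wan0" ip saddr $RESOLVERS udp dport 53 accept
        iifname "lan0" oifname "wan0" ip saddr $RESOLVERS tcp dport 53 accept

        # Only the web proxy may reach external HTTP/HTTPS; workstations must go
        # through it, which is also where web content filtering is applied.
        iifname "lan0" oifname "wan0" ip saddr $WEB_PROXY tcp dport { 80, 443 } accept

        # Every other outbound attempt from the LAN is logged (rate limited so a
        # noisy host cannot flood the log) for the SIEM, then dropped.
        iifname "lan0" oifname "wan0" ip saddr $LAN_NET limit rate 10/second log prefix "egress-deny: " level info
        iifname "lan0" oifname "wan0" counter drop
    }
}
```

Load it with `nft -f egress.nft` and check with `nft list ruleset`. From a workstation, a direct connection to an external host on any port other than 53, 80 or 443 should time out, and the kernel log will carry an `egress-deny:` line naming the source host and destination port, which is exactly the signal a SOC wants forwarded to the SIEM when a host starts beaconing on an unexpected port.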