Malware Booted on State Government Network

The Network: A U.S. state network with hundreds of servers and workstations across multiple organizations and distributed agencies statewide. The state is in a multi-year digital transformation project to streamline IT, bolster cybersecurity, and enhance citizen access to online resources and state services. It has a state-level role for risk management, cybersecurity standards, and mitigation processes. Information security is offered as a shared service for smaller agencies and smaller local governments that cannot support one in-house. Trusted relationships are important for formal and informal information sharing, such as with private industry and the U.S. Federal Government.

The Expectation: Servers and applications within the state government are kept current with anti-virus tools and patched regularly. An Intrusion Detection System (IDS) and vulnerability assessment scans cover the infrastructure to identify gaps before threat actors can exploit them. The state agency uses EventTracker SIEM (Security Information and Event Management) as a single platform for security monitoring as well as threat detection and response.

The Catch: The EventTracker sensor detected the creation of a new service on a workstation. Minutes later, that workstation connected to a site hosted on Amazon Elastic Compute Cloud (Amazon EC2), a service used to create virtual servers. No such connection should have been made from this network.
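The sequence described above (a new service installed, then a connection from the same host to an EC2-hosted site minutes later) is a correlation a SIEM can express as a rule. The following is an added example, not EventTracker's rule or code from the original case study: it assumes Windows event ID 7045 (Service Control Manager, new service installed) and Sysmon event ID 3 (network connection) as the inputs, a 15-minute correlation window, and the `amazonaws.com` hostname suffix as the marker for EC2-hosted destinations. The sample events are constructed and use documentation IP ranges; the hostnames and service names are placeholders.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the page). Event ID 7045 comes from the
# Windows System log when a service is installed; Sysmon Event ID 3 records a
# process making a network connection.
SAMPLE_EVENTS = [
    {"ts": "2023-03-01T09:00:05", "host": "WS-114", "event_id": 7045,
     "service": "UpdaterSvc", "image": r"C:\Users\Public\svchelper.exe"},
    {"ts": "2023-03-01T09:03:40", "host": "WS-114", "event_id": 3,
     "image": r"C:\Users\Public\svchelper.exe",
     "dest_host": "ec2-203-0-113-10.compute-1.amazonaws.com", "dest_port": 443},
    # Ordinary browser traffic to an EC2-hosted site: no preceding service
    # install on that host, so it must not alert.
    {"ts": "2023-03-01T09:10:00", "host": "WS-207", "event_id": 3,
     "image": r"C:\Program Files\Browser\browser.exe",
     "dest_host": "ec2-198-51-100-7.compute-1.amazonaws.com", "dest_port": 443},
    # A service install with no follow-up connection: no alert either.
    {"ts": "2023-03-01T11:30:00", "host": "WS-114", "event_id": 7045,
     "service": "PrintSpoolerHelper", "image": r"C:\Windows\System32\spoolsv.exe"},
]

# Assumed marker for EC2-hosted destinations; extend for other cloud providers.
CLOUD_SUFFIXES = (".amazonaws.com",)


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def is_cloud_hosted(hostname: str, suffixes=CLOUD_SUFFIXES) -> bool:
    """True when the destination hostname ends with a watched cloud suffix."""
    name = hostname.lower()
    return any(name.endswith(s) for s in suffixes)


def correlate_new_service_beacons(events, window=timedelta(minutes=15)):
    """Return alerts for hosts where a newly installed service's binary makes a
    cloud-hosted connection within `window` of the install event.

    Matching on the same host AND the same image path ties the connection to
    the new service rather than to any unrelated process on the box.
    """
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    alerts = []
    for i, svc in enumerate(ordered):
        if svc["event_id"] != 7045:
            continue
        installed_at = parse_ts(svc["ts"])
        for conn in ordered[i + 1:]:
            delta = parse_ts(conn["ts"]) - installed_at
            if delta > window:
                break  # events are time-ordered; nothing later can match
            if conn["event_id"] != 3 or conn["host"] != svc["host"]:
                continue
            if conn["image"].lower() != svc["image"].lower():
                continue
            if is_cloud_hosted(conn["dest_host"]):
                alerts.append({
                    "host": svc["host"],
                    "service": svc["service"],
                    "image": svc["image"],
                    "dest_host": conn["dest_host"],
                    "dest_port": conn["dest_port"],
                    "seconds_after_install": int(delta.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate_new_service_beacons(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']}: new service '{alert['service']}' "
              f"({alert['image']}) connected to {alert['dest_host']}:"
              f"{alert['dest_port']} {alert['seconds_after_install']}s after install")
```

The rule fires only once on the constructed input, for WS-114, and stays quiet for the browser connection on WS-207 and for the install on WS-114 that never phones out. In a real deployment the suffix list, window, and image matching are tuning knobs: loosening the image match catches services that spawn a helper process, at the cost of more benign matches to review.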

The Find: The EventTracker platform detected a malware infection after conducting a deep scan of the network.

The Fix: EventTracker recommended that infected servers and workstations be quarantined and re-imaged from the golden master. Additional best practices were provided regarding user cybersecurity awareness and training, especially regarding cloud computing and security.

The Lesson: Up-to-date anti-virus and patching are necessary, but alone they are insufficient against today’s advanced and mutating threats. Log correlation and detection are crucial for visibility and early detection of threats that jeopardize citizen access and public safety. Learn more on how to weigh prevention with powerful yet practical cybersecurity.