The Network: A chain of vacation resorts with several locations in North America. The front desk is supposed to be the gateway to good times.
The Expectation: Prevention defenses are working (antivirus, next generation firewall) and monitoring is in place to catch anything that slips through the prevention layer.
The Catch: EventTracker identified an unexpected connection to China during the graveyard shift, from a machine at the front desk at a particular resort location.
The Find: The system was targeted by malvertising. It was high season for the resort, so the front desk was staffed on the night shift to be responsive to guests. Even so, the person at the front desk was bored and was surfing the web. In doing so, a website delivered malware via a third-party ad server. This malware got past the antivirus on the desktop and began executing. After an initial recon, it “phoned home,” as is often the case with first-stage dropper infections. This was especially dangerous because the front desk station is used to process credit cards during checkout.
The Fix: Quarantine the infected front desk machine; ideally re-image it before returning it to service. Review internet access network policies for such endpoints — a reputable DNS service would have denied the access. When the first line of defense fails, the second line (detection) and third line (network access control) should catch what it missed. This is defense in depth.
The Lesson: Stop relying exclusively on antivirus and next generation firewalls. Think defense in depth (network access control, endpoint threat detection). Monitoring DNS activity and network traffic is an excellent technique.
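As an added example (not EventTracker's code or the resort's own tooling), here is the kind of detection logic the lesson points at, run over constructed flow records: front-desk hosts talking to an unexpected country are flagged, and the alert is raised to high severity when it happens during the graveyard shift. The host list, expected-country set, GeoIP map and log format are all assumptions.

```python
"""Front-desk outbound flow triage (constructed example, not EventTracker code).

Flags flows from card-handling front-desk hosts to countries the resort does
not expect to talk to, and raises severity when the flow happens during the
graveyard shift. All hosts, addresses, log lines and the GeoIP map are
constructed sample data.
"""
from datetime import datetime

FRONT_DESK_HOSTS = {"10.20.5.11", "10.20.5.12"}   # constructed check-out stations
EXPECTED_COUNTRIES = {"US", "CA", "MX"}           # where front-desk traffic should go
GRAVEYARD_SHIFT = (0, 6)                          # local hours, start incl., end excl.
GEO = {"203.0.113.7": "CN", "198.51.100.4": "US", "192.0.2.9": "CA"}  # stand-in GeoIP

def parse_flow(line):
    """Constructed line format: '<iso-timestamp> <src> <dst> <bytes_out>'."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)

def is_graveyard(ts):
    start, end = GRAVEYARD_SHIFT
    return start <= ts.hour < end

def triage(lines):
    """Return (severity, src, dst, country, timestamp) for suspicious flows."""
    alerts = []
    for line in lines:
        ts, src, dst, _ = parse_flow(line)
        if src not in FRONT_DESK_HOSTS:
            continue                      # only card-handling endpoints are in scope
        country = GEO.get(dst, "??")      # unknown geolocation is treated as unexpected
        if country in EXPECTED_COUNTRIES:
            continue
        severity = "high" if is_graveyard(ts) else "medium"
        alerts.append((severity, src, dst, country, ts.isoformat()))
    return alerts

SAMPLE_FLOWS = [   # constructed flow records
    "2024-03-02T02:14:05 10.20.5.11 203.0.113.7 4820",  # front desk -> CN, 02:14
    "2024-03-02T02:15:00 10.20.5.11 198.51.100.4 900",  # front desk -> US, expected
    "2024-03-02T14:03:00 10.20.5.12 203.0.113.7 1200",  # front desk -> CN, daytime
    "2024-03-02T03:00:00 10.20.9.50 203.0.113.7 700",   # not a front-desk host
]

if __name__ == "__main__":
    for sev, src, dst, cc, ts in triage(SAMPLE_FLOWS):
        print(f"[{sev}] {ts} {src} -> {dst} ({cc})")
```

In production the GeoIP map and host list would come from the SIEM's asset inventory and a real geolocation feed; the shift window should match the property's local time zone.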