On a Saturday morning in February, while conducting routine security monitoring, COCC’s Security Operations Center found a potential malware threat in a subset of activity originating from a client financial institution. The threat, which was later identified as the banking Trojan Emotet (see sidebar), was discovered in the midst of reaching out to malicious domains, essentially phoning home in an effort to establish a foothold and spread throughout the financial institution’s workstation environment.
For a service that provides continuous security monitoring, finding and isolating a potential security threat is a major part of the job. So what makes this case special? The impacted financial institution did not subscribe to this service through COCC.
Yes, COCC does provide a hosted Security Operations Center (SOC) and can serve as the client’s Managed Security Provider (MSP), offering continuous security monitoring 24x7x365. However, this particular client did not leverage COCC as its MSP. Still, COCC’s security team was the first to notice the issue and bring it to the attention of the financial institution, then aided in proving the issue to the institution’s MSP.
Through these actions, COCC’s SOC assisted in the critical steps throughout the incident response process. The first step is preparation, in which an institution and its MSP implement security controls designed to stop threats before they start. If a threat gets past the preventative controls, it is key to identify the attack and contain it before it manifests further. In this instance, this is where COCC stepped in. Identifying the malware threat and shining a light on the issue allowed the financial institution’s IT staff and MSP to begin containment efforts and roll into the next steps of incident response.
COCC remained hands-on for the steps of eradication and recovery, sending specialized technicians to assist the client in the efforts to clean the systems of any existing or suspected threats, verifying that the threats had been eradicated successfully, and getting the financial institution operating safely once again. Throughout this process, the COCC SOC continued monitoring this incident for signs of malicious activity. This continued support from COCC improved the speed and efficiency of remediation, enabling full recovery within several days.
The final step in the incident response process is to realize the lessons learned. While there are multiple takeaways from this case, one lesson is clear. COCC’s SOC added value to a client even though the client was not enrolled in the service. Despite limited visibility of security traffic, COCC identified the threat more quickly than the client’s MSP, escalated it quickly, and was engaged as a partner every step along the way to help this client return to a normal state.
Had the attack persisted unchecked, the client would have been at an increased risk that the attacker could leverage its systems maliciously or access sensitive customer information. Thanks to the SOC, it did not go any further. Providing this level of additional service is indicative of the partnership COCC maintains with its clients, taking the extra step to ensure those institutions remain safe and secure. With service like that on a limited basis, imagine the scope COCC’s SOC can add with full security monitoring!
What is Emotet?
In this instance, the malware was identified as Emotet. According to an alert from the National Cybersecurity and Communications Integration Center (NCCIC), Emotet is “an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.” As stated in the alert, the malware is polymorphic and can evade typical signature-based detection and can even evolve and update itself. Identifying, containing and eradicating such a malware threat is critical in maintaining a financial institution’s security.
For more information, email StrategicProducts@cocc.com.