Client Case Studies
Your Company is Unique, So Your Managed Detection and Response Solution Should Be Too
Ankura InterXeptor™ isn’t a scaled-down, large enterprise monitoring solution; we built it specifically for middle market companies based on our decades of experience working with them and understanding their risk profiles and business objectives. We assess your unique security posture, analyze a range of potential threats, and design a custom solution with your company’s needs—and resource constraints—in mind.
How We’ve Helped Clients
Failed log-in attempts lead to threat detection and incident response action by Ankura InterXeptor
While monitoring a client in the financial industry, our analysts were alerted to an unusual pattern of failed attempts to log into a system. Failed log-ins are common and not usually indicative of malicious activity. Users often forget their passwords, particularly in the summer months after coming back from an extended vacation.
However, upon further inspection and analysis, one of our Ankura InterXeptor analysts recognized that the username being entered for one of the accounts did not follow the company’s usual naming convention. Forgetting a password is one thing, but forgetting your username is more unusual. Furthermore, the analyst noticed the originating and destination IP addresses had not previously been seen connecting. The analyst quickly conferred with the client and determined this activity was part of a password spraying attack. Ankura immediately blocked traffic to and from the observed IP addresses and advised the client to require a password change for the targeted user accounts.
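The three observations the analyst combined above (a username outside the naming convention, a source/destination pair never seen before, and one source cycling through many accounts) can be expressed as simple triage logic over an authentication log. The following is an added example, not Ankura's tooling; the log lines, the naming convention regex and the baseline of known IP pairs are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from the page): time, outcome, username, source IP, destination IP.
SAMPLE_LOG = """\
2024-06-03T08:01:10 FAIL jsmith 10.1.2.5 10.1.0.20
2024-06-03T08:01:25 OK jsmith 10.1.2.5 10.1.0.20
2024-06-03T09:14:02 FAIL amiller 203.0.113.7 10.1.0.20
2024-06-03T09:14:03 FAIL bjones 203.0.113.7 10.1.0.20
2024-06-03T09:14:04 FAIL admin 203.0.113.7 10.1.0.20
2024-06-03T09:14:05 FAIL ckhan 203.0.113.7 10.1.0.20
2024-06-03T09:14:06 FAIL Administrator 203.0.113.7 10.1.0.20
"""

# Assumed naming convention: first initial + surname, lowercase letters only (e.g. "jsmith").
NAMING_RE = re.compile(r"^[a-z]{3,}$")
# Assumed baseline of (source, destination) pairs observed during normal operations.
KNOWN_PAIRS = {("10.1.2.5", "10.1.0.20")}

def parse(log_text):
    """Split each line into its five fields; blank or malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            ts, outcome, user, src, dst = parts
            events.append({"ts": ts, "ok": outcome == "OK", "user": user, "src": src, "dst": dst})
    return events

def triage(log_text, known_pairs=KNOWN_PAIRS, spray_threshold=3):
    """Apply the case study's three checks to the failed log-ins only."""
    odd_users, new_pairs = set(), set()
    users_per_src = defaultdict(set)
    for ev in parse(log_text):
        if ev["ok"]:
            continue
        if not NAMING_RE.match(ev["user"]):          # username outside the convention
            odd_users.add(ev["user"])
        if (ev["src"], ev["dst"]) not in known_pairs:  # pair never seen connecting before
            new_pairs.add((ev["src"], ev["dst"]))
        users_per_src[ev["src"]].add(ev["user"])
    # Spray signature: one source trying many distinct usernames rather than one user retrying.
    spray_sources = sorted(s for s, u in users_per_src.items() if len(u) >= spray_threshold)
    return {"odd_usernames": sorted(odd_users), "new_ip_pairs": sorted(new_pairs),
            "spray_sources": spray_sources}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

In production the baseline of known pairs and the threshold would come from historical data rather than constants, but the shape of the logic is the same.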
Ankura InterXeptor’s continuously updated detection rules help spot threats, leading to rapid containment and remediation
Ankura was engaged to conduct threat hunting activities for a financial services client experiencing unusual network activity. Our analysts implemented custom detection rules to spot tactics, techniques, and procedures (TTPs) known to be used by the types of sophisticated threat actors who would likely target this client. The custom detection rules alerted on a small number of anomalous PowerShell (PS) executions.
The use of PS by itself is not unusual in Microsoft Windows environments. However, the manner in which the PS commands were executed was unusual, and triggered further scrutiny. Upon inspection, our analysts determined the suspect PS command execution occurred only on a small number of machines and was in fact a covert “beacon” (a communication method) set up by a threat actor to maintain persistent access to the victim network and enable ongoing communication with the attacker’s command and control server. The destination sites used by the threat actor were named to resemble the client’s legitimate sites so as to evade network traffic detection. Furthermore, our analysts determined the PS commands were designed to appear like routine software upgrades.
Based on the above findings, our Ankura InterXeptor analysts reached out to the client to confirm. Upon further checking by the client, it was ultimately determined that an attacker had gained initial access through a successful spear phishing campaign. Ankura’s incident responders rapidly responded to fully investigate, contain, and remediate the attack before there was any impact to business operations or data integrity.
Ankura InterXeptor’s behavioral anomaly detection rules stop threat actors’ reconnaissance activities
While monitoring a client in the manufacturing industry, our analysts received an alert that a netscan program execution was attempting to run but was denied by our custom preventive rules. Netscan tools are often used legitimately by IT staff to discover new devices connecting to the network, and therefore such activity is often ignored by inexperienced analysts.
However, knowing that network scanning tools are also used by threat actors for reconnaissance purposes, the Ankura team launched an investigation and discovered the scanning was executed from an unusual location on the network. Because of this, our Ankura InterXeptor analysts carried out an additional investigation and discovered more suspicious artifacts in the same location. We reported this to the client, who confirmed the activity was not authorized.
In the end, it was determined this was the work of a cyber threat actor who was conducting reconnaissance on the client’s network to prepare for additional attack/penetration into the client’s environment. The threat actor’s reconnaissance activities were disrupted and stopped due to our analysts’ findings.
Not All MDR Partners Are Created Equal
Choosing the right Managed Detection and Response (MDR) provider is critical for staying ahead of today’s cybersecurity threats. Download our eBook to learn 10 essential questions you should ask before selecting an MDR partner who can provide the highest level of protection and service for your organization.