SOC Talk Recap: Proactive Detection and Response with MDR

Vontier is a global industrial technology company focused on smarter transportation and mobility.  With 150+ global locations serving a growing connected world, cybersecurity is a high priority.  Chief among these concerns are phishing, ransomware, and supply chain attacks, according to Ryan Strohman, Vontier’s Global IT Security Lead – Client Protection.

As part of our webinar series where we speak with cybersecurity practitioners, I recently sat down with Ryan, Senior Security Analyst Liam Walsh, and Detection Architect Marken Teder, the latter two from ReliaQuest, to discuss these issues and get into the details of how to tackle them.

Approach to phishing

When it comes to phishing, Strohman acknowledges the key role that tools play in detection, but says training is also important: “People are our top asset, and ensuring they know how to address suspicious emails, recognize warning signs and red flags, know when it’s safe to click on links or open attachments, and when to forward it on to IT or infosec to investigate—those are the first steps to protecting our environment.”

Of course, not all employees are as tech-savvy as others. As a result, Vontier has to be ready for anything.

Here’s how Vontier typically runs the response process:

  1. An employee forwards a suspicious email or ReliaQuest sends an alert.
  2. Vontier analyzes the level of end user interaction with the email. If a user did become compromised, Vontier implements password changes, isolates endpoints, or launches a full investigation.
  3. In the event of an investigation, they bring in ReliaQuest to help with a corresponding threat hunt.
  4. ReliaQuest then moves the investigation forward.

Phishing attack overview

When ReliaQuest takes over, we first attempt to understand the initial attack vector. Is it attachment based? Is it a link to a fake O365 for example? Or does it drop malware?

We’ll then tailor our recommendations based on our findings. If it’s credential harvesting, we’ll look for unusual logins.

There are a couple of ways ReliaQuest moves on from there, according to Marken. If our security tools show that an end user interacted with a phishing campaign, we need to do further investigation. We’ll look at who was targeted as well as the link that was sent out to help determine what type of attack it was.

The next step is to examine further correlation: “So let’s say if a user received a phishing alert or a phishing email and it contained a URL, we can then correlate proxy traffic to look at, did that user send any post requests to a URL within a short period of time after receiving or clicking on the email? That would be an indicator that they potentially entered some credentials and sent them to the server that’s potentially hosted by the attacker.”
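The proxy-traffic correlation Teder describes, written out as an added Python example (not code from the original post or from ReliaQuest): it joins constructed phishing-email alerts with constructed proxy log lines and flags any user who sent a POST to the phishing host within a configurable window after the email was received.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample data (not from the original page): phishing-email alerts
# per recipient, and tab-separated proxy log lines (timestamp, user, method, URL).
PHISH_ALERTS = [
    {"user": "alice", "url": "https://login-0365-verify.example/auth",
     "received": "2021-11-30T14:02:10"},
    {"user": "bob", "url": "https://login-0365-verify.example/auth",
     "received": "2021-11-30T14:03:45"},
]

PROXY_LOG = """\
2021-11-30T14:05:22\talice\tGET\thttps://login-0365-verify.example/auth
2021-11-30T14:06:01\talice\tPOST\thttps://login-0365-verify.example/auth
2021-11-30T14:07:30\tbob\tGET\thttps://login-0365-verify.example/auth
2021-11-30T16:40:00\tbob\tPOST\thttps://login-0365-verify.example/auth
2021-11-30T14:06:05\tcarol\tPOST\thttps://intranet.example/search
"""


def parse_proxy_log(text):
    """Parse the constructed proxy log format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, method, url = line.split("\t")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "method": method, "url": url})
    return events


def credential_post_hits(alerts, events, window_minutes=30):
    """Return (user, post_time) for every recipient of a phishing email who
    sent a POST to the phishing host within window_minutes after receipt.
    Matching on host rather than full URL catches the form action differing
    from the link in the email; GETs alone (just opening the page) are ignored."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for alert in alerts:
        phish_host = urlparse(alert["url"]).hostname
        received = datetime.fromisoformat(alert["received"])
        for ev in events:
            if ev["user"] != alert["user"] or ev["method"] != "POST":
                continue
            if urlparse(ev["url"]).hostname != phish_host:
                continue
            if received <= ev["ts"] <= received + window:
                hits.append((ev["user"], ev["ts"].isoformat()))
    return hits
```

With the sample data, alice's POST four minutes after delivery is flagged, while bob's POST arrives outside the default window and carol never received the email.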

Getting ahead of ransomware attacks

Strohman acknowledges that ReliaQuest has been a key partner in helping Vontier identify and assess users affected by phishing attempts. If something does happen, Strohman’s team will get an alert from ReliaQuest flagging a suspicious process or an installation in a suspicious directory. But that’s not all—the ReliaQuest team always does some analysis and makes recommendations on next steps even before sending the alert. Vontier’s team then takes what the ReliaQuest SOC analysts have provided and begins mitigation or incident response.

“We’ve been fortunate in that we haven’t been impacted by a ransomware attack, and we can thank ReliaQuest for that.” — Ryan Strohman, Global IT Security Lead, Vontier

If Vontier were to fall victim to ransomware, it would be an “all-hands-on-deck” situation. The highest internal priority would be to identify compromised assets and stop the attack. They would also lean on ReliaQuest to provide visibility into the attack to help mitigate the effects.

How ReliaQuest uses the MITRE ATT&CK framework for ransomware threat management

The first step is to check your EDR and other tools for known malware strains or to analyze the binaries to determine whether this is malware. Of course, that’s not all there is to it, according to Teder.

Because a lot of attack methods are included under ransomware, that means we don’t just have to rely on the signatures of the malware, but we can also look into the attack methods common among these ransomware strains.

For example, the Conti ransomware gang follows a certain set of techniques, which we’ve mapped against the MITRE framework. So even if we can’t detect the signature directly, we know how Conti has operated in the past and what we need to cover against, so we can warn our clients if we see potential Conti activity.

Supply chain botnet attacks

With an extensive network of third-party contractors and consultants, endpoint security is a major concern for Vontier. Add to the vendor sprawl the possibility that a tool might malfunction or be accidentally disabled, and botnets are a very real possibility.

“We keep a very close eye on our environment, but it’s always possible to get a botnet-infected machine,” Strohman says.

To combat this, Vontier relies on a cloud firewall solution plus ReliaQuest detection alerts to identify IP addresses and host names to mitigate the situation.

How ReliaQuest extends the Vontier SecOps team

How ReliaQuest GreyMatter works

Even though the Vontier team is highly experienced and professional, it is relatively small compared to their peers. They just don’t have the manpower to monitor their SIEM 24/7/365, build out alerts, and respond to incidents all at the same time.

That’s where ReliaQuest comes in: “ReliaQuest is helping our information security team mature by giving our team members time to focus on security architecture and engineering products strengthening our incident response processes and business resiliency plans,” Strohman explains.

In addition, the Vontier team can have peace of mind knowing that ReliaQuest is constantly monitoring things in the background.

To do this, ReliaQuest uses its cloud-native platform, GreyMatter, to ingest data from multiple sources, aggregate and parse it, and present relevant information to the ReliaQuest analysts. The analysts then investigate using the data provided by GreyMatter and make a recommendation to the customer, who then takes action and provides feedback.

This combination of automation and expert help spares under-resourced security teams from repetitive, low-value tasks and allows them to focus on what really matters.
