How Our SOC Responded to a Real Life Cybersecurity Incident
We spend a lot of time talking about various cybersecurity solutions and how they can protect your business. Hypotheticals can be effective, but there’s no substitute for the real thing. This stuff is very real and can happen to any business.
We have removed names to protect the identities of those involved. This was a real cybersecurity incident that happened recently. We’ll also note that we don’t intend to share this information as a scare tactic. While cyber threats are scary, the real takeaway here is that every business should remain diligent in their IT approach and take every measure they can to prevent something like this.
How the Cyber Attackers Got In
Two people, whom we will refer to as Clark and Lois, received the same malicious email on a Friday morning. At 8:50 a.m. Clark opened it and followed a link to a phony invoice. The link led to a credential-harvesting page, and in an attempt to open the invoice Clark entered their Microsoft 365 username and password.
Minutes later the attackers used those credentials to sign in from an IP address in a foreign country, which triggered a two-factor authentication (2FA) prompt to Clark. The prompt was approved, and Microsoft Entra’s sign-in logs confirmed a successful login from that same IP address. The attackers now held not just Clark’s password but an authenticated session that 2FA had failed to stop.
Incident Response
At 11:17 a.m., roughly two and a half hours after the initial login, our third-party Security Operations Center (SOC) generated an alert indicating that Clark’s account had been accessed from a new VPN and IP address, a big red flag. Microsoft Entra’s logs corroborated the successful login, and at 11:30 a.m. our SOC blocked Clark’s account and contacted Innovative by phone.
From there, our team revoked all of Clark’s active Microsoft 365 sessions (this invalidates the attackers’ refresh tokens; any access tokens already issued keep working until their default lifetime of roughly an hour runs out, so the revoke is not instantaneous), forced a password change for the account, and scanned Clark’s device to ensure it was free of malware or other malicious content, which it was.
Our team also verified that no unauthorized Outlook inbox rules had been created (attackers commonly add rules that forward, redirect or delete mail to hide their activity) and reviewed Microsoft 365’s sign-in logs, which showed no additional suspicious login attempts on Clark’s account.
Because our SOC’s approach is to respond and remediate first and contact Innovative second, remediation started quickly: the account was blocked within 13 minutes of the alert (11:17 a.m. to 11:30 a.m.), and the bad actor was cut off shortly after. The longer gap in this timeline is the one between initial access at about 9:00 a.m. and the alert at 11:17 a.m.; that is the window faster detection would shrink.
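The containment and verification steps described above, as an added example that is not part of the original post and not Innovative’s or the SOC’s own tooling: a PowerShell script using the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module that blocks the account, resets the password, revokes sessions, inspects inbox rules and mailbox forwarding, summarises recent sign-ins by IP and country, and (one step beyond the article’s list) lists the account’s registered MFA methods, since an approved 2FA prompt is a cue to check whether the attacker registered a method of their own. The user principal name, the expected sign-in countries and the lookback window are placeholders.

```powershell
# Added example: containment and verification for a compromised Microsoft 365 account.
# Not Innovative's or the SOC's script. Placeholders: $Upn, $ExpectedCountries, $LookbackDays.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Reports, Microsoft.Graph.Identity.SignIns, ExchangeOnlineManagement
param(
    [string]$Upn = 'clark@example.com',        # placeholder: the compromised account
    [string[]]$ExpectedCountries = @('US'),    # placeholder: where this user normally signs in from
    [int]$LookbackDays = 7
)

# The signed-in admin needs a role that may reset passwords (e.g. User Administrator).
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All', 'Directory.Read.All',
    'UserAuthenticationMethod.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Contain: block the account, replace the password, then invalidate every session.
#    Revoking sessions kills refresh tokens; access tokens already issued expire on their
#    own default lifetime (about an hour), so do not treat the revoke as instantaneous.
Update-MgUser -UserId $Upn -AccountEnabled:$false
$alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%'
$tempPassword = -join (Get-Random -InputObject $alphabet -Count 24)
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}
Revoke-MgUserSignInSession -UserId $Upn | Out-Null
# Hand the temporary password to the user out of band (phone, in person), never by email.
Write-Host "Account $Upn disabled, password reset, sessions revoked. Temp password: $tempPassword"

# 2. Persistence check: inbox rules that forward, redirect, delete or bury mail, plus
#    mailbox-level forwarding. -IncludeHidden also returns rules created via MAPI/EWS
#    that do not appear in the Outlook UI.
$rules = Get-InboxRule -Mailbox $Upn -IncludeHidden
$suspiciousRules = $rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or
    ($_.MoveToFolder -and $_.MoveToFolder -match 'RSS|Archive|Junk|Deleted|Conversation History')
}
if ($suspiciousRules) {
    Write-Warning "Suspicious inbox rules on ${Upn}:"
    $suspiciousRules | Format-Table Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder -AutoSize
} else {
    Write-Host "No forwarding/redirect/delete inbox rules found on $Upn."
}
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Sign-in review for the lookback window (Get-MgAuditLogSignIn needs Entra ID P1/P2).
$since = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since"
$summary = foreach ($s in $signIns) {
    [pscustomobject]@{
        Time       = $s.CreatedDateTime
        Ip         = $s.IpAddress
        Country    = $s.Location.CountryOrRegion
        App        = $s.AppDisplayName
        Client     = $s.ClientAppUsed
        Mfa        = $s.AuthenticationRequirement
        Result     = if ($s.Status.ErrorCode -eq 0) { 'Success' } else { "Fail($($s.Status.ErrorCode))" }
        Unexpected = $s.Location.CountryOrRegion -notin $ExpectedCountries   # null country is flagged too
    }
}
Write-Host "Sign-ins by source over the last $LookbackDays days:"
$summary | Group-Object Ip, Country | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
Write-Host 'Sign-ins from outside the expected countries (a foreign-IP login like the one above lands here):'
$summary | Where-Object Unexpected | Sort-Object Time |
    Format-Table Time, Ip, Country, App, Client, Mfa, Result -AutoSize

# 4. Registered MFA methods: an attacker who gets past 2FA often registers their own
#    authenticator app or phone number. Anything the user does not recognise must go.
Get-MgUserAuthenticationMethod -UserId $Upn | ForEach-Object {
    [pscustomobject]@{
        Id     = $_.Id
        Type   = $_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
        Detail = if ($_.AdditionalProperties['phoneNumber']) { $_.AdditionalProperties['phoneNumber'] }
                 else { $_.AdditionalProperties['displayName'] }
    }
} | Format-Table -AutoSize
```

The order in step 1 matters: reset the password before revoking sessions, so that the revoke timestamp post-dates every token issued under the old password. Run the script once to contain, then repeat steps 2 to 4 at the end of the investigation to confirm nothing was re-added.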
Handling a Malicious Email
Lois took a different approach to the situation. When they saw the email, they recognised it as suspicious and deleted it without opening it, essentially slamming the door shut in the face of the cyber threat. Reporting the message to IT as well as deleting it is better still: it lets the team check who else received it and pull it from their inboxes before anyone clicks.
Wondering how to spot a malicious email? Check out our article here.
After investigation, our team determined that the suspicious email sent to Clark and Lois was an isolated incident that was responded to quickly and appropriately.
Preventing Cyber Threats in Your Business
Stories like this highlight the need for a well-rounded approach to cybersecurity and IT as a whole: people, processes, and technology working together to mitigate threats and avoid downtime. Without swift action from the SOC, clear processes from our team, and Lois’ keen eye, there’s no telling what the attackers could have gained access to or influenced.
If your business is looking to shore up its cybersecurity approach, or if you’re unsure where you currently stand, be sure to check out our free cybersecurity assessment and see a real-life example of how hackers could gain access to your business network.