Emotet Caught in a City

The Network: A municipal government serviced by an MSP had requested that the Netsurion SIEM sensor be installed on hundreds of monitored endpoints.
The Expectation: Netsurion’s Managed Threat Protection, with advanced endpoint protection and behavior analytics, would deliver added protection for the government agency.
The Catch: Over a weekend, and within hours of onboarding, the municipal government serviced by an MSP was found to be infected with Emotet malware, which had mutated and propagated throughout the network. The threat was discovered and contained following two email exchanges with remediation advice from Netsurion’s Security Operations Center (SOC). This gave the MSP time to deal with the problem in an orderly manner during normal business hours the following business day, knowing that the threat had been neutralized.
The Find: Just two hours after installation, Netsurion’s security analyst alerted the MSP to suspicious activity in the network. In the meantime, Netsurion’s security analysts started a deep-dive investigation including:

  1. Assessing the extent of infection in the customer environment
  2. Collecting indicators of compromise (IOCs) which could later be used by Netsurion’s advanced features like suspicious process termination and behavior analytics

The Fix: After a second notification from Netsurion, the MSP authorized the automatic shutdown of bad processes and IP communication, neutralizing the threat and giving the MSP and the municipality time to remediate and recover from the infection. This was made possible by the collaboration afforded by Co-Managed SIEM services and the SIEM platform’s machine learning (ML) and automated response capabilities.
Our SOC responded to the customer with all investigation findings and informed them that all Netsurion sensors at the infected customer premises were updated with Netsurion’s advanced suspicious process learning and process lockdown options, which contained further malware propagation.
The Lesson: Our observation and investigation found that the following best practices could have limited the spread of the incident:

  • Firewall best practices, such as an implicit deny-all-service rule, which would have terminated communication over unknown ports to destinations outside the customer infrastructure
  • Role-based access control (RBAC) and least privilege policies
  • Avoiding the use of generic user IDs
  • Stringent DNS access policies
  • User awareness and training on phishing emails
  • Content filtering of web traffic
  • Defense-in-depth strategies