StealthINTERCEPT POC Successes

They say some products sell themselves, and StealthINTERCEPT has certainly earned that reputation in not one, but two recent Proofs of Concept (POC) deployments. Designed to identify APTs and surface anomalous authentication-based activity often indicative of an attack, StealthINTERCEPT recently put the “proof” in the Proof of Concept in two production-environment deployments.

Midwest Hospital

The lead Information Security Architect at a large hospital in the US Midwest attended a StealthINTERCEPT webinar, and just 7 minutes into the presentation, asked to arrange a POC as quickly as possible.

In the first POC work session, STEALTHbits’ engineers deployed StealthINTERCEPT in the hospital’s production environment successfully. Shortly thereafter, at the start of the second work session, STEALTHbits activated one of the built-in real-time threat analytics: Horizontal Account Movement. Horizontal Account Movement is a classic “land-and-expand” technique used by hackers after they successfully compromise a legitimate set of account credentials. Looking to uncover elevated credentials that will provide them access to sensitive systems and data, attackers use the legitimate credentials to probe servers on the network hoping to find one that the stolen credential can access.

During the hospital POC, ten minutes into the second work session, and after the out-of-the-box StealthINTERCEPT analytic was turned on, an alert was generated surfacing suspicious activity which was quickly identified as a compromised Admin account moving horizontally across the network.

Global Energy Trading Company

A global energy company based in Europe recently got a bittersweet surprise during a POC of StealthINTERCEPT. Much like the Midwest US Hospital, STEALTHbits customer engineer, Mark Wilson, spent some time one morning installing StealthINTERCEPT in the company’s environment. Once the product was running smoothly, Mark felt comfortable flipping on the analytics switch, in a manner of speaking.

“After a very productive morning with the customer, I thought we may as well take a look at setting up the Authentication Analytics module,” described Mark. “Literally the second I clicked save, a Horizontal Movement attack was flagged emanating from one of the IT Support guys’ PCs.” The details of the suspicious activity included:

  • All authentication attempts occurred in exactly 1 minute, on the minute
  • Both Kerberos & NTLM authentication protocols were used
  • There were 23 attempts total; 17 were successful. This suggested the user was logging in with an admin/privileged account
  • 2 Domain Controllers were contacted for authentication

Added Mark: “These were all classic signs of Horizontal movement and something the customer would never have spotted without StealthINTERCEPT.”
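As an added illustration (not STEALTHbits code, and not how StealthINTERCEPT’s analytic is actually implemented), the following Python sketch shows how the indicators listed above can be turned into a simple detection rule over domain controller authentication events: group events by account and source host, slide a one-minute window across them, and flag any pair that reaches many distinct target servers, reporting attempt and success counts, the protocols used and the DCs contacted. The account, host and DC names, the timestamps and the five-target threshold are constructed assumptions chosen so the sample burst mirrors the numbers in the post.

```python
"""Toy detector for the horizontal movement pattern described above.

Constructed example: the events, hosts and account names are made up
and the thresholds are illustrative, not StealthINTERCEPT's logic.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime        # time the DC processed the authentication
    user: str           # account being authenticated
    source: str         # workstation the request came from
    target: str         # server the account tried to reach
    protocol: str       # "Kerberos" or "NTLM"
    dc: str             # domain controller that handled the request
    success: bool


def build_sample_events():
    """Constructed sample: one burst that mirrors the indicators in the post
    (23 attempts inside one minute, mixed Kerberos/NTLM, two DCs, 17 successes)
    plus a little ordinary activity that must not trigger."""
    t0 = datetime(2015, 6, 1, 9, 30, 0)
    failed = {2, 6, 10, 14, 18, 22}          # 6 failures -> 17 successes
    burst = [
        AuthEvent(
            ts=t0 + timedelta(seconds=2.5 * i),
            user="svc_helpdesk",                 # hypothetical privileged account
            source="IT-SUPPORT-07",              # hypothetical IT support PC
            target=f"SRV-{i + 1:02d}",           # a different server each time
            protocol="Kerberos" if i % 2 == 0 else "NTLM",
            dc="DC01" if i % 3 else "DC02",
            success=i not in failed,
        )
        for i in range(23)
    ]
    # Benign: a user opening two shares over twenty minutes.
    benign = [
        AuthEvent(t0 + timedelta(minutes=m), "jsmith", "WS-101", tgt, "Kerberos", "DC01", True)
        for m, tgt in ((0, "FILESRV-01"), (12, "MAIL-01"), (20, "FILESRV-01"))
    ]
    return burst + benign


def detect_horizontal_movement(events, window=timedelta(minutes=1), min_targets=5):
    """Flag any (user, source) pair that touches >= min_targets distinct servers
    inside a sliding time window; return one finding per pair, summarising the
    largest qualifying window."""
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[(ev.user, ev.source)].append(ev)

    findings = []
    for (user, source), evs in by_actor.items():
        evs.sort(key=lambda e: e.ts)
        best = []
        start = 0
        for end in range(len(evs)):
            # shrink from the left until the window fits inside the time limit
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            if len({e.target for e in win}) >= min_targets and len(win) > len(best):
                best = win
        if best:
            findings.append({
                "user": user,
                "source": source,
                "attempts": len(best),
                "successes": sum(1 for e in best if e.success),
                "targets": sorted({e.target for e in best}),
                "protocols": sorted({e.protocol for e in best}),
                "domain_controllers": sorted({e.dc for e in best}),
                "span_seconds": (best[-1].ts - best[0].ts).total_seconds(),
            })
    return findings


SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    for f in detect_horizontal_movement(SAMPLE_EVENTS):
        print(f"{f['user']}@{f['source']}: {f['attempts']} attempts "
              f"({f['successes']} ok) to {len(f['targets'])} servers in "
              f"{f['span_seconds']:.0f}s via {'/'.join(f['protocols'])}, "
              f"DCs={','.join(f['domain_controllers'])}")
```

The finding names the source workstation and lists every target that was reached, which is the information a responder needs first: the source host is where the credential is being used from, and the successfully authenticated targets are the machines to check next. The benign user in the sample never exceeds the target threshold and produces no finding, which is the false-positive check a rule like this needs before it goes near production.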

To be sure, Mark ran both of the other built-in StealthINTERCEPT attack analytics, Brute Force Attack and Account Hacking.

“They came up clean, all but ruling out analytic false positives caused by a problem with our software. No question, they had a problem.”

Mark advised the company to investigate the target machines identified in the StealthINTERCEPT alerts, and suggested they look for a Trojan Virus likely propagating horizontally on their network. When an authentication event is successful – 17 in this case – it’s likely the malware was able to deposit its payload on the target machine.

“That’s the beauty of StealthINTERCEPT. We can not only detect the attack as it’s happening, but we can pinpoint the affected machines right away, accelerating remediation and recovery efforts. All this capability comes out-of-the-box, without installing agents on endpoints, or employing an army of analysts peeling through logs. It really is a terrific product, and perfect for today’s high threat environment.”

Highlights:

  • Large Midwest Hospital
    • Just 7 minutes into the presentation, asked to arrange a POC

    • Identified a compromised Admin account moving horizontally across the network

  • Global Energy Trading Company
    • Used StealthINTERCEPT’s real-time threat analytics to identify suspicious activity
