Microsoft’s Detection and Response Team (DART), in an effort to encourage the use of better security practices, is planning on sharing its experiences wit customers to let others know the methods of hackers. One particular customer story just shows how some organizations are still lax when it comes to security as they had 6 different groups hacking their network in the same time period.
In the first report that they gave, there was details of an advanced persistent threat (APT) that was able to steal administrator credentials to steal sensitive data. This attack persisted for 243 days, this was when DART was called in to help the customer.
One thing to note, this attack could have been prevented if a multi-factor authentication (MFA) was in place. Microsoft says that almost 99.9% of compromised accounts do not use MFA, and only 11% of enterprise accounts use MFA.
When DART was in the process of removing the attacker on the system, that was when it discovered the other 5 intruders within the network. The attackers were not coordinating the attack together, the main attacker used a password-spraying attack to get the credentials of the Office 365 admin. They then searched the mailboxes for confidential emails that contained intellectual property in certain markets.
The company tried its best to resolve the attack in the first month, but then needed to call in an incident-response vendor to help. It proved to become a lengthy investigation and after 7 months, Microsoft’s DART was called to help with the investigation. They were able to eject the threat on the day they were assigned the task.
Below are a few Microsoft recommended ways in which to avoid the risk of APT attacks:
- Enabling MFA
- Removing legacy authentication
- Giving enough training to first responders
- Logging events properly with a security, information and event management product
- Recognizing attackers use legitimate administrative and security tools to probe targets
To learn more about how you can keep your systems safe from APT attacks or other major attacks like ransomware, you can contact us at 8893 9515 or email us at sales@ctlink.com.ph and we would be happy to help you!
One Response