*Note: due to the sensitive nature of the information, all identifying details related to cyber security audits are redacted.
After noticing suspicious activity on their network, [Company Redacted] contacted Shinobi IT for intrusion mitigation services, hoping to establish the root cause. Shinobi IT found that an intrusion had in fact succeeded, shut it down, and prevented further damage.
[Company Redacted] is a small business-services office based in [City Redacted] with about 10 people on staff. There is no in-house IT team; they rely entirely on third-party IT support.
The customer noticed that a user account which should no longer have been in use had been left logged in to a workstation. They asked Shinobi IT to investigate how and why this happened. The customer had only minimal network logging enabled and was using consumer-grade equipment. Making matters worse, user accounts were routinely shared between staff, including accounts belonging to people who had already left the company.
How we helped:
Shinobi IT immediately began combing through the available logs while increasing the amount of logging on the network. We found a series of login events that occurred while all users were off-site. We compared these with the very limited logs available on the firewall and found connections into the network from outside at corresponding times.
An attack on the client network had in fact succeeded. A previous IT consulting firm had exposed Microsoft Remote Desktop (RDP) on the internal network to the public internet. Internet-exposed RDP is a common target for attackers: it is routinely scanned and brute-forced, and in small environments it is rarely monitored. The attacker was able to log into the company's Domain Controller, escalate their privileges, and gain administrator-level access to the network.
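The correlation described above, as an added example that is not part of Shinobi IT's write-up: it joins a constructed Windows Security log export (EventID 4624, LogonType 10 for RDP sessions) with a constructed firewall connection log, keeps RDP logons that came from outside the client's LAN outside working hours, and looks for a matching allowed connection to port 3389 from the same address within a small clock-skew window. The LAN range, working hours, skew tolerance, IP addresses and account names are assumptions made for the example.

```python
from datetime import datetime, timedelta, time
from ipaddress import ip_address, ip_network

# Constructed sample of a Windows Security log export, one logon event per line:
# timestamp, EventID, account, LogonType, source address.
# LogonType 10 = RemoteInteractive (RDP); LogonType 2 = interactive at the console.
WINDOWS_EVENTS = """\
2024-03-02T02:14:09,4624,svc-backup,10,203.0.113.45
2024-03-02T02:15:31,4624,jsmith,10,203.0.113.45
2024-03-02T02:40:12,4624,svc-backup,10,198.51.100.7
2024-03-02T09:02:55,4624,jsmith,10,192.168.1.23
2024-03-02T11:30:00,4624,mjones,2,-
"""

# Constructed sample of a minimal consumer-firewall connection log:
# timestamp, action, source, destination, destination port.
FIREWALL_LOG = """\
2024-03-02T02:13:58 ALLOW 203.0.113.45 192.168.1.10 3389
2024-03-02T02:15:20 ALLOW 203.0.113.45 192.168.1.10 3389
2024-03-02T08:55:02 ALLOW 198.51.100.7 192.168.1.10 443
2024-03-02T09:02:40 ALLOW 192.168.1.23 192.168.1.10 3389
"""

# Assumptions for this example: the client's LAN range, their working hours,
# and how far the firewall clock may drift from the domain controller clock.
INTERNAL_NETS = [ip_network("192.168.1.0/24")]
BUSINESS_HOURS = (time(8, 0), time(18, 0))
CLOCK_SKEW = timedelta(minutes=2)
RDP_PORT = 3389
LOGON_EVENT = 4624
RDP_LOGON_TYPE = 10


def parse_windows_events(text):
    """Parse the CSV-style export into dicts; '-' means no network source."""
    events = []
    for line in text.splitlines():
        ts, event_id, account, logon_type, src = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "account": account,
            "logon_type": int(logon_type),
            "src": None if src == "-" else src,
        })
    return events


def parse_firewall(text):
    """Parse whitespace-separated firewall lines into dicts."""
    records = []
    for line in text.splitlines():
        ts, action, src, dst, dport = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "action": action,
            "src": src,
            "dst": dst,
            "dport": int(dport),
        })
    return records


def is_off_hours(t):
    start, end = BUSINESS_HOURS
    return not (start <= t.time() < end)


def is_external(ip):
    """True when the address is not in any of the client's own LAN ranges."""
    if ip is None:
        return False
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)


def suspicious_rdp_logons(events, firewall):
    """Off-hours RDP logons from outside the LAN, each tagged with whether
    the firewall log shows an allowed 3389 connection from the same source."""
    findings = []
    for ev in events:
        if ev["event_id"] != LOGON_EVENT or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        if not (is_external(ev["src"]) and is_off_hours(ev["time"])):
            continue
        matches = [
            fw for fw in firewall
            if fw["action"] == "ALLOW"
            and fw["dport"] == RDP_PORT
            and fw["src"] == ev["src"]
            and abs(fw["time"] - ev["time"]) <= CLOCK_SKEW
        ]
        findings.append({
            "time": ev["time"].isoformat(),
            "account": ev["account"],
            "src": ev["src"],
            "corroborated": bool(matches),
        })
    return findings


if __name__ == "__main__":
    events = parse_windows_events(WINDOWS_EVENTS)
    firewall = parse_firewall(FIREWALL_LOG)
    for f in suspicious_rdp_logons(events, firewall):
        tag = "firewall match" if f["corroborated"] else "NO firewall record"
        print(f"{f['time']}  {f['account']:<12} from {f['src']:<15} {tag}")
```

The third finding (svc-backup from 198.51.100.7 at 02:40) has no corresponding firewall record, which is the situation the case describes: with only minimal logging, not every session the domain controller saw can be tied back to a firewall entry, so a missing match is a gap in the evidence rather than a reason to dismiss the logon.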
Shinobi IT immediately shut down the intruder's access. We worked with the client to reset all passwords, including those for bank accounts and partner portals. Shinobi IT then combed through the workstations, the domain controller and the consumer-grade firewall to verify that the attacker had not left behind a way to regain access. In addition to this audit, Shinobi IT enabled more robust logging on all network equipment, replaced the client's firewall with an enterprise-class solution providing network intrusion detection and prevention, and continued to monitor for further activity. Finally, we provided basic end-user cyber security training and a how-to on keeping up with account maintenance.