ENVIRONMENT: 4000+ employees global corporation.

BUSINESS EXPECTATION: Corporate email systems are secured with content filtering.

INDICATOR: Corporate office increased rate of sent emails by over %300 in 10 minutes.

THE FIND: Employee home computer infected with malware. Analysis showed malware using employee’s email client to send 1000’s of emails, causing regional mail server to reroute all email via Australia, where it was detected by the sensors. Email contained links to compromised sites.

LESSON: Implement effective network monitoring in regional offices also. Cybercriminals target smaller, regional and partner offices.

ENVIRONMENT: A nationwide financial advisor, with network of local accounting firms.

BUSINESS EXPECTATION: Exchanges of confidential data and credentials is to be secured.

INDICATOR: TD alerted on employees in local accounting accessing secure portal with weak password encryption. We were able to decrypt the password using single google search.

THE FIND: The potential danger to the financial service provider is that reputation and financial loss for being unable to properly secure credentials. Mandatory breach disclosure laws(check) require provider to inform affected customers. Our client, the local accounting firm was assuming these credentials are for top secret portal, therefore using their top secret passwords, for the provider to convert them to plain text.

LESSON: Properly secure credential transmission, simple $50 per year https implementation would have removed this risk.

ENVIRONMENT: Financial institution

BUSINESS EXPECTATION: Brand new vendor appliances will not be infected by malware!

INDICATOR: TD detected TOR communications inside customer network, using TOR exit nodes in Turkey. Closer investigation revealed office music broadcast system streaming continuous amount of data over TOR.

THE FIND: TO BE UPDATED Passwords are set to expire every 90 days; user gets reminded on the desktop and changes the password but neglects to update the smartphone which then tries repeatedly to logon, fails and causes an account lockout.

LESSON: User education is a good investment.

ENVIRONMENT: Financial Consultancy with 70+ employees;

BUSINESS EXPECTATION: Major business partner’s email systems are secure.

INDICATOR: Very large corporate partner’s network infected with Crypto virus, emails sent out with malicious attachment to our customer site running TD.

THE FIND: Our service desk received a call from our customer with reports of email outage to certain email domain. Our service desk team quickly established that emails are being administratively blocked on TD’s SMTP content filter, and the reason was that the corporate partner was caught to be sending emails with crypto malware attachments to our customer. The auto block remained in place to protect our customer from the 10000+ employee business partner. TD team informed the corporate partner which confirmed major crypto infection, including most of their servers. TD auto detected, auto blocked and ensured the customer is crypto-free – effortlessly.

LESSON: Do not assume that a large corporate partner have better security! Sometimes larger organisations can be more vulnerable due to more complex network.

Environment: 150+ employees services company.

Business expectation: Employees will comply with corporate standards

Indicator: Threatdefence detected communications with certain .tk domain name;

The Find: Employee was involved with downloading and sharing of media content using business PC. TD generated two alerts: one was for communication to .tk domain and the second alert was exit TOR node. This op was run by a third employee secretly using colleague PC.

Lesson: Implement no administrative privileges on local endpoints, application whitelisting and/or web content filtering to prevent running of non business apps.

Environment: 40+ employees financial company.

Business expectation: Ensure data integrity

Indicator: Threatdefence simply generated alert against hits from small Europeran country we have never seen before.

The Find: Prospect asks TD to help with some internet slowness issues. TD was deployed in “robot auditor” mode, which quickly generated visualization of network flow and exposed major security control issues. TD discovered large file transfer in progress, data type was various financial applications. The transfer was stopped, customer firewalls were upgraded to TD. later we were informed that former business partner hired a hacker to “spy”. The former partner was involved with managing IT.

Lesson: When significant person leaves the business, perform perimeter security review.

Environment: 100+ employees transport company

Business expectation: User accounts access is controlled

Indicator: Threatdefence detected username simultaneously logging from different continents.

The Find: TD matched a preconfigured correlation rule where same username logged in from two different geographical locations simultaneously. The employee logged in from his office at 0940, 2 hours later same employee logged in from Turkey using VPN. The employee VPN account was found to be compromised.

Lesson: Protect user accounts with controls, enforcement and monitoring.

Environment: 1000+ employees logistics company 
Business expectation: Use of firewall to help secure corporate internet permiter.

Indicator: Threatdefence detected misconfigured firewall access lists, by analyzing netflow data delivered from single SPAN port.

The Find: TD constantly detects hits on outside firewall interface from services it should not have been open. These detections reduce major risks and allow prompt remediations.

Lesson: Firewall misconfiguration is very common and results in unneeded risk exposures.