Case Studies

We detect threats, errors and misconfigurations in your business that your other security systems have missed.

Malware infected systems

Saved at least $15k in remediation work and prevented a business outage. That is close to the annual ThreatDefence licence.

ThreatDefence found: 

A user connected to a malware-serving site and, a few seconds later, several other systems followed.

Missed by:   

Dell, Cisco Firepower.

Method: 

ThreatDefence has Google Safe Browsing threat intelligence built in, which identified this one-day-old emerging threat. The Safe Browsing data is cached locally to maintain wire-speed performance and minimise online lookups. The client was informed and an unnecessary outage was prevented.

Network:        

A public company, 2000+ devices in the network.

Successful Office 365 logons from Nepal

The risk was identified before the account was abused, and the client was spared a potentially public embarrassment.

ThreatDefence found:

A user logged in successfully from Nepal and from Australia within 10 minutes. The client was informed, and the investigation revealed a compromised Office 365 account.

Missed by:

The built-in Azure and Office 365 algorithms.

Method:

The alert was triggered because the account was used from Nepal and from Australia within a 10-minute interval, a distance no traveller can cover in that time. Our client has no employees in Nepal, so the Nepalese sign-in was suspicious on its own.
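As an added illustration, not ThreatDefence's own code, the two checks behind this finding can be run over an export of Office 365 sign-in events: an impossible-travel test on consecutive successful sign-ins, and a plain allow-list of countries where the organisation has staff. The JSON field names, the country centroids, the 1000 km/h ceiling and the expected-country list are assumptions made for the example; the sign-in records are constructed.

```python
"""Impossible-travel and unexpected-country checks over Office 365 sign-in
events. Added example, not ThreatDefence's own logic.

Assumptions (not from the page): sign-ins arrive as JSON lines with the
fields user, time (ISO 8601, UTC), country (ISO 3166 alpha-2) and result;
distance is estimated between approximate, constructed country centroids;
anything implying travel faster than MAX_SPEED_KMH between two successful
sign-ins is flagged.
"""
import json
import math
from collections import defaultdict
from datetime import datetime

# Approximate centroids (lat, lon) in degrees; constructed for this example.
COUNTRY_CENTROID = {
    "AU": (-25.27, 133.78),
    "NP": (28.39, 84.12),
    "NZ": (-40.90, 174.89),
}
MAX_SPEED_KMH = 1000.0          # assumed ceiling: faster than any airliner
EXPECTED_COUNTRIES = {"AU", "NZ"}  # assumed: where this client's staff work


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def parse_signins(lines):
    """Parse JSON-lines sign-in records; blank lines are skipped."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive successful sign-ins by one user from different
    countries whose implied speed exceeds max_speed_kmh. Failed sign-ins are
    ignored: only a successful one proves the credential worked."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("result") == "Success":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["country"] == cur["country"]:
                continue
            km = haversine_km(COUNTRY_CENTROID[prev["country"]],
                              COUNTRY_CENTROID[cur["country"]])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": prev["country"],
                               "to": cur["country"],
                               "minutes": round(hours * 60), "kmh": round(speed)})
    return alerts


def unexpected_country(events, allowed=EXPECTED_COUNTRIES):
    """Successful sign-ins from countries where the organisation has no staff."""
    return [e for e in events
            if e.get("result") == "Success" and e["country"] not in allowed]


# Constructed sample: alice's account is used from Nepal ten minutes after an
# Australian sign-in; bob's Australia-then-Nepal sign-ins are 12 hours apart
# (about 8000 km, so under the speed ceiling); a failed Nepalese attempt
# against carol is not counted by either rule.
SAMPLE_LOG = """
{"user": "alice", "time": "2023-05-02T01:00:00Z", "country": "AU", "result": "Success"}
{"user": "alice", "time": "2023-05-02T01:10:00Z", "country": "NP", "result": "Success"}
{"user": "bob",   "time": "2023-05-02T02:00:00Z", "country": "AU", "result": "Success"}
{"user": "bob",   "time": "2023-05-02T14:00:00Z", "country": "NP", "result": "Success"}
{"user": "carol", "time": "2023-05-02T03:00:00Z", "country": "AU", "result": "Success"}
{"user": "carol", "time": "2023-05-02T03:05:00Z", "country": "NP", "result": "Failure"}
"""

if __name__ == "__main__":
    evs = parse_signins(SAMPLE_LOG.splitlines())
    for a in impossible_travel(evs):
        print("impossible travel:", a)
    for e in unexpected_country(evs):
        print("unexpected country:", e["user"], e["country"], e["time"])
```

Only alice trips the impossible-travel rule; bob's Nepal sign-in is caught by the expected-country rule instead, which is why the two checks are worth running together. Country centroids are coarse, so in production the distance should come from the geolocated IP addresses rather than the country code.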

Network:

A publicly listed company, 2000+ devices in the network.

The “old” IT provider story

Without such a tool, IT departments are virtually blind when it comes to network activity.

ThreatDefence found:         

The previous IT provider still maintained a VPN session to the client's corporate network, with active connections to business-critical systems.

Missed by:

Everyone. ThreatDefence detects risks like this without needing any threat indicators.

Method:

Customer IT discovered this incident simply by browsing the live NetFlow dashboards. ThreatDefence automatically labels IP address ranges with the name of the organisation that owns them, and this labelling made the rogue IT provider's connection quick to identify.

Network:

A large manufacturing company, 1000+ devices in the network.

A lazy hacker with poor English

How can your business detect specially crafted malicious applications?

ThreatDefence found:         

A non-client contacted ThreatDefence for breach response. After our workstation agents were deployed, several desktops running accounting software with misspelt executable names were detected.

Missed by:   

Cisco Firepower, Sophos Enterprise.

Method: 

The network had been compromised for a few weeks: servers were rebuilt, reinfected, and rebuilt again, we were told. The workstation agent tracks file execution and alerts on anomalies, in this case a misspelt English name. The ThreatDefence team stopped the breach within two hours; the previous provider had spent two weeks without progress.
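One way to turn "a misspelt name" into a repeatable check, added here as an example and not the agent's own logic: compare every executed image name against an allow-list of known product binaries and flag near-misses by edit distance, plus known names running from outside their install directory. The event fields, the product names, the install directories and the edit-distance limit are constructed assumptions.

```python
"""Look-alike executable-name check over process-execution events. Added
example, not ThreatDefence's agent logic.

Assumption (not from the page): the agent records each process start as a
dict with host and image path. Known product binaries and their install
directories are a constructed allow-list; a name within a small edit
distance of a known binary, but not equal to it, is flagged, as is a known
name running from outside its install directory.
"""
import ntpath

# Constructed allow-list: executable name -> expected install directory.
KNOWN_BINARIES = {
    "acctledger.exe": r"C:\Program Files\AcctLedger",
    "payroll.exe": r"C:\Program Files\AcctLedger",
}
MAX_DISTANCE = 2  # assumed: one or two character edits covers typical misspellings


def edit_distance(a, b):
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_findings(events, known=KNOWN_BINARIES, max_distance=MAX_DISTANCE):
    """Return one finding per event whose image is a look-alike of a known
    binary, or a known binary launched from an unexpected directory."""
    findings = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        directory = ntpath.dirname(e["image"])
        if name in known:
            if ntpath.normcase(directory) != ntpath.normcase(known[name]):
                findings.append({"host": e["host"], "image": e["image"],
                                 "reason": f"{name} running outside {known[name]}"})
            continue
        for legit in known:
            d = edit_distance(name, legit)
            if 0 < d <= max_distance:
                findings.append({"host": e["host"], "image": e["image"],
                                 "reason": f"{name} is {d} edit(s) from {legit}"})
                break
    return findings


# Constructed process-start events; ws01 and ws03 are benign.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Program Files\AcctLedger\acctledger.exe"},
    {"host": "ws02", "image": r"C:\Users\jdoe\AppData\Local\Temp\acctleger.exe"},
    {"host": "ws03", "image": r"C:\Windows\System32\notepad.exe"},
    {"host": "ws04", "image": r"C:\ProgramData\payrol1.exe"},
    {"host": "ws05", "image": r"C:\Users\Public\payroll.exe"},
]

if __name__ == "__main__":
    for f in lookalike_findings(SAMPLE_EVENTS):
        print(f["host"], f["image"], "->", f["reason"])
```

A name check like this catches the careless attacker described above; a careful one reuses the exact name, which is why the directory test and, better still, a hash allow-list of the vendor's signed binaries belong alongside it.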

Network:        

An international company, 4000+ devices in the network.

IT deployed malicious backup software

Pirated software often carries malware, but how can you detect it?

ThreatDefence found:        

“Someone” in the IT department downloaded and installed a pirated version of the StorageCraft backup software on the most business-critical systems.

Missed by: 

Sophos Enterprise, Windows Defender.

Method: 

The event was detected by correlating the hash values of the installed software with a database of known malicious indicators.

Network: 

A financial trading company, 300+ devices in the network.

ICMP Tunnels

Software should only be downloaded from reputable sites, unless you have a tool like ThreatDefence to alert on malware-ridden software.

ThreatDefence found:           

Several SSH servers were compromised and the attacker established an ICMP tunnel to command-and-control servers, using a free tool from GitHub.

Missed by:   

Cisco firewalls, McAfee.

Method: 

Detecting ICMP tunnels is not easy. ThreatDefence uses dynamic protocol detection to determine whether each network protocol is being used according to its design specification; ICMP echo packets carrying tunnelled data are not.
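To show what "used according to its design specification" can mean for ICMP, here is an added example (not ThreatDefence's engine) that parses raw ICMP echo packets and checks the two properties RFC 792 fixes for echo traffic: the code field is 0 and a reply carries exactly the data of the matching request. Two heuristics are layered on top: payload entropy above an assumed limit, and a payload that matches neither the Windows nor the iputils ping fill pattern. The packets, addresses and the entropy threshold are constructed assumptions.

```python
"""Protocol-conformance checks on ICMP echo traffic. Added example, not
ThreatDefence's detection engine.

RFC 792 fixes two things for echo traffic that tunnelling tools tend to
break: the code field is 0, and the reply carries the same data as the
request. Two heuristics are added: payload entropy above an assumed limit,
and a payload matching neither the Windows nor the iputils ping pattern.
All packets below are constructed, not captured.
"""
import hashlib
import math
import struct
from collections import Counter, defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8
ENTROPY_LIMIT = 6.5  # bits per byte; assumed, standard ping payloads sit far below
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"  # Windows ping 32-byte data


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 for a packet whose
    checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload, code=0):
    """Serialise an ICMP echo request/reply with a valid checksum."""
    hdr = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def parse_icmp(raw):
    t, code, _, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return {"type": t, "code": code, "id": ident, "seq": seq,
            "payload": raw[8:], "csum_ok": icmp_checksum(raw) == 0}


def entropy(data):
    """Shannon entropy in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def looks_like_ping(payload):
    """Windows ping sends a fixed 32-byte alphabet; iputils/BSD ping fill each
    data byte after the leading timestamp with its own offset (0x10, 0x11, ...)."""
    if payload == WINDOWS_PATTERN:
        return True
    return len(payload) > 16 and all(b == (i & 0xFF) for i, b in enumerate(payload) if i >= 16)


def suspicious_flows(packets):
    """packets: iterable of (src, dst, raw_icmp). Returns {flow: [findings]}
    for flows that break echo semantics; flow = (client, server, icmp id)."""
    findings = defaultdict(list)
    pending = {}  # (flow, seq) -> request payload awaiting its reply
    for src, dst, raw in packets:
        p = parse_icmp(raw)
        if p["type"] not in (ECHO_REQUEST, ECHO_REPLY):
            continue
        flow = (src, dst, p["id"]) if p["type"] == ECHO_REQUEST else (dst, src, p["id"])
        f = findings[flow]
        if not p["csum_ok"]:
            f.append("bad checksum")
        if p["code"] != 0:
            f.append("non-zero code on echo (RFC 792 requires 0)")
        if p["type"] == ECHO_REQUEST:
            pending[(flow, p["seq"])] = p["payload"]
            if entropy(p["payload"]) > ENTROPY_LIMIT:
                f.append("high-entropy request payload")
            if not looks_like_ping(p["payload"]):
                f.append("request payload is not a standard ping pattern")
        else:
            req = pending.pop((flow, p["seq"]), None)
            if req is None:
                f.append("reply without a matching request")
            elif req != p["payload"]:
                f.append("reply data differs from request (RFC 792 violation)")
    return {flow: list(dict.fromkeys(f)) for flow, f in findings.items() if f}


def _blob(seed, n):
    """Deterministic pseudo-random bytes standing in for tunnelled data."""
    out, h = b"", seed.encode()
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


# Constructed samples: a normal 56-byte ping exchange (timestamp area zeroed)
# and a tunnel flow moving 512 bytes each way under an unchanging ICMP id.
PING_DATA = b"\x00" * 16 + bytes(range(16, 56))
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.1", build_echo(ECHO_REQUEST, 0x1234, 1, PING_DATA)),
    ("10.0.0.1", "10.0.0.5", build_echo(ECHO_REPLY, 0x1234, 1, PING_DATA)),
    ("10.0.0.7", "203.0.113.9", build_echo(ECHO_REQUEST, 0xBEEF, 1, _blob("up", 512))),
    ("203.0.113.9", "10.0.0.7", build_echo(ECHO_REPLY, 0xBEEF, 1, _blob("down", 512))),
]

if __name__ == "__main__":
    for flow, hits in suspicious_flows(SAMPLE_PACKETS).items():
        print(flow, hits)
```

The reply-equals-request test is the one that cannot be tuned away: a tunnel server has to put different data in its replies to be useful, and a firewall that only passes "echo request and reply" never looks at that. Entropy and pattern checks are supporting signals, since a patient attacker can pad or encode the payload to look like a ping.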

Network: 

SME, 200+ devices in the network.

Phishing Sites

ThreatDefence found:           

Several internal assets connecting to phishing sites that pretend to sell movies. No matter which movie you click to download, a script is executed that attempts a reverse shell over HTTPS.

Missed by: 

Juniper firewalls, CrowdStrike.

Method: 

Manual threat hunting by ThreatDefence security analysts identifies threats that everyone else has missed. TD security analysts proactively search through the collected data, aided by visualisation and automation.

Network:

Public company, 1000+ devices in the network.

Other findings

  • misconfigured firewalls
  • credentials sent in plain text
  • connection to ransomware hosts
  • TOR activity
  • persistent backdoor access
  • Windows critical errors
  • cryptocurrency mining
  • easy-to-exploit systems
  • phishing site access
  • exploitation in progress
  • unexpected login time