Blog Post Archives

Trending Ransomware Attacks and How to Stop Infection Before Payment

June 1, 2023/in Blog Post/by Brittany Demendi

By: Brittany Demendi, Corporate Communications Manager

With the rise of ransomware attacks, it is more important than ever to be proactive when it comes to protecting your organization’s devices and networks. Knowing about the various types of ransomware, such as LockBit, BlackCat, and Medusa, is important. Additionally, it is essential to understand how ransomware affects a system and device, and the steps you should take to detect and stop ransomware before it is too late.

In this blog, we will discuss some of the most dangerous and widespread ransomware attacks, how they affect a system, and the steps you should take to prevent them from wreaking havoc on your organization.

Trending Ransomware Attacks

The following section references trending ransomware attacks/gangs from Adlumin’s Threat Research Team.

LockBit:

LockBit is malicious software that blocks users’ access to their computer systems in exchange for a ransom payment. LockBit will automatically spread the infection, vet for other valuable targets, and encrypt systems on the network. Attackers have targeted organizations globally and have made their mark by threatening data theft, extortion, and operational disruption.

It is a self-spreading type of malicious software that does not require manual direction from the attacker. In addition, it uses tools like Server Message Block (SMB) and Windows Powershell to target an organization’s user rather than spread like spam malware.

LockBit attacks in three stages:

Exploit
Infiltrate
Attack

BlackCat:

BlackCat, also known as ALPHV, has been deemed one of the most threatening and sophisticated types of malware in recent years. BlackCat is considered ransomware-as-a-service (RaaS). Although there has been a decline, BlackCat is still dangerous as they target organizations globally using triple-extortion tactics. Cybercriminals use a malware-infected email or website link to lure in victims, quickly spreading across an entire system.

After BlackCat attackers gain initial access to a network, they begin lateral movement phases identifying sensitive data to later encrypt. It is difficult to remove and will attempt to disable anti-virus software and other security measures. Cybercriminals will also modify system files and settings to make a recovery more complex.

One of the main differences between BlackCat and other types of ransomware is that it is written in Rust programming language. There has been an increase in this type of language because it is stable, fast, and secure to evade existing capabilities while allowing for better memory management. BlackCat can also run on non-Windows operating systems like Linux.

Medusa:

Medusa has been picking up media coverage this past year with increased activity and the launch of their ‘Medusa Blog,’ where they leak data for victims who do not pay a ransom. They target globally and demand millions in ransom.

Medusa is known to shut down over 280 Windows processes and servers, including database servers, backup servers, and security software, and will prevent files from being encrypted. They claim to exfiltrate data from organizations and perform a double-extortion attack where the threat actor encrypts compromised systems and releases or sells the data publicly on their blog. Since they are relatively new, additional capabilities are still being discovered.

How Ransomware Affects a System of Device

Ransomware is used in several different methods to infect an organization’s device or network. Some of the most common ransomware infection vectors include:

Social Engineering Attacks and Phishing Emails: Phishing emails entice employees and victims to download and run malicious attachments, which contain ransomware disguised as a link, PDF, Word document…etc. An attacker can access their system once that link or attachment is opened or downloaded. IBM recently reported that 45% of all ransomware attacks successfully infiltrate through a phishing email or a social engineering tactic.
Account Compromise: Cybercriminals buy authorized users’ credentials off the dark web or steal or obtain them via brute force. They then use the credentials to log into a computer or network to deploy ransomware directly. A widespread credential theft technique that cybercriminals use is the remote desktop protocol to access a victim’s computer remotely.
Software Vulnerabilities: It is common for cybercriminals to exploit software vulnerabilities by injecting malicious code into the network or device. Attackers know how common it is for organizations to not have everything patched, making known vulnerabilities the easiest point of entry or technique to plan their attack.

Detection Before Ransomware Execution

One of the most important steps for all organizations to protect themselves from ransomware is taking a proactive approach to cybersecurity by investing in the right solutions and technologies. In conjunction with a Security Operations Platform and Managed Detection and Response Services, implementing a solution specific to ransomware adds multiple layers of protection to an organization to proactively block ransomware from executing. If signs of a ransomware attack are detected, the attack can be stopped before the files are encrypted.

Typically, when a ransomware attack occurs, removing ransomware alone does not give you access to your files again. It will still require a solution and tool to prevent you from having to pay the ransom, with an encryption key to unlock it. Specifically, a multilayer ransomware defense solution will stop the ransomware before this stage is even needed. These solutions are not a replacement for threat management solutions but an added necessity to enhance your cybersecurity protection.

Adlumin’s threat experts work as an extension to your security team and can detect ransomware before havoc is reached and reduce an event’s impact. They can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign-up for a free trial.

How Automation Makes Cybersecurity Faster and Smarter: The Pros and Cons

May 25, 2023/in Blog Post/by Ellen Loughlin

By: Will Ledesma, MDR Cybersecurity Director

The world of automation is fully upon us. We as humans want things faster, quicker, and cleaner, with trust in actions taken by computers. All too often, we see in the movies lighting speed actions happening in real-time. Is this real? In essence, we can see automation everywhere, from ordering food at a kiosk to robots making food and beverages. So how has automation taken a foothold in cybersecurity?

The concept of automation often bleeds into the artificial intelligence (AI) world. Where AI makes decisions based on a number of technologies and learned variables. In principle, automation also makes these same types of decisions, but it’s based on rules and patterns. Nonetheless, in cybersecurity, automation is only as smart as we make it. The cyber-world is colossal, and different teams and operations can all use automation in different ways.

This blog concentrates on automation in a Security Operation Center (SOC) and the pros and cons of automation used in cybersecurity.

How is Automation Being Used in Cybersecurity?

In cybersecurity, specifically Adlumin, automation monitors, audits, detects, responds, and/or prevents malicious activities against multiple technologies. One of the main challenges in the cybersecurity world is burnout. By using automation, a Security Operations Center (SOC) team can quickly scale up their operations. For example, automation helps reduce analyst fatigue. Plus provides the tools to quickly identify, contain, and respond to malicious activity. It streamlines mundane, labor-intensive tasks that would’ve otherwise required manual effort. Automation reduces the time for threat detection and provides response capabilities across an organization’s technology set. In addition, automation helps reduce costs associated with manual processes and investigations; by detecting and containing threats such as malware, phishing emails, and malicious code.

Now that we’ve covered its use let’s look at the pros and cons.

The Pros of Cybersecurity Automation

Simply put, as mentioned above, automation reduces the time for threat detection and containment. Furthermore, automation can pinpoint threats that the human eye may miss. Within Adlumin’s Security Operations Center’s (SOC) team, automation is used by taking the mindset of a Tier 3 (expert SOC analyst) and scaling that into playbooks to where automation is then inserted to make machine time-to-machine time decisions. This way, an attack can be stopped in machine time, thus denying a threat of further spreading.

Use Case: Automation Block Ingested into Next-Generation Firewall Systems

For this use case, we will examine an automation playbook that is being utilized to create IP blocklists for next-generation firewall systems (NGFW). In the past, SOCs had to have subject matter experts (SME) that knew a slew of technologies. Using automation, we have removed the need for a dedicated SME that knows how to create network objects, apply that to a network policy, ensure that it has been set to memory, and, most importantly, we have reduced the risk surface area. No longer must a company open additional vectors into its network for SOC SMEs. In addition, a customer drops the risk of worrying about the account management headache that comes with having to give credentials to outside-the-organization users or even depending on a third-party company that requires change request nightmares. Adlumin’s automation can implement a blocklist inseconds versus minutes, hours, or even days.

In addition to automation serving as an additional defender alongside cyber defense warriors, it also helps reduce mean time to remediation (MTTR), thus reducing service level agreements (SLA). Automation will also grab key intel artifacts and inject those in machine time into Adlumin for an analyst to utilize on a single pane of glass. Thus, reducing time to clicks instead of needing to go to additional outside sources.

The Cons of Cybersecurity Automation

The cons of cybersecurity automation are that threat actors are now also using automation within their attack playbooks. The playing field has been reduced in terms of expertise from attackers. Now a team can have one lead that creates and distributes a malicious weapon set to where other attackers can point and click on what they want to attack. Even here at Adlumin, our red teams are using automation in their attacks to brute force their way into systems.

Due to attacks now moving at lightning speeds, defenses must be able to keep up, and automation clearly is the key. For those possibly thinking otherwise, consider this, a leader approaches you and states, “Why am I going to invest in an employee if they’re just going to leave,” where a great response would be, “But what if we don’t invest in them and they never leave?” The same is true for automation in the world of cybersecurity.

Illuminate Threats and Eliminate Risks

Learn more about how Adlumin’s Managed Detection and Response Services and Security Operations Platform can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign-up for a free trial.

Podcasts

May 17, 2023/in Blog Post/by Ellen Loughlin

CNB Bank & Trust Seek New Cybersecurity Solution

May 16, 2023/in Blog Post/by Ellen Loughlin

CNB Bank & Trust sought a new cybersecurity solution and found Adlumin. Adlumin is a CBSC Preferred Service Provider that provides enterprise-grade security tailored to any budget. With Adlumin, community banks have everything they need to maintain a top-tier security posture and eliminate risk.

Download Now

How AI is Used to Detect Lateral Movement

May 11, 2023/in Blog Post Brittany Demendi/by Ellen Loughlin

By: Zach Swartz, Senior Data Scientist

Adlumin recently flagged lateral movement incidents on a customer’s network. The detection was achieved via an AI algorithm designed to aggregate suspicious incidents until they collectively project a high-fidelity threat signal. This prevented further compromise of valuable resources, and Adlumin detection response teams advised the client on remedial action.

Lateral Movement

When a cybercriminal first gains access to a network, they often move laterally to different machines until they find what they’re looking for. This movement can usually be traced using Windows access-event logs. However, detecting this behavior automatically amongst the enormous corpus of access events can be extremely difficult, especially when it involves privileged users with network-wide access. This is where Adlumin AI comes into play.

Adlumin AI

A machine-learned algorithm assigns an anomaly score to each successful logon event that occurs on an Adlumin customer’s machine. Anomalous logon events are then aggregated to form access graphs, which are subsequently assessed for attack signatures. For example, many anomalous logon events from a single user on a single machine may indicate that an attacker is attempting to gain access to network share drives or performing scanning-like behavior to gain a foothold elsewhere on the network. Below is an example of a penetration test detected on a customer network where the user attempted to access 15 separate machines.

This “one-to-many” behavior is a common aggressive tactic that Adlumin AI targets explicitly and has been essential in discovering and mitigating network breaches.

Recent Incident

An Adlumin customer recently received multiple rule-based alerts concerning SSH and FTP connections to a foreign country, along with three lateral movement detections associated with an admin account exhibiting the above mentioned ” one-to-many ” behavior. The attacker accessed roughly 30 hosts across the network and copied several documents. It appears that data exfiltration was attempted but unsuccessful, and due to the quick response from the Adlumin MDR team and the customer, the situation was contained, and damage was minimized. The combination of rule-based and AI-powered detections allowed Adlumin and the customer to promptly characterize and address the issue to the fullest extent possible.

Adlumin Data Science continuously develops more robust and holistic solutions for automated defense against network intrusion and data exfiltration. The incident captured here highlights our core principle of combining AI, domain knowledge, and detection response expertise.

Illuminate Threats and Eliminate Risks

RSA Conference 2023: Review from Adlumin's VP, Chief of Strategy Mark Sangster

May 4, 2023/in Blog Post Mark Sangster/by Shannon Flaherty

Opinion Article by Mark Sangster, VP, Chief of Strategy

RSA Conference 2023 returned to its pre-pandemic pandemonium. Attendance seemed to have returned to around 50-60,000 attendees, streets were packed, and restaurants were all but sold out or booked for corporate functions. Walking the exhibit hall floor, the show seemed business as usual. Here are a few general observations from my time at the event.

Post-Pandemic Return

Things that seemed unaffected by the pandemic hiatus. First, many vendors and attendees returned. Second, the market, which I am happy to report, seemed more inquisitive, informed, and ready to engage with vendors on a deeper level. In general, we appear to be moving from first-generation to next-gen buyers with the wisdom to better qualify potential vendors against their requirements.

Cautious Optimism

I also had the chance to meet with numerous investors across venture and equity capital. With concerns about a commercial real estate collapse, the banks left holding most of downtown San Francisco buildings, and there was optimism. Like the Gen-2 attendees, the investors have evolved from a hedge in hyped companies to realistic investments based on proven growth, responsible spending, and experienced leadership. The money is there, as is the appetite. It’s about responsible investment rather than gambling. That’s not bad for an industrial full of fast (and not so fast) followers who desperately need consolidation across various security categories.

Community Spirit

It was again my pleasure to work with Bob Darling, Lt.Col. Marine Corps (retired), during our packed learning lab, leveraging his experiences in the White House during the attacks on 9/11 and our collective work helping business executives lead through a crisis. As a two-hour scrum, our participants did most of the work. We covered crisis information gathering, providing the what and not the how, and lessons learned from cyber incidents. For two hours, groups focused on specific functions (leaders, legal advisors, technical experts, crisis communicators, etc.) through the various stages of a cyber incident.

What came out was an enthusiasm to share and to collaborate. Participants shared their experiences, frustrations, and solutions to face nation-state attacks and ransomware outages. Everyone was enthusiastic and committed to finding solutions rather than faults. While the lessons were there to guide, the reality is that the participants were able leaders.

It is always an honor to bring together experts to mix ideas and find new ways of approaching common problems. Bob and I hope to be back next year. Our post-event debrief (over a few cold beers) led to new ideas and ways to improve this session.

Adlumin Debut

The RSA conference is a gateway through which all growing cybersecurity companies will pass. How long it takes to get there, how long they stay, and how far they grow varies. But a booth at RSA is a coming of age event. Adlumin joined these alumni in a glowing booth, playing on the theme of illumination in the dark. The marketing team knocked it out of the park for year one, jumping to a main floor location with robust foot traffic. It was a pleasure to meet new people, host investors and patterns alike, and feel proud about the company at which we all work. I look forward to RSA2024 and the next steps in the evolution of Adlumin.

RSA Resource Recap

Cyber Tide Podcast: RSA Edition

Cyber Tide Episode 4:

LIVE from RSAC 2023: Mark Sangster & Robert Darling Recap their Experiences in the Field

The Cyber Tide series dives beneath the surface of infamous cybersecurity attacks, exploring the means and motives of cyber adversaries. In episode 4, Mark Sangster and Robert Darling discuss how their experiences in the field have helped shape their abilities to deal with cyber crises, the scope of the problem of cybercrime, and more. Listen now.

Cyber Tide Episode 5:

LIVE from RSAC 2023: Mark Sangster & Alex Jinivizian Recap their Experiences from the Event

In this episode of Cyber Tide, Mark Sangster and Alex Jinivizian recap their experiences from RSAC 2023, sharing insight into changes in the security landscape, buyers’ experiences, and more. Tune in to hear their expert analysis of the state of the security industry. Listen now.

In The News

Adlumin Wins Global InfoSec Award at RSA Conference 2023

For the eleventh year, Cyber Defense Magazine honors infosec innovators from around the globe and Adlumin has been listed as a 2023 winner for Managed Detection and Response. Winners are based on three major features: understanding tomorrow’s threats, today, providing a cost-effective solution and innovating in unexpecting ways. Read the full press release here.

Adlumin Debuts its Security Operations Platform on Upcoming Episode of Inside the Blueprint

Adlumin appeared on the award-winning television series Inside the Blueprint as independently produced branded content. Adlumin’s leadership team discussed how their services give unparalleled visibility into an organization’s security posture with access to real-time alerts, threat intelligence, and compliance reporting. Watch Adlumin’s segment here.

Adlumin Enhances its Managed Detection and Response Platform Delivering Enterprise-Grade Security to Mid-Market Organizations and the Service Providers Protecting Them

Adlumin powered up its platform with new enhancements. New capabilities, including honeypots, lateral movement alert upgrades, malicious scheduled task detection, and malicious script block add to a platform that is feature-rich enough for organizations to operate on their own, yet built specifically to amplify the skills and capabilities of managed service providers. Read the full press release here.

Learn More

Learn more about how Adlumin’s Managed Detection and Response Services and Security Operations Platform can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign-up for a free trial.

Early Detection of Ransomware Attacks for Financial Institutions

May 3, 2023/by Adlumin Staff

By: Brittany Holmes, Corporate Communications Manager

Ransomware attacks continue to pose a serious and persistent threat, causing widespread disruption to organizations of all sizes. This underscores the critical need for proactive cybersecurity measures to stay ahead of cybercriminals.

A recent high-profile incident involving approximately 60 Credit Unions highlighted the ongoing impact of these attacks. Many of the credit unions affected lacked adequate backup coverage and dedicated security, which serves as an example of the importance of early detection and a multi-layered defense strategy to protect valuable data from ransomware threats.

This blog explores top methods for detecting ransomware, response strategies, and the importance of a multi-layer protection approach.

Detecting Ransomware and The Need for Early Detection

Ransomware protection strategies commonly focus on various stages of attack detection, as outlined by MITRE. From blocking known variants to detecting signs of compromise before execution and identifying malicious activities during the execution phase, each step plays a crucial role in preventing file encryption and data loss. Here are some top ways ransomware is detected:

Blocking Ransomware Variants: Blocking known ransomware variants is common in cybersecurity defense. Organizations can proactively block known ransomware strains from executing on their systems by leveraging threat intelligence feeds and signature-based detection tools.
Detecting Signs of Compromise: Detecting signs of compromise before ransomware execution is another crucial strategy in ransomware detection. Organizations can identify a ransomware attack in its early stages by monitoring for indicators of compromise (IoCs), such as unusual network traffic patterns, unauthorized access attempts, or anomalous file modifications.
Detecting Ransomware at Execution Stage: Detecting ransomware at the execution stage is a critical step in mitigating the impact of an attack. Behavior-based detection techniques can monitor system activities in real-time to detect and respond to malicious behavior, including ransomware encryption processes. Organizations can identify and contain ransomware before it causes extensive damage by analyzing the behavior of processes and file system activities.

Additionally, leveraging frameworks such as MITRE ATT&CK can provide organizations with a standardized approach to understanding ransomware tactics, techniques, and procedures (TTPs). By mapping ransomware behaviors to the MITRE ATT&CK framework from left to right, organizations can identify gaps in their detection and response capabilities and implement targeted security measures to enhance their ransomware defense strategy.

However, cybercriminals continually evolve their tactics, and ransomware strains emerge, hindering some security approaches. To address the shortcomings of each detection method, organizations can adopt a strategy that combines multiple layers of defense. Ransomware detection capabilities can be enhanced by integrating threat intelligence feeds with advanced behavioral analytics and proactive threat hunting, improving their overall cybersecurity posture.

Adlumin’s Innovative Ransomware Protection Feature

Adlumin’s Managed Detection and Response (MDR) now includes a ransomware prevention feature focused on file system preservation to combat the evolving ransomware landscape. This new capability safeguards and preserves most files by killing the process at the earliest detection sign.

One crucial aspect of ransomware protection is proactive testing and preparedness. It is important to understand how secure your organization’s security tools are against ransomware by prioritizing testing defenses and response protocols to ensure readiness in the face of potential threats.

Embracing a Multi-Layered Defense Approach

Ransomware protection is a complex and challenging threat that demands a multi-layered defense approach. Early detection, proactive response strategies, secure backups, and innovative technologies like Adlumin MDR Ransomware Prevention are essential to a comprehensive defense posture against attacks. By understanding the importance of early detection and implementing a multi-layered defense strategy, organizations can significantly enhance their resilience to evolving cyber threats.

The threat of ransomware is large, but by staying informed and leveraging advanced security solutions, the risks can be mitigated, and data assets can be safeguarded. Remember, there is no single answer to ransomware protection – it requires a holistic and dynamic approach to stay ahead of cyber adversaries. With 24×7 coverage and innovative technologies, you can protect your organization against the threat of ransomware and ensure organization continuity in the face of evolving cyber risks.

Download the Tool

3 Benefits of a Mobile-Friendly Security Operations Platform

April 20, 2023/in Blog Post Brittany Demendi/by Ellen Loughlin

By: Brittany Demendi, Corporate Communications Manager

In today’s increasingly mobile world, organizations must be able to access their security operations platform anywhere, anytime. Having 24/7 visibility into your environment on the go is a game changer. Specifically, Adlumin’s Security Operations Platform allows users to see the exact same view from any device as they would on their computer. This is essential to ensure everyone has complete visibility and is on the same page, keeping organizations secure and up to date with the latest threats regardless of where they’re located.

Having access to a security operations platform from a mobile device can provide several benefits:

24×7 Visibility to Your Environment:
- First, when cybersecurity professionals are on the go, they can easily access their organization’s security operations platform from their mobile device to view their environment, giving them visibility to potential security incidents while they are still happening. It can provide real-time updates on the latest security threats, allowing organizations to identify potential issues proactively.
- The Adlumin mobile-friendly Security Operations Platform tracks cybercriminal behavior. It can quickly identify when there is an attacker within an organization’s environment—ultimately learning what goes on within every phase of an attack.
Take on a Proactive Security Strategy and Reduce Dwell Time:
- Second, accessing a security operations platform from a mobile device can help organizations stay ahead of the curve. This can drastically reduce the time it takes to mitigate potential threats, minimize the risk of compromised data, and take steps to prevent threats from becoming issues.
- Adlumin’s Security Orchestration, Automation, and Response (SOAR) capability analyzes gathered data and deploys automated responses for each specific threat brought to light. When cybersecurity professionals can access their security operations platform on the go, they can see any alert produced from the SOAR capability come through.
Provide Flexibility and Agility:
- Finally, accessing a security operations platform from a mobile device can provide organizations with the flexibility and agility to respond quickly to any changes in the security environment. It can also provide organizations access to the latest security and compliance tools and technologies, allowing them to stay on top of the latest developments in the security space.
- Adlumin’s Security Operations Platform provides one-touch compliance reporting and monitoring from your mobile or tablet device for instant access. Security teams are being asked to use data-driven processes to improve their cybersecurity posture, so Adlumin’s reporting module produces reports based on live, accurate, and contextualized data.

One Platform, Multiple Views

Adlumin is launching a new user interface (UI) that enables users to view the same platform as its security analysts from any device, anytime. The streamlined design has improved navigation allowing users to quickly access the information they need to make informed decisions and act promptly against potential threats. What’s new?

Mobile-Friendly Design: The new UI is fully responsive so that you can access your cybersecurity data anywhere, on any device.
Improved Search Functionality: Search capabilities are updated, so you can quickly get answers to large and complex searches.
Enhanced Reporting Capabilities: Reports include a new look and provide more insights and details.
Simplified Navigation: The platform is reorganized to make it easier to find features.

With the rise of mobile devices, organizations need to have the ability to access their security operations platform from their mobile device while on the go. Doing so can provide organizations with the tools and information they need to identify, investigate, and respond to security threats quickly and effectively while staying up to date with the latest developments in the security space.

In the Blueprint: Security Operations at a Whole New Level

April 17, 2023/in Blog Post/by Ellen Loughlin

Schools are Prime Targets for Cybercriminals: What Can They Do?

April 13, 2023/in Blog Post Brittany Demendi/by Ellen Loughlin

By: Brittany Demendi, Corporate Communications Manager

The U.S Government Accountability Office has warned K-12 and higher education school districts that they are considered an increasingly popular target for cybercriminals. The industry remains a prime target for reasons that range from the wealth of student and employee personal data to lagging cybersecurity processes and measures.

Last year, Infrastructure Investment and Jobs Act allocated $1 billion in federal grants to improve state and local government security between 2022 and 2025. States must match a certain amount of grants. Still, to secure funds, they must submit their plan to the Cybersecurity and Infrastructure Security Agency (CISA) with a statewide planning committee. This level of government involvement shows the risks the education industry is under while cyber attacks are still increasing.

Just last month, Alabama’s third-largest school system’s network was shut down after a ransomware attack, and as of recently, there is no sure timeline for when normalcy is returning. Teachers are back to grading with pen and paper, and the school has no internet. This recent attack is not an isolated incident. Adlumin’s Managed Detection and Response (MDR) Team also sees multiple attacks within the education industry and has remediated any threats and intrusions to get schools back to normal.

Recent Cyberattacks on the Education Industry

Adlumin’s Managed Detection and Response Team received three high-severity alerts for logins from a foreign country. The detections were immediately escalated for an investigation to determine why one of the three accounts was experiencing a high volume of failed access events. This could’ve indicated a brute-force attack, authentication malfunctions, or an account malfunction.

Additionally, the other two accounts were accessed from a first-try logon. Within one minute after successful access, lateral movement began. This means that the attacker already had access to the accounts. Adlumin’s Managed Detection and Response Team implemented a network block on the IP address and isolated the known compromised host. To further their investigation, the team conducted a 30-day search for the techniques and indicators of compromise (IOCs).

This was not seen as an isolated incident as the education industry is being targeted nationally, hence why there is government involvement in enhanced cybersecurity plans.

Trending Lateral Movement in the Education Industry

The most alarming aspect of the recent attack was that the cybercriminal already had account access and could log in within one try. The cybercriminal began lateral movement within one minute of access, a trend the team has been seeing within this industry.

To further understand the severity of this attack, we are breaking down lateral movement:

What is Lateral Movement?

Lateral movement is a technique adversaries use after compromising an account or endpoint. It extends access to other applications or hosts in an organization. This technique helps cybercriminals maintain persistence within a network, moving closer to the golden nuggets they are truly after. In severe cases, it can also allow cyber criminals to gain control of an administrator’s account and its associated data and privileges.

A cybercriminal’s main goal is to remain undetected within an environment for as long as possible while moving toward sensitive or valuable data to exfiltrate or destroy it. After the initial break-in, the cybercriminal can easily learn the network anatomy, move laterally by accessing sensitive data through different systems and steal credentials.

Lateral movement is ideal for cybercriminals who want to stay under the radar, which is why this technique is chosen over malware or other exploits that will trigger an alarm. Detecting lateral movement is extremely difficult via prevention controls to block automatically. The more time passes, the more damage is done, resulting in greater recovery costs and investigation.

Stopping Attacks with Managed Detection and Response Services

Managed Detection and Response Services paired with a Security Operations Platform are uniquely designed to identify attackers accurately and quickly as they move through an organization’s compromised network. With these services, detections developed by threat research and data science spot emerging attacker tactics, with machine learning, it catches anomalous behavior unique to any environment.

In this particular incident, Adlumin’s Managed Detection and Response team blocked the threats on the education organizations quickly due to escalated alerts. In addition, working with the organization, they documented and provided step-by-step investigation details, offering 100% visibility.

Stopping Lateral Movement with Adlumin’s Managed Detection and Response Services

Adlumin’s Managed Detection and Response Services provide the premier command center for security operations to stop cyber threats, eliminate vulnerabilities and take command of sprawling IT operations. The education industry relies on Adlumin for solutions before cybercriminals disrupt classrooms and academic programs shutting down operations for weeks. Adlumin enables you to extend defensive capabilities beyond firewalls and security devices while gaining comprehensive visibility into your network.