Discovering that uninvited guests from overseas have invaded your system is a shock no one wants to experience, and it is one of the most serious cybersecurity risks a business faces. Such intrusions can lead to serious consequences, from compromised sensitive data to overworked IT teams and costly downtime.
It's a dangerous world out there - just ask anyone protecting a healthcare network. Not only are they fending off an unrelenting barrage of scanners and phishing attempts, they are also preferred targets of ransomware gangs. Lately they have even become targets of state-sponsored attacks and Advanced Persistent Threats (APTs). The tricky part of defending against APTs is that they are relatively well funded: they don't have to rely on off-the-shelf exploits, and they can invest significant resources in extremely thorough reconnaissance. In most cases, a determined APT will eventually get into your network.
Recently, a ThreatSTOP customer in the US was on the receiving end of one of these attacks, likely targeted as part of an ongoing state-sponsored campaign against pro-Ukraine countries. This is how the incident played out:
The large healthcare provider - let's call them MedOne - is an extremely sophisticated organization from a security standpoint. They have network monitoring and endpoint protection. They have the latest firewalls, and they use the ThreatSTOP protective DNS service to filter DNS queries for their 20,000 employees spread across 20 locations. MedOne also has a well-trained, experienced team of security professionals keeping an eye on things.
The first sign of trouble came through a daily ThreatSTOP report: an internal database server was trying to reach a domain that resolves into Russian IP address space. The MedOne security team recognized this as highly suspicious (a database server has no legitimate reason to resolve names pointing there) and began to dig in. Eventually they traced the activity to one employee's stolen credentials. Those credentials let the attackers establish remote access to the database server, from which they attempted to download tools from a server in Russia. That download required a DNS lookup, which ThreatSTOP's DNS Defense service blocked and reported to the security team.
ThreatSTOP's DNS Defense strikes at a weakness shared by 92% of the threats used in modern attacks: they rely on DNS resolution for the attack to succeed. By comparing DNS requests in real time against ThreatSTOP's extensive threat intelligence database, malicious and unwanted requests are blocked on the spot, and the devices that made them are reported for follow-up. The result is prevention and visibility for every device on the network whose queries pass through the filtered resolver.
APT attackers will usually find a way into the network they are targeting, whether through social engineering or a 0-day exploit. Once inside, they typically need to download tools or exfiltrate data, and both steps usually begin with a DNS lookup. This is where ThreatSTOP DNS Defense trips them up: by refusing to resolve the names of their tool-hosting and staging sites, it denies them the next step of the attack and leaves them stranded inside the network without their tools.
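To make the mechanism above concrete, here is a small protective-DNS policy check written for this page. It is an added illustration, not ThreatSTOP's product, its feed, or the MedOne deployment: the block list (`bad.example` and its subdomains), the rejected address range (an RFC 5737 documentation prefix standing in for "address space the policy does not allow"), the canned resolver answers and the query log lines are all constructed. It shows the two checks a DNS filter applies, name against list and resolved address against range, and the per-device report that turns a block into something a security team can act on.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed threat intelligence (not a real feed). A listed name blocks
# all of its subdomains too. 203.0.113.0/24 is a documentation range used
# here only as a placeholder for a rejected destination range.
BLOCKED_DOMAINS = {"bad.example"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed resolver answers so the example runs offline. A real filter
# inspects the upstream answer before handing it to the client.
RESOLVED = {
    "updates.corp.example": "198.51.100.10",
    "tools.bad.example": "203.0.113.7",
    "staging.other.example": "203.0.113.44",
    "mail.corp.example": "192.0.2.25",
}

# Constructed query log: timestamp, client address, queried name, type.
# 10.20.30.40 plays the part of an internal database server.
SAMPLE_LOG = """\
2024-03-03T02:14:09Z 10.20.30.40 tools.bad.example A
2024-03-03T02:14:11Z 10.20.30.40 staging.other.example A
2024-03-03T02:15:02Z 10.20.31.15 updates.corp.example A
2024-03-03T02:15:07Z 10.20.31.16 mail.corp.example A
"""


@dataclass
class Verdict:
    client: str
    qname: str
    action: str  # "allow" or "block"
    reason: str


def domain_listed(qname: str) -> bool:
    """True if qname or any parent of it is on the block list, so a
    listing for bad.example also covers tools.bad.example."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def evaluate(client: str, qname: str, answer: Optional[str]) -> Verdict:
    """Apply the policy checks in order: the name first (cheap, needs no
    answer), then the resolved address, which catches names not yet listed
    but pointing into a range the policy rejects."""
    if domain_listed(qname):
        return Verdict(client, qname, "block", "name on threat list")
    if answer is not None:
        addr = ipaddress.ip_address(answer)
        for net in BLOCKED_NETWORKS:
            if addr in net:
                return Verdict(client, qname, "block", f"resolves into {net}")
    return Verdict(client, qname, "allow", "")


def filter_log(log: str) -> list[Verdict]:
    """Run every query in the log through the policy."""
    verdicts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype = line.split()
        verdicts.append(evaluate(client, qname, RESOLVED.get(qname)))
    return verdicts


def blocked_by_client(verdicts: list[Verdict]) -> dict[str, list[tuple[str, str]]]:
    """The report a security team acts on: which internal host tried to
    reach what, and why the lookup was refused."""
    report: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for v in verdicts:
        if v.action == "block":
            report[v.client].append((v.qname, v.reason))
    return dict(report)


if __name__ == "__main__":
    for client, hits in blocked_by_client(filter_log(SAMPLE_LOG)).items():
        print(client)
        for qname, reason in hits:
            print(f"  {qname}: {reason}")
```

Running it reports only the database server, with both of its lookups and the reason each was refused; the two workstation queries pass. The address-range check is what matters for the incident above: a freshly registered staging domain may not be on any list yet, but the answer it returns still lands in address space the policy rejects.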
Not a ThreatSTOP customer yet? Want to see ThreatSTOP instantly eliminate attacks on your network, or how it can effectively grow your MSP services?