Blumira’s security, support, product and sales team members helped a customer recently by detecting a pattern of malicious activity related to the newly disclosed Microsoft Exchange vulnerabilities over the span of a few days.
Initially, Blumira detected threat-like behavior in the environment, or security events, through the customer’s Sophos Central antivirus integration. As the detections continued, the customer engaged with Blumira’s Security Operations (SecOps) team to review and ensure the appropriate incident response steps were taken.
This prompted Blumira’s Incident Detection Engineer Nick Brigmon to investigate and categorize the not-yet-qualified incident. He then tagged in Blumira’s Technical Account Manager (TAM) Dave Begley, who proactively contacted the affected customer and helped configure many additional log sources to feed into Blumira. This delivered the additional visibility needed to properly scope the security incident.
A series of attacker behaviors was detected by Blumira’s platform, including an attempt at privilege escalation through a PowerShell execution policy bypass.
Blumira also detected a policy violation caused by the clearing of Windows security event logs. This is a very rare finding; attackers clear logs to eliminate evidence and avoid leaving an investigative trail that leads back to their activity. As noted in the MITRE ATT&CK framework, this attacker tactic is a form of defense evasion (T1070.001).
This suspicious pattern of behavior, once correlated with the presence of a vulnerable Exchange server, represented a new level of incident criticality for Blumira’s team and their client.
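As an added illustration (not Blumira’s detection logic, and not data from this incident), the following shows how a detector could flag the two behaviors above in Windows Security events and escalate when both are seen for the same account within a short window. Event IDs 4688 (process creation) and 1102 (audit log cleared) are the standard Windows events for these actions; the sample records are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the incident described in the post):
# simplified Windows Security log records with a parsed timestamp.
SAMPLE_EVENTS = [
    {"TimeCreated": datetime(2021, 3, 8, 2, 14), "EventID": 4688, "SubjectUserName": "svc_exch",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Temp\run.ps1"},
    {"TimeCreated": datetime(2021, 3, 8, 9, 30), "EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"TimeCreated": datetime(2021, 3, 8, 2, 41), "EventID": 1102, "SubjectUserName": "svc_exch"},
    {"TimeCreated": datetime(2021, 3, 9, 11, 0), "EventID": 4688, "SubjectUserName": "admin",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ep bypass -c Get-Service"},
]

# PowerShell accepts abbreviated forms of -ExecutionPolicy, so match the common ones.
BYPASS = re.compile(r"-(?:executionpolicy|ep|ex|exec)\s+(?:bypass|unrestricted)\b", re.IGNORECASE)
CLEAR_LOG = "T1070.001 security log cleared"
EP_BYPASS = "powershell execution policy bypass"

def classify(event):
    """Return the behavior labels a single event matches (empty list if benign)."""
    labels = []
    if event["EventID"] == 1102:  # "The audit log was cleared"
        labels.append(CLEAR_LOG)
    elif event["EventID"] == 4688:  # new process created
        proc = event.get("NewProcessName", "").lower()
        if "powershell" in proc and BYPASS.search(event.get("CommandLine", "")):
            labels.append(EP_BYPASS)
    return labels

def correlate(events, window=timedelta(hours=24)):
    """Map each flagged account to a severity; 'critical' when both behaviors fall within `window`."""
    seen = {}  # user -> label -> list of timestamps
    for ev in events:
        for label in classify(ev):
            seen.setdefault(ev["SubjectUserName"], {}).setdefault(label, []).append(ev["TimeCreated"])
    result = {}
    for user, labels in seen.items():
        result[user] = "medium"
        if CLEAR_LOG in labels and EP_BYPASS in labels:
            pairs = [(a, b) for a in labels[EP_BYPASS] for b in labels[CLEAR_LOG]]
            if any(abs(a - b) <= window for a, b in pairs):
                result[user] = "critical"
    return result

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # {'svc_exch': 'critical', 'admin': 'medium'}
```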
Working With MSPs to Respond Quickly
Members of Blumira’s security, product and sales teams quickly mobilized the client and their managed service provider (MSP) to coordinate on their next incident response steps, specifically containment and remediation.
Once advised by Blumira’s team, the customer’s MSP was able to take the impacted Exchange machine offline and start the system rebuilding process.
This is a great example of Blumira’s automated detection and response platform combined with responsive and observant Blumira security analysts. Working with the customer’s MSP, our security analysts advised them on incident response best practices and helped them avoid an enterprise-wide breach.