Managed Security Services

Saving the Weekend: How the SonicSentry SOC Stopped a Saturday Night Cyberattack

by Sarah Wilkinson

The phrase “Have a great weekend” means something different to threat actors.


When You Clock Out, Threat Actors Clock In

What are you doing Saturday night? Maybe you’re having pizza with family, going to a party with friends or seeing a movie? We love that for you. Unfortunately, so do threat actors. They deliberately time their moves for the hours when you are least likely to be watching. Holidays, weekends and the middle of the night are not just fair game; for threat actors, that’s prime time. If nobody is paying attention, an attacker gets the time they need to do all sorts of things, from learning more about your environment to setting an attack in motion.

That’s why having a security operations center (SOC) is so crucial: attackers don’t wait for business hours. Unfortunately, the vast majority of small- and medium-sized businesses (SMBs) and the managed service providers (MSPs) who support them can’t simply build a SOC for themselves. Building a SOC from scratch costs upwards of $1 million, which is out of reach for many, to say nothing of the expertise required to set up critical SOC processes. That’s where the SonicSentry SOC comes in. Here’s an example of how the SonicSentry team stopped an attack in progress on a Saturday evening.

A Real-World Saturday Night Incident

Our story begins with ScreenConnect. ScreenConnect is not inherently malicious. It is a legitimate remote-access tool: by allowing remote access to a system, it enables direct customer support and makes it easy to solve common IT issues, and many MSPs and other companies use it for exactly that every day. Because of this, antivirus does not quarantine ScreenConnect, and while EDR records ScreenConnect activity, most default configurations do not alert on it.

In the wrong hands, ScreenConnect becomes a powerful tool for remote control and lateral movement. Credentials compromised through phishing or credential stuffing can give an attacker enough access to use ScreenConnect to take over machines, deploy malware and more. Time is of the essence in stopping these attacks in their tracks.

In our case, the SonicSentry SOC observed ScreenConnect running on a machine at 7:20 p.m. on a Saturday, local time. As noted above, ScreenConnect by itself isn’t malicious and isn’t the kind of thing security tools would catch by default. However, two things caught the eye of the SOC analyst: first, the session was running well outside normal business hours, and second, it was connected to a .TOP domain, not the kind of host a legitimate support session for this partner would be expected to use. Either factor on its own would have been suspicious; both together made it glaringly obvious that this was malicious behavior.

The SOC took immediate action to contain the threat by disconnecting the affected machine from the network. They called the partner by phone to let them know what was going on and continued to monitor for any other suspicious or anomalous activity. Had a second machine in that environment shown a ScreenConnect session starting, the SOC would have pulled the entire network offline in the interest of protecting the business quickly.

The SonicSentry SOC’s quick action here kept this from becoming a major cyber incident. If the activity had not been noticed until Monday morning, that would have been far too late to prevent the chaos a threat actor with free rein in a network can cause. The SOC’s expertise mattered here just as much as its speed, though. Years of experience went into custom EDR rules that flag suspicious ScreenConnect sessions; those rules go beyond standard configurations, and they are what surfaced this clearly malicious session so it could be shut down quickly.
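To make the two signals from the incident concrete, here is a small triage routine run over constructed EDR-style connection events. It is an added example written for this page, not the SonicSentry SOC’s rules or ScreenConnect’s code. Everything in it is an assumption for illustration: the event fields, the process names, the partner’s known relay host, the TLD watchlist and the Monday-to-Friday 08:00-18:00 business window. It scores each ScreenConnect session on off-hours timing, an unexpected relay host and a watchlisted TLD, isolates a host when two or more signals line up, and escalates to network isolation when a second host shows the same pattern, as the article describes.

```python
"""Triage of ScreenConnect sessions from EDR network events.

Added example, not the SonicSentry SOC's rules. Assumptions (not from the article):
the EDR emits one dict per outbound connection with the fields used below; the
partner's legitimate ScreenConnect relay host is known; business hours are
Monday-Friday 08:00-18:00 in the endpoint's local time (the timestamp's offset).
"""
from dataclasses import dataclass, field
from datetime import datetime
from pathlib import PureWindowsPath
from typing import Iterable, Optional

# Executable names a ScreenConnect client runs under (example list; verify against your EDR).
SCREENCONNECT_PROCS = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
# Relay hosts the partner actually uses; anything else is unexpected (constructed allowlist).
KNOWN_RELAYS = {"support.example-msp.com"}
# TLDs that are cheap to register and rarely host a legitimate relay (example watchlist).
SUSPICIOUS_TLDS = {"top", "xyz", "icu", "cam"}
BUSINESS_HOURS = (8, 18)  # 08:00 inclusive to 18:00 exclusive, Monday-Friday


@dataclass
class Finding:
    host: str
    relay: str
    reasons: list = field(default_factory=list)
    action: str = "none"  # none | review | isolate_host


def is_off_hours(ts: datetime) -> bool:
    """True on weekends or outside business hours, using the timestamp's own offset."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def tld_of(host: str) -> str:
    return host.rsplit(".", 1)[-1].lower()


def triage_session(event: dict) -> Optional[Finding]:
    """Score one connection event; None if the process is not a ScreenConnect client."""
    proc = PureWindowsPath(event["process"]).name.lower()
    if proc not in SCREENCONNECT_PROCS:
        return None
    ts = datetime.fromisoformat(event["timestamp"])
    relay = event["remote_host"].lower()
    f = Finding(host=event["host"], relay=relay)
    if is_off_hours(ts):
        f.reasons.append(f"session at {ts:%a %H:%M} is outside business hours")
    if relay not in KNOWN_RELAYS:
        f.reasons.append(f"relay {relay} is not the partner's known ScreenConnect server")
    if tld_of(relay) in SUSPICIOUS_TLDS:
        f.reasons.append(f"relay is on watchlisted TLD .{tld_of(relay)}")
    # One signal alone is worth a look; two or more are treated as an active intrusion.
    f.action = "isolate_host" if len(f.reasons) >= 2 else "review" if f.reasons else "none"
    return f


def triage_environment(events: Iterable[dict]):
    """Return per-session findings plus the environment-level decision.

    A second host with an isolate-worthy session means the actor is already
    moving laterally, so the recommendation escalates to isolating the network.
    """
    findings = [f for f in map(triage_session, events) if f is not None]
    isolated_hosts = {f.host for f in findings if f.action == "isolate_host"}
    env_action = "isolate_network" if len(isolated_hosts) >= 2 else "monitor"
    return findings, env_action


# Constructed sample events; 2024-03-16 is a Saturday, 2024-03-14 a Thursday.
SC = r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe"
SAMPLE_EVENTS = [
    {"host": "WS-01", "process": SC, "timestamp": "2024-03-16T19:20:00-04:00",
     "remote_host": "relay.example-support-a1b2c3.top"},
    {"host": "WS-02", "process": SC, "timestamp": "2024-03-14T10:05:00-04:00",
     "remote_host": "support.example-msp.com"},
    {"host": "WS-03", "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "timestamp": "2024-03-16T19:21:00-04:00", "remote_host": "www.example.com"},
    {"host": "WS-02", "process": SC, "timestamp": "2024-03-16T19:25:00-04:00",
     "remote_host": "support.example-msp.com"},
]

if __name__ == "__main__":
    findings, env_action = triage_environment(SAMPLE_EVENTS)
    for f in findings:
        print(f"{f.host}: {f.action:<13} {'; '.join(f.reasons) or 'nothing unusual'}")
    print("environment:", env_action)
```

Note the fourth event: a Saturday-evening session to the partner’s own relay is only flagged for review, since an MSP may well run legitimate weekend support. The relay host is the decisive signal; keeping an accurate allowlist of your own ScreenConnect servers is what lets the off-hours signal stay low-noise.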

Response Time Changes Everything

Would you rather spend your Saturday night doing literally anything other than worrying about rogue ScreenConnect sessions? Most people would. Partnering with a SOC-as-a-Service (SOCaaS) provider gives you the protection and response you and your customers need, while still letting you maintain control of your customer relationships…and your Saturday nights. 

Want to learn more about why response time matters? Check out our webinar The 3 AM Problem: The Trouble With Dwell Time.  



An Article By

Sarah Wilkinson

Senior Product Marketing Manager
Sarah Wilkinson is a Senior Product Marketing Manager at SonicWall, primarily responsible for SonicWall’s MXDR services and enabling MSP partners. She is a seasoned cybersecurity marketer, with many years of experience marketing enterprise cybersecurity solutions, primarily in the cyber threat intelligence and threat-informed defense spaces. She’s passionate about making cyber threat intelligence and other proactive cybersecurity tools accessible to small businesses and the MSPs defending them. Sarah is a graduate of West Virginia Wesleyan College.

Related Articles

  • The 3 AM Problem You Can’t Ignore
  • Visions of Cyber Attacks: The SonicSentry SOC In Action On Christmas Morning