
As we’ve described before, cyber-attacks don’t wait for you to be ready at your computer to defend against them. Threat actors actively seek out times you’re likely not paying attention to attempt to break into your network, deploy malware or steal data. They know you’re almost certainly not looking at alerts from your security tools in the middle of the night. While your security tools may send alerts, you probably won’t see them until you’re awake and back in the office. We call this gap the 3 AM Problem.
The SonicSentry Security Operations Center (SOC) works around the clock to defend our managed service provider (MSP) partners and their customers from cyber threats, effectively solving the 3 AM Problem. The SOC triages alerts for our partners, determining what’s critical and requires immediate remediation versus what can be investigated by the partner later. Their expert monitoring and response protects you and your customers 24 hours a day, every single day of the year, including major holidays like Christmas.
If you’re not paying attention to your security alerts at 3 a.m. on a normal day, they’re even further from your mind at 3 a.m. on Christmas morning. You’re sleeping peacefully, with visions of sugarplums dancing in your head, not visions of a cyberattack. Thankfully, the SonicSentry SOC is just like Santa Claus: always watching.
That brings us to this past Christmas morning, when the SonicSentry SOC detected anomalous admin activity on a firewall being monitored as part of our MDR for Network service. This was a failed admin login attempt. By itself, a failed login attempt may not be a big deal—people mistype passwords all the time. However, multiple failed admin login attempts in a short period of time are a strong indicator of a brute-force attack and always draw the attention of SonicSentry SOC analysts. These failed attempts were also being logged at, you guessed it, 3 a.m. on Christmas Day, making them even more suspicious.
The SOC began an investigation to determine where these attempts were coming from. By researching the source IP address, they determined that the attempts were coming from Germany. The company whose firewall was under attack was French and conducts business exclusively in France, which provided the final confirmation that this was malicious activity.
The SOC took action to notify the partner serving this customer. Because there was no evidence that any credentials had actually been compromised, this was done via email to allow our partner to follow up at their convenience. The partner was then able, with some guidance from the SOC, to strengthen the security posture of the firewall by updating firewall policies to restrict administrative access to a known and approved IP address list, including blocking Germany. Early detection from the SOC helped the partner to avoid a successful compromise, allowing them to provide proactive security for their customer.
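The three signals the SOC combined above (a burst of failed admin logins in a short window, an unexpected source country, and an off-hours timestamp) can be expressed as a simple detection rule. The following is an added example, not SonicSentry's or SonicWall's own code: the log format, the prefix-to-country table and the threshold/window values are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical format (not a real SonicWall log export).
SAMPLE_LOGS = """\
2023-12-25T02:58:12Z fw01 admin-login result=failed user=admin src=203.0.113.45
2023-12-25T02:58:40Z fw01 admin-login result=failed user=admin src=203.0.113.45
2023-12-25T02:59:05Z fw01 admin-login result=failed user=administrator src=203.0.113.45
2023-12-25T02:59:31Z fw01 admin-login result=failed user=admin src=203.0.113.45
2023-12-25T03:00:02Z fw01 admin-login result=failed user=root src=203.0.113.45
2023-12-25T09:15:44Z fw01 admin-login result=failed user=jdupont src=198.51.100.7
2023-12-25T09:16:10Z fw01 admin-login result=success user=jdupont src=198.51.100.7
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ admin-login result=(?P<result>\w+) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

# Hypothetical prefix-to-country table standing in for a real GeoIP lookup.
GEO_PREFIXES = {"203.0.113.": "DE", "198.51.100.": "FR"}
ALLOWED_COUNTRIES = {"FR"}        # the customer only does business in France
THRESHOLD, WINDOW = 5, timedelta(minutes=5)
OFF_HOURS = range(0, 6)           # 00:00-05:59 counts as "nobody is watching"

def country_for(ip):
    return next((c for p, c in GEO_PREFIXES.items() if ip.startswith(p)), "??")

def detect_bruteforce(log_text):
    """One alert per source IP reaching THRESHOLD failed admin logins in a sliding WINDOW."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "failed":
            continue                    # successes and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > WINDOW:       # expire failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD and m["src"] not in alerts:
            country = country_for(m["src"])
            alerts[m["src"]] = {
                "failures": len(q),
                "country": country,
                "unexpected_geo": country not in ALLOWED_COUNTRIES,
                "off_hours": ts.hour in OFF_HOURS,
                "first_seen": q[0].isoformat(),
            }
    return alerts
```

The single mistyped password from the French address never reaches the threshold, while the German source trips the rule on its fifth failure with both context flags set, which is the kind of alert an analyst escalates rather than defers.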
Small- and medium-sized businesses (SMBs) depend on their MSP partners for a range of business and information technology needs, including cybersecurity. Attacks against SMBs are increasing, but many MSPs are small businesses themselves, and providing the 24/7 active monitoring and response of a SOC can be beyond their reach. Partnering with an expert SOC provides expert security and solves the 3 AM Problem, helping to stop attackers in their tracks.
Ready to get started with SonicSentry? Contact us today!
An Article By
Sarah Wilkinson