Scary stories from the SOC

By: Drew Sanford

We’re about to close out National Cybersecurity Awareness Month, and in the spirit of October and all things Halloween, we’re here to share some real-life stories as experienced in our SOC.

In a recent episode of our ConnectWise Tech Talk podcast series, I sat down with Jay Ryerse to discuss a few incidents we’ve helped our partners solve.

We’re always happy to get involved and help our partners prevent and recover from cyber incidents, but we also want to take this opportunity to tell our partners to be proactive with cybersecurity. Take measures into your own hands to prevent scary issues from happening in the first place. Maybe we can laugh at an incident once it’s resolved and the business has survived, but cybersecurity is no joke.

Let’s think about what managed service providers (MSPs) can learn from these stories and how measures can be put in place to prevent similar cyber attacks from happening.

First, what do we know about cyberattacks?

In speaking with our partners, we know that ransomware and business email compromise (BEC) are the two biggest issues our partners’ customers are facing. In fact, a CrowdStrike study reported more ransomware attacks in the first half of 2020 than in all of 2019.

The average BEC has a financial impact of $75,000 in losses to a business. Meanwhile, the average ransomware payment now sits around $178,000 per attack, which does not include any recovery efforts whatsoever. Just ONE attack can have devastating implications for a small business, potentially even shutting down a business for good.

We recently released our second annual cybersecurity report, Creating Opportunity From Adversity: The State of SMB Cybersecurity in 2020, which points out that 91% of SMBs would start using or change providers to get the right cybersecurity and would pay up to 30% more for those services. So, while cyber threats are indeed scary and very real, MSPs have an opportunity to ramp up their security efforts to protect their clients.

Since the majority of attacks stem from human error, the opportunity to provide cybersecurity services is practically limitless. That being said, let’s dive into some truly scary stories our partners have experienced.

The backups blunder

Did you know that the average attacker sits in a network for over half a year before being seen? Or, in the case of our partner, a major law firm, over 330 days. That’s practically an entire year of dwell time without anyone noticing.

This major law firm was hit with an attack that affected every single one of their systems, including their backups. During the 330 days the attacker was in the network, they created multiple admin and user accounts and then set off an attack with a financial impact in the millions.

What went wrong?

Essentially, the law firm’s backup system was reachable over ordinary network file shares from the rest of the environment, and RDP (remote desktop protocol) was exposed as well. The attackers got into the backup system, found out exactly where the backups were being written, stopped them from running, and then encrypted everything, the backup copies included.

How to prevent this from happening

There are a few issues that came into play here that could be prevented with better cybersecurity practices.

First off, with vigilant and continuous monitoring of the network and the directory, techs would have been alerted when the new accounts were created. An admin account that nobody requested is one of the clearest signs that an intruder is in the system.

Next, if IT had run frequent backup tests (not just checking that the job reported success, but actually restoring from the copy), they would have noticed that backups had stopped and could have caught the intrusion before the encryption began.

Lastly, the network was running with RDP exposed. With visibility into that exposure, RDP could have been shut down or restricted, the logs watched, and the law firm’s risk mitigated.

Bottom line: test your backups!
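As an added example of what “test your backups” means in practice (this is not ConnectWise code, and the record layout, job names, share paths and archive bytes are constructed), the script below audits a set of backup records for the three things that went wrong in the story: a job that was quietly stopped, a copy altered after it was written, and a backup set whose every copy sits on a network share an intruder with domain credentials can reach. The 36-hour freshness policy is an assumption.

```python
"""Audit backup jobs for stale jobs, tampered copies and missing offline copies.
Added example, not ConnectWise code; all records below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass
class BackupRecord:
    job: str
    finished: datetime          # when the job last reported success
    location: str               # where this copy lives
    offline_or_immutable: bool  # True if production-network credentials cannot alter it
    sha256: str                 # digest the job recorded when the copy was written
    content: bytes              # stand-in for the archive bytes (constructed)


MAX_AGE = timedelta(hours=36)   # assumed policy: nightly jobs, tolerate one missed night


def audit_backups(records, now):
    """Return a list of (job, finding) tuples; an empty list means the set passes."""
    findings = []
    by_job = {}
    for rec in records:
        by_job.setdefault(rec.job, []).append(rec)

    for job, copies in by_job.items():
        # 1. Freshness: an attacker who stops the job leaves a growing gap here.
        newest = max(copies, key=lambda c: c.finished)
        if now - newest.finished > MAX_AGE:
            findings.append((job, f"stale: last success {newest.finished:%Y-%m-%d %H:%M}"))
        # 2. Isolation: if every copy is writable from the network, ransomware gets them all.
        if not any(c.offline_or_immutable for c in copies):
            findings.append((job, "no offline/immutable copy: every copy is reachable over the network"))
        # 3. Integrity: recompute the digest instead of trusting the job's status line.
        for c in copies:
            if hashlib.sha256(c.content).hexdigest() != c.sha256:
                findings.append((job, f"integrity mismatch at {c.location}"))
    return findings


NOW = datetime(2020, 10, 28, 9, 0)  # constructed "current time" for the sample


def _rec(job, hours_ago, location, offline, content, tamper=False):
    digest = hashlib.sha256(content).hexdigest()
    if tamper:
        content += b"\x00"  # archive altered after the digest was recorded
    return BackupRecord(job, NOW - timedelta(hours=hours_ago), location, offline, digest, content)


SAMPLE_RECORDS = [  # constructed
    _rec("fileserver", 2, r"\\backup01\nightly", False, b"fileserver-2020-10-28.tar"),
    _rec("fileserver", 26, "tape-vault", True, b"fileserver-2020-10-27.tar"),
    _rec("sql", 12 * 24, r"\\backup01\nightly", False, b"sql-2020-10-16.bak"),  # job silently stopped
    _rec("mail", 3, r"\\backup01\nightly", False, b"mail-2020-10-28.pst", tamper=True),
]

if __name__ == "__main__":
    for job, finding in audit_backups(SAMPLE_RECORDS, NOW):
        print(f"[{job}] {finding}")
```

Only the fileserver job passes: it has a fresh copy and a second copy on a target the network cannot write to. A check like this is a substitute for none of the real restore drills, but it is cheap enough to run every morning, and a job that has not succeeded in twelve days is exactly the signal the law firm never saw.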

The business email compromise fiasco

One of our partners was hired by their customer to bring their IT team on-site for a specified period of time as an on-site resource. While the partner’s IT team was on-site, one of the customer’s users was phished.

Through the phishing email, the attacker installed a trojan to keep a way back into the network and then went further, planting a rootkit and a keylogger on that user’s system.

The user asked an IT admin to come over to the computer to try to resolve the issue. Well, what do you think happened next? The admin logged into the system, the keylogger captured the admin’s username and password, and just like that the attacker had them. With those elevated permissions, the attacker was able to launch a huge attack.

What went wrong?

Phishing attacks are incredibly common. All users everywhere need to be aware of the signs of an attack and be empowered to question suspicious activity before clicking on anything.

Secondly, it’s important for strict processes and protocols to be in place so that seemingly innocuous actions don’t result in catastrophic cyber events. For example, the admin’s first course of action should not have been to walk over to the user’s computer and immediately type in a privileged username and password. A machine reporting strange behavior should be treated as potentially compromised: isolate it and investigate from a clean system rather than logging into it with an account that can reach everything.

MSPs are running so hard and so fast at all times that it’s difficult to remember to take a step back and put on a cybersecurity lens first, but doing so can prevent really big losses.

How to prevent this from happening

Make sure you’re looking at all possible layers of any scenario. Gain visibility into what’s truly happening on each and every machine, and keep privileged credentials off machines you can’t vouch for; otherwise you can inadvertently hand them to bad actors.

Bottom line: visibility is key!
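The two stories above turn on the same missing visibility: in the first, accounts were created and made admins without anyone being alerted; in the second, a privileged credential was typed into a workstation where a keylogger could take it. Below is an added example (not ConnectWise SOC tooling) of detection rules that would have fired in both cases, run over constructed Windows Security log records. The records use a reduced field set for readability (real 4728/4732 events carry the group in TargetUserName and the member as a DN or SID in MemberName), and the admin-host and privileged-account lists are assumptions standing in for a tiered admin model.

```python
"""Three detection rules over Windows Security events: intruder-created accounts,
privilege grants, and privileged logons on non-admin hosts.
Added example, not ConnectWise SOC tooling; events and environment lists are constructed."""

# Assumed environment: the only hosts where admin credentials may be used interactively.
ADMIN_HOSTS = {"DC01", "PAW01"}
PRIVILEGED_ACCOUNTS = {"admin.jsmith", "svc-backup"}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to global / local / universal security group
INTERACTIVE_LOGONS = {2, 10, 11}       # console, RDP, cached console: the password is typed on that host


def detect(events):
    """Return (rule, message) alerts. Accounts granted admin mid-stream are tracked so that
    their later logons are judged as privileged too."""
    alerts = []
    privileged = set(PRIVILEGED_ACCOUNTS)
    for e in events:
        eid = e["EventID"]
        if eid == 4720:  # user account created
            alerts.append(("new-account",
                           f'{e["SubjectUserName"]} created {e["TargetUserName"]} on {e["Computer"]}'))
        elif eid in GROUP_ADD_EVENTS and e["GroupName"] in PRIVILEGED_GROUPS:
            privileged.add(e["MemberName"])
            alerts.append(("privilege-grant",
                           f'{e["SubjectUserName"]} added {e["MemberName"]} to {e["GroupName"]}'))
        elif (eid == 4624 and e["LogonType"] in INTERACTIVE_LOGONS
              and e["TargetUserName"] in privileged and e["Computer"] not in ADMIN_HOSTS):
            alerts.append(("tier-violation",
                           f'{e["TargetUserName"]} logged on interactively (type {e["LogonType"]}) '
                           f'to {e["Computer"]}, which is not an admin host'))
    return alerts


SAMPLE_EVENTS = [  # constructed
    {"EventID": 4720, "Computer": "DC01", "SubjectUserName": "svc-backup", "TargetUserName": "helpdesk2"},
    {"EventID": 4732, "Computer": "FS01", "SubjectUserName": "svc-backup",
     "MemberName": "helpdesk2", "GroupName": "Administrators"},
    # the BEC story: the admin logs on at the keylogged workstation
    {"EventID": 4624, "Computer": "WS-ACCOUNTING-07", "TargetUserName": "admin.jsmith", "LogonType": 2},
    {"EventID": 4624, "Computer": "PAW01", "TargetUserName": "admin.jsmith", "LogonType": 2},        # allowed
    {"EventID": 4624, "Computer": "WS-ACCOUNTING-07", "TargetUserName": "jsmith", "LogonType": 2},   # normal user
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "admin.jsmith", "LogonType": 3},         # network logon: no password typed there
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "helpdesk2", "LogonType": 10},           # the intruder's new admin, over RDP
]

if __name__ == "__main__":
    for rule, msg in detect(SAMPLE_EVENTS):
        print(f"{rule:16} {msg}")
```

Four of the seven events alert: the account creation, the admin-group addition, the admin typing credentials at the accounting workstation, and the intruder’s new account using RDP. The network logon (type 3) to the file server is deliberately not flagged, since no password is typed on the target host in that case; the point of the rule is where a reusable credential is entered, not merely which account is active.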

The overly exposed encounter

We tell our partners that when they’re onboarding a new customer, they need to be hyper-aware of how that customer is set up, and they need to audit that setup periodically.

One of our partners reached out to us for help when their customer got hit with a problem. Our SOC discovered that the customer had an LDAP port exposed to the internet through their firewall. Through that open port, important information like usernames and other directory details was accessible.

One of our techs was able to get into the customer’s system by finding a user account whose password had been written into the account record itself (in the username field), which is exactly how the attacker got in.

What went wrong?

It should go without saying, but passwords should NEVER be stored in account descriptions, usernames, or anywhere other than a secure, private, encrypted place. Everyone everywhere should be armed with basic cybersecurity best practices as a starting point.

Also, it’s possible the customer wasn’t aware of which ports were open to the internet or what exposing them implied.

How to prevent this from happening

Again, make sure everyone is armed with basic cybersecurity knowledge, and go as deep as possible with that education!

It’s incredibly important to have a process for setting controls, watching those controls, and auditing regularly.

It’s a good practice to start with everything off by default, to limit any damage that may result. Get to a deny-by-default, least-privilege (‘zero trust’) posture as quickly as possible, so that you’re starting off in the best possible place.
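To audit what an exposed directory actually gives away, here is an added example (not ConnectWise tooling) that parses an LDIF dump, the format `ldapsearch` prints, and flags entries whose human-readable attributes contain something password-shaped, which is how the account in the story would have been found. The LDIF below, including its base64-encoded description and the folded line, is constructed; the list of attributes scanned and the two patterns are assumptions to tune for your own directory.

```python
"""Parse an LDIF dump and flag directory entries that leak passwords in plain text.
Added example, not ConnectWise tooling; the sample LDIF is constructed."""
import base64
import re

# Attributes a helpdesk might "helpfully" fill in and that anonymous binds often expose (assumed list).
SCAN_ATTRS = ("description", "info", "comment", "title", "samaccountname", "cn", "displayname")

# "pwd: Summer2020!" or "password is Welcome123": keyword, separator, then the secret itself.
STRONG = re.compile(r"(?i)\b(?:pass(?:word|wd|phrase)?|pwd|pw)\b\s*(?:is|[:=])\s*(\S+)")
# A password-shaped token with no separator, e.g. stuffed into the account name.
# Also trips on text like "Password reset contact", so these hits need a human look.
WEAK = re.compile(r"(?i)p[@a4]s{1,2}w[o0]r?d")


def _add_attr(entry, line):
    """Store one logical 'attr: value' line; 'attr:: value' is base64 per the LDIF spec."""
    if line.startswith("#"):
        return
    name, _, value = line.partition(":")
    if value.startswith(":"):
        value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
    else:
        value = value.strip()
    entry.setdefault(name.strip().lower(), []).append(value)


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute -> list of values.
    Handles base64 values, leading-space continuation lines and '#' comments."""
    entries, entry, logical = [], {}, []
    for raw in text.splitlines() + [""]:      # sentinel blank line closes the last entry
        if raw.startswith(" "):               # continuation of the previous logical line
            logical.append(raw[1:])
            continue
        if logical:
            _add_attr(entry, "".join(logical))
            logical = []
        if raw == "":
            if entry:
                entries.append(entry)
                entry = {}
        else:
            logical = [raw]
    return entries


def find_password_leaks(entries):
    """Return (dn, attribute, severity, value) for every suspicious attribute value."""
    hits = []
    for entry in entries:
        dn = entry.get("dn", ["?"])[0]
        for attr in SCAN_ATTRS:
            for value in entry.get(attr, []):
                if STRONG.search(value):
                    hits.append((dn, attr, "high", value))
                elif WEAK.search(value):
                    hits.append((dn, attr, "medium", value))
    return hits


SAMPLE_LDIF = """\
# constructed sample, the shape ldapsearch -x prints
dn: CN=svc-backup,CN=Users,DC=corp,DC=example
sAMAccountName: svc-backup
description: Backup service acct - pwd: Summer2
 020!
memberOf: CN=Administrators,CN=Builtin,DC=corp,DC=example

dn: CN=jsmith,CN=Users,DC=corp,DC=example
sAMAccountName: jsmith
description: Accounting

dn: CN=printer-admin,CN=Users,DC=corp,DC=example
sAMAccountName: printer-admin_P@ssw0rd
description:: VGVtcCBhY2NvdW50LCBwYXNzd29yZCBpcyBXZWxjb21lMTIz
"""

if __name__ == "__main__":
    for dn, attr, severity, value in find_password_leaks(parse_ldif(SAMPLE_LDIF)):
        print(f"{severity:6} {dn}  {attr}: {value}")
```

Feed it the output of `ldapsearch -x -H ldap://<your public address> -b <base DN>` run from outside the firewall: if that command returns entries at all, the port is open to anonymous binds, and this script tells you what those entries leak. Note that the base64-encoded description is just as readable as the plain one once decoded; encoding is not protection.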

In conclusion

We know that cybersecurity is not a 9-5 job. The average time it takes an attacker to move from the first compromised machine to the next (the ‘breakout time’) is less than 19 minutes. If you don’t have eyes on your networks 24/7, you are certainly at risk of compromise and devastating loss.

If you aren’t sure where to start with cybersecurity, check out You’ll find a ton of resources to help you at every stage of your cybersecurity journey.