Something Phishy This Way Comes: How the SonicWall SOC Proactively Defended Partners Against a New Attack

Same threats, different days? Not necessarily. Threat actors are forever innovating, looking for better and more effective ways to achieve their goals. While tactics like phishing are often in the news, even these attacks can have more beneath the surface - tactics are often combined as part of an overall attack. For example, an attack may start with phishing for initial access but ultimately lead to adversary-in-the-middle as a means of credential theft, which could then lead to account access removal, data exfiltration or other nefarious ends. To stay ahead of these threats, it's crucial to stay on top of security alerts at all hours of the day and night, but for many managed service providers (MSPs), that simply isn't possible. Many MSPs don't have 24/7 staff who are knowledgeable about cyber attacks and equipped to respond.

The SonicWall Security Operations Center (SOC) works to defend our MSP partners as part of our Managed Security Services. As we discussed in our recent post exploring the lifecycle of a threat, much of the work of the SOC is monitoring and responding to security alerts being thrown by security tools. The SOC triages the alerts and takes immediate action to stop any critical threats in their tracks and mitigate any damage, essentially putting out the fire before it spreads. And the SOC brings even more value - the SOC is staffed by experts, who recognize patterns in alerts and conduct proactive research to better secure all of our partners. This research is often triggered by alerts coming into the SOC, and what the SOC learns from one partner can benefit all of SonicWall's partners. Here's a recent example.

Can You Get to Phoenix from New York in 20 Minutes?

The SOC received an alert about an authentication failure in Microsoft 365 due to the user not usually being in the location where the attempt was coming from. The activity was flagged as risky by security tools because the user typically logged in from New York, and this authentication failure came from Phoenix, Arizona. By itself, this alert might not be malicious - people travel for business or go on vacation which could lead to a similar alert. Upon further investigation, the SOC found there was only about 20 minutes between login attempts: one in New York, and the suspicious attempt in Arizona. Because it's impossible to get from New York to Arizona in 20 minutes, this alert was particularly suspicious, and an authentication failure alert does not necessarily mean the login failed. The SOC upgraded the alert to critical, and contacted our MSP partner, who confirmed that this was a compromise as the user was in fact in New York. The SOC locked down the affected account, and our MSP partner worked with the user to reset their login credentials.

Not long after, an alert came in for a user from a different partner. On its face, it was similar: Security tools flagged an authentication failure from Phoenix, when the user was not typically in Arizona. The SOC contacted the partner and was told the user was actually vacationing in Arizona. In many cases, this confirmation from the partner would cause the SOC to close out the alert as a false positive. However, because of the previous issue, the SOC analyst took a closer look and found that the authentication failure came from the same IP address that the previous, now known to be malicious alert came from, which was so coincidental that it strongly suggested malicious activity. The SOC analyst contacted the partner again, this time by phone, to inform them that this might still be malicious, despite the user being on vacation near the IP address location. After the conversation, the partner reset the account as a precaution.

Digging Deeper

After these two alerts, it was clear to the SOC team that something more was going on. They began researching, leveraging other security researchers and open-source intelligence around the latest threat actor campaigns. The team learned that a fresh adversary-in-the-middle campaign had begun over the Independence Day (July 4) holiday in the United States, using phishing emails claiming that a secured document had been shared with the user and prompting the user to click a link to log in. Upon clicking the link in the email, the users were presented with a fake Microsoft login screen, where the two users from our partners entered their credentials, including MFA codes. The threat actors used automated infrastructure to then take these credentials and automatically attempt to log in to the account.

Now armed with this information and a list of indicators of compromise including IP addresses, the SOC team was able to build a new security rule to automatically respond to access attempts that include these indicators. Not even a day later, the rule triggered for a third partner, stopping the compromise in its tracks.

Defending the Defenders, Proactively

Small- to medium-sized businesses (SMBs) typically depend on MSPs for all of their cybersecurity needs, and the reality is that attacks against SMBs are increasing, making MSPs even more crucial. However, most MSPs don't have their own 24/7 SOC, and because they are also handling all of their clients' IT needs (not just security), they often don't have the deep cyber knowledge to recognize patterns in alerts or the time to conduct research when a new anomaly pops up in a security tool. That's where partnering with a SOC can make a huge difference.

The SonicWall SOC is focused on defending all of our partners against threats every day, with expert humans both responding to alerts and conducting proactive research. Their work to put out the fire of a critical security incident and minimize damage is crucial to keeping SMBs up and running, but what they learn from the security incidents they address and their ongoing research has cascading benefits for the larger SonicWall partner community. By partnering with the SonicWall SOC, you're not just getting cyber firefighters - you're getting the backing of an MSP-focused team of experts working to proactively make the entire community more secure in the face of cyber threats.

Ready to learn how SonicWall's Managed Security Services can bring the power (and peace of mind) of a 24/7 SOC to your clients? Contact us today!