TrapX DeceptionGrid Platform for National Government
Description
Multiple Attackers Penetrate National Agency
Project Background - a Technology Evaluation
This case study concerns a large national government agency with hundreds of employees and multiple facilities dispersed over a large geographic area. The agency wanted to learn more about deception technology as part of its regular evaluation of cyber security vendors, so DeceptionGrid was deployed as a technology evaluation.
Massive Penetration by Attackers Detected in Multiple Areas
DeceptionGrid was placed into operation. Starting almost immediately, and continuing over several weeks, the government security operations center (SOC) team received multiple high priority alerts. This was one of the most extensive attacks we have ever uncovered. We identified multiple attackers in several areas, including more than five attackers using malware servers, more than five attackers whose data flows linked back to botnet command-and-control (C2) servers, and more than fifty remote attackers using the Tor anonymity network as a proxy to hide their source IP addresses. In some cases the malware was automatically trapped and injected into the sandbox for further analysis. Multiple attackers had established command and control and had evaded the agency's entire existing array of intrusion detection, firewall, endpoint and perimeter defenses.
Malware found included Cryptowall, P2P malware, Trojan-Banker, Trojan-Ransom, Mobogenie.B and WS.Reputation.1 (the last is a Symantec reputation-based generic detection rather than a named family).
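As an added illustration (not TrapX's or DeceptionGrid's own code), the following Python sketch shows how a SOC might triage alerts of the kinds listed above into the attacker categories the case study reports and count distinct sources per category. The alert format, the indicator sets and the sample alerts are hypothetical placeholders constructed for the example; a real deployment would pull Tor exit and C2 indicators from threat-intelligence feeds.

```python
"""Added example (not TrapX DeceptionGrid code): triaging deception alerts.

Hypothetical assumptions: an alert is a dict with 'event' ('decoy_touch' for
a connection into a decoy, 'outbound' for a connection leaving a trapped
host), 'src_ip' and 'dst_ip'. The Tor exit, C2 and malware-server sets are
constructed placeholders standing in for real threat-intel feeds.
"""
import ipaddress
from collections import defaultdict

# Constructed indicator sets (RFC 5737 documentation addresses, not real IOCs).
TOR_EXITS = {"198.51.100.7", "198.51.100.9"}
C2_SERVERS = {"203.0.113.5"}
MALWARE_SERVERS = {"203.0.113.9"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample alerts in the assumed format.
SAMPLE_ALERTS = [
    {"event": "decoy_touch", "src_ip": "10.1.2.3", "dst_ip": "10.1.2.250"},
    {"event": "decoy_touch", "src_ip": "198.51.100.7", "dst_ip": "10.1.2.250"},
    {"event": "decoy_touch", "src_ip": "198.51.100.9", "dst_ip": "10.1.3.250"},
    {"event": "outbound", "src_ip": "10.1.2.3", "dst_ip": "203.0.113.5"},
    {"event": "outbound", "src_ip": "10.1.2.3", "dst_ip": "203.0.113.9"},
    {"event": "outbound", "src_ip": "10.1.2.3", "dst_ip": "192.0.2.44"},
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(alert):
    """Return (priority, category, attacker_or_infrastructure_ip) for one alert.

    Every decoy touch is high priority by construction: a decoy serves no
    business function, so any connection to it is either an attacker or a
    misconfiguration, never normal traffic. Outbound events from a trapped
    host are rated by the indicator their destination matches.
    """
    src, dst = alert["src_ip"], alert["dst_ip"]
    if alert["event"] == "decoy_touch":
        if src in TOR_EXITS:
            return "high", "tor_remote_attacker", src
        if is_internal(src):
            # Internal host probing a decoy: a compromised or misused machine
            # moving laterally, which perimeter tools would not see.
            return "high", "internal_compromised_host", src
        return "high", "external_direct_attacker", src
    if alert["event"] == "outbound":
        if dst in C2_SERVERS:
            return "high", "c2_linkage", dst
        if dst in MALWARE_SERVERS:
            return "high", "malware_server", dst
        if not is_internal(dst):
            # Unknown external destination from a trapped host: worth review,
            # but not an indicator match on its own.
            return "medium", "unknown_outbound", dst
        return "low", "internal_outbound", dst
    raise ValueError(f"unknown event type {alert['event']!r}")


def summarize(alerts):
    """Distinct IPs per category, the kind of tally behind the report's
    '5+ malware servers, 5+ C2 links, 50+ Tor sources' figures."""
    seen = defaultdict(set)
    for alert in alerts:
        _, category, ip = classify(alert)
        seen[category].add(ip)
    return {cat: sorted(ips) for cat, ips in seen.items()}


def high_priority(alerts):
    return [a for a in alerts if classify(a)[0] == "high"]


if __name__ == "__main__":
    for cat, ips in summarize(SAMPLE_ALERTS).items():
        print(f"{cat}: {len(ips)} distinct ({', '.join(ips)})")
```

The one design decision worth noting is that priority is not derived from the indicator lists for decoy touches: a decoy has no legitimate users, so the touch itself is the signal, and the indicator lookups only refine which category of attacker it is attributed to.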
Exfiltration of Data Discovered - Broadscale Remediation Required
It is clear that multiple attackers successfully exfiltrated data from this agency. The attack vectors varied substantially, and the compromised workstations and servers spanned multiple departments. Remediation was required on a broad scale and included re-provisioning both workstations and servers. The agency was faced with a choice: re-provision at large scale, or perform the more time-intensive memory-dump analysis needed to understand the full extent of the penetration by this varied mix of attackers. Known source attacker IP addresses are confidential at this time as part of an ongoing criminal investigation.
Details
Business tasks
Ensure Security and Business Continuity
Problems
Risk of attacks by hackers
Risk of data loss or damage
Risk of lost access to data and IT systems