• +48 786 088 383
  • 94-102 Lodz, Nowe Sady 4 lok.14

USE CASE #3
LACK OF CONTROL OVER AUTHORIZATIONS LEADING TO PARALYSIS OF THE ACCOUNTING OFFICE

TYPE OF ORGANIZATION

An accounting office from the SME sector, managing critical financial and personal data of its clients on a daily basis. The company did not have a dedicated IT team, which meant that responsibility for security was blurred in everyday operational duties. The work environment was based on a network of workstations where sensitive documentation was processed.

SOURCES OF VULNERABILITY TO ATTACKS

  • ESET software was installed on the computers, but there was no central management system and no protection against unauthorized uninstallation.
  • The infrastructure was based on a simple router without network segmentation, which allowed for free traffic flow between all devices.
  • The biggest risk was that all users worked on accounts with administrator privileges, and each workstation had a technical account with the same credentials.

INCIDENT

One mistake was enough: an employee opened a malicious email. Because the user had administrator privileges, the malware was able to uninstall the antivirus software without hindrance and begin the process of encrypting data.

Because the same administrator credentials were used on every computer, the attack quickly spread to the other workstations, paralyzing the entire office.

WHY WAS THE ATTACK SUCCESSFUL?

  • No AV tamper protection: the antivirus software could not prevent its own uninstallation, which allowed the attackers to disable it easily.
  • Ignoring the principle of least privilege: working on administrator accounts opened the door for attackers to penetrate deep into the system.
  • Lack of segmentation and monitoring: simple network architecture and lack of constant log monitoring allowed attackers to move freely between computers without being detected.

EFFECTS OF THE INCIDENT

  • Office work was completely halted, and access to key financial data was lost for the duration of the system recovery.
  • Restoring functionality required manual intervention on multiple workstations simultaneously.
  • There was a real threat of a breach of customer data confidentiality, which in the financial industry entails enormous responsibility and damage to reputation.

THE ROLE OF SOC ADQ: WHAT WOULD CHANGE?

  • Detection of protection uninstallation: our analysts would immediately receive an alert about the antivirus software being disabled on the first workstation.
  • Response to abuse of privileges: SOC monitoring systems would detect unusual administrator logins and attempts to spread the attack across the network.
  • Limiting the scale: thanks to rapid intervention, the infected device would be isolated before the ransomware had time to encrypt data on other computers.
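The two detections described above can be expressed as simple correlation rules. The following is an added illustration, not ADQ's or ESET's own tooling: it runs over constructed Windows-style events (service stopped 7036, product removed 1034, network logon 4624 with logon type 3) and flags a stopped or uninstalled protection agent, and one shared account logging on over the network to several hosts within a short window. The host names, timestamps and the account name "serwis" are constructed sample values.

```python
"""Constructed detection logic for the two SOC signals described on the page:
an endpoint protection agent being stopped or removed, and one shared account
logging on over the network to many hosts in a short window. Events are
simplified Windows-style records (constructed sample data, not real telemetry)."""
from collections import defaultdict
from datetime import datetime, timedelta

AV_NAME = "ESET"                    # product named on the page
SPREAD_HOSTS = 3                    # distinct hosts before a shared account is suspicious
SPREAD_WINDOW = timedelta(minutes=10)

# Constructed sample events: (time, host, event_id, details)
SAMPLE_EVENTS = [
    ("2025-01-10T09:00:05", "WS-01", 4624, {"account": "kowalska", "logon_type": 2}),
    ("2025-01-10T09:02:10", "WS-01", 7036, {"service": "ESET Service", "state": "stopped"}),
    ("2025-01-10T09:02:30", "WS-01", 1034, {"product": "ESET Endpoint Security"}),
    ("2025-01-10T09:03:00", "WS-02", 4624, {"account": "serwis", "logon_type": 3}),
    ("2025-01-10T09:03:20", "WS-03", 4624, {"account": "serwis", "logon_type": 3}),
    ("2025-01-10T09:04:05", "WS-04", 4624, {"account": "serwis", "logon_type": 3}),
    ("2025-01-10T11:30:00", "WS-05", 4624, {"account": "serwis", "logon_type": 3}),  # outside window
]


def detect(events):
    """Return a list of (rule, subject, host_or_hosts) alerts, in time order."""
    alerts = []
    net_logons = defaultdict(list)  # account -> [(time, host)] within the window
    for ts, host, event_id, d in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        # Rule 1: protection agent stopped (7036) or uninstalled (1034)
        if event_id == 7036 and AV_NAME in d["service"] and d["state"] == "stopped":
            alerts.append(("av_service_stopped", d["service"], host))
        elif event_id == 1034 and AV_NAME in d["product"]:
            alerts.append(("av_uninstalled", d["product"], host))
        # Rule 2: same account, network logon (type 3), several hosts, short window
        elif event_id == 4624 and d["logon_type"] == 3:
            recent = [(lt, lh) for lt, lh in net_logons[d["account"]] if t - lt <= SPREAD_WINDOW]
            recent.append((t, host))
            net_logons[d["account"]] = recent
            hosts = sorted({h for _, h in recent})
            if len(hosts) == SPREAD_HOSTS:  # fire once, when the threshold is crossed
                alerts.append(("shared_admin_spread", d["account"], tuple(hosts)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the first two alerts come from WS-01 within seconds of each other, and the third fires when "serwis" reaches its third host; the later WS-05 logon falls outside the window and stays silent.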

KEY CONCLUSIONS

  • Without central management and protection against uninstallation, AV software becomes an easy target for hackers.
  • Sharing administrator accounts is unacceptable. Restricting permissions is the basis of protection.
  • Constant monitoring reduces incident detection time from days to minutes, which drastically reduces losses and allows the business owner to sleep peacefully.

Check your network for leaks free of charge

We start with a free audit: we check whether your infrastructure is ready for monitoring and identify the most important threats.

Write to us

info@adq.com.pl
© 2026 ADQ Technologies | All rights reserved