Your Covalence Service
A network's threat surface is everything an attacker can target to gain access to systems or data. It is loosely represented by the shaded circles in the diagram here and includes the hardware and software in use on your network. Outside it are the cloud services your team uses; together with your network they make up your IT environment and its threat surface.
It is essential to have visibility into these attackable points, both to spot threats and to reduce what an attacker can reach. Your Covalence service provides a broad set of capabilities to support your cyber security.
Page | 4 CONFIDENTIAL
Active Features
The following capabilities are available with your service. Enabled features are indicated as appropriate.
On Premise Network Monitoring
Monitors office environments for threats and vulnerabilities
42 Active Agents
DNS Firewall
Actively blocks connections to known-bad Internet sites
Endpoint Agent Monitoring
Complements antivirus to identify threats and vulnerabilities on devices
Cloud Monitoring
Monitors for account and security breaches with your cloud services
External Risk Monitoring
Identifies assets visible to external attackers and DNS configuration issues
SEAS (Suspicious Email Analysis Service)
On demand analysis of suspicious emails and attachments
Your Network
Covalence has observed 42 devices (+7 from last month), by name and hardware address, active on your network. This number includes any visiting devices that your network use policy may allow and that Covalence also observes. A summary of these systems' connections can be provided upon request. You can also use your Covalence Observer Role to explore the devices on your network in detail.
Most Resolved Domains
The graph below lists the top 20 domains most frequently resolved by systems in your environment. This information should align with your expectation of normal network behavior; an unfamiliar domain near the top of the list is worth checking against the services you know to be in use.
Figure 1: Top Most Resolved Domains
You can learn more about the activity on your network, including the services in use, at any time using your Covalence Observer Role.
Active Users
The following heatmap is based on your cloud service activity and indicates the geographic regions from which your users are actively accessing the services that Covalence is monitoring. This map should generally align with where you expect your users to be.
Figure 2: Valid User Logins to your Domain
Covalence cloud monitoring leverages device profiles, ISP types, app usage and geolocation data to model expected user activity.
VPN Usage
Covalence identifies users who connect to your cloud services through publicly available virtual private network (VPN) products. VPN services are popular with users who connect to the Internet through untrusted networks, such as coffee shop Wi-Fi. However, these products are also popular with cyber criminals who want to obscure their true location when accessing compromised accounts, which also means a VPN login cannot be judged by its apparent location alone.
The table below lists the VPN users in your organization identified by Covalence. Review this list to ensure that only expected VPN use, in line with your corporate policies, is taking place.

User ID                  | VPN Name                     | Last Observed
christian@capitaltek.com | Infatica Proxy, Touch VPN    | 23 February 2024
ellen@capitaltek.com     | Bigmama Proxy, Namecheap VPN | 23 February 2024
rica@capitaltek.ca       | Namecheap VPN                | 28 February 2024

Figure 3: Users Using VPN Services
Please let us know whether VPN use is expected, and we will tune our monitoring accordingly.
Monitoring Threats to Your Environment
The sections that follow provide an overview of some of the key data events that drive your service and which your Covalence Team uses every day to help you reduce your threat surface. Events that warrant your attention or awareness are always delivered to you as an ARO, so you never have to worry about missing something that matters.
Your Network
Assessed Security Events: 459 (+196 from last month)
The number of security events assessed captures the total output from a range of continuously evolving analytics and detections, including everything from suspicious connections to anomaly detection and user behavioral analytics (UBA).
Threat Intelligence
Covalence employs industry standard IOCs [1] along with our own threat intelligence to identify malicious systems, domains, botnets, ransomware operators and other known threats to your environment.
1 Event (+1 from last month)
4547 IOC Lists / 40589 IOCs
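As an added illustration (not Covalence's threat-intelligence engine or any Field Effect code), the script below shows the matching rules a feed of IOCs like the one counted above needs before it is useful: a domain indicator should match the listed domain and every subdomain beneath it but not a look-alike suffix, an IP indicator should accept CIDR blocks as well as single hosts, and a file hash matches exactly regardless of case. The one-indicator-per-line feed format, the `SAMPLE_FEED` and `SAMPLE_OBSERVATIONS` data, and the indicator values themselves are all constructed for the example.

```python
"""Matching observed activity against an IOC feed.

Added example, not Covalence's threat-intelligence engine or Field Effect code.
The feed format (one 'type,value' per line), the indicator values and the
observations are all constructed for illustration.
"""
import ipaddress


def load_iocs(lines):
    """Parse 'type,value' lines into (domain set, IP network list, hash set).
    Comments and blank lines are skipped; an unknown type raises so that a
    malformed feed is noticed instead of silently matching nothing."""
    domains, nets, hashes = set(), [], set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = (part.strip().lower() for part in line.split(",", 1))
        if kind == "domain":
            domains.add(value.rstrip("."))
        elif kind == "ip":
            # A bare address becomes a /32 (or /128); strict=False also tolerates
            # feeds that name a block by a host address inside it.
            nets.append(ipaddress.ip_network(value, strict=False))
        elif kind == "sha256":
            hashes.add(value)
        else:
            raise ValueError(f"unknown IOC type in feed: {kind}")
    return domains, nets, hashes


def domain_hit(name, domains):
    """Return the IOC that covers `name`, walking up its parent labels so that
    cdn.evil.example matches an IOC for evil.example. Matching whole labels
    means notevil.example and evil.example.com do not match that IOC."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never test the bare top-level label
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def ip_hit(addr, nets):
    """Return the first IOC network containing `addr`, or None."""
    address = ipaddress.ip_address(addr)
    for net in nets:
        if address.version == net.version and address in net:
            return str(net)
    return None


def match_observations(observations, iocs):
    """observations: (kind, value) pairs taken from DNS, connection and file
    logs. Returns (kind, value, matched_ioc) for every hit."""
    domains, nets, hashes = iocs
    hits = []
    for kind, value in observations:
        matched = None
        if kind == "dns":
            matched = domain_hit(value, domains)
        elif kind == "conn":
            matched = ip_hit(value, nets)
        elif kind == "file":
            digest = value.lower()
            matched = digest if digest in hashes else None
        if matched is not None:
            hits.append((kind, value, matched))
    return hits


# Constructed feed and observations: documentation address ranges and a
# placeholder digest, none of them real indicators.
SAMPLE_HASH = "ab" * 32
SAMPLE_FEED = [
    "# type,value",
    "domain,evil.example",
    "ip,198.51.100.0/24",
    "ip,203.0.113.9",
    f"sha256,{SAMPLE_HASH}",
]
SAMPLE_OBSERVATIONS = [
    ("dns", "cdn.evil.example"),    # subdomain of a listed domain: hit
    ("dns", "notevil.example"),     # shares a suffix string only: no hit
    ("dns", "evil.example.com"),    # different registered domain: no hit
    ("conn", "198.51.100.77"),      # inside the listed /24: hit
    ("conn", "203.0.113.10"),       # neighbour of the listed host: no hit
    ("file", SAMPLE_HASH.upper()),  # hash compared case-insensitively: hit
]


def sample_hits():
    return match_observations(SAMPLE_OBSERVATIONS, load_iocs(SAMPLE_FEED))


if __name__ == "__main__":
    for hit in sample_hits():
        print(hit)
```

Running the block prints three hits (the subdomain, the address inside the /24 and the hash); the two near-misses are deliberately left out of the result so a reader can see that suffix and neighbouring-address matches are not produced.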
Page | 8 CONFIDENTIAL
Threat Hunting
120 Events (-58 from last month)
0 PCAPs analyzed (Same as last month)
In addition to automated and machine-learning-driven analytics monitoring your network, the Covalence Threat Hunting Team is continuously scouring your environment for emerging threats, signs of undiscovered threat actors and never-before-seen malware.
Beacon Detection
0 Events (Same as last month)
Covalence monitors your network for devices emitting beacons, which are periodic communications from your network to systems on the Internet. Beacons are commonly used by software to manage updates and maintain connections. Unfortunately, malware and other types of unwanted attack activity often use beacons as a method of command and control, and data exfiltration. Your network is being monitored for signs of malicious beaconing activity.
Page | 9 CONFIDENTIAL
The map below illustrates the geographic destinations of beacon traffic coming from your network.
Figure 4: Geographic Beacon Destinations
Top Beacon Destinations
The chart below shows the destination domain and communication frequency of the five most active beacons on your network.
Scan Detection
0 Events (Same as last month)
Note: Your Covalence appliance may be positioned inside the firewall perimeter of your organization. Inbound Internet scans that the firewall drops never reach the appliance, so scanning events of that kind will not be detected by Covalence analytics; scanning that originates inside your network is still visible (see the internal network scanning AROs below).
Covalence monitors your network for online scanners which are automated tools that seek to identify systems on the Internet and gather information about them. Most scanning activity is benign; however, it is also a common precursor to an attack. Covalence leverages advanced analytic profiling techniques to identify and alert on suspicious scans that could indicate a potential threat as well as those of Internet researchers and security firms.
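The following is an added example (not Covalence's analytics or Field Effect code) of the two network heuristics described on this page: the beacon check from the Beacon Detection section above, which flags a source/destination pair whose connection intervals are unusually regular, and the scan check described here, which flags a source that touches many distinct host/port targets within a short window. The connection records, the addresses and the thresholds (`min_count`, `max_cv`, `window`, `min_targets`) are constructed for the example; the real analytics profile far more than these two features.

```python
"""Beacon and scan heuristics over a constructed connection log.

Added example, not Covalence's analytics or Field Effect code. The connection
records and the thresholds are constructed/assumed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Conn:
    ts: int      # seconds since epoch (constructed)
    src: str
    dst: str
    dport: int


def find_beacons(conns, min_count=8, max_cv=0.15):
    """Map (src, dst, dport) -> (mean interval, cv) for series whose gaps are
    regular. cv is stdev/mean of the inter-arrival gaps: a scheduled beacon,
    benign updater or C2 alike, has a near-constant period and so a small cv
    even with jitter, while interactive traffic to the same host does not."""
    series = defaultdict(list)
    for c in conns:
        series[(c.src, c.dst, c.dport)].append(c.ts)
    beacons = {}
    for key, times in series.items():
        if len(times) < min_count:
            continue  # too few samples to call anything periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            beacons[key] = (period, cv)
    return beacons


def find_scanners(conns, window=60, min_targets=20):
    """Map src -> largest number of distinct (dst, dport) targets it contacted
    inside any `window`-second span. Fan-out that high, that fast, is a host
    or port sweep; a normal client touches a handful of targets per minute."""
    by_src = defaultdict(list)
    for c in conns:
        by_src[c.src].append((c.ts, c.dst, c.dport))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {(d, p) for _, d, p in events[start:end + 1]}
            if len(targets) >= min_targets:
                scanners[src] = max(scanners.get(src, 0), len(targets))
    return scanners


def sample_connections():
    """Constructed log: one jittered five-minute beacon, one host browsing the
    same site at irregular times, and one host sweeping SMB across a /24."""
    jitter = [0, 3, -2, 4, -4, 1, -3, 2, 0, 5]
    beacon = [Conn(300 * i + j, "10.0.0.5", "203.0.113.7", 443)
              for i, j in enumerate(jitter)]
    browsing = [Conn(t, "10.0.0.12", "198.51.100.20", 443)
                for t in (0, 17, 130, 145, 600, 612, 900, 1300, 1310, 2000)]
    sweep = [Conn(5000 + i, "10.0.0.9", f"10.0.1.{i}", 445)
             for i in range(1, 31)]
    return beacon + browsing + sweep


if __name__ == "__main__":
    conns = sample_connections()
    for key, (period, cv) in find_beacons(conns).items():
        print(f"beacon {key}: period {period:.0f}s, cv {cv:.3f}")
    for src, fanout in find_scanners(conns).items():
        print(f"scanner {src}: {fanout} distinct targets within 60s")
```

The browsing host makes as many connections to its destination as the beaconing host does, but its gaps vary by an order of magnitude, so only the jittered five-minute series is reported; the sweeping host never repeats a destination and so is invisible to the beacon check and caught only by the fan-out check.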
Cloud Services
60 Accounts (+4 from last month)
Figure 5: Top five Beacon Destination Domains
Page | 11 CONFIDENTIAL
Between 1 February 2024 and 29 February 2024, we detected 15 failed login attempts for user accounts in your organization. This is a low number of attempts for an organization of your size and includes normal user failed logins along with attempts to brute force access to accounts using techniques like password guessing and spraying. Techniques like these are common and in general do not represent a serious security threat in and of themselves; however, appropriate security measures such as enabling multi-factor authentication and disabling legacy authentication methods (which do not support MFA and so let a guessed password through on its own) are important ways to reduce your risk.
Key Observations
• The attacks against your domain are targeted to specific users, including accounts whose names indicate administrative roles (see Figure 6), suggesting a higher than expected level of research into your organization by an attacker, or previous compromises.
• We have noted that there are a small number of different types of device accessing your cloud domain.
◦ The integrity of these devices is critical to the security of your domain.
◦ We strongly recommend your organization ensures all devices are upgraded to their most recent available operating system and patches.
Protecting Your Accounts
During the observation period, there were brute force attempts against existing users. Users with high numbers of failed login attempts may be of particular interest or value to attackers.
• Watch for members of your team in key leadership or financial roles appearing here and take preventative action to protect them, such as ensuring strong passwords are in place and never reused and that multi-factor authentication is active. This list will also include any invalid accounts that would-be attackers may have tried to access.
• Multi-Factor Authentication (MFA) is a great way to improve account protection. Over the past month we have observed 46 (out of 60 total observed users) logging in with MFA. This number excludes users who have remained logged in since the last report, so a user missing from the count has not necessarily logged in without MFA.
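The following is an added example (not Covalence's user-behaviour analytics or Field Effect code) of the account checks described in this section and in the Cloud Services section: it ranks targeted accounts and tags each as valid or invalid using the report's own rule (a successful login was observed for it), tells a password spray apart from a brute force by the shape of a source's failures, counts MFA coverage among users who actually logged in, and lists successful VPN logins by users not expected to use one. The `SignIn` fields, the sample records, the network names, the thresholds and the user names are all constructed.

```python
"""Sign-in log triage: targeted accounts, spray vs brute force, MFA and VPN use.

Added example, not Covalence's analytics or Field Effect code. The record
layout, sample sign-ins, thresholds and names are constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    ts: int          # seconds since epoch (constructed)
    user: str
    ok: bool         # True for a successful login
    mfa: bool        # True when the successful login satisfied MFA
    src_ip: str
    network: str     # name of the network the source IP belongs to (constructed)
    vpn: bool        # True when src_ip belongs to a public VPN or proxy service


def valid_accounts(signins):
    """The report's rule: an account is valid only if a successful login has
    been observed for it. Names that only ever fail may be aliases, disabled
    accounts or an attacker's guesses."""
    return {s.user for s in signins if s.ok}


def top_targeted(signins, n=5):
    """Accounts ranked by failed attempts, each tagged valid/invalid."""
    valid = valid_accounts(signins)
    failures = Counter(s.user for s in signins if not s.ok)
    return [(user, user in valid, count) for user, count in failures.most_common(n)]


def classify_sources(signins, spray_min_users=5, brute_min_attempts=8):
    """Label each source IP by the shape of its failures. A spray tries one or
    two guesses against many accounts (staying under lockout thresholds); a
    brute force hammers a single account; anything else is treated as noise,
    which is where a user's own mistyped password lands."""
    per_source = defaultdict(Counter)
    for s in signins:
        if not s.ok:
            per_source[s.src_ip][s.user] += 1
    labels = {}
    for ip, users in per_source.items():
        total = sum(users.values())
        if len(users) >= spray_min_users and total / len(users) <= 2:
            labels[ip] = "password spraying"
        elif len(users) == 1 and total >= brute_min_attempts:
            labels[ip] = "brute force"
        else:
            labels[ip] = "noise"
    return labels


def top_source_networks(signins, n=5):
    """Networks ranked by failed attempts, the view behind the report's network table."""
    return Counter(s.network for s in signins if not s.ok).most_common(n)


def mfa_coverage(signins):
    """(users who logged in with MFA at least once, users who logged in at all)."""
    logged_in = {s.user for s in signins if s.ok}
    with_mfa = {s.user for s in signins if s.ok and s.mfa}
    return len(with_mfa), len(logged_in)


def unexpected_vpn_users(signins, expected):
    """Users with a successful VPN/proxy login who are not on the expected list."""
    return sorted({s.user for s in signins if s.ok and s.vpn} - set(expected))


def sample_signins():
    """Constructed month of sign-ins: four real users, one spray source, one
    brute-force source and one mistyped password from a home connection."""
    ok = [
        SignIn(100, "alice", True, True, "192.0.2.10", "Example Home ISP", False),
        SignIn(200, "bob", True, True, "192.0.2.11", "Example Home ISP", False),
        SignIn(300, "carol", True, False, "203.0.113.40", "Example VPN Ltd", True),
        SignIn(400, "dave", True, True, "203.0.113.41", "Example VPN Ltd", True),
    ]
    spray = [SignIn(1000 + i, u, False, False, "203.0.113.50", "Example Telecom", False)
             for i, u in enumerate(["alice", "bob", "carol", "dave", "eve", "info"])]
    brute = [SignIn(2000 + i, "alice", False, False, "198.51.100.9", "Example Hosting", False)
             for i in range(10)]
    typo = [SignIn(3000, "bob", False, False, "192.0.2.11", "Example Home ISP", False)]
    return ok + spray + brute + typo


if __name__ == "__main__":
    log = sample_signins()
    print("top targeted:", top_targeted(log))
    print("sources:", classify_sources(log))
    print("networks:", top_source_networks(log))
    print("MFA coverage: %d of %d users" % mfa_coverage(log))
    print("unexpected VPN users:", unexpected_vpn_users(log, expected=["carol"]))
```

The spray source contributes only one failure per account, so the accounts it touched rank low individually even though it is the wider attack; reading the per-source labels alongside the per-account ranking is what separates a targeted brute force from a spray that happened to include the same name.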
Page | 12 CONFIDENTIAL
We have observed 60 unique usernames in your domain. The top 9 affected usernames are:

User ID                                          | Valid Account | Attempt Count
globaladmin_adrian@capitaltek.onmicrosoft.com    | Yes           | 4
diannedonoga@capitaltek.ca                       | Yes           | 2
globaladmin_christian@capitaltek.onmicrosoft.com | Yes           | 2
trisha@capitaltek.ca                             | Yes           | 2
christian@capitaltek.com                         | Yes           | 1
frederick@capitaltek.com                         | Yes           | 1
info@capitaltek.ca                               | Yes           | 1
masteradmin@capitaltek.onmicrosoft.com           | Yes           | 1
stepan@capitaltek.com                            | Yes           | 1

Figure 6: Top Targeted Accounts
We determine account validity by whether we have observed successful logins from an account. Accounts we label invalid may therefore still exist in your cloud domain but be disabled or inactive. We also label an account as invalid if it is an email alias rather than a login username.
The users targeted in any given organization vary through time. Attackers use automated systems, leveraging global infrastructure to conduct their operations. They harvest publicly available information and use leaked account credentials from data breaches unrelated to your organization to continually update and refine their targeting and attacks. This information is used to identify high value targets (executives, financial administrators, IT administrators, etc.) and to develop phishing strategies for financial redirection and other attacks. Phishing is the most common way an account is compromised and has evolved to bypass some MFA controls (for example by relaying the login, and the one-time code with it, through an attacker-controlled proxy page), making ongoing user awareness an important part of your overall threat surface management; phishing-resistant methods such as FIDO2 security keys are not defeated by that relay.
Who is targeting your users?
The following heat map provides a high-level geographic representation of the sources of malicious or unauthorized attempts to access CapitalTek cloud accounts.
Figure 7: Heatmap of Source Networks Attacking your Domain
Top Attacker Source Network Countries
Most attackers use globally distributed infrastructure, often relying on botnet infrastructure [2], supplemented with a small amount of bulletproof hosting [3] infrastructure to conduct their operations.

Top 3 Countries | Attempt Count
Philippines     | 7
Canada          | 6
Sweden          | 2

Figure 8: Top Attacker Source Network Countries
Top Networks Used by Attackers
Most modern attackers use public Internet Service Providers (ISPs) and other services like VPNs to launch their attacks and conduct operations to access their victim systems.
The top 5 networks used to attack your domain were as follows. Failed logins from the domestic ISPs and mobile carriers your own users are likely to be on may simply be mistyped passwords, so read this table together with the targeted-account list above rather than on its own.
Page | 14 CONFIDENTIAL
Top 5 Networks                    | Attempt Count
Globe Telecom Inc                 | 5
Rogers Communications Canada Inc. | 5
Converge ICT Net Blocks           | 2
Hern Labs AB                      | 2
Telus Mobility                    | 1

Figure 9: Top Networks Used by Attackers
Threat Surface Reduction
Managing your organization's threat surface is a continuous process and Covalence helps make it easier.
Actions, Recommendations and Observations
AROs (Actions, Recommendations and Observations) are the core deliverable from your Covalence service and are specific to your security context. They either require your immediate attention to address an issue (Action), provide advice for reducing your threat surface (Recommendation) or offer insight you can use to improve your security posture (Observation).
Our objective is to provide Managed Service clients with AROs only in cases where action is required or awareness is important. A Covalence ARO is generated after inspecting the details of the devices involved, the nature of the communications and often multiple other data points. In some cases an ARO is generated for you automatically; in others a human analyst has reviewed or generated the ARO directly.
Page | 15 CONFIDENTIAL
ARO Status and Remediation

Endpoint Risk - Malware Detected (ARO-141)
Action (Resolved)
Remediation:
• Validate the Microsoft Defender alerts for the identified endpoint.
• Ensure you have the latest virus and threat protection updates, via the Windows Security menu options.
• Run a full scan of the affected endpoint with Microsoft Defender.
• If the identified activity is associated with a confirmed breach, we recommend re-imaging the system.

Account Risk - Potential Credential Compromise (ARO-154)
Action (Unresolved)
Remediation:
• Contact the identified user to verify that this activity is expected.
• If this activity is unexpected, reset the account credentials immediately.
• Please leverage comments on this ARO to report any suspicious changes or activity that may be observed with this account.

Endpoint Risk - Malware Detected (ARO-143)
Action (Resolved)
Remediation:
• Validate the Microsoft Defender alerts for the identified endpoint.
• Ensure you have the latest virus and threat protection updates, via the Windows Security menu options.
• Run a full scan of the affected endpoint with Microsoft Defender.
• If the identified activity is associated with a confirmed breach, we recommend re-imaging the system.

Endpoint Risk - Vulnerable Software Detected - Chrome and Chromium-based Browsers (ARO-133)
Recommendation (Dismissed)
Remediation:
• We recommend that Windows, Mac, and Linux desktop users manually upgrade now to the latest Chrome version by going to Settings -> Help -> About Google Chrome.
• We recommend that Windows desktop users manually upgrade now to the latest Edge version by going to Settings -> About Microsoft Edge.
• Administrators can configure updates to be deployed automatically using group policy. Further guidance and templates are provided by the respective vendors. [Chrome](https://support.google.com/chrome/a/answer/6350036?hl=en), [Edge](https://learn.microsoft.com/en-us/deployedge/configure-microsoft-edge), and [Brave](https://support.brave.com/hc/en-us/articles/360039248271-Group-Policy) support automatic updates whereas Opera and Vivaldi do not.
• For Chromium-based browsers, refer to the vendor's release notes below and to the documentation for instructions on how to update to the latest version.

Endpoint Risk - Unpatched Microsoft Products (ARO-138)
Recommendation (Dismissed)
Remediation:
• Update the software on the affected endpoints using the provided CVE links and associated references.

Endpoint Risk - Vulnerable Software Detected - Windows (ARO-126)
Recommendation (Resolved)
Remediation:
• Upgrade the software listed above to the latest version and remove any unused or outdated software.

Endpoint Risk - Hosts Observed Without Covalence Agent Installed (ARO-134)
Recommendation (Dismissed)
Remediation:
• We recommend that you review the list of hosts identified and install the Covalence endpoint agent wherever possible.

Network Risk - Internal Network Scanning Detected (ARO-135)
Recommendation (Dismissed)
Remediation:
• Validate with the last user if this activity is expected.
• If the activity is unexpected, disconnect this endpoint from your network and contact us for further assistance.

Endpoint Risk - Vulnerable Software Detected - Windows (ARO-128)
Recommendation (Resolved)
Remediation:
• Upgrade the software listed above to the latest version and remove any unused or outdated software.

Endpoint Risk - Vulnerable Operating System Detected (ARO-132)
Recommendation (Dismissed)
Remediation:
• Run Windows Update on the system(s) listed above, which can be found via Windows Update Settings.

Network Risk - Internal Network Scanning Detected (ARO-149)
Recommendation (Resolved)
Remediation:
• Validate with the last user if this activity is expected.
• If the activity is unexpected, disconnect this endpoint from your network and contact us for further assistance.

Account Risk - Account Added to Microsoft 365 Administrative Group (ARO-140)
Recommendation (Resolved)
Remediation:
• Reset user credentials for both accounts, and revoke all active user sessions.
• Where possible, enforce the use of MFA for administrative accounts.

Endpoint Risk - At Risk Software Observed - AnyDesk (ARO-145)
Recommendation (Resolved)
Remediation:
• Refer to the AnyDesk security advisory referenced below; change AnyDesk user passwords and apply the latest update as soon as possible.
• We recommend enabling Multi-Factor Authentication (MFA) for all AnyDesk accounts, especially for users with elevated privileges.

Endpoint Risk - Unpatched Microsoft Products (ARO-150)
Recommendation (Resolved)
Remediation:
• Update the software on the affected endpoints using the provided CVE links and associated references.

Endpoint Risk - At Risk Software Observed - AnyDesk (ARO-142)
Recommendation (Resolved)
Remediation:
• Refer to the AnyDesk security advisory referenced below; change AnyDesk user passwords and apply the latest update as soon as possible.
• We recommend enabling Multi-Factor Authentication (MFA) for all AnyDesk accounts, especially for users with elevated privileges.

Endpoint Risk - Vulnerable Software Detected - Windows (ARO-130)
Recommendation (Dismissed)
Remediation:
• Upgrade the software listed above to the latest version and remove any unused or outdated software.

Endpoint Risk - Vulnerable Software Detected - Windows (ARO-129)
Recommendation (Resolved)
Remediation:
• Upgrade the software listed above to the latest version and remove any unused or outdated software.

Account Risk - Account Added to Microsoft 365 Administrative Group (ARO-146)
Recommendation (Resolved)
Remediation:
• Reset user credentials for both accounts, and revoke all active user sessions.
• Where possible, enforce the use of MFA for administrative accounts.

Endpoint Risk - Vulnerable Operating System Detected (ARO-125)
Recommendation (Resolved)
Remediation:
• Run Windows Update on the system(s) listed above, which can be found via Windows Update Settings.

Endpoint Risk - Hosts Observed Without Covalence Agent Installed (ARO-127)
Recommendation (Resolved)
Remediation:
• We recommend that you review the list of hosts identified and install the Covalence endpoint agent wherever possible.

Endpoint Risk - Vulnerable Software Detected - WinRAR (ARO-131)
Recommendation (Dismissed)
Remediation:
• We recommend updating the affected software to the latest version as soon as possible.

Security Alert - Microsoft Defender for Cloud (ARO-139)
Observation (Dismissed)
Remediation:
• Investigate and address the Microsoft Defender for Cloud Alert.
• Follow the recommended configuration steps provided by Microsoft.

Endpoint Risk - Potentially Unwanted Applications Detected (ARO-148)
Observation (Dismissed)
Remediation:
• Validate the presence of PUAs on the affected endpoint(s). If their presence is unexpected, we recommend uninstalling them.

Security Alert - Microsoft Defender for Cloud (ARO-136)
Observation (Dismissed)
Remediation:
• Investigate and address the Microsoft Defender for Cloud Alert.
• Follow the recommended configuration steps provided by Microsoft.

Account Risk - VPN Authentication Detected (ARO-151)
Observation (Resolved)
Remediation:
• If this activity is unexpected, reset the account credentials and revoke all user sessions immediately.
• Enable Multi-Factor Authentication (MFA) for all accounts within your organization as an additional security control, if not already implemented.

Suspicious Login Detected (ARO-153)
Observation (Dismissed)
Remediation:
• Contact the identified user to verify that this activity is expected.
• If this activity is unexpected, reset the account credentials immediately.
• Please leverage comments on this ARO to report any suspicious changes or activity that may be observed with this account.

Account Risk - VPN Authentication Detected (ARO-152)
Observation (Dismissed)
Remediation:
• If this activity is unexpected, reset the account credentials and revoke all user sessions immediately.
• Enable Multi-Factor Authentication (MFA) for all accounts within your organization as an additional security control, if not already implemented.

Security Alert - Microsoft Defender for Cloud (ARO-137)
Observation (Dismissed)
Remediation:
• Investigate and address the Microsoft Defender for Cloud Alert.
• Follow the recommended configuration steps provided by Microsoft.

Security Alert - Microsoft Defender for Cloud (ARO-144)
Observation (Dismissed)
Remediation:
• Investigate and address the Microsoft Defender for Cloud Alert.
• Follow the recommended configuration steps provided by Microsoft.

Account Risk - VPN Authentication Detected (ARO-147)
Observation (Dismissed)
Remediation:
• If this activity is unexpected, reset the account credentials and revoke all user sessions immediately.
• Enable Multi-Factor Authentication (MFA) for all accounts within your organization as an additional security control, if not already implemented.

Figure 10: Outstanding and Closed AROs

Protecting Your Cloud Services
User awareness is one of the best methods of protecting a network and preventing an incident. The list of targeted users and accounts should be reviewed, and their owners made aware of the threat. These "most targeted" users should also be prioritized for the implementation of technological protections such as strong passwords and MFA.
Note: You can tell us about your users like whether they travel, what devices they use, etc. in order to help further tune our compromise-detection analytics.
Improve Account Security
The most effective ways to further improve your account and email security are to enable MFA and increase user awareness. MFA is not a silver bullet, but it can significantly improve your organization's security posture by stopping an attacker who has guessed a password or obtained one from another website's breach from using it on its own.
• 46 of 60 observed users have used MFA to log in this month.
External Network Information
Knowledge about the large networks that make up the Internet, referred to as Autonomous Systems and identified by an Autonomous System Number (ASN), provides some insight into the types of users or systems interacting with your business network. This annex provides details on some of the ASNs that appear in this report.
Resources
The following resources are recommended by Field Effect as helpful guides or documentation to use when implementing cyber security measures and plans for your network.
Industry Best Practices
Baseline Cyber Security Controls for Small and Medium Organizations
Published by the Canadian Centre for Cyber Security
https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations
The Essential Eight
Published by the Australian Cyber Security Centre
https://www.cyber.gov.au/publications/essential-eight-explained
National Cyber Security Center (United Kingdom)
https://www.ncsc.gov.uk/section/advice-guidance/all-topics
Page | 24 CONFIDENTIAL
Cyber Security Framework
Published by the National Institute of Standards and Technology (United States)
https://www.nist.gov/cyberframework
FES Glossary of Terms
Published by Field Effect Software
https://my.fieldeffect.net/Portal.html?locale=en_CA#/support/glossary
[1] Indicators of compromise take the form of IP addresses, domain names, file hashes, URLs, signatures and other discrete markers of suspicious or malicious activity.
[2] Botnets are large collections of compromised systems centrally controlled by an attacker.
[3] Bulletproof hosting is a type of online hosting service known for its leniency about the content allowed on its platforms. Bulletproof hosts also specialize in customer anonymity and therefore attract significant use by cybercriminals seeking to remain hidden while still operating infrastructure online.
[4] https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
support@capitaltek.com https://capitaltek.ca +18779708324 www.fieldeffect.com