Monthly Service Report

Covalence Monthly Service Report, February 2024

CapitalTek

Reporting Period: 1 February 2024 - 29 February 2024

Health Check: At Risk

Issues that put your IT environment at risk have been identified and require your attention. See Actions, Recommendations, and Observations below.

Contents

• Introduction (p. 3)

• Intended Audience (p. 3)

• How to use this report (p. 3)

• Where to get help (p. 3)

• Emergencies (p. 3)

• Your Covalence Service (p. 4)

• Active Features (p. 5)

• Your Network (p. 6)

• Most Resolved Domains (p. 6)

• Active Users (p. 7)

• VPN Usage (p. 7)

• Monitoring Threats to Your Environment (p. 8)

• Your Network (p. 8)

• Cloud Services (p. 11)

• Key Observations (p. 12)

• Protecting Your Accounts (p. 12)

• Who is targeting your users? (p. 13)

• Threat Surface Reduction (p. 15)

• Actions, Recommendations and Observations (p. 15)

• Protecting Your Cloud Services (p. 23)

• External Network Information (p. 24)

• Resources (p. 24)

• Industry Best Practices (p. 24)

Page | 2 CONFIDENTIAL

Introduction

This monthly report provides you with information about your Covalence service as well as key details related to your IT environment and its security. Based on this information, Threat Surface Reduction information is provided, which offers key steps that can be taken to improve your security.

Intended Audience

This report should be reviewed by CIOs, CISOs, IT administrators, network administrators, and office managers as well as Managed Service Providers who support these functions. It is written in a way that is intended to help anyone who has responsibility for network operation and security to be able to improve the security posture of their network.

How to use this report

Your Covalence service is a comprehensive approach to help identify threats to your network and importantly, to reduce the likelihood of success by a threat actor. This report provides details about your service that you should use to:

• Ensure that the service is operating as you expect it to

• Identify additional Covalence services that you can make use of

• Spot issues that have been identified but not yet resolved

• Develop a plan or steps to take to make your network more secure and resilient to cyber threats

Where to get help

If you have any questions about this report, your service, or have questions about cyber security, you can reach out to your Cyber Security Concierge at support@fieldeffect.com at any time.

Emergencies

In the event of an incident, please contact forensics@fieldeffect.com or call our support number at the following numbers and indicate you require immediate support:

• Canada and the United States: +1.800.299.8986

• United Kingdom: +44.800.0869176

• Australia: +61.1800.431418


Your Covalence Service

A network's threat surface is what attackers target to gain access to systems or data. It is loosely represented by the shaded circles in the diagram here and includes the hardware and software that are in use on your network. Outside it are the cloud services used by your team which, along with your network, make up your IT environment and its Threat Surface.

It is essential to have visibility into these attackable points to spot threats, and to help you reduce what attackers can reach. Your Covalence service provides a broad set of capabilities to support your cyber security.


Active Features

The following capabilities are available with your service. Enabled features are indicated as appropriate.

On Premise Network Monitoring

Monitors office environments for threats and vulnerabilities

42 Active Agents

DNS Firewall

Actively blocks connections to known-bad Internet sites

Endpoint Agent Monitoring

Complements antivirus to identify threats and vulnerabilities on devices

Cloud Monitoring

Monitors for account and security breaches with your cloud services

External Risk Monitoring

Identifies assets visible to external attackers and DNS configuration issues

SEAS (Suspicious Email Analysis Service)

On demand analysis of suspicious emails and attachments


Your Network

Most Resolved Domains

Covalence has observed 42 devices (+7 from last month), by name and hardware address, active on your network. This number includes any visiting devices that your network use policy may allow which are also observed by Covalence. A summary of these systems’ connections can be provided upon request. You can also use your Covalence Observer Role to explore the devices on your network in detail.

The graph below provides a list of the top 20 most resolved domains by systems in your environment. This information should align with your expectation of network behavior.

You can learn more about the activity on your network, including the services in use, at any time using your Covalence Observer Role.

Figure 1: Top Most Resolved Domains

Active Users

The following heatmap is based on your cloud service activity and indicates the geographic regions from which your users are actively accessing the services that Covalence is monitoring. This map should generally align with where you expect your users to be.

Covalence cloud monitoring leverages device profiles, ISP types, app usage and geolocation data to model expected user activity.

VPN Usage

Users that connect to your cloud services through publicly available virtual private network (VPN) products are identified by Covalence. VPN services are popular with users who connect to the Internet through untrusted networks, such as coffee shop Wi-Fi. However, these products are also popular with cyber criminals who are attempting to obscure their true location when accessing compromised accounts.

The table below provides information about VPN users in your organization identified by Covalence. This list should be reviewed to ensure only expected VPN use, in line with your corporate policies, is taking place.

Figure 2: Valid User Logins to your Domain

Please let us know whether VPN use is expected, and we will tune our monitoring accordingly.

Monitoring Threats to Your Environment

The sections that follow provide an overview of some of the key data events that drive your service and which your Covalence Team uses every day to help you reduce your threat surface. Events that warrant your attention or awareness are always delivered to you as an ARO, so you never have to worry about missing something that matters.

Your Network

Assessed Security Events: 459 (+196 from last month)

The number of security events assessed captures the total output from a range of continuously evolving analytics and detections, including everything from suspicious connections, to anomaly detection and user behavioral analytics (UBA).

Threat Intelligence

Covalence employs industry standard IOCs along with our own threat intelligence to identify malicious systems, domains, botnets, ransomware operators and other known threats to your environment.

1 Event (+1 from last month)

4547 IOC Lists / 40589 IOCs [1]

| User ID | VPN Name | Last Observed |
|---|---|---|
| christian@capitaltek.com | Infatica Proxy, Touch VPN | 23 February 2024 |
| ellen@capitaltek.com | Bigmama Proxy, Namecheap VPN | 23 February 2024 |
| rica@capitaltek.ca | Namecheap VPN | 28 February 2024 |

Figure 3: Users Using VPN Services

Threat Hunting

120 Events (-58 from last month)

0 PCAPs analyzed (Same as last month)

In addition to automated and machine-learning-driven analytics monitoring your network, the Covalence Threat Hunting Team is continuously scouring your environment for emerging threats, signs of undiscovered threat actors and never-before-seen malware.

Beacon Detection

0 Events (Same as last month)

Covalence monitors your network for devices emitting beacons, which are periodic communications from your network to systems on the Internet. Beacons are commonly used by software to manage updates and maintain connections. Unfortunately, malware and other types of unwanted attack activity often use beacons as a method of command and control, and data exfiltration. Your network is being monitored for signs of malicious beaconing activity.
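One common way to surface the periodic communications this section describes is to group outbound connections by source and destination and score how regular the gaps between them are. The following is an added example written for this report, not Covalence's own analytic; the log format, host names, destinations and the coefficient-of-variation threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound connection log: "timestamp source-host destination".
# These lines are made up for this example; they are not the report's data.
SAMPLE_LOG = """\
2024-02-12T09:00:02 ws-17 203.0.113.45
2024-02-12T09:00:10 ws-22 news.example.org
2024-02-12T09:05:01 ws-17 203.0.113.45
2024-02-12T09:07:44 ws-22 cdn.example.org
2024-02-12T09:10:03 ws-17 203.0.113.45
2024-02-12T09:14:59 ws-17 203.0.113.45
2024-02-12T09:19:58 ws-17 203.0.113.45
2024-02-12T09:21:30 ws-22 news.example.org
2024-02-12T09:25:02 ws-17 203.0.113.45
2024-02-12T09:30:00 ws-17 203.0.113.45
2024-02-12T09:34:57 ws-17 203.0.113.45
2024-02-12T09:48:12 ws-22 news.example.org
2024-02-12T10:00:00 ws-09 updates.vendor.example
2024-02-12T11:00:00 ws-09 updates.vendor.example
2024-02-12T12:00:00 ws-09 updates.vendor.example
2024-02-12T12:03:27 ws-22 news.example.org
2024-02-12T13:00:00 ws-09 updates.vendor.example
2024-02-12T14:00:00 ws-09 updates.vendor.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, src, dst) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_beacons(text, min_connections=4, max_cv=0.2):
    """Return candidate beacons, most regular first.

    A (src, dst) pair is a candidate when it has at least min_connections
    connections and the coefficient of variation (std dev / mean) of the
    gaps between consecutive connections is at most max_cv. A low CV means
    the host talks to that destination on a near-fixed schedule, whether a
    benign updater or a command-and-control check-in; the list is a triage
    queue, not a verdict. The thresholds are assumptions for this example.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_pair[(src, dst)].append(ts)

    candidates = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:          # all timestamps identical; nothing periodic
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            candidates.append({
                "src": src, "dst": dst, "count": len(stamps),
                "interval_s": round(avg, 1), "cv": round(cv, 3),
            })
    candidates.sort(key=lambda c: c["cv"])
    return candidates


if __name__ == "__main__":
    for c in find_beacons(SAMPLE_LOG):
        print(f"{c['src']} -> {c['dst']}: {c['count']} connections, "
              f"every ~{c['interval_s']}s (cv={c['cv']})")
```

On the sample log the hourly updater and the five-minute check-in with a few seconds of jitter are both listed, while the irregular browsing to news.example.org is not; the updater is the kind of benign beacon the section mentions that still has to be recognised during triage.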


The map below illustrates the geographic destinations of beacon traffic coming from your network.

Top Beacon Destinations

The chart below shows the destination domain and communication frequency of the five most active beacons on your network.

Figure 4: Geographic Beacon Destinations

Scan Detection

0 Events (Same as last month)

Note: Your Covalence appliance may be positioned inside the firewall perimeter of your organization. As a result, scanning events will not be detected by Covalence analytics.

Covalence monitors your network for online scanners which are automated tools that seek to identify systems on the Internet and gather information about them. Most scanning activity is benign; however, it is also a common precursor to an attack. Covalence leverages advanced analytic profiling techniques to identify and alert on suspicious scans that could indicate a potential threat as well as those of Internet researchers and security firms.

Cloud Services

60 Accounts (+4 from last month)

Figure 5: Top five Beacon Destination Domains

Between 1 February 2024 and 29 February 2024, we detected 15 failed login attempts for user accounts in your organization. This is a low number of attempts for an organization of your size and includes normal user failed logins along with attempts to brute force access to accounts using techniques like password guessing and spraying. Techniques like these are common and in general do not represent a serious security threat in and of themselves; however, appropriate security measures such as enabling multi-factor authentication and disabling legacy authentication methods are important ways to reduce your risk.
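As an added illustration, not Field Effect's code or data, the following script rolls a constructed sign-in audit log up into the figures this section presents: total failures, most targeted accounts, top source countries, and, per source address, whether the failures look like password guessing against one account or spraying across many. The log format, account names, addresses and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sign-in audit lines (not from the report), in time order:
# timestamp, user, source address, source country, outcome.
SAMPLE_SIGNINS = """\
2024-02-05T03:12:44 user=alice@example.invalid src=198.51.100.7 country=PH result=failure
2024-02-05T03:12:51 user=bob@example.invalid src=198.51.100.7 country=PH result=failure
2024-02-05T03:12:58 user=carol@example.invalid src=198.51.100.7 country=PH result=failure
2024-02-05T03:13:05 user=dave@example.invalid src=198.51.100.7 country=PH result=failure
2024-02-05T03:13:12 user=erin@example.invalid src=198.51.100.7 country=PH result=failure
2024-02-06T22:40:01 user=admin@example.invalid src=203.0.113.9 country=SE result=failure
2024-02-06T22:40:03 user=admin@example.invalid src=203.0.113.9 country=SE result=failure
2024-02-06T22:40:06 user=admin@example.invalid src=203.0.113.9 country=SE result=failure
2024-02-06T22:40:08 user=admin@example.invalid src=203.0.113.9 country=SE result=failure
2024-02-06T22:40:15 user=admin@example.invalid src=203.0.113.9 country=SE result=success
2024-02-07T09:02:10 user=alice@example.invalid src=192.0.2.30 country=CA result=failure
2024-02-07T09:02:40 user=alice@example.invalid src=192.0.2.30 country=CA result=success
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>\S+) result=(?P<result>success|failure)$"
)


def parse_signins(text):
    """Return a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events, brute_min_failures=3, spray_min_accounts=5):
    """Label each source address by the shape of its failed logins.

    'brute_force': repeated failures against one account from that source
    'spraying':    a few failures each against many distinct accounts
    'normal':      nothing beyond ordinary mistyped passwords
    Also returns the (src, user) pairs where a success followed at least
    brute_min_failures failures from the same source: the case to verify
    with the account owner. Thresholds are assumptions for this example.
    """
    fails = defaultdict(Counter)       # src -> Counter(user -> failures)
    success_after_failures = set()
    for ev in events:                  # relies on time-ordered input
        if ev["result"] == "failure":
            fails[ev["src"]][ev["user"]] += 1
        elif fails.get(ev["src"], Counter())[ev["user"]] >= brute_min_failures:
            success_after_failures.add((ev["src"], ev["user"]))

    labels = {}
    for src, per_user in fails.items():
        if max(per_user.values()) >= brute_min_failures:
            labels[src] = "brute_force"
        elif len(per_user) >= spray_min_accounts and max(per_user.values()) <= 2:
            labels[src] = "spraying"
        else:
            labels[src] = "normal"
    return labels, sorted(success_after_failures)


def summarize(events, top_n=5):
    """Roll the events up into the figures a monthly report presents."""
    failures = [e for e in events if e["result"] == "failure"]
    labels, flagged = classify_sources(events)
    return {
        "failed_attempts": len(failures),
        "top_accounts": Counter(e["user"] for e in failures).most_common(top_n),
        "top_countries": Counter(e["country"] for e in failures).most_common(top_n),
        "source_labels": labels,
        "success_after_failures": flagged,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_signins(SAMPLE_SIGNINS)).items():
        print(f"{key}: {value}")
```

The single mistyped password from the office address stays "normal", which is the ordinary user failure the section says is mixed into the count; the success that follows four failures against the admin account is the one that warrants a credential reset if the user does not recognise it.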

Key Observations

• The attacks against your domain are targeted to specific users, suggesting a higher than expected level of research into your organization by an attacker, or previous compromises.

• We have noted that there are a small number of different types of device accessing your cloud domain.

◦ The integrity of these devices is critical to the security of your domain.

◦ We strongly recommend your organization ensures all devices are upgraded to their most recent available operating system and patches.

Protecting Your Accounts

During the observation period, there were brute force attempts against existing users. Users with high numbers of failed login attempts may be of particular interest or value to attackers.

• Watch for members of your team in key leadership or financial roles appearing here and take preventative action to protect them like ensuring strong passwords are in place and never reused, and multi-factor authentication is active. This list will also include any invalid accounts that would-be attackers may have tried to access.

• Multi-Factor Authentication (MFA) is a great way to improve account protection. Over the past month we have observed 46 (out of 60 total observed users) logging in with MFA. This number excludes users who have remained logged in since the last report.


We have observed 60 unique usernames in your domain. The top 9 affected usernames are:

We determine account validity by whether we have observed successful logins from an account. Therefore, these accounts may exist in your cloud domain but may be disabled or inactive. We also label an account as invalid if it is an email alias as opposed to a login username.

The users targeted in any given organization vary through time. Attackers use automated systems, leveraging global infrastructure to conduct their operations. They harvest publicly available information and use leaked account credentials from data breaches independent of your organization to continually update and refine their targeting and attacks. This information is used to identify high value targets (executives, financial administrators, IT administrators, etc.) and for developing phishing strategies to implement financial redirection and other attacks. Phishing attacks are the most common way an account is compromised and have evolved to even bypass some MFA controls making on-going user awareness an important part of your overall threat surface management.

Who is targeting your users?

The following heat map provides a high-level geographic representation of the sources of malicious or unauthorized attempts to access CapitalTek cloud accounts.

| User ID | Valid Account | Attempt Count |
|---|---|---|
| globaladmin_adrian@capitaltek.onmicrosoft.com | Yes | 4 |
| diannedonoga@capitaltek.ca | Yes | 2 |
| globaladmin_christian@capitaltek.onmicrosoft.com | Yes | 2 |
| trisha@capitaltek.ca | Yes | 2 |
| christian@capitaltek.com | Yes | 1 |
| frederick@capitaltek.com | Yes | 1 |
| info@capitaltek.ca | Yes | 1 |
| masteradmin@capitaltek.onmicrosoft.com | Yes | 1 |
| stepan@capitaltek.com | Yes | 1 |

Figure 6: Top Targeted Accounts

Top Attacker Source Network Countries

Most attackers use globally distributed infrastructure, with attackers often relying on botnet infrastructure [2], supplemented with a small amount of bulletproof hosting [3] infrastructure to conduct their operations.

Top Networks Used by Attackers

Most modern attackers use public Internet Service Providers (ISPs) and other services like VPNs to launch their attacks and conduct operations to access their victim systems.

The top 5 networks used to attack your domain were as follows.

Figure 7: Heatmap of Source Networks Attacking your Domain

| Top 3 Countries | Attempt Count |
|---|---|
| Philippines | 7 |
| Canada | 6 |
| Sweden | 2 |

Figure 8: Top Attacker Source Network Countries

Threat Surface Reduction

Managing your organization’s threat surface is a continuous process and Covalence helps make it easier.

Actions, Recommendations and Observations

AROs (Actions, Recommendations and Observations) are the core deliverable from your Covalence service and are specific to your security context. They either require your immediate attention to address an issue (Action), provide advice for reducing your threat surface (Recommendation) or offer insight you can use to improve your security posture (Observation).

Our objective is to provide Managed Service clients with AROs only in cases where action is required, or awareness is important. After inspecting the details of the devices involved, the nature of the communications, and often multiple other data points, a Covalence ARO is generated. In some cases, an ARO is generated for you automatically, and in other cases a human analyst has reviewed or generated the ARO directly.

| Top 5 Networks | Attempt Count |
|---|---|
| Globe Telecom Inc | 5 |
| Rogers Communications Canada Inc. | 5 |
| Converge ICT Net Blocks | 2 |
| Hern Labs AB | 2 |
| Telus Mobility | 1 |

Figure 9: Top Networks Used by Attackers

ARO Status and Remediation

Endpoint Risk - Malware Detected (ARO-141)

Action (Resolved)

Remediation:

• Validate the Microsoft Defender alerts for the identified endpoint.

• Ensure you have the latest virus and threat protection updates, via the Windows Security menu options.

• Run a full scan of the affected endpoint with Microsoft Defender.

• If the identified activity is associated with a confirmed breach, we recommend re-imaging the system.

Account Risk - Potential Credential Compromise (ARO-154)

Action (Unresolved)

Remediation:

• Contact the identified user to verify that this activity is expected.

• If this activity is unexpected, reset the account credentials immediately.

• Please leverage comments on this ARO to report any suspicious changes or activity that may be observed with this account.

Endpoint Risk - Malware Detected (ARO-143)

Action (Resolved)

Remediation:

• Validate the Microsoft Defender alerts for the identified endpoint.

• Ensure you have the latest virus and threat protection updates, via the Windows Security menu options.

• Run a full scan of the affected endpoint with Microsoft Defender.

• If the identified activity is associated with a confirmed breach, we recommend re-imaging the system.

Endpoint Risk - Vulnerable Software Detected - Chrome and Chromium-based Browsers (ARO-133)

Recommendation (Dismissed)

Remediation:

• We recommend that Windows, Mac, and Linux desktop users manually upgrade now to the latest Chrome version by going to Settings -> Help -> About Google Chrome.

• We recommend that Windows desktop users manually upgrade now to the latest Edge version by going to Settings -> About Microsoft Edge.

• Administrators can configure updates to be deployed automatically using group policy. Further guidance and templates are provided by the respective vendors. [Chrome](https://support.google.com/chrome/a/answer/6350036?hl=en), [Edge](https://learn.microsoft.com/en-us/deployedge/configure-microsoft-edge), and [Brave](https://support.brave.com/hc/en-us/articles/360039248271-Group-Policy) support automatic updates whereas Opera and Vivaldi do not.

• For Chromium-based browsers, refer to the vendor's release notes below and to the documentation for instructions on how to update to the latest version.

Endpoint Risk - Unpatched Microsoft Products (ARO-138)

Recommendation (Dismissed)

Remediation:

• Update the software on the affected endpoints using the provided CVE links and associated references.

Endpoint Risk - Vulnerable Software Detected - Windows (ARO-126)

Recommendation (Resolved)

Remediation:

• Upgrade the software listed above to the latest version and remove any unused or outdated software.

Endpoint Risk - Hosts Observed Without Covalence Agent Installed (ARO-134)

Recommendation (Dismissed)

Remediation:

• We recommend that you review the list of hosts identified and install the Covalence endpoint agent wherever possible.

Network Risk - Internal Network Scanning Detected (ARO-135)

Recommendation (Dismissed)

Remediation:

• Validate with the last user if this activity is expected.

• If the activity is unexpected, disconnect this endpoint from your network and contact us for further assistance.

Endpoint Risk - Vulnerable Software Detected - Windows (ARO-128)

Recommendation (Resolved)

Remediation:

• Upgrade the software listed above to the latest version and remove any unused or outdated software.

Endpoint Risk - Vulnerable Operating System Detected (ARO-132)

Recommendation (Dismissed)

Remediation:

• Run Windows Update on the system(s) listed above, which can be found via Windows Update Settings.

Network Risk - Internal Network Scanning Detected (ARO-149)

Recommendation (Resolved)

Remediation:

• Validate with the last user if this activity is expected.

• If the activity is unexpected, disconnect this endpoint from your network and contact us for further assistance.

Account Risk - Account Added to Microsoft 365 Administrative Group (ARO-140)

Recommendation (Resolved)

Remediation:

• Reset user credentials for both accounts, and revoke all active user sessions.

• Where possible, enforce the use of MFA for administrative accounts.

Endpoint Risk - At Risk Software Observed - AnyDesk (ARO-145)

Recommendation (Resolved)

Remediation:

• Refer to the AnyDesk security advisory referenced below; change AnyDesk user passwords and apply the latest update as soon as possible.

• We recommend enabling Multi-Factor Authentication (MFA) for all AnyDesk accounts, especially for users with elevated privileges.

Endpoint Risk - Unpatched Microsoft Products (ARO-150)

Recommendation (Resolved)

Remediation:

• Update the software on the affected endpoints using the provided CVE links and associated references.

Endpoint Risk - At Risk Software Observed - AnyDesk (ARO-142)

Recommendation (Resolved)

Remediation:

• Refer to the AnyDesk security advisory referenced below; change AnyDesk user passwords and apply the latest update as soon as possible.

• We recommend enabling Multi-Factor Authentication (MFA) for all AnyDesk accounts, especially for users with elevated privileges.

Endpoint Risk - Vulnerable Software Detected - Windows (ARO-130)

Recommendation (Dismissed)

Remediation:

• Upgrade the software listed above to the latest version and remove any unused or outdated software.

Endpoint Risk - Vulnerable Software Detected - Windows (ARO-129)

Recommendation (Resolved)

Remediation:

• Upgrade the software listed above to the latest version and remove any unused or outdated software.

Account Risk - Account Added to Microsoft 365 Administrative Group (ARO-146)

Recommendation (Resolved)

Remediation:

• Reset user credentials for both accounts, and revoke all active user sessions.

• Where possible, enforce the use of MFA for administrative accounts.

Endpoint Risk - Vulnerable Operating System Detected (ARO-125)

Recommendation (Resolved)

Remediation:

• Run Windows Update on the system(s) listed above, which can be found via Windows Update Settings.

Endpoint Risk - Hosts Observed Without Covalence Agent Installed (ARO-127)

Recommendation (Resolved)

Remediation:

• We recommend that you review the list of hosts identified and install the Covalence endpoint agent wherever possible.

Endpoint Risk - Vulnerable Software Detected - WinRAR (ARO-131)

Recommendation (Dismissed)

Remediation:

• We recommend updating the affected software to the latest version as soon as possible.

Security Alert - Microsoft Defender for Cloud (ARO-139)

Observation (Dismissed)

Remediation:

• Investigate and address the Microsoft Defender for Cloud Alert.

• Follow the recommended configuration steps provided by Microsoft.

Endpoint Risk - Potentially Unwanted Applications Detected (ARO-148)

Observation (Dismissed)

Remediation:

• Validate the presence of PUAs on the affected endpoint(s). If their presence is unexpected, we recommend uninstalling them.

Security Alert - Microsoft Defender for Cloud (ARO-136)

Observation (Dismissed)

Remediation:

• Investigate and address the Microsoft Defender for Cloud Alert.

• Follow the recommended configuration steps provided by Microsoft.

Account Risk - VPN Authentication Detected (ARO-151)

Observation (Resolved)

Remediation:

• If this activity is unexpected, reset the account credentials and revoke all user sessions immediately.

• Enable Multi-Factor Authentication (MFA) for all accounts within your organization as an additional security control, if not already implemented.

Suspicious Login Detected (ARO-153)

Observation (Dismissed)

Remediation:

• Contact the identified user to verify that this activity is expected.

• If this activity is unexpected, reset the account credentials immediately.

• Please leverage comments on this ARO to report any suspicious changes or activity that may be observed with this account.

Account Risk - VPN Authentication Detected (ARO-152)

Observation (Dismissed)

Remediation:

• If this activity is unexpected, reset the account credentials and revoke all user sessions immediately.

• Enable Multi-Factor Authentication (MFA) for all accounts within your organization as an additional security control, if not already implemented.

Security Alert - Microsoft Defender for Cloud (ARO-137)

Observation (Dismissed)

Remediation:

• Investigate and address the Microsoft Defender for Cloud Alert.

• Follow the recommended configuration steps provided by Microsoft.

Security Alert - Microsoft Defender for Cloud (ARO-144)

Observation (Dismissed)

Remediation:

• Investigate and address the Microsoft Defender for Cloud Alert.

• Follow the recommended configuration steps provided by Microsoft.

Account Risk - VPN Authentication Detected (ARO-147)

Observation (Dismissed)

Remediation:

• If this activity is unexpected, reset the account credentials and revoke all user sessions immediately.

• Enable Multi-Factor Authentication (MFA) for all accounts within your organization as an additional security control, if not already implemented.

Protecting Your Cloud Services

User awareness is one of the best methods of protecting a network and preventing an incident. The list of targeted users and accounts should be reviewed, and their owners made aware of the threat. These “most targeted” users should also be prioritized for the implementation of technological protections such as strong passwords and MFA.

Figure 10: Outstanding and Closed AROs

Note: You can tell us about your users like whether they travel, what devices they use, etc. in order to help further tune our compromise-detection analytics.

Improve Account Security

The most effective ways to further improve your email security are to enable MFA and increase user-awareness. MFA is not a silver bullet but can significantly increase your organization’s security posture by preventing an attacker from guessing passwords or trying passwords harvested from other websites.

• 46 of 60 observed users have used MFA to log in this month.

External Network Information

Knowledge about large networks on the Internet, sometimes referred to as ASNs or “Autonomous Systems”, provides some level of insight into the types of users or systems that are interacting with your business network. This annex provides details on some of the ASNs which appear in this report.

Resources

The following resources are recommended by Field Effect as helpful guides or documentation to use when implementing cyber security measures and plans for your network.

Industry Best Practices

Baseline Cyber Security Controls for Small and Medium Organizations

Published by the Canadian Centre for Cyber Security

https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations

The Essential Eight

Published by the Australian Cyber Security Centre

https://www.cyber.gov.au/publications/essential-eight-explained

National Cyber Security Center (United Kingdom)

https://www.ncsc.gov.uk/section/advice-guidance/all-topics


Cyber Security Framework

Published by the National Institute of Standards and Technology (United States)

https://www.nist.gov/cyberframework

FES Glossary of Terms

Published by Field Effect Software

https://my.fieldeffect.net/Portal.html?locale=en_CA#/support/glossary

Notes

[1] Indicators of compromise take the form of IP addresses, domain names, file hashes, URLs, signatures and other discrete markers of suspicious or malicious activity.

[2] Botnets refer to large collections of compromised systems centrally controlled by an attacker.

[3] Bulletproof hosting is a type of online hosting service known to provide incredible leniency to its customers in terms of the content allowed on the platforms. Bulletproof hosts also specialize in customer anonymity and therefore attract significant use by cybercriminals and hackers seeking to remain hidden while still operating infrastructure online.

[4] https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

support@capitaltek.com https://capitaltek.ca +18779708324 www.fieldeffect.com
