Scribd Logo
Upload

Welcome to Scribd!

  • Executive Service Review

    Uploaded by

    Hatem Gharbi
    50 views14 pages
    The January 2023 Managed XDR Service Review for Contoso provides an overview of Netsurion's managed XDR service. It outlines various cybersecurity topics including trends observed in Power BI, updates and improvements to the service, risk management practices, and integrations. The document also shares critical observations from the Threat Hunting team regarding emerging malware variants and indicators of compromise collected and updated in Netsurion's threat intelligence list.

    Original Description:

    Original Title

    Executive-Service-Review

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The January 2023 Managed XDR Service Review for Contoso provides an overview of Netsurion's managed XDR service. It outlines various cybersecurity topics including trends observed in Power BI, updates and improvements to the service, risk management practices, and integrations. The document also shares critical observations from the Threat Hunting team regarding emerging malware variants and indicators of compromise collected and updated in Netsurion's threat intelligence list.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    50 views14 pages

    Executive Service Review

    Uploaded by

    Hatem Gharbi
    The January 2023 Managed XDR Service Review for Contoso provides an overview of Netsurion's managed XDR service. It outlines various cybersecurity topics including trends observed in Power BI, updates and improvements to the service, risk management practices, and integrations. The document also shares critical observations from the Threat Hunting team regarding emerging malware variants and indicators of compromise collected and updated in Netsurion's threat intelligence list.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 14

    Managed XDR Service Review

    Contoso | January 2023

    © Copyri
    © Copyri
    ght Netsurion
    ght Netsurion
    | Al l Rights
    | Al l Rights
    Reserved
    Reserved
    | Confidential
    | Confidential
    ▪ Power BI Trends
    ▪ Updates and Improvements
    ▪ Risk Management
    ▪ Integrations
    ▪ Critical Observations

    © Copyri ght Netsurion | Al l Rights Reserved | Confidential


    Variants
    • Borat • Gelsemium • BlackBasta
    • Azovstal Cobalt Strike • Chromeloader • Formbook
    • Wiper Malware • Chinese Statesponsor • Magniber
    • Nerbian RAT • Mimikatz • Ransom.Royal
    • Bumblebee malware • OwlProxy • Iranian APT
    • JokerMalware • Gelsemium • SSH attack Indicators of compromises (IoC) and hash
    • KurayStealer • Chromeloader • CubaRansomware values of all these malicious file variants
    • PowerShell RAT • Chinese Statesponsor • POLONIUM and other emerging threats are collected
    • SYK Crypter • CVE-2017-0199-exploit • OWASSRF and updated in Netsurion’s Active Watch
    • Eternity Malware • MSIL TrojanDownloader
    list on a regular basis by your dedicated
    • Fileless Malware • SolidBit Ransomware
    • Tanki X Ransomware • WoodyRAT Threat Hunting team.
    • MSDT Follina • Yanluowang ransomware
    • VmwareExploit APT • Raccoon Ransomware
    • Karakurt group • CodeRAT
    • Atlassian RCE • Neshta Vice Society
    • Confluence webshell • Fargo Ransomware
    • Maui ransomware • Exchange0day
    • Mimikatz • Log4j
    • OwlProxy • Emotet

    © Copyri ght Netsurion | Al l Rights Reserved | Confidential


    Contact Your SOC: SOC@Netsurion.com 1 (877) 333-1433 Option 1, Option 1

    Emails received are acknowledged in 15 business minutes in accordance with the SLO of purchased Analysis Frequency Option: Weekly/Daily/24x7.

    Support requests are submitted via a ticket and are categorized as Urgent, High or Low by the Customer, SOC Manager or Team Leads depending on the nature of
    the issue being reported. The corresponding SLOs are:

    Your Service Level Severity Response SLO Resolution SLO

    Urgent 1 Business hour from receipt 1 Business day from receipt


    Weekly High 4 Business hours from receipt 5 Business days from receipt
    Low 8 Business hours from receipt 10 Business days from receipt

    Important:
    ✓ If you have any urgent request that you need our attention or assistance with – please mention “Urgent“ In the email subject line.
    ✓ If you need any immediate assistance during off-hours (2:30 PM EST – 5:30 AM EST) please call us and email us so that the available analyst can make sure
    your request is addressed on time.
    ✓ Customer environment monitoring is performed, and the top priority incidents will be reported daily.

    © Copyri ght Netsurion | Al l Rights Reserved | Confidential


    Primary Contact Danny Ocean d.ocean@contoso.com 555.555.5550
    Senior Manager, Cybersecurity
    Additional Contact 1 Linus Caldwell l.caldwell@contoso.com 555.555.5555
    Cybersecurity Analyst
    Additional Contact 2 Basher Tarr b.tarr@contoso.com 555.555.5556
    IT Systems Manager

    For any pending critical issues, please contact:


    Escalation Contact Saul Bloom s.bloom@contoso.com 555.555.5551
    CIO

    © Copyri ght Netsurion | Al l Rights Reserved | Confidential


    By Type By Severity
    400 372
    350 76.13%
    Urgent
    300 369
    250 23.66%
    200 Low
    113
    150
    96
    100 0.21%
    High
    50 15 1
    0
    0 100 200 300 400
    Service Request System Diagnostics Incident P1

    © Copyri ght Netsurion | Al l Rights Reserved | Confidential


    Date Ticket Subject Description Priority Status

    Alert from OPS25.CTSO-Workstation SOC has observed suspicious command on system


    2023-01-15
    36654654 Alert Name: Netsurion: Suspicious exploit attempt detected - OPS25.CTSO-Workstation in US East Region LT123 by user Urgent Closed
    00:23:15
    Incident No: 202210000011391 RRyan. Detailed logs are attached for reference.

    Alert from RED.CTSO-Workstation


    2023-01-18 A suspicious command, powershell -NoProfile -Command
    36654655 Alert Name: PowerShell running suspicious commands - Urgent Closed
    01:19:56 was executed by PowerShell through powershell.exe.
    Incident No: 202301000010348

    True Positive False Positive

    © Copyri ght Netsurion | Al l Rights Reserved | Confidential


    Total Alerts Triggered Most Triggered Alerts:
    And Priorities 1. PowerShell running suspicious commands
    Low,99
    Note:
    1. All alerts are checked and verified by the Netsurion SOC team
    2. Concerning incidents will be escalated to the Client
    Urgent, 369 Low Urgent

    Alert Flow
    60
    46 49
    50
    40
    30 25 19 20
    20 11 11 14
    85 7 8 9 8 9 9
    10 5 4333
    1 3111231123321126515 222125233111652 6213424 2 2 41312251116 11351 52114463212347
    0

    12-Jan-23
    14-Jan-23

    22-Jan-23
    24-Jan-23
    26-Jan-23
    10-Jan-23

    16-Jan-23
    18-Jan-23
    20-Jan-23
    9-Nov-22
    1-Nov-22
    3-Nov-22
    7-Nov-22

    1-Dec-22
    3-Dec-22
    5-Dec-22
    7-Dec-22
    9-Dec-22
    12-Nov-22
    14-Nov-22
    17-Nov-22
    19-Nov-22
    21-Nov-22
    23-Nov-22
    25-Nov-22
    27-Nov-22
    29-Nov-22

    15-Dec-22
    17-Dec-22

    29-Dec-22
    31-Dec-22
    11-Dec-22
    13-Dec-22

    19-Dec-22
    21-Dec-22
    23-Dec-22
    25-Dec-22

    2-Jan-23
    6-Jan-23
    8-Jan-23
    14-Oct-22
    16-Oct-22

    24-Oct-22
    26-Oct-22
    18-Oct-22
    20-Oct-22
    22-Oct-22

    30-Oct-22

    © Copyri ght Netsurion | Al l Rights Reserved | Confidential


    Currently Integrated Suggested Integration
    Cisco ASA with FirePOWER ESET Anti-Virus
    AWS
    Microsoft 365
    Deep Instinct
    Tenable
    Linux
    MacOS

    © Copyri ght Netsurion | Al l Rights Reserved | Confidential


    Recommended Controls
    Risk Description Key Risk Drivers Consequence
    Likelihood Impact Recommendation

    Multiple systems are For Windows Machines,


    Non-Reporting Will be missing events as the systems are not sending data to
    not reporting to Serious Serious please follow the
    Systems Netsurion XDR platform.
    Netsurion instructions on the guide.

    Application-Level
    We won’t have visibility into events related to Web attacks or
    Penetration testing, Web Integration of Web server
    Apache Web Server Application-level PT. Chances of missing out on important High High
    Server Threats and logs with Netsurion.
    observations due to this.
    attacks

    © Copyri ght Netsurion | Al l Rights Reserved | Confidential


    Date Observation

    Jan 15, 2023 SOC observed suspicious Network logon failures from the multiple internal source IP address on the below mentioned systems due to Unknown username from
    username sahhuser1.

    Jan 13, 2023 Netsurion SOC has observed suspicious logon failures on multiple systems due to Bad Password, Unknown username, and An Error occurred during Logon reasons.

    Jan 8, 2023 Inbound connection from multiple suspicious IP addresses were recorded while communicating with executable process nginx.exe on multiple systems

    Jan 3, 2023 SOC has observed a new process TINYTAKE BY MANGOAPPS.EXE communicating to an external IP address 142.250.187.206, on system DO-LAPTOP76~CTSOHQ.

    Jan 1, 2023 SOC has observed Suspicious Unknown process with bad hash value.
    • MD5 Hash: 3fab1bcdd7dd8b99783b9c0d2ca8dd7e
    • File Name: Lively.Watchdog.exe
    • System Name: BSKI-JB-MD-2JTHRO-LE-0N
    • Parent Process Name: Lively.exe
    • Username: tesso
    • Image File Path: C:\Program Files\WindowsApps\1203efitzgerald.LivelyWallpaper_1.0.130.0_x86__97hta09mmv6hy\Build\Plugins\Watchdog\Lively.Watchdog.exe

    © Copyri ght Netsurion | Al l Rights Reserved | Confidential


    Date Admin Member System Group Name Operation Group Type
    Jan 23, 2023 CTSO-9099 CN=Frank Catton,OU=Accounting,OU=DMI NSPVMDFHEN19288 CTSO Bellagio Added Global
    Employees,OU=Domain \DMISRV5~CTSO_SE Application Admin
    Users,DC=docean,DC=com RVERS
    Jan 21, 2023 CTSO-8088 CN=Frank Catton,OU=Accounting,OU=DMI NSPVMDFHEN19288 CTSO Mirage Backend Added Global
    Employees,OU=Domain \DMISRV5~CTSO_SE Tools Admin
    Users,DC=docean,DC=com RVERS
    Jan 4, 2023 TBENEDICT CN=Virgil Malloy,OU=Technical Support,OU=DMI NSPVMDFHEN19288 CTSO Bellagio Removed Global
    Employees,OU=Domain \DMISRV5~CTSO_SE Application Admin
    Users,DC=tmalloy,DC=com RVERS
    Jan 2, 2023 TBENEDICT CN=Virgil Malloy,OU=Technical Support,OU=DMI NSPVMDFHEN19288 CTSO Mirage Backend Removed Global
    Employees,OU=Domain \DMISRV5~CTSO_SE Tools Admin
    Users,DC=tmalloy,DC=com RVERS

    © Copyri ght Netsurion | Al l Rights Reserved | Confidential


    Action Responsible Status

    Cisco WSA - Proxy Allowed Traffic: SOC Completed


    Validate and ensure that the Cryptocurrency category connections are blocked

    Software Install & uninstall Activity: SOC Completed


    SOC to share software install and uninstall activity by non-system accounts.

    OpenDNS Integration: SOC Completed


    SOC to share the integration guide for OpenDNS.

    Informational: SOC Completed


    Validate the Top Exploited vendor list and compare it with vulnerability report and ensure that no top exploited vendors exist on the infrastructure.

    Informational: SOC Completed


    Update Contoso team on Deep Instinct upgrade window

    Windows Login Failure: CTSO In Progress


    Check reason for high login failure of following accounts and update passwords

    - Tmalloy

    - Vmalloy

    - Yen

    © Copyri ght Netsurion | Al l Rights Reserved | Confidential


    Thank You

    © Copyri ght Netsurion | Al l Rights Reserved | Confidential © Copyri ght Netsurion | Al l Rights Reserved | Confidential

    You might also like