MSP Says He Was Blown Away by Overwatch Support and Expertise
Partner Profile: Managed Services Provider (MSP) in Chicago, Illinois
End Customer: Manufacturing Client
Incident:
Early Tuesday morning, October 31, 2023, an Overwatch MSP partner reported a Lockbit 3.0 ransomware attack on one of its manufacturing clients. The client had Overwatch Managed Endpoint Detection and Response (EDR) deployed on its VM servers. When its network attached storage (NAS) and storage area network (SAN) hardware were hit with ransomware, Lockbit 3.0 encrypted all VM datastore volumes. The attacker deliberately deployed the ransomware only on machines that did not have Overwatch MEDR installed. The client had no security monitoring on the NAS and SAN storage units or on the ESXi hypervisor hosts. The quick Overwatch response outlined below details the extra measures Overwatch took, beyond its service level agreement with the partner and client, to ensure the threat was resolved quickly.
Solutions:
- Overwatch U.S. based Security Operations Center (SOC) responded immediately and deployed its incident response process.
- The Overwatch Director of Security Engineering deployed an IR tool and set up a virtual machine in the client’s environment: a network collector that ran live network analysis.
- Meanwhile, Overwatch SOC monitored the IR tool for any signs of data exfiltration.
- Overwatch monitored Lockbit forums for any indication that client data had been leaked.
- Overwatch SOC simultaneously ran Overwatch Vulnerability Management scans to identify any other exploitable weaknesses in the network.
- Overwatch checked to see if patches were needed for NAS and SAN servers.
- A week prior, Overwatch SOC had identified and ticketed a potential bad actor/vector that had installed commercial spyware, which led the MSP partner to kill/quarantine the threat.
- Overwatch SOC audited endpoints for remote access software and blacklisted all non-approved executables and isolated the endpoint.
- Overwatch team consulted with MSP partner and client after resolution for IR follow-up.
- The client had offsite data backups and was able to continue running business as usual.
Recommendations:
The client should consider adding Overwatch Managed Extended Detection and Response (MXDR) and Overwatch OT/IoT Security to its security stack. MXDR would have caught the attack sooner, since its Network Traffic Analysis (NTA) detections pick up anomalous traffic earlier and can identify the threat as ransomware. In this scenario, Overwatch SOC would have contacted the partner within minutes to cut network access or pull the plug. Overwatch OT/IoT Security would additionally have helped micro-segment or air-gap the storage devices so the intrusion could not escalate into ransomware, and its built-in detections are designed to catch ransomware attacks.
Partner Testimonial:
“I reached out to the High Wire SOC and was blown away by the support that the team was able to provide. Multiple people were pulled in to provide support, products, scanning, monitoring, and additional information.” (IT Service Delivery Manager, MSP Partner)
Get more information on Overwatch Managed Cybersecurity and the Overwatch Partner Program at highwirenetworks.com or email: overwatchsales@highwirenetworks.com.