Identifying infected machines and stopping future infections
As a West Monroe team worked with the client to clean up its environment and design future IT infrastructure requirements, it recognized new indicators of compromise. Users were still receiving and clicking on malicious links or attachments in emails, thus infecting more machines. An assessment found that the client’s spam filter was failing to block these emails. Additionally, due to users’ lack of security education, some users were “giving away” their credentials to bad actors through fake Office 365 sign-in pages.
Next-generation antivirus and Office 365 security best practices
West Monroe worked with the client to introduce several new solutions and practices that strengthened its security posture. This included implementing Carbon Black along with other best practices to protect end users from the ever-evolving threat landscape. The Carbon Black tool inspects applications and processes running on user machines. It can report or block suspicious or malicious activity based on both global threat intelligence and client-specific configurations. In addition to deploying this tool for preventative purposes, the team used it to identify 10 infected servers and 1,100 infected workstations that required cleaning or decommissioning. The process identified 47 unique malware instances belonging to various families, including IcedID, Nymaim, Kryptik, and GandCrab.
Other steps included:
- Moving from a third-party mail hygiene solution to Exchange Online Protection with Advanced Threat Protection (ATP), stopping most malicious emails before they ever make it inside the organization.
- Recommending a phishing testing system to test and educate users on email security.
- Using Office 365 Conditional Access and MFA to identify specific compromised accounts and infected endpoints.
Issues resolved; infrastructure strengthened for the future
With West Monroe’s support, the client has now cleaned and hardened both its server and workstation infrastructure, as well as its Office 365 environment, stopping the spread of malware.