Large Energy Provider Identifies and Mitigates a Targeted Phishing Attack

Industry

Energy

Company Size

3,000 employees

Location

United States

Solution

Providing critical insights and answering important questions enabled the security team to fully understand the origin and trajectory of the attack, and pinpoint affected users and endpoints.

Key Results
  • Scaled IRM with ease
  • Protected users without disruption
  • Expanded off-network visibility
  • Focused teams on true risk

As attacks have become more sophisticated, traditional network firewalls and anti-malware solutions are no longer enough to keep your data safe. The DTEX Platform works alongside perimeter solutions as part of a layered defense, and in the case of a security incident or attack it provides insights that other security applications cannot.


The customer is a large energy provider based in the United States with approximately 3,000 employees, operating a complex enterprise environment exposed to evolving phishing and insider-driven threats.


The enterprise security threat landscape is more complex than ever, with new risks and attack methods emerging faster than defenders can keep up with them. If there is one established attack vector that shows no signs of slowing down, it is phishing: a recent industry report finds it responsible for more than 90 percent of incidents and breaches driven by social engineering, with 66 percent of malware reportedly installed via malicious email attachments.

As phishing attacks have become more sophisticated, they increasingly exploit a key but often overlooked vulnerability: the users inside your network. It is user behavior (the opening, the clicking, the downloading) that enables malicious actors to gain entry to the network and find the valuable personal or company information they are after.

At this energy provider, a slew of invoice-themed phishing emails penetrated the customer's network, past a tried-and-true network defense system and straight into employee inboxes. A proxy service eventually detected and flagged that users had visited malicious URLs, but there was little visibility into where and how the attackers had entered the network, how many users were affected, and the extent of the potential damage.


Increasingly sophisticated attack methods are outsmarting traditional network defense systems and penetrating even the strongest perimeter security. 

The success or failure of phishing attacks largely hinges on an attacker’s ability to forge legitimacy and camouflage their malicious intent. In addition to more polished and well-designed email messages, malicious actors are leveraging new obfuscation mechanisms that allow them to successfully evade the firewalls, gateways and perimeter solutions acting as the first line of defense.

In this case, basic network defenses failed to spot and block the phishing emails used in the attack, even though the emails themselves were fairly textbook in nature. DTEX uncovered evidence of the techniques the attackers used to avoid detection and reach employee inboxes.

One such technique was polymorphism: email subject lines, URLs, document names and executed payloads that differed from message to message. Against these unique and constantly changing elements, security approaches that rely on known, specific or consistent patterns to identify threats, such as traditional signature-based detection, are of little use. It has been reported that nearly 94 percent of malware and potentially unwanted application executables identified last year were seen only once.

Additionally, the links in the phishing emails pointed to the websites of real companies that had been compromised and used as transient locations to host the malicious documents. Because the domains themselves were legitimate, the URLs were not blacklisted or blocked by antivirus or firewall solutions, and most of the affected users did not recognize them as dangerous.

Malicious actors are studying and exploiting the routine, yet unpredictable, nature of user behavior.

Malicious actors understand that user behavior is often unpredictable and widely varied, and that this can be used to their advantage. They know that all it takes is one vulnerable recipient to establish an initial foothold and compromise the entire network. An increased focus on profiling user behavior allows attackers both to better understand routine user activities and to find inconsistencies that represent potential gaps in a network's defenses.

The invoice-themed emails used in this attack represented a standard and highly successful phishing tactic: preying on what are mundane day-to-day activities for today's employees, namely email communication, document review and administrative tasks. Leveraging a sequence of actions that is almost second nature (open the email, download the attachment, enable editing of the file) ultimately allowed malicious processes to run and endpoints to be compromised.

The stages of user behavior in this incident were particularly varied, and it is important to acknowledge that every user who interacted with the emails contributed to the risk. Those who opened the emails and then followed the links and downloaded the files posed an obvious, direct threat to the company network. But others were not without blame: forwarding or replying to a suspicious email, or neglecting to report it, all carry a risk of secondary compromise.

Elementary “Smash-and-Grabs” have evolved into targeted “low-and-slow” attacks — and traditional security approaches are struggling to match pace. 

Once the customer was notified that malicious URLs had been visited and an attack was potentially under way, a scan of the potentially affected endpoints came back clean, even though nothing had yet been remediated; the scan was a false negative, not a sign that the endpoints were safe. This is not uncommon: with threats evolving faster than anti-malware solutions can keep pace, it has become nearly impossible for every piece of malicious code to be recognized and stopped. In fact, legacy antivirus solutions reportedly missed nearly half of the malware delivered in Q2 of this year alone.

While traditional defense systems are equipped to monitor north-south traffic, or to spot key events such as initial infiltration or data exfiltration, few are capable of detecting an attack in its middle phase: the 'dwell time' that malicious actors use for surveillance, data collection and propagation to peer systems. During this period attackers move laterally to expand their foothold and amplify the attack, travelling through the network undetected (for 99 days on average, by one industry estimate).

Only security approaches that look beyond known threat patterns and attributes, and continually build a contextual understanding of potential threats in real time, can find and stop lateral movement. As this customer recognized, the ability to retrace the steps of user behavior makes it possible, and far less overwhelming, to find and secure every compromised endpoint instead of pursuing manual, time-consuming remediation or relying on a strategy of 'hoping for the best'.

Incident timeline

Timeline | What took place
DAY 1 — DELIVERY | Invoice-themed phishing emails bypass gateway security and penetrate the network, reaching employee inboxes.
EXPLOITATION | Users interact with the phishing emails in different ways:
  – some open the email and take no further action;
  – some open the email, then forward or reply to it;
  – some open the email, follow its instructions to visit the malicious URL, and download the file.
INFECTION | Users who visited the malicious URL follow the downloaded document's prompts, granting edit and macro permissions; this allows malicious processes to run and infects the endpoint.
DETECTION | The web security gateway flags the malicious URLs. The security team runs an endpoint scan for malicious payloads or executables; the scan comes back clean.
DAY 3 — SOURCE OF URLS IDENTIFIED | DTEX identifies the source of the malicious URL(s) and retraces user behavior to build the attack timeline and pinpoint affected users and potentially compromised endpoints.

DTEX recommends a comprehensive investigation of security incidents, including a forensic analysis of compromised endpoints, to fully understand the attack and better defend against similar threats in the future. 

As evidenced by the wide variation in user behavior, the critical opportunity was additional user education focused on how to spot and flag potential phishing activity. No amount of filtering or firewalling will stop every malicious email or file from entering the network, so it is imperative to invest in comprehensive training and processes for identifying and responsibly handling phishing-related threats, including reporting suspicious messages rather than forwarding or replying to them.

At the same time, the incident underscores the importance of real-time visibility into user behavior. As organizations come to the stark realization that it is impossible to close every loophole, the focus has shifted from prevention to threat detection and response. With more and more malware bypassing perimeter defenses and slipping through undetected, there is a critical need to find and stop threats quickly, before they can spread. This is possible only with comprehensive visibility and a contextual understanding of user behavior, which in this case proved critical both for uncovering gaps and for identifying all potentially compromised endpoints.

No perimeter solution is impenetrable. The user stands as the last line of defense, and their actions determine whether a potential threat becomes a disruptive and devastating attack. Protecting your enterprise therefore means protecting your network and critical business systems, and also deeply understanding your users and their uniquely human behaviors.

After a phishing attack, DTEX provides critical answers:

  • Which users opened the malicious email?
  • Which users clicked on the malicious link or downloaded the attachment? What about forwarding or responding to the email?
  • When did the malicious email enter the organization?
  • Which endpoints are potentially compromised?
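The questions above, and the retracing of user behavior described earlier, can be illustrated with a small script that runs over endpoint activity telemetry. This is an added example written for this page, not DTEX code or the customer's data: the event schema, action names, the flagged URLs and every record in the sample are constructed assumptions. Starting from the only lead the proxy gave (a handful of flagged URLs), it ties each flagged visit back to the email opened shortly before it by the same user, uses those senders to recognise the rest of the campaign despite per-message subjects, URLs and file names (the polymorphism discussed above), classifies what each user did, and marks an endpoint as likely compromised on behavior alone: macros enabled in a downloaded document followed by an Office process spawning a script host, with no reliance on a malware signature.

```python
"""Retrace phishing-related user behavior from endpoint telemetry.

Added example (not DTEX code). Schema, actions and sample records are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not real data. One tuple per user action as an
# endpoint agent might emit it: ts, user, host, action, detail.
# mail_* details are "sender|subject"; process_start details are "parent>child".
EVENTS = [
    ("2000-01-01T08:02:00", "alice", "WS-011", "mail_open", "billing@vendor-mail.example|Invoice 20481 overdue"),
    ("2000-01-01T08:04:00", "alice", "WS-011", "url_visit", "https://www.legit-site.example/wp-content/inv/20481.php"),
    ("2000-01-01T08:05:00", "alice", "WS-011", "file_download", "Invoice_20481.doc"),
    ("2000-01-01T08:06:00", "alice", "WS-011", "macro_enable", "Invoice_20481.doc"),
    ("2000-01-01T08:06:00", "alice", "WS-011", "process_start", "WINWORD.EXE>powershell.exe"),
    ("2000-01-01T08:10:00", "bob", "WS-023", "mail_open", "billing@vendor-mail.example|Payment reminder #77310"),
    ("2000-01-01T08:11:00", "bob", "WS-023", "mail_forward", "billing@vendor-mail.example|Payment reminder #77310"),
    ("2000-01-01T08:30:00", "carol", "WS-040", "mail_open", "billing@vendor-mail.example|Invoice 5519 attached"),
    ("2000-01-01T09:00:00", "dave", "WS-052", "mail_open", "billing@vendor-mail.example|Statement 0098"),
    ("2000-01-01T09:01:00", "dave", "WS-052", "url_visit", "https://shop.other-legit.example/docs/0098.php"),
    ("2000-01-01T09:02:00", "dave", "WS-052", "file_download", "Statement_0098.doc"),
    ("2000-01-01T09:15:00", "erin", "WS-060", "mail_open", "hr@corp.example|Holiday schedule"),
    ("2000-01-01T09:16:00", "erin", "WS-060", "process_start", "WINWORD.EXE>splwow64.exe"),
]

# The only starting point the proxy provided: URLs it flagged after the fact (constructed).
FLAGGED_URLS = {
    "https://www.legit-site.example/wp-content/inv/20481.php",
    "https://shop.other-legit.example/docs/0098.php",
}

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
LOOKBACK = timedelta(minutes=30)  # how far back a click is tied to an opened email


def parse(raw_events):
    """Turn the raw tuples into dicts with real timestamps, ordered by time."""
    return sorted(
        [{"ts": datetime.fromisoformat(ts), "user": u, "host": h, "action": a, "detail": d}
         for ts, u, h, a, d in raw_events],
        key=lambda e: e["ts"],
    )


def pivot_senders(events):
    """Tie each flagged URL visit to the email the same user opened shortly before it.
    The senders of those emails identify the campaign even though subjects, URLs and
    file names vary per message."""
    senders = set()
    for e in events:
        if e["action"] != "url_visit" or e["detail"] not in FLAGGED_URLS:
            continue
        prior = [p for p in events if p["user"] == e["user"] and p["action"] == "mail_open"
                 and e["ts"] - LOOKBACK <= p["ts"] <= e["ts"]]
        if prior:
            senders.add(prior[-1]["detail"].split("|", 1)[0])
    return senders


def retrace(raw_events):
    """Return campaign senders, first-seen time, per-user stages and compromised hosts."""
    events = parse(raw_events)
    senders = pivot_senders(events)
    users = defaultdict(set)   # user -> stages reached
    hosts = defaultdict(dict)  # host -> evidence used for the compromise decision
    first_seen = None
    for e in events:
        u, h, a, d = e["user"], e["host"], e["action"], e["detail"]
        if a.startswith("mail_") and d.split("|", 1)[0] in senders:
            users[u].add({"mail_open": "opened", "mail_forward": "forwarded", "mail_reply": "replied"}[a])
            if a == "mail_open" and (first_seen is None or e["ts"] < first_seen):
                first_seen = e["ts"]
        elif a == "url_visit" and d in FLAGGED_URLS:
            users[u].add("clicked")
        elif a == "file_download" and "clicked" in users.get(u, ()):
            users[u].add("downloaded")
        elif a == "macro_enable" and "downloaded" in users.get(u, ()):
            users[u].add("enabled_macros")
            hosts[h]["macro_at"] = e["ts"]
        elif a == "process_start":
            parent, child = d.split(">", 1)
            # Behavioral signal, independent of any malware signature: an Office
            # process launching a script host on a host where macros were just enabled.
            if parent in OFFICE_APPS and child in SCRIPT_HOSTS and "macro_at" in hosts.get(h, {}):
                hosts[h]["compromised"] = True
                users[u].add("infected")
    compromised = sorted(h for h, ev in hosts.items() if ev.get("compromised"))
    return {"campaign_senders": sorted(senders), "first_seen": first_seen,
            "users": {u: sorted(s) for u, s in users.items()}, "compromised_hosts": compromised}


if __name__ == "__main__":
    for key, value in retrace(EVENTS).items():
        print(key, value)
```

On the sample data the script reports one campaign sender first seen at 08:02, alice as opened/clicked/downloaded/enabled macros/infected, bob as opened and forwarded, carol as opened only, dave as opened/clicked/downloaded but not infected (no macros enabled), erin as uninvolved, and WS-011 as the only compromised endpoint. Note that an endpoint scan keyed on file hashes would have said nothing about WS-011; the compromise call here rests entirely on the sequence of user and process behavior.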

  • Scaled insider risk management without added complexity: DTEX provided the behavioral depth and enterprise scalability needed to mature the organization’s IRM program beyond internal tools, while still fitting into its existing security operations stack. This helped the team advance from early program development to a more sustainable, enterprise-wide approach.
  • Protected a global workforce without disrupting productivity: With lightweight data collection and no perceptible endpoint performance impact, DTEX helped the company expand visibility across a large, distributed user base while preserving the performance and privacy expectations of a global enterprise.
  • Improved confidence in off-network risk detection: DTEX provided visibility both on and off the corporate network, giving the security team better context into user behavior wherever work happens. This strengthened the organization’s ability to detect intent-based threats before they escalated.
  • Strengthened the business value of the IRM program: By helping analysts distinguish between normal, negligent, and malicious behavior, DTEX enabled the team to focus attention on the risks that mattered most. This supported a more confident, risk-based approach to protecting operational integrity and sensitive data at scale.
