Tales from the Security Operations Center

Three real-world cybersecurity breaches reveal the need for comprehensive XDR coverage.

Extended Detection and Response

With the frequency and variety of cyberattacks increasing daily, the need for comprehensive security measures has never been more critical. For analysts staffing a security operations center (SOC) for a global extended detection and response (XDR) service, each day brings dozens or even hundreds of alarms and events. How do these security experts piece together the barrage of potential threats across a vast and diverse attack surface?

Below, I have outlined three real-life examples of cyberattacks witnessed by Barracuda XDR’s SOC teams that highlight how cybersecurity blind spots can affect the outcomes of these attacks.

Scenario 1: IT Company Ransomware Attack and Data Breach

One customer subscribed to Barracuda XDR Managed Endpoint Security, but only for devices for which they already had visibility. This revealed a security gap that was eventually exploited. In this case, the initial breach was facilitated by a compromise of a firewall’s SSL VPN that did not enable multi-factor authentication (MFA), allowing the attacker to exploit a zero-day vulnerability to establish a foothold. The attacker then moved laterally across the network, compromising servers, escalating privileges, manipulating admin accounts and groups, and setting up unauthorized communication channels with a malicious command-and-control (C&C) server.

The lack of robust security measures across multiple layers of the network infrastructure allowed the attacker to exploit various vulnerabilities, resulting in significant damage and compromise to the network.

During the attack, the threat actor leveraged various tools to exploit the security blind spots, compromise the system, execute malicious activities, and evade detection. These included tools for remote control, establishing a persistent network connection, facilitating lateral movement, or supporting data exfiltration.

Like many other threat actors, the attacker turned to commercially available IT tools that, if detected in isolation, would not immediately arouse suspicion. In an attacker’s hands, these tools are used for activities such as remotely downloading malicious payloads or scripts or scanning networks to identify open ports, running services, and other network attributes that could be used for further exploitation or to find additional targets.

The ransomware attack, which also included data exfiltration, resulted in operational disruption, leading to a halt in services and the likelihood of significant financial losses. The data theft compounded the damage with the loss of intellectual property, customer data, and compliance violations.

This incident highlights the need for a comprehensive security strategy encompassing a holistic approach, extending beyond endpoint protection to network, server, cloud, and email security.

Scenario 2: Ransomware Attack on a Manufacturer

In this attack, the threat actor exploited compromised credentials to gain unauthorized entry into a remote desktop protocol (RDP) server, using a common tool to brute force a VPN account.

The attackers took full advantage of security misconfigurations, such as improperly excluding essential system directories. These critical oversights resulted in over 100 devices being compromised, disrupting the victim’s ERP system. The threat actor also deleted the organization’s backup data.

As in the first incident, the attackers employed a variety of tools to compromise the system, perform brute-force attacks, extract passwords, check for security vulnerabilities, and assist in lateral movement and remote code execution.

The security breach significantly disrupted the company’s operations, leading to major financial losses. The network compromise halted production activities, derailing the manufacturing schedules. Further, the loss of backup data prolonged the downtime and recovery process. It took the company more than two months to resume full operations.

The partial deployment of security solutions left this customer vulnerable to these types of attacks.

Scenario 3: Ransomware Attack on a Retailer

In our third example, exposed assets, weak authentication, and a lack of connected security visibility left a critical server with its remote desktop protocol (RDP) exposed to the public internet. The threat actor seized upon the open RDP channel to infiltrate the network, targeting the domain controllers (DCs), where they created and subsequently deleted accounts to obscure their tracks.

This level of access enabled the threat actor to compromise the integrity and confidentiality of the network. The threat actor extracted sensitive data from the file servers and sold the stolen information on the dark web.

The attackers leveraged a common threat emulation tool that can be used to maintain persistence, escalate privileges, move laterally, and steal data. This was supplemented with password-cracking tools and tools that would have helped the attackers better understand and map the victim’s environment for further exploitation.

The fallout from the breach centered on the theft and exposure of sensitive data on the dark web. The critical file servers compromised during the attack contained valuable intellectual property and sensitive customer information, the unauthorized disclosure of which led to reputational damage and undermined client trust.

As with the first two examples, this breach underscored the need for a holistic cybersecurity strategy.

The Value of Comprehensive Cybersecurity Coverage

All three of these attacks are a stark reminder that incomplete security measures can leave organizations vulnerable to attacks that could have far-reaching consequences, both financially and reputationally. Further, a lack of security visibility across the environment means that suspicious activity is harder to spot and correlate with other activity, which can delay or impede a fast, comprehensive response to the attack. Remember, all three of these organizations had some security solutions in place; because they had not invested in a holistic suite of cybersecurity systems that protected their entire IT ecosystem (cloud, servers, networks, applications, etc.), critical gaps were easily exploited.

Integrating network, endpoint, server, cloud, and email security through XDR enables unprecedented threat detection and response capability. This is because of the data. With a comprehensive XDR solution, every corner of the IT infrastructure, from emails to cloud applications, is monitored and protected with advanced security measures and a full spectrum of defensive tools combined with proactive threat-hunting and response strategies. This allows for swift action and minimizes the window of opportunity for threat actors.


Adam Khan

Adam Khan is the VP, Global Security Operations at Barracuda MSP. He currently leads a Global Security Team which consists of highly skilled Blue, Purple, and Red Team members. He previously worked over 20 years for companies such as Priceline.com, BarnesandNoble.com, and Scholastic. Adam’s experience is focused on application/infrastructure automation and security. He is passionate about protecting SMBs from cyberattacks, which is the heart of American innovation.