Uncovering Unknown Cyber Threats
Tyler Detect uncovers risky network activity for a Tennessee Intercounty Agency
The cyber threat environment is dynamic and evolving and new vulnerabilities are emerging daily. Attacks are becoming more sophisticated and are flying under the radar of traditional detection technologies. It’s nearly impossible to single-handedly keep on top of the current threat environment and cybersecurity best practices, especially when many information technology teams are juggling competing priorities and limited resources.
This is a common challenge for government entities. So it was no surprise that, when asked what kept him up at night, Mike Caffrey, an IT executive for East Tennessee Governments, said, “We don’t know what we don’t know.”
Caffrey adds, “Detecting cyber threats is a full-time job, and we just didn’t have the resources to dedicate to it. The task is time-consuming. There is a huge amount of data that needs to be sifted through. Plus, attacks don’t always happen during normal business hours. I began looking for a partner who would alleviate this burden and keep a watch on my network 24 / 7.”
Caffrey’s team selected Tyler Detect, a managed threat detection and response (MDR) service from Tyler Technologies. From its 24 / 7 security operations center (SOC), Tyler Detect security experts analyze event logs from the Agency’s network, including endpoint activity, to uncover suspicious behavior. Any potential compromise is investigated and confirmed by an analyst, and Caffrey’s team is notified immediately.
“With Tyler Detect, I feel like I have a team working around the clock to uncover all those things I didn’t know before.”
In fact, Tyler Detect analysts uncovered a variety of network behaviors that presented significant risk to the Agency in the first few days. Here’s a sample of what they found:
1. Tech Support Scams
Analysis of firewall logs uncovered many instances of users visiting malicious websites hosting ‘Tech Support Scams’. Users are often redirected to these sites during normal browsing and enter them unknowingly. These fake ‘Tech Support’ sites are anything but supportive: they encourage users to provide personal data, install programs that give attackers control of their system and network, or, worse, allow an actual virus to be installed, giving attackers access to the system without the user’s consent.
2. Fraudulent Programs
Tyler Detect found a fraudulent Adobe Flash Player installed on the Agency’s network. A common online scam tricks the person browsing into downloading a fake version of popular software. While it looks legitimate, the fraudulent program tries to infect the victim with malware or collect personal information.
3. BitTorrent (BT)
Tyler Detect found traffic that pointed to peer-to-peer file sharing known as BitTorrenting. BT is a common protocol for transferring large files and is often used to download illegal and / or copyrighted material. This poses a risk because if an illegal file is successfully downloaded, the Agency could be held liable.
BT is difficult to block by standard cybersecurity methods because many firewalls cannot identify the traffic. Instead, they allow this seemingly innocuous peer-to-peer traffic because they cannot categorize it as BT; Tyler Detect’s contextual analysis, however, pinpoints this type of aberrant traffic.
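The two findings above (scam-site visits found in firewall logs, and BitTorrent traffic that a firewall cannot categorize but context can reveal) can be illustrated with a small detection script. The following is an added example written for this page; it is not Tyler Detect’s code and does not describe how the SOC actually works. The log format, the domain blocklist, the thresholds and every address and hostname are constructed for the example (addresses come from the RFC 5737 documentation ranges).

```python
"""Two lightweight detections over constructed firewall allow-logs.

(1) Blocklist matching: flag any allowed connection whose HTTP Host header is
    on a list of known tech-support-scam / fake-installer domains.
(2) Contextual peer-to-peer heuristic: flag an internal host that talks to
    many distinct external peers on ephemeral ports with no hostname at all,
    a pattern that is typical of a BitTorrent swarm even when no single
    packet is recognizable as BT.
"""
import re
from collections import defaultdict

# Constructed sample log in a hypothetical key=value format (not any real
# firewall's syntax). 10.1.4.77 behaves like a torrent client; 10.1.4.50's
# single hostless high-port connection is a decoy that must not trigger.
SAMPLE_LOG = """\
2024-03-01T09:15:02 src=10.1.4.22 dst=203.0.113.9 dport=443 host=secure-pc-alert.example action=allow
2024-03-01T09:15:03 src=10.1.4.22 dst=203.0.113.9 dport=443 host=secure-pc-alert.example action=allow
2024-03-01T09:16:10 src=10.1.4.31 dst=198.51.100.7 dport=80 host=get-flashplayer-update.example action=allow
2024-03-01T09:17:01 src=10.1.4.50 dst=192.0.2.10 dport=443 host=www.example.org action=allow
2024-03-01T09:17:30 src=10.1.4.50 dst=192.0.2.88 dport=49152 host=- action=allow
2024-03-01T09:20:00 src=10.1.4.77 dst=203.0.113.41 dport=51413 host=- action=allow
2024-03-01T09:20:01 src=10.1.4.77 dst=203.0.113.42 dport=6881 host=- action=allow
2024-03-01T09:20:01 src=10.1.4.77 dst=203.0.113.43 dport=6889 host=- action=allow
2024-03-01T09:20:02 src=10.1.4.77 dst=198.51.100.20 dport=52000 host=- action=allow
2024-03-01T09:20:03 src=10.1.4.77 dst=198.51.100.21 dport=48111 host=- action=allow
2024-03-01T09:20:05 src=10.1.4.77 dst=192.0.2.200 dport=60000 host=- action=allow
"""

# Constructed blocklist of scam / fake-installer domains (placeholders).
SCAM_DOMAINS = {"secure-pc-alert.example", "get-flashplayer-update.example"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"host=(?P<host>\S+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Parse key=value lines into dicts; silently skip lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def flag_blocklisted(records, blocklist):
    """Return sorted, de-duplicated (src, host) pairs that hit the blocklist."""
    hits = {(r["src"], r["host"]) for r in records
            if r["action"] == "allow" and r["host"] in blocklist}
    return sorted(hits)


def flag_p2p_swarms(records, min_peers=5, min_port=1024):
    """Return {src: distinct_peer_count} for hosts that look like swarm members.

    A connection counts as a 'peer' contact when it is allowed, carries no
    hostname ('-') and targets an ephemeral port. Many distinct such peers
    from one source is the contextual signal; no single line is suspicious.
    """
    peers = defaultdict(set)
    for r in records:
        if r["action"] == "allow" and r["host"] == "-" and r["dport"] >= min_port:
            peers[r["src"]].add(r["dst"])
    return {src: len(dsts) for src, dsts in peers.items() if len(dsts) >= min_peers}


def run(text=SAMPLE_LOG):
    """Run both detections and return their findings together."""
    recs = parse_log(text)
    return {"scam_visits": flag_blocklisted(recs, SCAM_DOMAINS),
            "p2p_swarms": flag_p2p_swarms(recs)}


if __name__ == "__main__":
    for name, finding in run().items():
        print(f"{name}: {finding}")
```

The blocklist check is only as good as the list, which is why the second detection does not look at any single packet: it counts distinct hostless peers per internal source, so the decoy host with one such connection stays quiet while the swarm member stands out. In production the thresholds would be tuned per environment and the results joined with endpoint telemetry before anyone is paged.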
4. Potentially Unwanted Program (PUP)
Analysts found multiple instances of PUPs. These programs are not necessarily malicious, but their unintended use may compromise the privacy of the user, weaken network security, or degrade system performance. At the Agency, investigation of a suspicious persistence mechanism led Tyler Detect to an application that automatically installed new wallpaper. Because it was calling out to a variety of sites that could potentially be malicious, it greatly increased the attack surface of the network.
5. Advanced Persistent Adware (APA)
When reviewing the Agency’s endpoint activity, Tyler Detect found an APA installed on one of their devices. According to Booz Allen Hamilton, an APA “leverages advanced techniques, typically only seen in attacks attributed to Nation-State-level Advanced Persistent Threats (APTs), to evade detection, maintain persistence, and connect to a Command and Control (C2) server to facilitate the second stage of the attack.” If left undetected, this activity posed a significant threat to the Agency.
“So far the investment in Tyler Detect is paying off,” said Caffrey. “The initial installation was quick and easy. Now Tyler alerts us to the vulnerabilities on our system. It’s much less expensive than hiring full-time employees to find threats. And it’s saving my team time because we don’t have to chase down false positives anymore.”
With Tyler Detect defending their network, Tennessee’s Intercounty Agency no longer needs to fear what they don’t know.