Nurturing Security In Finance Through Digital Forensics

Client Overview

Our client, a pioneering force in the financial sector, operates as a licensed Payment System Operator (PSO) and Payment Service Provider (PSP) with nearly two decades of impactful innovation. As a leading payment gateway and switch system, our client collaborates with numerous member banks and billers, playing a crucial role in shaping banking transactions.

Why the Client Chose Us

The client opted for Ebryx due to its specialized security services. Our team’s expertise in financial systems, crucial to the client’s infrastructure, coupled with a deep understanding of state regulations and security compliances, made us the ideal choice for building a robust and compliant cybersecurity framework.

Project Overview

Our client, a key player in the financial sector, sought our expertise to enhance its cybersecurity posture. This comprehensive engagement covered SOC L2 Analysis, Incident Response and DFIR services.

How Ebryx Responded

Ebryx demonstrated its proficiency in handling multiple security breach incidents on the client’s platform, ensuring prompt and thorough resolution without compromising the client’s infrastructure. Noteworthy instances include:

Malicious IP Communication

The Ebryx Security Team swiftly addressed a security concern involving a client employee’s computer, flagged for malicious IP communications. Through meticulous L2 investigation, it was revealed that the EDR alert had been triggered by the host machine communicating with a suspicious domain. Further scrutiny uncovered that the Google Sync feature had been attempting to sync or download potentially malicious extensions from this domain. Specifically, two Chrome extension IDs were identified: one associated with the “Chrome Remote Desktop” extension, which offers remote access capabilities, and the other linked to the “Adobe Acrobat” extension for Chrome, which provides various PDF functions. Importantly, despite the detection of these extensions, the system registry remained unchanged, there was no evidence of DLL sideloading, and the hosts file remained unaltered. The Ebryx Digital Forensics and Incident Response (DFIR) team conducted a comprehensive investigation, ensuring a thorough analysis and resolution of the incident.
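The triage steps described above (inventory the extensions a browser profile holds, decide which ones need analyst attention, and confirm the hosts file is untouched) can be scripted. The following is an added example written for this case study, not Ebryx’s or the client’s tooling. It assumes Chrome’s per-profile Preferences / Secure Preferences JSON keeps installed extensions under `extensions.settings.<id>` with a `manifest` block and a `from_webstore` flag; the extension IDs, names, allowlist and known-good hosts file are constructed placeholders, not values from the incident.

```python
"""Endpoint triage for a 'browser sync pulled unknown extensions' alert.

Added example for this case study, not Ebryx's or the client's tooling.
Assumptions (not from the case study): Chrome's per-profile Preferences /
Secure Preferences JSON keeps installed extensions under
extensions.settings.<id> with a 'manifest' block and a 'from_webstore' flag;
all extension IDs, names and the allowlist below are constructed placeholders.
"""
import hashlib
import json
import re

# Constructed placeholder IDs (Chrome IDs are 32 characters from a-p).
REMOTE_ID = "a" * 32    # stands in for a remote-access extension
PDF_ID = "b" * 32       # stands in for an approved PDF extension
SIDELOAD_ID = "c" * 32  # stands in for an extension not from the Web Store

# Constructed sample of the relevant slice of a Chrome Preferences file.
SAMPLE_PREFERENCES = json.dumps({"extensions": {"settings": {
    REMOTE_ID: {"from_webstore": True, "state": 1,
                "manifest": {"name": "Remote Desktop Helper", "version": "1.0",
                             "permissions": ["desktopCapture", "tabs"]}},
    PDF_ID: {"from_webstore": True, "state": 1,
             "manifest": {"name": "PDF Tools", "version": "2.3",
                          "permissions": ["activeTab"]}},
    SIDELOAD_ID: {"from_webstore": False, "state": 1,
                  "manifest": {"name": "Helper", "version": "0.1",
                               "permissions": ["<all_urls>", "webRequest"]}},
}}})

APPROVED_EXTENSIONS = {PDF_ID}  # constructed organisational allowlist
# Permissions that grant remote control or broad traffic interception.
HIGH_RISK_PERMISSIONS = {"desktopCapture", "<all_urls>", "webRequest", "nativeMessaging"}
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")

# Constructed known-good hosts file and its baseline hash.
KNOWN_GOOD_HOSTS = "127.0.0.1 localhost\n"
KNOWN_GOOD_HOSTS_SHA256 = hashlib.sha256(KNOWN_GOOD_HOSTS.encode()).hexdigest()


def inventory_extensions(preferences_json):
    """One record per installed extension: ID, name, Web Store origin,
    enabled state and any high-risk permissions."""
    settings = json.loads(preferences_json).get("extensions", {}).get("settings", {})
    records = []
    for ext_id, ext in settings.items():
        if not EXTENSION_ID_RE.match(ext_id):
            continue  # skip internal entries that are not real extension IDs
        manifest = ext.get("manifest", {})
        perms = set(manifest.get("permissions", []))
        records.append({
            "id": ext_id,
            "name": manifest.get("name", "<unknown>"),
            "from_webstore": bool(ext.get("from_webstore", False)),
            "enabled": ext.get("state") == 1,
            "risky_permissions": sorted(perms & HIGH_RISK_PERMISSIONS),
        })
    return records


def flag_extensions(records, approved=APPROVED_EXTENSIONS):
    """Flag extensions that are off the allowlist, not from the Web Store,
    or carry high-risk permissions; each flagged record lists its reasons."""
    flagged = []
    for rec in records:
        reasons = []
        if rec["id"] not in approved:
            reasons.append("not on allowlist")
        if not rec["from_webstore"]:
            reasons.append("not installed from Web Store")
        if rec["risky_permissions"]:
            reasons.append("high-risk permissions: " + ", ".join(rec["risky_permissions"]))
        if reasons:
            flagged.append({**rec, "reasons": reasons})
    return flagged


def hosts_file_findings(hosts_text, baseline_sha256=KNOWN_GOOD_HOSTS_SHA256):
    """Compare the hosts file with a known-good hash and list any mapping
    that does not point at loopback, a common sign of redirection."""
    digest = hashlib.sha256(hosts_text.encode()).hexdigest()
    non_loopback = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        addr, *names = line.split()
        if addr not in ("127.0.0.1", "::1"):
            non_loopback.append((addr, names))
    return {"hash_matches_baseline": digest == baseline_sha256,
            "non_loopback_entries": non_loopback}


if __name__ == "__main__":
    for hit in flag_extensions(inventory_extensions(SAMPLE_PREFERENCES)):
        print(f"{hit['id']} {hit['name']!r}: {'; '.join(hit['reasons'])}")
    print(hosts_file_findings(KNOWN_GOOD_HOSTS))
```

Run against a real profile, the script would read the Preferences file for the affected user and a baseline hash recorded when the endpoint was built; the allowlist and the permission set are the two knobs an SOC would tune per organisation. The hosts-file check is deliberately two-sided: a hash mismatch says “something changed”, while the non-loopback listing says “what it now does”, which is what an analyst needs to close the ticket.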

Network Content Inspection and C&C Callbacks

The Ebryx security team responded to a TrendMicro alert indicating potential security issues, specifically “Network Content Inspection and C&C Callbacks,” on a client employee’s workstation. The alert highlighted scanning attempts against the client’s public IP address from external malicious IPs at various intervals. Although these attempts were inbound, all connections were successfully blocked.

In response to this alert, an exhaustive investigation was initiated using advanced tools, focusing on the alert period to identify any unusual process or network activity on the affected machine. This scrutiny uncovered that the IIS web service had been inadvertently exposed on the client’s public IP.

Based on these findings, the Ebryx Security team recommended immediately stopping the IIS web service on the host machine, provided it was not essential for operations. Additionally, the Ebryx security team implemented new detection and prevention mechanisms to mitigate the risk of similar suspicious behavior in the future.
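The finding above, a web service listening on an address the outside world can reach, is the kind of thing an analyst confirms from the host’s own socket table rather than from the alert alone. The following is an added example for this case study (not Ebryx’s or the client’s tooling): it parses the output of Windows `netstat -ano` (columns Proto, Local Address, Foreign Address, State, PID), keeps only TCP listeners, and reports those on web ports that are bound either to the wildcard address or directly to one of the host’s public IPs. The sample netstat output, the public IP and the PID-to-process mapping are constructed for illustration.

```python
"""Exposure check for listening services, as an added example for this case
study (not Ebryx's or the client's tooling).

Parses the output of Windows `netstat -ano` (columns: Proto, Local Address,
Foreign Address, State, PID) and reports listeners on web ports that are
reachable from outside: bound to the wildcard address or directly to one of
the host's public IPs. The netstat output, the public IP and the PID-to-process
mapping below are constructed for illustration.
"""
import re

# Constructed `netstat -ano` output. PID 4 is the Windows System process; sockets
# opened by the kernel-mode http.sys driver (which fronts IIS) appear under it.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING       3320
  TCP    203.0.113.10:443       0.0.0.0:0              LISTENING       4
  TCP    203.0.113.10:49700     198.51.100.7:443       ESTABLISHED     5120
  TCP    [::]:80                [::]:0                 LISTENING       4
"""

# Constructed: the host's public IP (what the external scans targeted) and a
# PID-to-process mapping as an analyst would take from `tasklist`.
PUBLIC_IPS = {"203.0.113.10"}
PID_NAMES = {4: "System (http.sys)", 912: "svchost.exe", 3320: "postgres.exe", 5120: "chrome.exe"}

WEB_PORTS = {80, 443, 8080, 8443}
WILDCARD_ADDRS = {"0.0.0.0", "::"}
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def split_endpoint(endpoint):
    """'203.0.113.10:443' -> ('203.0.113.10', 443); '[::]:80' -> ('::', 80)."""
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]"), int(port)


def parse_listeners(netstat_text):
    """Return every TCP LISTENING socket as {'addr', 'port', 'pid'}."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # headers, UDP lines and established connections
        addr, port = split_endpoint(m.group(1))
        listeners.append({"addr": addr, "port": port, "pid": int(m.group(2))})
    return listeners


def is_externally_reachable(addr, public_ips):
    """Wildcard binds listen on every interface, the public one included;
    an explicit bind is exposed only if it is one of the public IPs."""
    return addr in WILDCARD_ADDRS or addr in public_ips


def find_exposed_web_listeners(netstat_text, public_ips=PUBLIC_IPS, pid_names=PID_NAMES):
    """Web-port listeners an external scanner could reach, with owning process."""
    exposed = []
    for sock in parse_listeners(netstat_text):
        if sock["port"] in WEB_PORTS and is_externally_reachable(sock["addr"], public_ips):
            exposed.append({**sock, "process": pid_names.get(sock["pid"], "unknown")})
    return exposed


def recommendation(exposed):
    """Mirror the case-study guidance: stop the service if it is not needed,
    otherwise bind it to an internal address only."""
    if not exposed:
        return "no externally reachable web listeners"
    procs = sorted({e["process"] for e in exposed})
    return ("stop the web service if it is not required for operations; "
            "otherwise rebind it to an internal interface and restrict inbound "
            "access at the firewall (owning processes: " + ", ".join(procs) + ")")


if __name__ == "__main__":
    for e in find_exposed_web_listeners(SAMPLE_NETSTAT):
        print(f"{e['addr']}:{e['port']} pid={e['pid']} {e['process']}")
    print(recommendation(find_exposed_web_listeners(SAMPLE_NETSTAT)))
```

Two points the sample is built to show: a `0.0.0.0` or `[::]` bind is exposed even though no public address appears on the line, and a PID of 4 does not mean “no process”; it means the kernel-mode http.sys driver owns the socket, so the analyst has to look at the IIS site bindings rather than a user-mode process to find out what is being served.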

The Results

Our comprehensive security measures not only involved the establishment of a robust security framework for the client from scratch but also ensured a flawless track record with zero successful breach incidents on the client’s infrastructure. This achievement was accomplished seamlessly, preserving the performance of their architecture and maintaining uninterrupted business processes throughout the security improvement period.
