Tech Tidbit – While you were sleeping

October 1st, 2024

It is Tuesday at 12:29 a.m., at the end of Labor Day weekend. I am driving back from Westchester County Airport, having just flown in from Charlotte, NC.

A message comes through. It is our friends at the Blackpoint Cyber SOC. One of our client's legitimate users had been detected initiating a first-time VPN connection to M365 in the cloud, and the connection came from a foreign country. The SOC's red flags went off:

  • 12:29 a.m.: a first-time VPN connection.
  • A legitimate user logging in from Latin America.
  • An impossible travel situation, since the local user cannot be both local and thousands of miles away.
  • A server-side mail forwarding rule was set up.

The connection was killed, and the SOC disabled the account, ending the threat just as it was being launched.
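As an added illustration (not code from this post or from Blackpoint Cyber), here is how a detector could score those same four red flags over a constructed sign-in and mailbox event stream; the coordinates, timestamps, business-hours window and 900 km/h travel ceiling are assumed values, not figures from the incident.

```python
import math
from datetime import datetime

# Constructed sample events (not real log data) modelling the sequence in the post:
# a normal daytime sign-in, then a 12:29 a.m. first-time VPN sign-in from another
# country, then a mailbox forwarding rule. Coordinates and times are assumed.
EVENTS = [
    {"time": "2024-09-02T17:05:00", "type": "signin", "country": "US",
     "lat": 41.07, "lon": -73.71, "vpn": False},
    {"time": "2024-09-03T00:29:00", "type": "signin", "country": "BR",
     "lat": -23.55, "lon": -46.63, "vpn": True},
    {"time": "2024-09-03T00:31:00", "type": "inbox_rule", "action": "forward"},
]
# Assumed per-user baseline: countries seen before and whether VPN was ever used.
BASELINE = {"countries": {"US"}, "vpn_used": False}
MAX_SPEED_KMH = 900            # assumed ceiling for plausible air travel between sign-ins
BUSINESS_HOURS = range(6, 22)  # assumed; anything outside is "hacker hours"

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def red_flags(events, baseline):
    """Return the SOC-style red flags raised by one user's chronological event stream."""
    flags, prev = [], None
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["type"] == "signin":
            if t.hour not in BUSINESS_HOURS:
                flags.append("sign-in outside business hours")
            if e["vpn"] and not baseline["vpn_used"]:
                flags.append("first-time VPN connection")
            if e["country"] not in baseline["countries"]:
                flags.append(f"sign-in from new country {e['country']}")
            if prev is not None:  # compare against the previous sign-in for impossible travel
                km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
                hours = (t - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
                if hours > 0 and km / hours > MAX_SPEED_KMH:
                    flags.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
            prev = e
        elif e["type"] == "inbox_rule" and e["action"] == "forward":
            flags.append("server-side mail forwarding rule created")
    return flags

if __name__ == "__main__":
    for flag in red_flags(EVENTS, BASELINE):
        print("RED FLAG:", flag)
```

In a real deployment the baseline would be built from each user's sign-in history, and any sign-in that trips several flags at once is the case to disable the session and account first and investigate second, as the SOC did here.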

We were notified of the result.

All of this happened while none of us were paying any attention to our networks. Most of you were probably sleeping. I was not paying attention and was out of position to do anything quickly.

Once again, that validates my ongoing commentary that 80% of the bad things happen on holidays.

Hacker hours are nights, weekends, and holidays. In K-12, none of us pay attention during those times.

A 24x7x365 proactive SOC is always paying attention. They are monitoring, alerting, and protecting as needed.

Last month I heard that 90% of the previous month's SOC incidents were from cloud-based and business email compromise style attacks!

Some may think, "That is great, but I don't have the budget for all that right now." The good news is that we can very inexpensively protect against this type of "cloud-based attack" for Google Workspace and/or Microsoft 365 named users.

As you work towards a complete SOC solution, you can add this 24x7x365 proactive SOC protection to your named users in Google Workspace or M365, starting with those dealing with personally identifiable information, confidential information, and money.

If cost were not a huge factor, why would you not protect those in your organization most at risk of these very real attacks?

Please contact Lisa if you want to explore how to provide this higher level of protection to your most important users.

-Scott Quimby, CISSP