What do identity theft, WhatsApp, and a maliciously crafted Microsoft Word document have in common? To answer that, allow me to rewind a bit.
We’re almost a full year into the COVID-19 pandemic, and pharmaceutical companies have been under considerable pressure to secure their data as healthcare becomes a prime target for organized cybercrime. The concurrent pivot to remote work and collaboration has spurred the rapid adoption of cloud services across all industries, especially for healthcare organizations where there has been an increase in telemedicine and new remote work requirements.
With all eyes on healthcare, we’ve seen cyberattackers become even more creative when infiltrating organizations under the radar.
Enter: an attacker posing as a recruiter, using a fraudulent LinkedIn profile modeled on an actual person with an extensive background in recruiting. This threat actor contacts people with the lure of a lucrative job offer, establishing rapport with the target via WhatsApp over several days. Finally, the target receives an infected Word document that, upon opening, provides the attacker with access to the organization’s systems. This social engineering allowed the attackers to target and compromise company staff, just like the unsuspecting Employee Zero at Sanofi, a multinational pharmaceutical company. This is where our story starts.
I had the privilege of sitting down with Jean-Yves Poichotte, Group Head of Cybersecurity at Sanofi, and Richard Webster, Head of Cyber Security Operations Center at Sanofi, to discuss how this attack unfolded and why partnering with Vectra was critical to preventing a data breach.
“We have many vendors,” Jean-Yves said. “Rare are those which dedicate a certain level of partnership. Vectra and its team are bringing a partnership mindset.”
Adding value with Vectra
What happens when accounts are compromised and an attacker infiltrates your organization through completely legitimate tools and processes? The attacker’s malicious behavior is hidden among the “normal” noise and doesn’t stand out in endpoint scans. In cases like this, the endpoint detection and response (EDR) solution itself has already been compromised and can no longer combat the threat. This is precisely the problem that Sanofi solved with Vectra.
We filled a specific gap in Sanofi’s security journey, giving them full visibility and coverage across their enterprise and cloud deployments, including their AWS infrastructure. During red team testing, Sanofi required a solution that would detect attacks that bypass existing tools such as EDR and that would be impossible to find in security information and event management (SIEM) systems.
The Cognito Network Detection and Response (NDR) Platform from Vectra applies AI-derived machine learning algorithms to automatically detect, prioritize, and respond to in-progress cyberattack behaviors. Cognito provides high-fidelity visibility into the entire network and cloud, as well as all applications, operating systems, and devices, including bring your own device (BYOD) and Internet of Things (IoT).
Cognito’s continuous monitoring of all network and cloud traffic, together with the addition of AWS VPC Traffic Mirror data, leaves attackers no way to circumvent it. Prioritizing the highest-risk threats with a high degree of certainty enables a confident approach to automating threat surveillance. According to Richard, the Cognito technology is what allowed their organization to detect and shut down the attack.
NDR augments the SOC
Even though Sanofi’s security architecture is built to handle complex operations, this particular attack managed to evade the tools already in place. Richard disclosed, “I'm always telling my team that we need to build new detection nets all the time. We're adding layer after layer of detection nets, but only two of them worked for this attack.” The two in question? Endpoint detection and response (EDR) and NDR.
When I asked Jean-Yves and Richard to choose between EDR and NDR, Richard said that both are critical to maintaining a secure environment. “For me, it isn't one or the other – I need both. I want as much visibility as possible, and I want to do deep forensics with EDR and NDR.” He described how adversaries can compromise the endpoint device and disable the EDR solution, whereas attackers can’t do the same to NDR, which observes the traffic rather than running on the compromised host. “It's harder to defeat NDR,” he said.
While EDR is important for endpoints, NDR is critical to the network. Sanofi used Detect and Recall in tandem to detect threats and trace the attack’s progression. While Detect assisted in real time, Recall assisted the Sanofi team afterwards in conducting forensics. Richard noted, “In this particular attack, we could go into Recall and we could see line by line exactly what the share enumeration was. We could see the file opens, the file read, what the names of files were, we could see the byte count.” Such complete visibility of the attack progression then educated and informed the team as they created detection frameworks to prevent similar tactics in the future.
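The two things Richard describes pulling out of network metadata, a burst of share enumeration and a per-file record of opens, reads and byte counts, are straightforward to express as detection and reconstruction logic over SMB session records. The following Python is an added example, not code from Vectra or Sanofi and not the Recall query language; it assumes a constructed, whitespace-separated log format (timestamp, source host, user, share, operation, path, bytes) rather than any real product export. The sample lines are constructed: one host connects to six shares in three seconds and then reads a single document, while a second host shows ordinary single-share activity.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not a real product export).
# Fields: timestamp src user share op path bytes
LOG = r"""
2021-02-10T09:00:01 10.0.5.21 jdoe \\fs01\finance tree_connect - 0
2021-02-10T09:00:02 10.0.5.21 jdoe \\fs01\hr tree_connect - 0
2021-02-10T09:00:02 10.0.5.21 jdoe \\fs01\it tree_connect - 0
2021-02-10T09:00:03 10.0.5.21 jdoe \\fs02\research tree_connect - 0
2021-02-10T09:00:03 10.0.5.21 jdoe \\fs02\legal tree_connect - 0
2021-02-10T09:00:04 10.0.5.21 jdoe \\fs02\backup tree_connect - 0
2021-02-10T09:00:10 10.0.5.21 jdoe \\fs02\research open trials\Q1-summary.xlsx 0
2021-02-10T09:00:11 10.0.5.21 jdoe \\fs02\research read trials\Q1-summary.xlsx 65536
2021-02-10T09:00:12 10.0.5.21 jdoe \\fs02\research read trials\Q1-summary.xlsx 65536
2021-02-10T09:05:00 10.0.7.8 asmith \\fs01\finance tree_connect - 0
2021-02-10T09:06:00 10.0.7.8 asmith \\fs01\finance open reports\feb.docx 0
2021-02-10T09:06:01 10.0.7.8 asmith \\fs01\finance read reports\feb.docx 4096
"""


@dataclass(frozen=True)
class SmbEvent:
    ts: datetime
    src: str
    user: str
    share: str
    op: str        # "tree_connect", "open" or "read"
    path: str      # "-" for tree_connect
    nbytes: int


def parse_log(text: str) -> list:
    """Parse the constructed log format into SmbEvent records; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, src, user, share, op, path, nbytes = parts
        events.append(SmbEvent(datetime.fromisoformat(ts), src, user, share, op, path, int(nbytes)))
    return events


def detect_share_enumeration(events, window=timedelta(minutes=5), min_shares=5) -> dict:
    """Flag sources that connect to at least `min_shares` distinct shares within any
    sliding window of length `window`. Returns {src: sorted distinct shares at peak}."""
    by_src = defaultdict(list)
    for e in events:
        if e.op == "tree_connect":
            by_src[e.src].append(e)
    alerts = {}
    for src, conns in by_src.items():
        conns.sort(key=lambda e: e.ts)
        best, left = set(), 0
        for right in range(len(conns)):
            # Slide the left edge until the window fits; left never passes right.
            while conns[right].ts - conns[left].ts > window:
                left += 1
            shares = {c.share for c in conns[left:right + 1]}
            if len(shares) >= min_shares and len(shares) > len(best):
                best = shares
        if best:
            alerts[src] = sorted(best)
    return alerts


def file_activity(events, src: str) -> dict:
    """Per-file reconstruction for one source: number of opens, number of reads and
    total bytes read, the "line by line" view an analyst builds after the fact."""
    summary = defaultdict(lambda: {"opens": 0, "reads": 0, "bytes": 0})
    relevant = (e for e in events if e.src == src and e.op in ("open", "read"))
    for e in sorted(relevant, key=lambda e: e.ts):
        key = f"{e.share}\\{e.path}"
        if e.op == "open":
            summary[key]["opens"] += 1
        else:
            summary[key]["reads"] += 1
            summary[key]["bytes"] += e.nbytes
    return dict(summary)


if __name__ == "__main__":
    evs = parse_log(LOG)
    for host, shares in detect_share_enumeration(evs).items():
        print(f"share enumeration from {host}: {len(shares)} shares {shares}")
        for path, stats in file_activity(evs, host).items():
            print(f"  {path}: {stats}")
```

The threshold and window are tuning knobs: a backup server or a vulnerability scanner will legitimately touch many shares, so in practice the alert is scoped by source role or allow-listed hosts rather than applied uniformly. The reconstruction function is deliberately separate from the detector, since the per-file view is what informs the follow-up detection rules Richard describes rather than the trigger itself.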
Sanofi and Vectra: Better together
Jean-Yves, Richard, and I closed out by reinforcing the strength of the partnership between our organizations. This attack demonstrated that when an attacker manages to steal credentials and bypass traditional endpoint solutions, NDR effectively bridges the gap.
Thwarting this attack also exemplifies the benefits of close cooperation between our teams. Vectra offers the platform while Sanofi brings its unique use cases, which allows us to innovate together, solve problems, and exchange technical expertise.
As Sanofi continues to adapt to the cloud and build out their enterprise security, Jean-Yves and Richard shared that they’re looking forward to an ongoing partnership with us at Vectra. Jean-Yves commented, “Vectra brings their innovation and deep technical value. My team at Sanofi is bringing the solution feedback. And the combination is the path of progress and maturity.”
We wrapped up our conversation with an excellent Q&A session featuring questions submitted by the audience. Though we couldn’t respond to all the submissions live, we’ve answered all of them in this document, featuring Jean-Yves and Richard’s unedited comments.
Get the full story on the methods used by cybercriminals to carry out the attack—leveraging LinkedIn, WhatsApp, and Microsoft Word—and how Sanofi used Detect and Recall from Vectra to stop the attack in its tracks.