Genuine Technology Group is a leading MSP and trusted advisor to clients across industries, including local governments and critical infrastructure where security is mission critical.

Ernest Murry, Genuine’s Chief Technology Officer with over 20 years of experience managing MSPs, recently led the company’s efforts to implement an enhanced security stack. Genuine already relied on Todyl’s Secure Access Service Edge (SASE) to connect and protect its clients working remotely and in-office. Recognizing the need to further optimize security postures, Ernest evaluated different solutions and vendors before making the strategic decision to implement three modules from the recently launched Todyl Security Platform, including:

• Endpoint Security that combines Endpoint Detection & Response (EDR) and Next-Generation Anti-Virus (NGAV) with Ransomware, Malware, Malicious Behavior, and Memory Threat Protection.
• Security Information and Event Management (SIEM) that ingests and analyzes logs from any data source, helping partners identify breaches, hunt for threats and vulnerabilities, and investigate alerts through a single-pane-of-glass.
• Managed Extended Detection & Response (MXDR) that provides a unique, personalized service focused on prevention, detection, and response.

Following the implementation, one of its clients requested a penetration test to assess the effectiveness of Genuine’s security stack and system configuration. The goals of the test included:

• Documenting and demonstrating attack vectors
• Quantifying the impact of successful attacks through active exploitation
• Identifying specific vulnerabilities to remedy and improve security
• Recommending ways to improve Genuine’s overall security posture

Penetration Test Play-by-Play

Ernest and the penetration tester designed the test as an assumed breach. They decided the tester would attempt to spread laterally across Todyl’s Secure Global Network^TM (SGN) Cloud Platform, the backbone of Todyl’s SASE module, to a hosted server in the client’s data center.

The SGN features Zero Trust Network Access (ZTNA). This capability enables organizations to securely access resources from everywhere over fast, secure, and reliable connections. In this case, Genuine configured SASE with ZTNA, so the client can only access the data center over the SGN, helping to greatly reduce the attack surface area by eliminating public-facing access to the datacenter.

For this testing scenario, it is assumed that the threat actor gained access to the client’s network. The goal is to determine what data they can exfiltrate, where they can move laterally, and what payloads and executables they could run on the device. Assumed breaches give Genuine a comprehensive assessment of any internal network vulnerabilities from the perspective of a threat actor.

To start the assumed breach, Ernest shipped a laptop and user log-in directly to the tester, who started executing multiple payloads and executables to bypass Todyl’s Endpoint Security and gain persistent access. The Malware Prevention in Todyl’s NGAV module blocked the first payload, and within 10 minutes, the Managed Extended Detection & Response (MXDR) team alerted Ernest in Slack, unaware that a penetration test was taking place.

The MXDR team gave Ernest a play-by-play of the tester’s attempts, including the host’s name, path, and parent process. During their investigation, the team uncovered an unknown hash for the binary “Windows_Update.exe.” This file was not signed by Microsoft and was not recognizable by any reputation-based hash lookup services.

Unrecognizable hashes can be associated with custom payloads and are frequently leveraged to avoid detection by traditional anti-virus applications, as well as SIEMs that rely solely on static indicators. Since Todyl's Endpoint Security and SIEM leverage an advanced detection and analysis engine, our platform identified and prevented attempts to launch this malware. The platform also prevented any malicious behaviors that can indicate an attack is in progress.

Based on this knowledge, the team informed Ernest that it was suspected malware, as shown in Figure 1 below.