Known threats help warn of new cyberattacks

Learn how the AT&T Security Operations Center (SOC) helps customers be proactive

by Donna McCally, Sr. Product Marketing Manager, AT&T Cybersecurity Solutions

Well-known, time-worn cyberthreats can help alert cybersecurity teams to new attacks.

When the WannaCry ransomware outbreak hit full force in mid-May, some AT&T Threat Manager customers had the advantage of early warnings. They received these warnings after teams from the AT&T Security Operations Center (SOC) detected anomalies exhibiting Conficker-like behaviors.

Conficker is a worm targeting Microsoft Windows systems, and it has been around for nearly a decade. US-CERT originally issued an alert on Conficker (also known as Downup) in March of 2009.

“We actually notified customers of Conficker-like activity,” said Stephen Roderick, director of technology security for AT&T. “WannaCry happened to be showing some of the same threat behaviors as Conficker.”

Although there are anti-virus programs and security patches in place to wipe out Conficker and the known variants, it consistently ranks as a top threat detected among AT&T Threat Manager customers. That’s because there are still old operating systems in place, and many organizations don’t keep current on anti-virus software or security patches – even though these are foundational cybersecurity best practices every organization should follow.

Old cyberthreats

In some cases, old cyberthreats still proliferate from machine to machine and are never activated, becoming irrelevant as time passes.

“A lot (of old cyberthreats) become background noise,” says Steve Hurst, director of security strategy and compliance for AT&T Security & Advanced Applications.

Sometimes, however, bad actors draw from characteristics or pieces of code from old threats in an effort to build new malware. That’s apparently the case with WannaCry. In the earliest stages of the WannaCry outbreak, the AT&T teams didn’t know about the ransomware.

“It was just brewing,” Roderick said.

Eventually, the SOC teams saw old Conficker signatures fire on some customer networks, sparking cause for closer investigation. And because of Conficker-like anomalies, AT&T notified Threat Manager customers that their networks were being targeted, and incident response plans were successfully implemented.

“That’s the reason we had a heads up,” Roderick said. “We happened to see an old signature fire.”

Roderick said the SOC’s uniquely skilled threat analysts clearly put his team at an advantage in this situation to look out for WannaCry early on and prevent the ransomware from impacting our Threat Manager customers.

Added Roderick: “We have the expertise. We have the knowledge base. We have experienced threat personnel who know the landscape. It’s important not only to see what’s happening, but also to understand what’s happening in real time.”

Perhaps a decade from now, next year, or even next month, our SOC team will be alerted to another new threat with characteristics similar to the WannaCry attack. The scenario is not unlikely, according to Ivan Imbuido, Threat Manager subject-matter expert for AT&T Cybersecurity Solutions.

“The bad actors will inevitably take pieces of the WannaCry code and morph it into something new that works on their specific targets,” Imbuido said, adding that a robust threat detection program monitored by experienced teams as part of a multi-layered approach to cybersecurity is one defense against evolving threats – old and new.
