Systemhaus Krick

Security incident
detected and prevented

Overview

Systemhaus Krick offers its 1,100 customers over 20 years of practical experience in the field of IT and system solutions. True to its motto “the highest quality for demanding customers at reasonable prices”, the 50 expert employees at Krick offer support to SMBs for the operation and consolidation of IT services, cost optimization, expansion, and IT infrastructure security. Besides implementing security solutions at customer sites, Systemhaus Krick also offers security services such as malware scanning for email and websites based on Trend Micro products.

“As a supplier of security solutions, it goes without saying that we closely monitor what’s happening in this area. As such, we’ve noticed that installing virus scanners is no longer the done thing,” explained Robert Krick, the company’s founder and CEO. “We have to protect ourselves and, of course, our customers from unknown threats.” It was against this backdrop that the systems provider decided to test the Trend Micro Deep Discovery solution— both with a view to using the product itself and to adding it to its portfolio.

Why Trend Micro

The product, with the two modules Deep Discovery Inspector and Deep Discovery Analyzer, provides flexible protection against unknown threats. It detects network threats, conducts user-defined sandbox simulations, and generates real-time analyses and reports. Defense mechanisms can therefore be quickly adapted as an effective response.

Using such a solution requires comprehensive knowledge of the many protocols and types of network connections available, as well as of what can be done with these. Systemhaus Krick therefore works in cooperation with the experts at Trend Micro. The provider offers extensive expertise and experience not only with sandbox analyses but also, most important, with the processing and classification of the results of such analyses.

“A security incident occurred during the test phase,” CEO Krick reports. “It was lucky that we were using Deep Discovery, as the solution detected the threat and was able to prevent the situation from spiraling.”

The incident began when a user received an email with a seemingly trustworthy link to a file containing details about a T-Mobile invoice. The user clicked on the link and triggered the download of malware from the Internet. None of the antivirus solutions detected the virus, but Deep Discovery Inspector reacted as the file download ran through a LAN segment that was monitored by the software.

The software’s Advanced Threat Scan Engine (ATSE) rated the file as suspicious and sent it to Deep Discovery Advisor’s sandbox for analysis. The file was executed in the sandbox and the analysis of the file’s activities, such as the addition of autorun in the registry, enabled the engineers to identify it as malicious code.

"A security incident occurred during the test phase. It was lucky we were using Deep Discovery, as the solution detected the threat and was able to prevent the situation from spiraling.

Robert Krick,
founder and CEO, Systemhaus Krick

 

The analysis findings were recorded in a report and immediately forwarded to the administrators responsible. Their lists of user addresses enabled them to find the machine where the file had been downloaded. They quickly initiated countermeasures in the relevant terminal server profiles.

Solution

Following this incident during the Deep Discovery test phase, the company decided to use the solution in its own infrastructure. Reflecting on the experience, Krick says “this security incident clearly highlighted to us that we need a complete rethink in terms of security. We can no longer prevent all attacks or rely on exact detection rates from antivirus software. These come too late.” The CEO is also aware that data thieves are now extremely clever and use malware variants that are sent to specifically selected addresses. As soon as security manufacturers get a sample, that means there’s already been at least one victim.

“The Advanced Threat Scan Engine plays a key role in providing protection against unknown threats”, emphasizes Michael Tants, Security Consultant at Trend Micro and member of the EMEA TrendLabs Team for Research and Analysis. “It can use highly aggressive heuristics to detect suspicious files, even if this often results in false positives.” According to the specialist, this is because wrong decisions by the engine have no major impact as, unlike conventional threat scan engines, they do not alter the users’ systems in any way. The ATSE only decides whether an analysis should be conducted in the sandbox. On the other hand, Tants says that it is essential for potential victims to be warned as soon as possible, even if the malware has not yet been precisely identified.

“The only solution to the problem is to allow unknown malicious code to get through and to establish the facts as quickly as possible based on analyses,” the CEO concludes. “These facts can then be used to make responsible decisions about suitable reactions in order to restore systems to a trusted state.”

Robert Krick has also included the Trend Micro solution in his company’s product range. However, the test run also showed that a great deal depends on the interpretation of the analyses of suspicious activities and the resulting instructions for action. Not all users have the experience and expertise required to ensure that these responses are always adequate. “We want to offer our customers more added value in this regard,” the CEO explains. “We take on responsibility for analyzing and evaluating the data as a managed service and supply customers with final results and recommended actions to protect them against targeted attacks.” Talks with users have identified a definite need for such services. Some users even recognized the social engineering involved in the attack, as they too had received the same email. Users have been benefiting from this service since April 1, 2014.