Our newly released Deception @ Work report will share a summary of a semiconductor manufacturer’s cyberattack involving a recently discovered insider attack. This report will overview this attack, share details on the incidents of compromise, and provide evidence of the high accuracy and unique capabilities of deception technology in identifying cyberattacker activity.

Our client, this leading fabless semiconductor manufacturer has billions of dollars in revenue, worldwide facilities in many countries, and many thousands of employees. Initially they wanted to increase network visibility and reviewed the addition of new security controls. Their existing toolsets focused on perimeter defense and detection and did not provide the internal visibility and detection they required.

This manufacturer required technology that would not use agents nor rely on signature recognition. They also suffered from severe alert management overload, and did not want to add a significant new burden to the traffic which was already overwhelming their SIEM and security operations center (SOC) team personnel. They also needed automation to provide for easy deployment of the new security controls across their global networks. Their security team was strong, but short-handed and often challenged with managing personnel transitions. Ultimately, after a comprehensive review of security control technology they made a decision to select Acalvio ShadowPlex.

Initially they deployed the software within their corporate headquarters and then out across the manufacturing plants and engineering centers. This included multiple decoys across two different VLANs. One VLAN was part of their production facility and the other was within the DMZ. Within 72 hours the Acalvio Shadowplex installation detected anomalous activity coming from one user Windows workstation. Apparent attacker activity was touching several of the decoys within the network. Initial investigation found malware which existing signature-based EDR was unable to detect.

Over the next few hours, it was determined that a malicious attacker was making multiple login attempts using a wide variety of compromised credentials. It was determined that this attacker was using stolen scripts from their red team, specifically one stolen from one tester, which had his credentials embedded with it, to continue to perform reconnaissance and investigate this and many other network VLANs.

IP addresses are obfuscated or hidden to protect the identity of the manufacturer, and protect the confidentiality of any law enforcement investigations which might be ongoing at this time.