How The AME Group’s people work together to secure its clients

The AME Security Team presents to our company related news and updates. This week features an internal story about how we come together to improve our existing security controls. 

It is challenging to keep up with the steady stream of news about security breaches and threats.  Like many companies, The AME Group has teams across locations and working remotely.  We connect via Microsoft Teams and work collaboratively most often in digital and virtual forms.

This past week, the President of AME saw an article on LinkedIn. He sent it via Teams to the leads of our Security Team and Network Operations Center.  The title was not compelling – “Conti ransomware prioritizes revenue and cyberinsurance data theft”.  The article started with a sentence that made stop and say, “the ransomware group has a training manual?”.  They posted the manual to the internet by a disgruntled business associate. 

In those manuals was a key take away.

The ransomware group used a legitimate piece of software called rclone to exfiltrate data from the victim’s network prior to locking it and setting a ransom. This is a common tactic used now and is a type of blackmailware.  They steal your data and threaten to post it publicly or on the dark web. This puts extra pressure on their victims to pay the ransom.  Dealing with criminals never gives you certainty you will get back your data if you pay the ransom.

Does this impact our clients?

The two team leads quickly realized how this might impact our clients.  The conversation back in forth in Teams was how to leverage our current security tools to write detection rules and reports.

The same afternoon they read the article, they created a detection and alerting rule in our SEIM. It was tested and implemented it for our Managed Security Services clients shortly after.

Then their attention turned to the clients not under Managed Security Services.  Our Managed IT Services clients’ devices are protected by an EDR (endpoint detection and recovery) program.  This program has an application monitoring component. This was used to determine that none of our clients or end user devices had the rclone application installed.

We pulled the signatures (hash) of the rclone.exe files. Then added them to the EDR to be blocked, killed, and quarantined immediately if it appears on their network. Remember, this is a legitimate program (open-source backup tool) and not malware so that is why this step was a key in adding a layer of protection against this tactic. 

Security Controls Updated

So, in less than a day after this story broke, AME was able to update our security controls with meaningful responses for our clients. The Conti group will probably come up with a new attack vector, but they will not be using this one on any of our clients.

AME has invested in very solid security tools for our clients. It is an ongoing effort to improve those tools as security threats never stop evolving.  It also takes everyone working together because being a security defender on behalf of all our clients is a daunting task.  Cybercriminals must only be right once to execute a breach.  In these times of remote work and companies that work across multiple States, collaboration is still possible and is an essential part of this story.