How BNMC (A New Charter Company) used Petra to Stop a CEO Attack Missed By SaaS Alerts

BNMC has been the trusted IT partner for hundreds of businesses across the Northeast and beyond since 1991. BNMC prides itself on enterprise-level IT services with the perfect blend of regional reach and local expertise. They reduce risk, minimize downtime, and align IT to business goals.
To get best-in-class cyber services (including Petra) from a world-class MSP with excellent support, visit https://www.bnmc.net or email sales@bnmc.net.
Challenge
Pre-Petra, Stealthy Attacks Increasing.
“We monitor client environments across Azure and Microsoft 365 using multiple platforms, including SaaS Alerts”, says Ken Curtis, Systems Architect at BNMC.
“These tools do provide great visibility into user activity, but when we heard about Petra, it was clear Petra could go deeper, you know? That it could do something better for our customers.”
“It’s no secret that attackers are changing what they do. Everyone can see it. We wanted to go deeper and detect faster.”
That opportunity came when BNMC deployed Petra.
“It quickly proved its worth”, says Ken.
Solution
Evaluating Petra, Exposing a Detection Gap
Ken and his team spun up Petra Autopsy to examine 6 compromises where the prior ITDR had been monitoring and to pull out new forensic details.
“We’d thought attacks were being shut down pretty fast”, says Ken. Then he laughs and adds: “...and then we ran [Petra, to do an Autopsy].”
Here’s what Autopsy uncovered across 5 compromises:
- Prior ITDR caught attack 4 months and 4 days late. Attacker accessed financial emails.
- Prior ITDR caught attack 1 month and 27 days late. Attacker created a malicious app to continually exfiltrate data.
- Prior ITDR caught attack 29 days and 15 hours late. Attacker accessed 255 emails and sent at least 210 malicious emails.
- Prior ITDR caught attack 14 days and 45 minutes late. Attacker accessed 84 emails and some documents with financial info.
- Prior ITDR caught attack 5 days late. Attacker accessed sensitive financial documents and sent at least 510 malicious emails.
By the numbers:
- Petra Autopsy found that the 5 cases the prior ITDR had caught were caught 45.9 days late on average, far later than Ken and his team had been told.
- The CEO compromise that the prior ITDR missed, where the attacker was still live, was active for 29 days. It was never caught by the prior ITDR.
- Across all cases, 66% of attackers accessed financial data (financial emails, bank details, or sensitive financial documents) due to the prior ITDR’s late response.
- Across all cases, 50% of attackers utilized the compromised accounts to launch outbound attacks (SharePoint phishing campaigns or malicious emails).
“The results were eye-opening to say the least”, says Ken. “I didn’t want to believe it at first, but then I saw all of the forensic details and double checked them in Microsoft. I just thought to myself, ‘oh crap’.”
Results
With Petra, Catching a CEO Attack In-Progress.
In addition to exposing compromises caught late, Petra revealed a live attacker in a client CEO’s account.
For 29 days, that attacker had been lurking in the CEO’s account.
The attacker had:
- Added a malicious multi-factor authentication (MFA) method.
- Accessed the account from multiple U.S.-based IP addresses.
- Maintained access for 29 days.
- Viewed and downloaded several sensitive documents.
As soon as Petra onboarded to the environment, it raised the alert and showed the full forensic story of the attack.
At the time, the attacker was in the process of uploading a phishing document intended to impersonate the CEO and distribute invoice fraud/phishing emails to external contacts.
“Notably, SaaS Alerts generated no alerts during the attack — the activity looked normal under the traditional rule-based monitoring”, says Ken.
“It became crystal clear to us that we needed something in addition to SaaS Alerts to deliver on the protection we were promising.”
Results
With Petra, Catching Attacks Faster.
After learning that their prior ITDR was 45.9 days late on average, Ken and his team realized they needed to do something.
“Frankly, I thought we’d been solving [the account compromise problem], but it was clear from the huge delays we uncovered that we weren’t. I had thought with all those alerts that we’d at least catch the attackers fast, but the problem wasn’t being solved.”
Since deploying, BNMC has used Petra to catch 3 account compromises for clients, much more quickly. Here are the results:
- Using Petra, BNMC detected an attack 59 seconds after logs.
- Using Petra, BNMC detected an attack 1 minute and 6 seconds after logs.
- Using Petra, BNMC detected an attack 1 minute and 18 seconds after logs.
“Now, we’re just so fast to respond”, says Ken.
“No question about it”, says Ken, “a normal MSP would have been dealing with the fallout. But because we use Petra, we got to proactively prevent a large-scale phishing campaign that would have come from a trusted executive’s account.” He adds: “It really helped reinforce trust with that client. It helped us show them why they pay for our cyber package, and why they should trust us over any other MSP to manage their environment.”
“Our customers have to be active. They can’t be down or dealing with a BEC or some false alarm. We were getting a lot of those before, but now [with Petra] we can deliver zero downtime.”
“I’m proud to say that by adopting Petra, [BNMC has] gained a really powerful new ally to protect our clients from the huge and evolving threats in Microsoft 365 and Azure”, Ken says.
“To anyone who wants to see for themselves, I’d say, ‘let’s do an analysis, let’s see what you might be missing’. We were definitely surprised, but now we get to pass along this Petra superpower to our clients”.















