Case Study: Incident Response and Managed Service
Ironshare were approached by the Managing Director of a National Transport Company to assist with their IT Security after the company became the victim of a Ransomware attack. They had previously experienced several minor disruptions from virus infections, so Ironshare were engaged to provide investigative assistance and to recommend solutions that would improve overall security and prevent further occurrences.
The transport company were in the process of recovering from the Ransomware attack, assisted by their IT provider. Although they had been backing up their systems and data, some online (network-connected) backups were encrypted during the attack. This resulted in some loss of data, though none that was deemed critical to business operation.
The company's IT provider had only a basic understanding of Cyber Security best practice and, as is typical with these types of attack, the investigation had wrongly focused on a suspected email phishing compromise of a single host on the network.
The technical security controls in place were very limited, consisting only of basic firewalls and standard anti-virus protection. These controls were not configured or managed effectively, leaving gaps in their ability to protect the organisation.
The Ransomware had encrypted files on the infected system and on its connected network shares, meaning that the data on the victim's system was locked and unusable. With Ransomware, the cybercriminals demand payment (via Bitcoin or another crypto currency) before they will release the encryption keys required to decrypt the data. If the keys are received, access to the data can be returned to the victim, although paying carries no guarantee that working keys will actually be provided.
The solution came in two parts, the initial Incident Response and a Managed Security Service.
The transport company called on our Cyber Security Incident Response service to analyse the current threat, assist with recovering from the attack and seek out the root cause of the compromise.
Our first step was to deploy Cisco Umbrella and Cisco AMP for Endpoints to perform initial analysis and determine whether there was any malicious activity on the network. This was followed by direct engagement with the IT provider, to gain an understanding of the company’s systems.
The analysis comprised full sandbox analysis of the infected server, together with reviews of the firewall, PCs and external services. We also used the Cisco Threat Grid advanced sandboxing service to submit and analyse the malware samples and associated files that were found on the server.
The root cause was identified as credentials brute forced over management protocols that were accessible from the Internet, giving the attacker access to an internal server. As a result of the analysis, external access from the Internet to the compromised server's public IP was disabled. In parallel, the IT provider worked to restore service using offline backups of the server.
The following items highlight some of the key recommendations provided to close off the gaps in the existing infrastructure:
- Harden firewalls so that management protocols such as RDP and WinRM are not accessible from the internet.
- Do not attempt to manually remove the infection; where possible, perform a complete restore from backup.
- Implement a robust offline backup plan that can restore all data in the event of compromise.
- Implement an effective patch management process that regularly applies security updates to endpoints and infrastructure.
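The root cause above, credential brute force over RDP or WinRM reachable from the Internet, leaves a clear trail in the Windows Security log: bursts of failed logons (event 4625) from one source, followed by a success (4624). The script below triages such records and flags sources that are outside the organisation's internal address space. It is an added example, not Ironshare's tooling or anything recovered from the engagement; the simplified one-line record format, the sample log lines, the five-failure threshold and the function names are all constructed assumptions for illustration.

```python
"""Triage constructed Windows Security log records for credential brute
force against remotely reachable management protocols (RDP / WinRM).

Standard Windows Security log values used:
  event 4625 = failed logon, event 4624 = successful logon
  logon type 10 = RemoteInteractive (RDP), logon type 3 = Network (WinRM etc.)
The record format (timestamp, event id, account, source IP, logon type) is
a constructed simplification, not the native EVTX layout.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for Internet sources.
SAMPLE_LOG = """\
2019-03-04T02:10:01 4625 administrator 203.0.113.45 10
2019-03-04T02:10:03 4625 administrator 203.0.113.45 10
2019-03-04T02:10:04 4625 admin 203.0.113.45 10
2019-03-04T02:10:06 4625 administrator 203.0.113.45 10
2019-03-04T02:10:07 4625 backup 203.0.113.45 10
2019-03-04T02:10:09 4625 administrator 203.0.113.45 10
2019-03-04T02:10:12 4624 administrator 203.0.113.45 10
2019-03-04T08:15:00 4625 jsmith 192.168.10.22 10
2019-03-04T08:15:30 4624 jsmith 192.168.10.22 10
2019-03-04T09:00:00 4625 svc_winrm 198.51.100.7 3
2019-03-04T09:00:01 4625 svc_winrm 198.51.100.7 3
"""

MANAGEMENT_LOGON_TYPES = {10: "RDP (RemoteInteractive)", 3: "Network (e.g. WinRM)"}

# Address space treated as internal: RFC 1918 plus loopback and link-local.
# Anything else reaching a management logon prompt is, by definition,
# exposure of that protocol beyond the internal network.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def parse_records(text):
    """Parse the simplified whitespace-separated format into dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, event_id, account, src, logon_type = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "account": account,
            "source_ip": src,
            "logon_type": int(logon_type),
        })
    return records


def is_external(ip):
    """True if the source address is outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def detect_brute_force(records, threshold=5, window=timedelta(minutes=5)):
    """Flag a source IP once it accumulates `threshold` failed management
    logons inside a sliding `window`, then note whether a later success from
    that source followed (the guess landed). One finding per source."""
    recent = defaultdict(deque)   # source_ip -> (time, account) failures in window
    findings = {}
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["logon_type"] not in MANAGEMENT_LOGON_TYPES:
            continue
        src = rec["source_ip"]
        q = recent[src]
        if rec["event_id"] == 4625:
            q.append((rec["time"], rec["account"]))
            while q and rec["time"] - q[0][0] > window:   # slide the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(src, {
                    "source_ip": src,
                    "external_source": is_external(src),
                    "protocol": MANAGEMENT_LOGON_TYPES[rec["logon_type"]],
                    "first_seen": q[0][0],
                    "compromised_account": None,
                })
                f["failures"] = len(q)
                f["accounts_tried"] = sorted({a for _, a in q})
        elif rec["event_id"] == 4624 and src in findings:
            # A success from an already-flagged source: treat as compromised.
            findings[src]["compromised_account"] = rec["account"]
    return sorted(findings.values(), key=lambda f: f["first_seen"])


if __name__ == "__main__":
    for finding in detect_brute_force(parse_records(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed log, only 203.0.113.45 is flagged: six RDP failures across three account names in under ten seconds, from outside the internal ranges, followed by a successful logon as administrator. The two WinRM failures from 198.51.100.7 stay below the threshold, which is the reason to keep the threshold low for Internet-facing management ports, or better, as the recommendation above says, not to expose them at all.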
Through the incident response and analysis, the customer could see the benefits that Cisco AMP for Endpoints and Umbrella would provide as a more permanent prevention mechanism. Given also the lack of security knowledge and experience among existing staff, Ironshare proposed a Managed Security Service to manage the new Cisco products and general Cyber Security on the company's behalf.
The Ransomware was successfully analysed, and the business operation was restored approx. 48 hours after initial infection. Analysis confirmed that the Ransomware contained no propagation features, and that there had been no further spread of the infection to the surrounding servers and network devices.
The customer has since adopted our Managed Security Service, including Cisco Umbrella and AMP for Endpoints throughout the organisation in order to prevent any future occurrences. The new software has given the customer added confidence, identifying previously undiscovered threats and vulnerabilities across the network.
We have built a positive relationship with the existing IT provider, recommending security best practice, providing technical assurance, and working together to ensure that the transport company's overall security posture continues to improve.
Please note that the identity of this client has been withheld to protect commercial confidence.
Ironshare – Security Simplified