
Case Study: Incident Response and Managed Service for a National Transport Company

February 27, 2019

OVERVIEW

Ironshare were approached by the Managing Director of a National Transport Company to assist them with their IT Security, after they became the victim of a Ransomware attack. They had previously experienced several minor disruptions through virus infection, so Ironshare were engaged to provide investigative assistance and recommend possible solutions to improve overall security and prevent further occurrences.

THE CHALLENGE

The transport company were in the process of recovering from the Ransomware attack, assisted by their IT provider. Although they had been performing backups of their systems and data, some online backups were encrypted during the attack, resulting in loss of data, although this was not deemed critical to business operation.

The company’s IT provider had only a basic understanding of Cyber Security best practices, and as can be typical with these types of attacks, the focus was incorrectly targeted at an email phishing compromise, involving a single host on the network.

The technical security controls in place were very limited, including only basic firewalls and standard anti-virus protection. These controls were not configured or managed effectively, leaving gaps in their ability to protect the organisation.

The Ransomware had encrypted files on the infected system and its connected network shares, meaning that the data on a victim’s system was locked and unusable. With Ransomware, payment is demanded by the cybercriminals (via Bitcoin or another cryptocurrency) before they will release the encryption keys required to decrypt the data. Once the keys are received, access to the data can be returned to the victim.

THE SOLUTION

The solution came in two parts, the initial Incident Response and a Managed Security Service.

The transport company called on our Cyber Security Incident Response service to analyse the current threat, assist with recovering from the attack and seek out the root cause of the compromise.

Our first step was to deploy Cisco Umbrella and Cisco AMP for Endpoints to perform initial analysis and determine whether there was any malicious activity on the network. This was followed by direct engagement with the IT provider, to gain an understanding of the company’s systems.

The analysis comprised a full sandbox analysis of the infected server, and included firewall, PC, and external service reviews. We also used the Cisco Threat Grid advanced sandboxing service to submit and analyse the malware samples and associated files that were found on the server.

Root cause was successfully identified as brute-forced credentials on management protocols accessible from the internet, giving the attacker access to an internal server. As a result of the analysis, external access from the Internet to the compromised server’s public IP was disabled. In parallel, the IT provider worked to restore service using offline backups of the server.

The following items highlight some of the key recommendations provided to close off the gaps in the existing infrastructure:

  • Harden firewalls so that management protocols such as RDP and WinRM are not accessible from the internet.
  • Do not try to manually remove the infection; if possible, perform a complete restore from backup.
  • Implement a robust offline backup plan so that all data can be restored in the event of compromise.
  • Implement an effective patch management process that regularly applies security updates to endpoints and infrastructure.
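The root cause above was an internet-exposed management protocol whose credentials were guessed by brute force. One control that complements the firewall hardening recommended here is detecting the brute-force pattern itself in authentication logs. The script below is an added example and is not Ironshare's or the client's code; the log lines are constructed for the example, loosely modelled on Windows Security log fields (EventID 4625 failed logon, 4624 successful logon, LogonType 10 for RDP), and the threshold and window are assumed values a defender would tune to their environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Fields loosely follow the Windows
# Security log: EventID 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP). Addresses are documentation ranges.
SAMPLE_LOG = """\
2019-02-20T03:10:01 EventID=4625 LogonType=10 User=administrator Src=203.0.113.45
2019-02-20T03:10:02 EventID=4625 LogonType=10 User=administrator Src=203.0.113.45
2019-02-20T03:10:04 EventID=4625 LogonType=10 User=admin Src=203.0.113.45
2019-02-20T03:10:05 EventID=4625 LogonType=10 User=backup Src=203.0.113.45
2019-02-20T03:10:07 EventID=4625 LogonType=10 User=administrator Src=203.0.113.45
2019-02-20T03:10:09 EventID=4624 LogonType=10 User=administrator Src=203.0.113.45
2019-02-20T08:15:00 EventID=4625 LogonType=10 User=jsmith Src=10.0.0.23
2019-02-20T08:15:30 EventID=4624 LogonType=10 User=jsmith Src=10.0.0.23
"""

# Assumed tuning values: five failures from one source inside ten minutes.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect_brute_force(log_text, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return alerts for two conditions:
    (a) at least `threshold` failed logons from one source within `window`;
    (b) a successful logon from a source already at that threshold, which is
        the signature of a guessed credential and deserves immediate attention.
    """
    failures = defaultdict(deque)   # source address -> timestamps of recent failures
    already_alerted = set()         # avoid re-raising (a) for every extra failure
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        src = rec["Src"]
        recent = failures[src]
        # Drop failures that have aged out of the sliding window.
        while recent and rec["ts"] - recent[0] > window:
            recent.popleft()
        if rec["EventID"] == "4625":
            recent.append(rec["ts"])
            if len(recent) >= threshold and src not in already_alerted:
                already_alerted.add(src)
                alerts.append({"type": "brute_force", "src": src,
                               "failures": len(recent), "ts": rec["ts"]})
        elif rec["EventID"] == "4624" and len(recent) >= threshold:
            alerts.append({"type": "success_after_brute_force", "src": src,
                           "user": rec["User"], "ts": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the single legitimate failure from the internal address raises nothing, while the external source trips the brute-force alert on its fifth failure and then a second, higher-priority alert when a logon from that source succeeds. In practice this logic would run against forwarded event logs rather than a string, and a success-after-brute-force alert should trigger the same response the case study describes: cut external access to the host and restore from known-good offline backups rather than attempting in-place cleanup.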

Through the incident response and analysis, the customer could see the benefits that Cisco AMP for Endpoints and Umbrella would provide as a more permanent prevention mechanism. Combined with the lack of security knowledge and experience among existing staff members, this led Ironshare to propose a Managed Security Service, to manage their new Cisco products and general Cyber Security on the company’s behalf.

THE RESULTS

The Ransomware was successfully analysed, and the business operation was restored approx. 48 hours after initial infection. Analysis confirmed that the Ransomware contained no propagation features, and that there had been no further spread of the infection to the surrounding servers and network devices.

The customer has since adopted our Managed Security Service, including Cisco Umbrella and AMP for Endpoints throughout the organisation, in order to prevent any future occurrences. The new software has given the customer added confidence, identifying previously undiscovered threats and vulnerabilities across the network.

We have built a positive relationship with the existing IT provider, recommending security best practice, providing technical assurance, and working together to ensure that the transport company’s overall security posture continues to improve.

Please note that the identity of this client has been withheld to protect commercial confidence.

Author

Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.

Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
