Highlights
- UK higher education institution supporting 150,000+ students and staff
- 24×7 monitoring to secure recovery and sustain protection
- Two weeks from dark web claim to evidence-backed findings
- Emergency MDR and Clarity Extend
The challenge
A UK higher education institution was alerted by a third party that legitimate account credentials had been compromised and were being advertised for sale on the dark web. Alongside this, there were claims that over 100TB of data had been impacted. The activity pattern strongly suggested the involvement of an Initial Access Broker (IAB): cybercriminals who gain a foothold in systems, often using stolen credentials or vulnerabilities, and then sell that access on to other threat actors to conduct follow-on attacks.
This presented an urgent risk – once access is sold, attackers can move rapidly from credential abuse to deeper compromise, service disruption and large-scale data extortion.
With a large and complex infrastructure covering over 12,000 endpoints and the potential exposure of highly sensitive data and intellectual property (IP), the institution urgently needed clear, defensible answers. How was access gained? What actions did the attacker take once inside? Was any data viewed or exfiltrated? And were the threat actor’s claims credible?
Quorum Cyber was engaged to rapidly get to the truth, coordinate a secure eradication and recovery, and establish the foundations for robust, long-term protection against future attacks.
The approach
Quorum Cyber conducted the investigation along two parallel tracks. The Incident Response (IR) team worked within the environment to pinpoint the likely ingress route and reconstruct attacker activity, tracking signs of enumeration, privilege escalation, persistence mechanisms, and any attempted lateral movement.
At the same time, Threat Intelligence (TI) experts traced the origin of the dark web listing and examined the surrounding claims, building a clear picture of what was being marketed, how the access was presented, and what this revealed about the threat actor’s intent and potential next steps.
To turn hypotheses into evidence, we deployed a remote forensics and artefact collection capability across the impacted servers. This established a defensible timeline and determined what data had been accessed, providing clear, evidence-led answers for operational stakeholders and legal counsel.
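The two-track investigation described above, tracking enumeration, privilege escalation, persistence and lateral movement and then turning collected artefacts into a defensible timeline, can be illustrated with a small timeline-reconstruction script. This is an added example, not Quorum Cyber's tooling or anything from the engagement: every event, hostname, account name, IP address and command below is constructed, and the stage-mapping rules (first observed logon treated as ingress, any later logon on an unseen host treated as lateral movement, a handful of command patterns for enumeration and persistence) are deliberately simplified assumptions.

```python
"""Reconstruct an attacker timeline for one account from collected artefacts.

Added example: not Quorum Cyber's tooling. All events, hosts, users, IPs and
commands are constructed, and the stage rules are simplified assumptions.
"""
import re
from datetime import datetime, timezone

# Constructed artefact records: (UTC timestamp, host, account, category, detail)
SAMPLE_EVENTS = [
    ("2024-03-01T08:02:11Z", "fs01", "jsmith", "auth", "RDP logon success from 203.0.113.45"),
    ("2024-03-01T08:06:02Z", "fs01", "jsmith", "process", 'net group "Domain Admins" /domain'),
    ("2024-03-01T08:06:30Z", "fs01", "jsmith", "process", "nltest /dclist:corp"),
    ("2024-03-01T08:15:00Z", "fs01", "jsmith", "privilege", "Added to local Administrators group"),
    ("2024-03-01T08:20:17Z", "fs01", "jsmith", "process", r"schtasks /create /tn Updater /tr c:\temp\u.exe /sc onlogon"),
    ("2024-03-01T08:31:05Z", "dc01", "jsmith", "auth", "Network logon (type 3) from fs01"),
    ("2024-03-01T09:10:00Z", "fs01", "alee", "auth", "SMB logon success"),
    # Out-of-order benign event: sorting must place it correctly and the rules must ignore it.
    ("2024-03-01T08:10:00Z", "fs01", "jsmith", "process", "explorer.exe"),
]

# (stage, artefact category, pattern over the detail field); simplified assumptions
STAGE_RULES = [
    ("enumeration", "process", re.compile(r"^(net\s+(group|user|view)|nltest|whoami)", re.I)),
    ("persistence", "process", re.compile(r"^(schtasks\s+/create|reg\s+add\s+.*\\run)", re.I)),
    ("privilege_escalation", "privilege", re.compile(r"administrators|domain admins", re.I)),
]


def parse_event(raw):
    """Turn one raw tuple into a dict with a timezone-aware timestamp."""
    ts, host, user, category, detail = raw
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "host": host, "user": user, "category": category, "detail": detail}


def classify(event, hosts_seen):
    """Map an event to an attack stage, or None if it carries no signal.

    Assumption: the first logon seen for the account is the ingress point, and
    any later logon on a host not yet seen counts as lateral movement.
    """
    if event["category"] == "auth":
        if not hosts_seen:
            return "initial_access"
        return "lateral_movement" if event["host"] not in hosts_seen else None
    for stage, category, pattern in STAGE_RULES:
        if event["category"] == category and pattern.search(event["detail"]):
            return stage
    return None


def build_timeline(raw_events, account):
    """Return the chronologically ordered, stage-labelled events for one account."""
    events = sorted((parse_event(e) for e in raw_events), key=lambda e: e["ts"])
    hosts_seen, timeline = set(), []
    for ev in events:
        if ev["user"] != account:
            continue
        stage = classify(ev, hosts_seen)
        if ev["category"] == "auth":
            hosts_seen.add(ev["host"])
        if stage:
            timeline.append((ev["ts"].isoformat(), ev["host"], stage, ev["detail"]))
    return timeline


def first_seen(timeline):
    """Earliest timestamp and host per stage: the summary stakeholders ask for."""
    summary = {}
    for ts, host, stage, _detail in timeline:
        summary.setdefault(stage, (ts, host))
    return summary


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_EVENTS, "jsmith")
    for row in tl:
        print(" | ".join(row))
    for stage, (ts, host) in first_seen(tl).items():
        print(f"{stage:>21}: first seen {ts} on {host}")
```

In a real engagement the event tuples would come from the collected artefacts (authentication logs, process creation records, group membership changes) rather than a hard-coded list, and the rule set would be far richer; the value of the structure is that each timeline row points back to a specific record, which is what makes the findings defensible to legal counsel.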
During the eradication and recovery phase, Quorum Cyber deployed emergency Managed Detection and Response (MDR) to secure the estate. Backed by 24×7 monitoring and rapid response from its Security Operations Centre (SOC) team, this gave the organisation immediate visibility across the environment, transformed previously opaque areas into actionable insight, reduced risk, and restored confidence.
“When a dark web claim surfaced, we needed to move quickly without disrupting critical services,” said the Director of Information Security, UK Higher Education Institution. “Quorum Cyber helped us turn uncertainty into evidence and then manage the threat with 24×7 monitoring that gave us confidence to recover safely.”
Importantly, emergency MDR gave the university security team immediate reassurance. Their team could progress recovery activities with confidence, knowing suspicious behaviour would be identified, contained and communicated quickly, with no surprises. The goal was to move the organisation from its vulnerable state to a safe one, so it could recover from the cyber incident and return to normal operations as quickly and securely as possible.
Once the incident stabilised, this emergency MDR posture became a stepping stone to a long-term MDR service, with Clarity Extend, providing the team with visibility, monitoring, and response capability as ‘business as usual’, not just during a crisis. The Clarity user interface gave their team immediate visibility into their security posture and how it was being managed by Quorum Cyber.
“Quorum Cyber’s Emergency MDR service helped us contain the immediate threat and bring stability back to the environment. Once we recovered, we knew we wanted that same visibility, proactive monitoring, and reassurance on an ongoing basis, which made a long-term partnership the right decision for us,” explained the institution’s Director of Information Security.
Results
Within two weeks, the institution was able to replace speculation with certainty, which is crucial in a higher education environment where trust, continuity, and duty of care matter as much as technical recovery. With an evidence-backed understanding of the initial access and attacker behaviour, stakeholders were able to make confident decisions about containment, communications, and legal posture.
Through 24×7 SOC-led threat detection and response, Quorum Cyber guided the organisation through eradication and recovery while keeping day-to-day services running across their large, diverse estate.
Just as importantly, clear findings and targeted remediation helped the institution demonstrate strengthened security controls and risk reduction to their leadership and third parties, supporting a secure return to normal service. By progressing from emergency MDR during the incident to ongoing MDR, with Clarity Extend, the institution was able to carry that assurance forward, maintaining continuous monitoring and response as part of a strengthened security baseline.
“When credentials are sold, the hardest part isn’t reacting, it’s proving what’s true,” said the Incident Response Team Lead at Quorum Cyber. “Our job was to replace uncertainty with evidence, fast. We confirmed the access path, reconstructed the attacker’s actions, and gave the customer the confidence to recover securely.”
Explore our managed services
Browse and compare our full range of Managed Security Services and contact us if you’d like to talk to an expert.