US University Navigates Data Recovery Challenges
Data encryption at exam finals time
A leading university faced a critical situation when its ESXi servers and the virtual machines running on them were encrypted in a cyber-attack. The incident struck at a particularly difficult time, during exam finals and the holiday season. Many students were using loaned devices and were off-campus, complicating communication and coordination. The university decided against purchasing a ransomware decryptor, so an alternative recovery strategy was needed. Additional challenges included the university staff's unfamiliarity with their own IT environment and broken trust between domain controllers, both of which further complicated recovery.
Planning and implementing recovery strategy
To address these challenges, the university implemented a comprehensive recovery strategy with the support of Quorum Cyber. The strategy comprised:
- Infrastructure Rebuild: The university rebuilt its ESXi hosts using backups stored in Amazon Web Services (AWS), ensuring that critical infrastructure components were restored
- Expert Recovery Teams: Quorum Cyber's team led the restoration of the university's environment, ensuring a thorough and efficient process
- Security Software Deployment: Enhanced endpoint security and monitoring capabilities were deployed across the university's network.
An outstanding recovery
Through these targeted efforts, the university was able to achieve significant recovery milestones:
- Infrastructure Restoration: Rebuilding the ESXi hosts from the AWS backups allowed the university to regain control of its IT infrastructure, restoring essential services and systems.
- Collaborative Recovery Effort: The involvement of expert recovery teams enabled a coordinated and effective response, demonstrating the importance of collaboration in a crisis.
- Enhanced Security Posture: The newly deployed endpoint security and monitoring improved the university's security posture, providing greater protection against future threats.
The university's swift and strategic response to the cyber-attack enabled the institution to overcome significant challenges during a critical time. By leveraging expert resources and prioritising infrastructure restoration, the university successfully navigated the recovery process, underscoring its commitment to resilience and the protection of its academic community.
Enhancing Security for a US Utilities Company
The looming threat of a ransomware attack
A utilities company in the US faced a significant cyber security threat and the looming risk of a LockBit ransomware attack. With over 350 hosts potentially at risk and compromised domain controllers, the company needed an urgent and effective response to secure its network and protect its operations.
Activating a defence strategy
To address these challenges, the company brought in Quorum Cyber and implemented a multi-faceted security strategy:
- Device Isolation: Impacted devices were immediately isolated to prevent further spread and minimise the impact on critical systems
- Proactive Threat Hunting: The company conducted proactive threat hunting to identify potential vulnerabilities and threats before they could escalate
- Falcon Platform Utilisation: Endpoint detection and response (EDR) was deployed to identify and prioritise vulnerable hosts, enabling targeted remediation and strengthening overall security posture.
Positive outcomes and a long-term managed services contract
The comprehensive security measures led to several positive outcomes:
- Network Security Enhancement: The company successfully secured its entire network, mitigating the immediate threat and bolstering its defences against future attacks.
- Collaborative Remediation: Quorum Cyber's close collaboration with the business ensured that compromised systems were remediated efficiently and returned to full operational status.
- Long-Term Partnership: Impressed by the effective response and improved security, the utility firm signed up for a long-term engagement with Kivu (now part of Quorum Cyber), demonstrating confidence in the company's ability to provide ongoing protection and support.
Through strategic action and collaboration, the utility company not only overcame the immediate cyber security threat but also established a robust security framework that supports its long-term operational integrity.
Managing Multiple Stakeholders During Ransomware Response
Introduction
The network of a small, privately held provider of heating, ventilation and air conditioning (HVAC) services was infected with Ryuk ransomware, leaving the company unable to run backend sales processes such as quoting and billing. Quorum Cyber was called in to clear the malware from all affected devices and restore their systems.
The challenge
The customer’s entire IT environment was managed by a regional managed service provider (MSP), which was found to be running legacy systems on the customer’s servers, including Windows Server 2003. In addition, the only risk management measures in place were a firewall and basic anti-virus software. Ten months prior to the incident, two banking trojans, Emotet and TrickBot, had been installed on the system via a phishing email. These gave the attackers the foothold they later used to deploy the Ryuk ransomware variant in late January 2020.
The MSP detected the ransomware attack and notified the company, which then contacted their insurer. By the time Quorum Cyber became involved, 12 servers were encrypted and 58 workstations were infected with either banking trojans or ransomware. This represented about 75% of the customer’s total endpoints, and left them unable to perform crucial financial transactions. No customer data was accessed or stolen.
Quorum Cyber’s response and solution
The majority of Quorum Cyber’s work was conducted remotely, connecting to the customer’s onsite data centre over secure remote connections. Quorum Cyber coordinated communication between the customer and the MSP, which struggled to provide system information and backups because it lacked the necessary technical expertise. During the engagement:
- Quorum Cyber sent two incident response (IR) analysts for the initial IR phase, followed by five PBR responders for the remediation phase
- The IR team ran forensic imaging, collected evidence, and deployed KECT and endpoint detection and response (EDR) software
- The PBR team reimaged the encrypted servers and workstations and restored the company’s systems from backups.
Outcome
Despite the incurred costs, the overall business interruption was significantly reduced by Quorum Cyber’s quick IR and remediation work paired with EDR deployment. In summary:
- No ransom had to be paid, as Quorum Cyber restored systems from backups
- EDR was installed and ran for a month to prevent secondary attacks
- Fifty-eight workstations were restored within four days over the weekend and were back online and fully operational by close of business on Monday
- The period of loss caused by business interruption was reduced by three weeks.
Preparing a US Utility Company for Ransomware Attacks
Introduction
The rampant increase in ransomware attacks has put critical-infrastructure providers on notice. A $10 billion electric utility, which provides electric power production, transmission and retail distribution operations to the south-eastern US, decided it wouldn’t wait until it was victimised. It invested in a prescriptive programme to strengthen its cyber readiness and resilience.
The challenge
With the well-publicised attack against Colonial Pipeline in May 2021 fresh in their minds, the utility’s Board of Directors was becoming increasingly concerned about how prepared their company was to identify and effectively respond to such an attack, and mitigate its potential impact. Incident response (IR) plans were in place at both a technical and executive level, and the company had an IR retainer with a well-known digital forensics and incident response (DFIR) firm.
However, the Board wasn’t confident that those plans or the DFIR partner were adequately prepared to address the unique nature of a ransomware attack. The Security Incident Response Committee turned to Quorum Cyber to understand how to best analyse the nuances of ransomware attacks, evaluate how well their IR plans were positioned for identifying and responding to an event, and determine if there were additional areas of improvement that could help limit the impact of an attack when it happened.
Quorum Cyber’s response and solution
To fully evaluate the effectiveness of the utility’s IR plans and ability to respond to a ransomware event, Quorum Cyber proposed a two-phased approach comprising:
- An IR Plan Assessment
- Technical and executive-level ransomware tabletop sessions.
In the first phase, Quorum Cyber evaluated the customer’s technical and executive IR plans against NIST SP 800-61, with a specific view toward the use of incident-handling best practices related to ransomware.
In the second phase, Quorum Cyber collaborated with multiple individuals from across the organisation to develop a customised and environment-plausible ransomware attack scenario for field-testing during the two tabletop exercises. By leveraging this two-phased approach, Quorum Cyber was able to evaluate the efficacy of the company’s procedures as well as IR personnel’s knowledge and ability to respond to a realistic ransomware attack.
Outcome
By gaining insight into how well-positioned its people and procedures were to effectively respond to a ransomware event, the utility:
- Increased Board of Directors’ confidence in limiting the operational and financial impact of a ransomware event
- Prepared the executive team for evaluating the pay/no-pay decision in a ransomware event, to limit financial exposure
- Enabled re-prioritisation of cyber investments to yield greater return on investment (ROI) in ransomware protection.
Outmanoeuvring Persistent Threat Actors in the Chemical Industry
Introduction
A small US-based chemical manufacturer, whose supply chain includes more than 50 household names in chemicals, was hit with a new twist on the HAFNIUM attacks against Microsoft Exchange Server. This new threat, dubbed ProxyShell, exposed companies’ on-premises email to a clear and present danger. Kivu (acquired by Quorum Cyber in 2024) was providing the company’s 24x7 cyber security monitoring service, which flagged the ProxyShell activity. Within 48 hours, Kivu and the chemical company had remediated the compromise and strengthened the company’s stance against this attack surface and future attacks.
The challenge
HAFNIUM is a Chinese state-sponsored threat actor focused on information theft and espionage. ProxyShell, which builds on the techniques HAFNIUM used against Exchange earlier in 2021, was discovered by security researcher Orange Tsai, who presented it in detail at a security conference in August 2021. He showed that by chaining three different vulnerabilities, an attacker could achieve unauthenticated remote code execution on an organisation’s Exchange server and plant a web-shell backdoor. From there the actor holds the “keys to the castle”: reading emails, exfiltrating data and then moving on to take over the whole company network from the inside out.
Kivu’s response and solution
Alerted by the monitoring service to the true nature of the activity (rather than simply a match against known bad actors), Kivu’s team acted immediately. By analysing log and server files, the team identified the new indicators of compromise (IOCs) associated with ProxyShell activity. Kivu isolated the affected server from the company’s operational systems, while keeping it reachable by Kivu for investigation, to prevent further spread.
Kivu then worked with the company’s two-person IT department, following Microsoft and industry guidance, to rebuild the mail server in a hardened form. Kivu’s consultants consolidated the techniques observed in this ProxyShell attempt, input from Microsoft and forward-looking recommendations into a shared threat intelligence and reporting platform, so that the knowledge was shared quickly internally and then with other Kivu clients that may have been affected or were about to be attacked. Much of this work was completed within 48 hours over the weekend.
Kivu applied this threat profile across its whole customer base, identifying those running on-premises Exchange servers, alerting nine others that were at risk, blocking further ProxyShell exploitation attempts, and feeding Kivu’s wider digital forensics and incident response efforts.
Outcome
Because it had Kivu’s Cyber-as-a-Service 24x7 threat monitoring in place, the company:
- Rapidly identified a brand-new risk (under two days old) and remediated it
- Prevented mailbox hijacking and man-in-the-middle risks, which could have led to fraud
- Avoided business downtime and maintained its 99% service level agreement (SLA).
Strengthening Security for a Managed Cloud Service Provider
Hit by a ransomware attack
A Canadian managed cloud service provider faced a severe security breach when a ransomware attack infiltrated their systems. The attack was initiated through a vulnerability in a business partner’s customer system, leading to the encryption of all data managed by the provider. Having recently acquired new infrastructure, the provider was operating with limited tooling and lacked a log retention strategy, complicating its ability to respond effectively to the breach.
Identifying and mitigating the threats
To counter the ransomware attack, the provider worked with Kivu (part of Quorum Cyber) to rapidly deploy an endpoint detection and response (EDR) solution to identify and contain the threat. Kivu also handled the negotiations with the threat actor and facilitated payment, enabling the successful decryption of the compromised data. Kivu then conducted a thorough forensic analysis to identify the initial point of compromise, known as "patient zero".
Recovering with stronger security
The interventions led to several significant outcomes:
- Enhanced Security Monitoring: The provider established 24/7 Managed Detection & Response (MDR) coverage, ensuring continuous monitoring and rapid threat detection.
- Operational Restoration: All operations were successfully restored, allowing the provider to resume normal business activities without further disruptions.
- Legal Support: A critical forensic timeline was developed to aid the provider in its legal proceedings, offering detailed insights into the breach.
- Infrastructure Security Reinforcement: The Canadian company reconstructed its infrastructure with a strong emphasis on security defence principles, reducing vulnerabilities and strengthening its overall security posture.
By swiftly addressing the ransomware attack and implementing robust security measures, the managed cloud service provider restored its operations and fortified its defences against future threats, ensuring the integrity and reliability of its cloud services.
Market-leading company invests in long-term cyber security partnership
Cyber security is a huge challenge for all organisations, with a greater number of threats and more sophisticated cyber-attacks happening now, more than ever before. As such, organisations need to be on guard to protect their IT systems, data, business and reputation from harm at all times. To meet this increased demand, managed cyber security services have evolved in the last few years.
Prior to becoming a Quorum Cyber customer, and before the digital world became more inhospitable and unpredictable, a well-known organisation in the UK used an external provider’s legacy security information and event management (SIEM) service that only ran from 9am to 5pm, Monday to Friday. It was designed, very optimistically, around the assumption that cybercriminals only worked during these hours and didn’t attempt to breach systems in the evenings or at weekends.
Unsurprisingly, the organisation decided to upgrade its defences. They wanted to transform to a modern SIEM, monitor the latest signals and adopt an identity-centric approach. After reviewing their options, they chose a Microsoft strategy because it was holistically integrated and connected, which could provide efficiencies for their small team. This strategy was centred around bringing in technologies that were commonly understood by IT professionals, making it easier to recruit talented people, instead of searching for people with niche and rare skills.
The best cultural fit
Choosing Quorum Cyber, a Microsoft Solutions Partner for Security, and its Managed Detection and Response (MDR) service in a multi-year contract, was straightforward for this customer. They liked the cyber security company’s modern principles and culture, which is set top-down from CEO Federico Charosky, and especially liked its mantra and vision: “We fight bullies”.
Many other benefits stood out too. Quorum Cyber monitors the whole IT estate 24x7, 365 days a year, with a UK-based team. Its investment in the future workforce, by hiring graduate talent to help fill the enormous skills gap in the sector, resonated with the customer as they had realised that experienced professionals were in hot demand. It was becoming increasingly expensive, and more difficult, to recruit, train and retain them.
“This has become a proven model over the last two years – seeing internal recruitment and promotion within Quorum Cyber has led us to maintaining relationships and continuity throughout our journey,” the customer commented.
Stronger in a cyber security community
A broader appeal in favour of working with Quorum Cyber was the community thinking proposition. “I never feel like we’re a customer, it’s a true partnership approach. Furthermore, they have top-notch people in incident response and ex-Microsoft employees to add to the value we get from them. It’s more than ‘just’ a Managed Detection and Response service, or only a consultancy – we never feel alone.”
The partnership between the customer and Quorum Cyber has deepened over time. “We have taken a risk-based approach and have worked together to increase our cyber security maturity – detection is now our highest maturity on the NIST framework. People in our organisation can sleep better at night.”
The organisation trusts Quorum Cyber to act on its behalf if it experiences a cyber-attack in the dead of night. Automation and delegated authority are in place so that containment action can be taken quickly. This matters now that cybercriminal dwell times have reduced so significantly in recent years.
This partnership also gives the organisation’s security team opportunities to meet more like-minded people and customers who face similar challenges while trying to protect themselves. In an age where security professionals can often feel alone and isolated, Quorum Cyber believes that it’s really important to create a cyber security community so that people can share lessons, ideas and successes with each other as the industry evolves over time.
Empowering Enable to support communities throughout Scotland
Founded in 1954, Enable is one of the fastest growing and most impactful charities in Scotland, which “believes in an equal society where everyone has the right to live, work and participate as active and respected citizens in the communities of their choice.”
Enable consists of three pillars: Enable Cares, Enable Works and Enable Communities. Across the group, and throughout Scotland, Enable delivers:
- Self-directed health and social care support
- Employability, education and training
- Community projects and campaigns.
Employing 2,500 staff and with 12,000 members and supporters, Enable is one of the 40 largest non-public sector employers in Scotland, and actively supports over 13,000 people to live independently as active citizens in their local communities.
As one of Scotland’s largest charities, the organisation is on a multi-year mission to digitally transform its operations. It is determined to digitally enable its entire workforce so that staff can use the latest tools to work more efficiently, deliver first-class services and improve living standards for tens of thousands of families.
Setting out on its transformation journey several years ago, Enable’s leadership team knew from the start that building strong cyber resilience was one of the pillars of its ambitious programme.
“We invested a lot in digital transformation but lacked the relevant security controls to thoroughly monitor our IT estate,” explains Jacquie Anderson, Head of ICT and Change at Enable.
Flagging phishing emails with the Big Red Button
“Quorum Cyber is willing to help us on our journey but they appreciate that we’re a non-profit organisation without deep pockets,” says Jacquie. “When we started working together, there was no helicopter view of Enable’s IT estate, no clear view of our security. Working alongside Quorum Cyber for several years, we feel safe that they have our backs so that we can focus on delivering the best service we can to all the people we serve throughout the country.”
Enable and Quorum Cyber first focused on protecting users from phishing emails with the Big Red Button, a simple and effective service that lets employees notify Quorum Cyber’s security analysts of any suspicious email they receive, at the touch of a button.
This service was particularly important for Enable, whose frontline employees spend their days helping and caring for people with disabilities and long-term health conditions, work outside an office and use a mobile phone rather than a laptop. Phishing remains one of the most common tactics threat actors use to try to infiltrate organisations, so all employees must play their part by identifying and escalating any suspicious messages.
Jacquie continues, “Having this key service delivered by Quorum Cyber is integral in giving ICT and Enable the comfort that any reported suspicious emails are thoroughly reviewed by Quorum Cyber and we are given the go-ahead to proceed or take the relevant actions to remove these suspect emails from our estate.”
Comprehensive security up to 2026
Having benefitted from Quorum Cyber’s Managed Detection and Response (MDR) service under a three-year contract from 2020 to 2023, Enable recently signed an extension with Quorum Cyber, keeping it under the watchful eye of the UK-based Security Operations Centre (SOC) team. The extension keeps round-the-clock monitoring, detection and response in place until 2026, through the current hostile and unpredictable digital climate.
“There’s no way we could run a 24×7 SOC ourselves,” says Jacquie. “This contract means that no matter where I am in the world, I can trust Quorum Cyber to protect our organisation. Having a competent SOC team running our MDR service allows me to sleep at night. There are robust processes in place which include proportionate delegated authority, allowing them to make the right evidence-based decisions and take the most appropriate actions on Enable’s behalf at any time of the day or night. I trust them 100%.
“When the time came to renew our contract, it was a very easy decision to make. The relationship, partnership, trust, and cost made it straightforward to continue as we were. We’re a large organisation, so naturally we were approached by numerous security vendors, but we didn’t need to undertake a lengthy and costly open procurement process, as we were satisfied that a continuation of the partnership was not only competitive financially, but robust and reliable operationally.”
With experienced cyber security professionals in hot demand, more organisations like Enable are calculating that it’s often better to outsource a managed service like MDR and leave the challenges of hiring, training, and retaining qualified cyber security analysts to a professional cyber security company to tackle.
All of Quorum Cyber’s services include 24×7 access to Clarity, a single dashboard for customers to see the security of their entire IT estate, and how the SOC is handling any incidents in real time. “Clarity is a fabulous tool for our team,” explains Jacquie. “It doesn’t only tell us what our vulnerabilities are, but it explains how we can fix them. And the beauty of it is that it’s not cluttered with technology jargon, so I can download service reports from it and pass these to the Enable board for them to see the continuous evolution of our cyber security posture.”
Part of the cyber security community
“Quorum Cyber is there for the greater good and they don’t want their customers to fail so they can charge them more, they want them to continuously improve and become more resilient,” says Jacquie. “This comes through whenever I speak to anyone at Quorum Cyber. You can feel the passion from the top down. The whole team wants to collaborate and help their customers – we really feel like we’re part of the community.”
Although Enable feels assured it’s in safe hands, it’s not dropping its guard. Everyone in the organisation is well aware that success can breed complacency, and complacency can lead to a breach. As such, Enable’s team is now looking at other services to enhance their security even further.
SAMH Puts its Trust in Quorum Cyber to Recover from a Cyber-attack
Scotland’s leading mental health charity strengthens security and IT after its worst day
At first, their IT team thought they were experiencing a few technical issues. Hours later they were locked out of all their own IT systems. Then they discovered a ransom note.
Immediately, the Scottish Association for Mental Health, better known as SAMH, had a major problem: what to do from a data security point of view.
This type of cyber incident can be incredibly stressful for everyone involved, sometimes causing panic, leading to a lot of unnecessary blaming and seriously affecting people’s sleep. It’s often an emotional roller-coaster.
In this situation, it’s important to contact the right organisations to communicate and seek advice. SAMH’s leaders did the right thing by talking to the Information Commissioner’s Office (ICO), Police Scotland, the Scottish Charity Regulator (OSCR), their law firm and the Scottish Business Resilience Centre, which gave them a list of cyber security companies to contact.
Jason Bryce, SAMH’s Chief Operating Officer (COO), decided to call Quorum Cyber and talked to their Senior Incident Responder, Mark Cunningham-Dickie. “Right away, we could see his expertise,” says Jason. “We were basically trusting him 100% from the start and it was good to speak to someone who had been there before. At 8pm on a Friday evening he made himself available to us for the whole weekend, it felt like he dropped everything else and prioritised us.”
Removing data from the dark web
Early the next week, Mark reported his findings. “Somehow, the criminals were able to very quickly identify confidential data, and they released approximately 85,000 files to the dark web,” explains Jason. “Mark was very calming and explained what he would do, including copying the data from the dark web to a safe environment where it could be reviewed in more detail.”
Working alongside other partners of SAMH, Quorum Cyber helped with the next few stages, starting with data recovery. Although the servers were unusable, SAMH thankfully had backup disks that were still accessible and had been kept disconnected from the affected systems, so the data could be retrieved up to the start of the month.
SAMH, like many charities, holds confidential and sensitive information, so needed to understand exactly what information had been leaked.
No organisation should feel alone after a cyber-attack
SAMH was extremely appreciative of the support that Quorum Cyber’s whole team gave them, from the account manager and the service delivery manager up to the Quorum Cyber COO. As well as the skilful technical investigation and careful data management, the team assisted with the important but delicate communications to external stakeholders.
Once the situation was contained, Quorum Cyber’s team ran a security maturity assessment to ascertain the state of their cyber security and identified areas for improvement to start the journey to becoming significantly more resilient.
In parallel, the ICO reported that everything SAMH’s team had done to prepare for a potential cyber-attack and every action they had taken since it occurred had been correct. “That was a huge relief,” says Jason.
In today’s inhospitable digital climate, cyber-attacks can happen to any organisation in any industry, including the non-profit sector, which Quorum Cyber has years of experience protecting. It is no organisation’s fault when it experiences a cyber-attack, but there are specific actions that need to be taken, and others that should not be taken, when responding to one.
The start of a successful relationship
Determined to come out of the experience stronger than ever, SAMH signed a two-year deal for Quorum Cyber’s Managed Detection & Response (MDR) service, which is run by the Security Operations Centre (SOC) team in the UK. Two weeks ahead of schedule, in June 2023, the charity was onboarded, giving its entire IT estate monitoring, detection and response 24/7, 365 days per year.
SAMH also took the opportunity to seek advice from Quorum Cyber’s Advisory Services team who ran comprehensive IT health checks and gave recommendations on how to bolster resilience across the organisation.
“Throughout the whole engagement, I felt like their most important customer,” concludes Jason. “They listened to us, and gave us total confidence and assurance without over-promising what they could do and when they could do it by.”
As SAMH evolves and extends its security controls, aligning itself to industry best practice, Quorum Cyber continues to support the mental health charity in any way it needs. And trust, the bedrock of the partnership since day one, continues to flourish.
Rapid Incident Response on the Worst Day Ever
Our Incident Response (IR) team is used to such requests at unsociable hours and this one wasn’t out of the ordinary – in fact, it’s a normal day’s work for our certified incident responders who are on standby 24/7 to handle such situations. We quickly ascertained that several alerts strongly indicated a ransomware attack. The day’s work extended to the whole weekend as our team figured out what had happened.
Our customer’s concerns proved to be for good reason. Their client had suffered a fairly large ransomware attack. Response time is critical once threat actors have infiltrated an organisation’s systems – every second counts to minimise damage, expel the attacker and get the situation under control. Our team couldn’t have arrived sooner, and they knew exactly what to do.
“A lot of their critical systems had been taken down and were in the process of being encrypted,” explains James Allman-Talbot, Quorum Cyber’s Head of Incident Response and Threat Intelligence. “They shut down the whole network on the Saturday morning and we started the investigation.”
He adds that while their IT systems were critical for the running of their business, “they weren’t able to bring anything back up online because of the level of access that the attacker had.”
Our team duly advised the organisation of the nature and severity of the breach, calmly explained what we had done to contain it and what the options were to safely and securely move forwards to achieve a positive outcome.
Communication is key
Careful communication with internal and external stakeholders is extremely important during cyber-attacks, which are highly stressful and can be mentally and emotionally exhausting for the teams involved. At times they can also cause friction when people point fingers of blame. Being breached is nobody’s fault, and at Quorum Cyber we have a tried and tested procedure for turning what might seem like the worst day into a significant long-term strengthening of the organisation’s security posture.
That’s why, in incidents like this one, our IR team advises the customer on how to communicate with the business and with other stakeholders: the police, insurers, legal bodies and industry regulators. What, when and how to communicate is a skill in itself, especially as most stakeholders will have different perceptions and opinions, and can jump to assumptions which may make working relationships worse.
Onboarding onto the Tactical MDR service
Another top priority was to protect the customer from any further attacks, whether from the threat actor that the IR team had caught red-handed or from others who may have been lurking in the background and looking for vulnerabilities to exploit.
So, on Sunday morning, the company agreed to be onboarded onto our Emergency Managed Detection & Response service, run by our Security Operations Centre (SOC) team. Within four hours of signing a contract, our SOC team was able to monitor all their devices and endpoints for suspicious activity. However, their servers had to be kept offline to prevent them from coming to further harm.
Over the next few weeks, our IR team thoroughly investigated the incident. They determined that the threat actor had been in the system for at least a month prior to the incident being flagged. Our responders identified exactly what they had accessed and what damage they had done during that time. While one month is a long time, some threat actors do take their time to stealthily move laterally within systems to reduce the chance of triggering alarms and being caught in the act.
Building back better
Once the investigation phase was complete, we advised our new customer that the safest step would be to rebuild everything from scratch. This is obviously an arduous and costly endeavour but on this occasion we convinced them that it was by far the safest option. James explains that by taking this approach, “in only a few months the company accelerated their whole security and infrastructure maturity strategy by about three years.”
A project of this size requires great teamwork. The company had been a Microsoft customer for years and so Quorum Cyber, a Microsoft Solutions Partner for Security, worked very closely with Microsoft throughout, especially in the first few weeks. Microsoft provided superb support and advice every step of the way. And while Quorum Cyber’s IR team led the engagement, it was a true team effort, with Quorum Cyber’s Engineering team contributing to its success. On the back of this work, Quorum Cyber’s Advisory team now provides a Security Director-as-a-Service (SDaaS) for the new customer.
The organisation made some quick wins and rebuilt whole systems with security in mind. In essence, they have constructed a world-class zero-trust network with the very best monitoring and detection in place 24/7, 365 days a year.
While the customer – and indeed any organisation – would not want to experience a breach of any kind, let alone one where their systems had to be completely shut down, they are now in a much better position to serve their own customers without fear of an imminent cyber-attack. Introduced to Quorum Cyber in an emergency, they instantly became a short-term customer at a very difficult time.
Today, they are a long-term cyber security partner which benefits from the protection, detection and response that our Clarity Managed Extended Detection & Response (M-XDR) service provides.
If you believe you’re experiencing a cyber incident right now, please call our Incident Response team on 0333 444 0041 and we’ll help you right away.