Rapid incident response on the worst day ever

Our IR team is used to such requests at unsociable hours and this one wasn’t out of the ordinary – in fact, it’s a normal day’s work for our certified incident responders who are on standby 24/7 to handle such situations. We quickly ascertained that several alerts strongly indicated a ransomware attack. The day’s work extended to the whole weekend as our team figured out what had happened.

Our customer’s concerns proved to be for good reason. Their client had suffered a fairly large ransomware attack. Response time is critical once threat actors have infiltrated an organisation’s systems – every second counts to minimise damage, expel the attacker and get the situation under control. Our team couldn’t have arrived sooner, and they knew exactly what to do.

“A lot of their critical systems had been taken down and were in the process of being encrypted,” explains James Allman-Talbot, Quorum Cyber’s Head of Incident Response and Threat Intelligence. “They shut down the whole network on the Saturday morning and we started the investigation.”

He adds that while their IT systems were critical for the running of their business, “they weren’t able to bring anything back up online because of the level of access that the attacker had.”

Our team duly advised the organisation of the nature and severity of the breach, calmly explained what we had done to contain it and what the options were to safely and securely move forwards to achieve a positive outcome.

Communication is key

Careful communication with internal and external stakeholders is extremely important during cyber-attacks, which are highly stressful and can be mentally and emotionally exhausting for the teams involved. At times, they can also cause some friction in the event that people point fingers of blame. It’s nobody’s fault that they are breached and at Quorum Cyber we have a tried a tested procedure for turning what might seem like the worst day into significantly strengthening the organisation’s security posture in the long term.

That’s why, in incidents like this one, our IR team advises the customer on how to communicate to the business and to other stakeholders, to police, insurers, legal bodies and industry regulators. What, when and how to communicate is a skill in itself, especially as most stakeholders will have different perceptions and opinions, and can jump to assumptions which may make working relationships worse.

Onboarding onto the Tactical MDR service

Another top priority was to protect the customer from any further attacks, whether from the threat actor that the IR team had caught red-handed or from others who may have been lurking in the background and looking for vulnerabilities to exploit.

So, on Sunday morning, the company agreed to be onboarded onto our Tactical Managed Detection & Response (Tactical MDR) service, run by our Security Operations Centre (SOC) team. Within four hours of signing a contract, our SOC team was able to monitor all their devices and endpoints for suspicious activity. However, their servers had to be taken offline to prevent them coming to harm.

Over the next few weeks, our IR team thoroughly investigated the incident. They determined that the threat actor had been in the system for at least a month prior to the incident being flagged. Our responders identified exactly what they had accessed and what damage they had done during that time. While one month is a long time, some threat actors do take their time to stealthily move laterally within systems to reduce the chance of triggering alarms and being caught in the act.

Building back better

Once the investigation phase was complete, we advised our new customer that the safest step would be to rebuild everything from scratch. This is obviously an arduous and costly endeavour but on this occasion we convinced them that it was by far the safest option. James explains that by taking this approach, “in only a few months the company accelerated their whole security and infrastructure maturity strategy by about three years.”

A project of this size requires great teamwork. The company had been a Microsoft customer for years and so Quorum Cyber, a Microsoft Solutions Partner for Security, worked very closely with Microsoft throughout, especially in the first few weeks. Microsoft provided superb support and advice every step of the way. And while Quorum Cyber’s IR team led the engagement, it was a true team effort, with Quorum Cyber’s Engineering team contributing to its success. On the back of this work, Quorum Cyber’s Advisory team now provides a Security Director-as-a-Service (SDaaS) for the new customer.

The organisation made some quick wins and rebuilt whole systems with security in mind. In essence, they have constructed a world-class zero-trust network with the very best monitoring and detection in place 24/7, 365 days a year.

While the customer – and indeed any organisation – would not want to experience a breach of any kind, let alone one where their systems had to be completely shut down, they are now in a much better position to serve their own customers without fear of an imminent cyber-attack. Introduced to Quorum Cyber in an emergency, they instantly became a short-term customer at a very difficult time.

Today, they are a long-term cyber security partner which benefits from the protection, detection and response that our Managed Extended Detection & Response (M-XDR) service provides.

If you believe you’re experiencing a cyber incident right now, please call our Incident Response team on 0333 444 0041 and we’ll help you right away.