Safeguarding an American Oil & Gas Retailer’s Future

Identifying threats from inside the business

A mid-sized oil and gas retailer in the US faced a significant internal security threat that jeopardised its operational integrity and financial standing. The company identified two employees who were engaged in illicit activities, including the trade of gift cards on the dark web and conducting fraudulent online transactions. Additionally, these internal threat actors submitted false expense receipts, one of whom held a critical leadership position within the IT Department, increasing the complexity and risk of the situation.

Containing the threats

Quorum Cyber was brought in to collect and preserve critical forensic evidence to enable the company to pursue legal action against the threat actors.

To address these challenges, onsite IT resources were tasked with eliminating all access points utilised by the threat actors. A comprehensive inventory and security overhaul of the company's entire IT infrastructure was conducted to ensure no vulnerabilities remained. To maintain operational stability, Quorum Cyber provided 30 days of continuous IT services to assist end users during the transition.

Three positive outcomes

The strategic interventions led to several positive results for the company:

  • Prevention of Future Threats: By implementing rigorous access control measures, the company effectively thwarted potential reattacks, securing its operations against internal threats.
  • Comprehensive Forensic Investigation: The oil & gas firm delivered an in-depth forensic analysis of the threat actors' activities, providing valuable insights and evidence to support legal proceedings.
  • Operational Continuity: Throughout the remediation process, the company ensured the continuous and smooth operation of its day-to-day activities, minimising disruptions and maintaining business as usual.

By addressing the internal security threats with decisive action and robust solutions, the oil & gas retailer protected its assets and reputation from harm and also reinforced its commitment to maintaining a secure and trustworthy business environment.

Contact us if you need help to strengthen your company's cyber security.


Enhancing Security for a US Utilities Company

The looming threat of a ransomware attack

A utilities company in the US faced a significant cyber security threat and the looming risk of a LockBit ransomware attack. With over 350 hosts potentially at risk and compromised domain controllers, the company needed an urgent and effective response to secure its network and protect its operations.

Activating a defence strategy

To address these challenges, the company brought in Quorum Cyber and implemented a multi-faceted security strategy:

  • Device Isolation: Impacted devices were immediately isolated to prevent further spread and minimise the impact on critical systems
  • Proactive Threat Hunting: The company conducted proactive threat hunting to identify potential vulnerabilities and threats before they could escalate
  • Falcon Platform Utilisation: Endpoint detection and response (EDR) was deployed to identify and prioritise vulnerable hosts, enabling targeted remediation and strengthening overall security posture.

Positive outcomes and a long-term managed services contract

The comprehensive security measures led to several positive outcomes:

  • Network Security Enhancement: The company successfully secured its entire network, mitigating the immediate threat and bolstering defenses against future attacks.
  • Collaborative Remediation: Quorum Cyber’s close collaboration with the business ensured that compromised systems were remediated efficiently and returned to full operational status.
  • Long-Term Partnership: Impressed by the effective response and improved security, the utility firm signed up for a long-term engagement with Kivu, demonstrating confidence in the company's ability to provide ongoing protection and support.

Through strategic action and collaboration, the utility company overcame the immediate cyber security threat and also established a robust security framework that supports its long-term operational integrity.



Preparing a US Utility Company for Ransomware Attacks

Introduction

The rampant increase in ransomware attacks has put critical-infrastructure providers on notice. A $10 billion electric utility, which provides electric power production, transmission and retail distribution operations to the south-eastern US, decided it wouldn’t wait until it was victimised. It invested in a prescriptive programme to strengthen its cyber readiness and resilience.

The challenge

With the well-publicised attack against Colonial Pipeline in May 2021 fresh in their minds, the utility’s Board of Directors was becoming increasingly concerned about how prepared their company was to identify and effectively respond to such an attack, and mitigate its potential impact. Incident response (IR) plans were in place at both a technical and executive level, and the company had an IR retainer with a well-known digital forensics and incident response (DFIR) firm.

However, the Board wasn’t confident that those plans or the DFIR partner were adequately prepared to address the unique nature of a ransomware attack. The Security Incident Response Committee turned to Quorum Cyber to understand how to best analyse the nuances of ransomware attacks, evaluate how well their IR plans were positioned for identifying and responding to an event, and determine if there were additional areas of improvement that could help limit the impact of an attack when it happened.

Quorum Cyber’s response and solution

To fully evaluate the effectiveness of the utility’s IR plans and ability to respond to a ransomware event, Quorum Cyber proposed a two-phased approach comprising:

  • An IR Plan Assessment
  • Technical and executive-level ransomware tabletop sessions.

In the first phase, Quorum Cyber evaluated the customer’s technical and executive IR plans against NIST 800-61, with a specific view toward use of incident-handling best practices related to ransomware.

In the second phase, Quorum Cyber collaborated with multiple individuals from across the organisation to develop a customised and environment-plausible ransomware attack scenario for field-testing during the two tabletop exercises. By leveraging this two-phased approach, Quorum Cyber was able to evaluate the efficacy of the company’s procedures as well as IR personnel’s knowledge and ability to respond to a realistic ransomware attack.

Outcome

By gaining insight into how well-positioned its people and procedures were to effectively respond to a ransomware event, the utility:

  • Increased Board of Directors’ confidence in limiting the operational and financial impact of a ransomware event
  • Prepared the executive team for evaluating the pay/no-pay decision in a ransomware event, to limit financial exposure
  • Enabled re-prioritisation of cyber investments to yield greater return on investment (ROI) in ransomware protection.

Headquarters

Verdant
2 Redheughs Rigg
Edinburgh
United Kingdom
EH12 9DQ

Colorado, USA Office

950 S Cherry St Ste 505
Denver, Colorado
USA
80246

Ontario, Canada Office

1375 North Service Rd E
Suite 102
Oakville
Ontario L6H 1A7

Arizona, USA Office

1300 S Litchfield Rd
110-L, Goodyear
USA
Arizona 85338
