CASE STUDY
A Merchant Bank Puts Trust in UnderDefense for Incident Response and Post-Breach Recovery
Key Results
90%
of threats are detected and resolved immediately
40+
alerts managed outside working hours
330
alerts managed outside
26%
of contained threats could cause business disruption
992
incidents investigated
Background
The Challenge
The client experienced a breach when one of their computers fell victim to a ransomware attack. The company was small, and they used to believe they were not on hackers’ radar. Consequently, their team of financial professionals was caught off guard. However, they quickly realized the severity of the situation and began searching for a solution.
Given the sensitive nature of the breach and the potential harm to their reputation, the client was eager to partner with a reliable and trustworthy vendor to recover and rebuild their IT systems. They asked the CEO of one of their portfolio companies with 80M in revenue, who had also experienced a similar incident, for a recommendation. And that’s how they found out about UnderDefense.
About the client
Headquarters: Florida, USA | Internal IT Security Team: No |
Industry: Investment Banking / Private Equity | Infrastructure: Hybrid |
Company Size: 10–49 employees | Covered Endpoints: 40+ |
Project Duration: June 2021 - Ongoing | Incidents Investigated: 992 |
Technologies and Tools: SentinelOne EDR, Windows Server Update Services (WSUS), Dropbox, Sysmon, KnowBe4 Silver | Alerts Outside Working Hours: 330 |
Provided Services: IR + MDR L1 (Incident response + 24/7 Managed Endpoint Detection & Response Subscription) Add-ons: vCISO | Manually Processed Alerts Severity: High 252 Low 740 |
The essence of the attack
This type of attack can be devastating for small or medium-sized businesses, often leading to data loss, system downtime, and significant financial losses.
Fortunately for the customer, in this case, the ransomware that infected the system could not exfiltrate data. Instead, it immediately encrypted the data without transferring files to a malicious C2 server. While still a severe incident, this mitigated the potential damage and reduced the risk of exposing sensitive data to malicious actors.
The human factor of the attack
The root cause of the infection and ransomware attack was an employee’s inadvertent click on a malicious link, which downloaded and executed a binary file.
The incident was not a targeted attack but rather a spear-phishing campaign. However, it resulted in significant business risk due to the sensitive nature of the compromised files. These files included financial documentation, term sheets, M&A agreements, and negotiation emails for high-profile family offices and private equity firms with multi-million dollar equity placements.
Local MSP oversight in incident response and recovery services
When we started our collaboration, the client was already using the services of a local MSP to manage and secure their IT and office infrastructure.
Our approach involved developing mutually beneficial cooperation with the MSP to effectively address any incidents impacting the client. By doing so, we ensured that all the parties received the necessary protection and support.
Unfortunately, the MSP provider failed to meet basic cyber hygiene criteria since:
- The client’s software was not up-to-date
- No basic anti-malware controls were in place
Challenges
- Poor security awareness and employees` unpreparedness for a cyberattack
Results
- Comprehensive cybersecurity awareness training for employees. Development of clear security policies to reduce risks of cyber incidents, ensure compliance with industry regulations, improve productivity, enhance reputation, and save costs
- Zero endpoint protection
- Implementation and full configuration of endpoint protection software to improve overall security posture, prevent further infections, and eliminate the risk of data breaches
- Use of an unsecured Dropbox platform for file sharing, resulting in the sensitive data exposure
- Design of a secure collaboration policy and safe communication channels. Control of file-sharing activity to prevent unauthorized access and reduce the risk of sensitive data exposure
- Sensitive files on Dropbox were immediately encrypted and unrecoverable
- Isolating the infected system, determining the scope of the infection, restoring data from backups, and implementing measures to minimize the impact of data loss and minimize downtime
- Lack of a Business Continuity/Disaster Recovery (BC/DR) plan
- A comprehensive BC/DR plan to minimize the impact of disruptions and financial losses, maintain critical business operations, enhance customer and stakeholder confidence in the company’s ability to manage disruptions
Challenges & Results
Challenge
- Poor security awareness and employees` unpreparedness for a cyberattack
Result
- Comprehensive cybersecurity awareness training for employees. Development of clear security policies to reduce risks of cyber incidents, ensure compliance with industry regulations, improve productivity, enhance reputation, and save costs
Challenge
- Zero endpoint protection
Result
- Implementation and full configuration of endpoint protection software to improve overall security posture, prevent further infections, and eliminate the risk of data breaches
Challenge
- Use of an unsecured Dropbox platform for file sharing, resulting in the sensitive data exposure
Result
- Design of a secure collaboration policy and safe communication channels. Control of file-sharing activity to prevent unauthorized access and reduce the risk of sensitive data exposure
Challenge
- Sensitive files on Dropbox were immediately encrypted and unrecoverable
Result
- Isolating the infected system, determining the scope of the infection, restoring data from backups, and implementing measures to minimize the impact of data loss and minimize downtime
Challenge
- Lack of a Business Continuity/Disaster Recovery (BC/DR) plan
Result
- A comprehensive BC/DR plan to minimize the impact of disruptions and financial losses, maintain critical business operations, enhance customer and stakeholder confidence in the company’s ability to manage disruptions
It can take one email for your company to come from “Woohoo!” to “D’oh!”
Don’t postpone your business security, request a quote today
The Solution
Within five days of receiving the first email from our client and being informed of the affected business, we had a call with their CEO. During this call, we collected incident information and suggested 3 ways of protection to initiate the Incident Response (IR) process.
UnderDefense provided an IR team to address the initial threat and clean up the systems. We also involved the customer’s legal and marketing representatives in preparing external communication and response as part of further Incident Response readiness and IR Plan.
IR team activities:
- Risk assessment and damage evaluation
- Deploying SentinelOne EDR solution across all endpoints
- Monitoring anomalies
- Discovering critical files and recovering them via O365 archives
- Reconfiguring Windows domain Group Policies
- Establishing the Sysmon Windows service
- Dark web monitoring
- Continuous monitoring of the customer exposure and external risks, including any C2 activities from their networks
Critical findings
After checking corrupted backups, we realized that Microsoft O365 was the single source of data recovery. As a result, we focused on recovering critical files from O365 mailboxes and used data discovery techniques to identify sensitive business data and files. Later, our team secured these sensitive files to ensure their protection.
Within three weeks, our vCISO team was engaged to evaluate the customer’s current cybersecurity posture, map available controls to the NIST CSF framework, and develop a transformation roadmap. Once the customer approved the roadmap and the budget, we implemented all the necessary best practices from the NIST CSF to ensure that the customer moved from maturity level one (ML1) to maturity level two (ML2).
Virtual CISO team activities:
- Defining critical areas
- IT and security infrastructure assessment based on the framework similar to CIS20
- Conducting security awareness training
- Reconfiguring Microsoft O365
- Conducting phishing simulation by our RedTeam
- Configuring KnowBe4 Silver
- Providing a list of short- and long-term tactics with strategic recommendations
We also involved the expertise of a SOC (Security Operations Center) team to ensure constant monitoring and timely detection of malicious activities on the client’s endpoints. Their responsibilities include collecting and analyzing security logs and alerts, managing security tools and technologies, and providing real-time monitoring services.
SOC team activities:
- SentinelOne EDR solution deployment
- Activating 24/7 managed EDR, standard package (L1)
- Starting 24/7 SOC team threat hunting and monitoring
Outcomes
In light of potential cyberattacks, it becomes vital for organizations to have a reliable security partner, who can provide the necessary skills and expertise, minimize the risk of future attacks, and mitigate the potential consequences. Our client has taken proactive measures by collaborating with UnderDefense to prevent any possible financial losses and damage to their reputation.
Through a comprehensive assessment process, we have provided our client with a list of short- and long-term tactics, as well as strategic recommendations tailored to their unique needs. Our recommendations focus on synchronizing business goals with the cybersecurity roadmap, ensuring that the client’s business is secure and aligned with its long-term vision.
Cost-effective solution for business
Forward-looking businesses prioritize operational expenses (OPEX) over capital expenditures (CAPEX). Instead of building an expensive in-house cybersecurity team, our client has outsourced their security needs to a trusted third-party provider like UnderDefense. By doing so, they have reduced operating costs, minimized risks, and can now focus on what they do best – growing their business.
Affordable cloud technology stack
Our top-notch cloud technology stack has been meticulously crafted to provide the client with an affordable and efficient solution that seamlessly integrates with their existing systems. The client has streamlined operations, improved productivity, and enhanced overall performance.
Flexible payment options
Our simple monthly payment plan eliminates the need for long-term commitments, and our customer can access our services without a large upfront investment. This gives them the flexibility to manage their cash flow and allocate resources where they are needed most.
Ongoing protection, monitoring, and reporting of threats
Incident Response Retainer (IRR)
IRR is a valuable investment that provides the client with peace of mind knowing that they have a plan in place, can proactively prepare for potential security incidents when needed, and can quickly access expert help in the event of a security incident.
Enhancing IT with vCISO support
Our information security expertise helps the client to develop a comprehensive security strategy that aligns with their business goals and objectives. We also help the client identify and manage information security risks and ensure appropriate security controls are in place to protect their data and systems’ confidentiality, integrity, and availability.
Besides, we work closely with the client’s team to ensure they have the knowledge and skills to maintain a secure environment.
Furthermore, we provide regular updates and reports on the client’s security posture status and recommend additional measures to maintain a strong security stance.