When attackers don’t learn their lesson on the first try, don’t give them a second chance
A cyber incident response case study
Even with advanced warning, it can be nearly impossible to prevent a ransomware attack. With the help of Deloitte’s extensive forensic, remediation, and monitoring capabilities, our client was able to rebound from one attack, quickly respond to a second attack, and work toward preventing future attacks.
The client dilemma
The client received intelligence indicating that it was at risk of an imminent ransomware attack. By noon that same day the client had engaged Deloitte to review the intelligence and the triage performed so far, which consisted of cutting internet access at all of its sites and a rudimentary sweep of the environment using the indicators the client had received; that sweep had found malware on six of the client’s systems. Beyond the client’s initial discovery, Deloitte performed an in-depth response that uncovered additional compromised systems.
The Deloitte response
After the kick-off call, Deloitte quickly got to work investigating and triaging the damage. Our team of cyber specialists:
- Pushed Deloitte’s endpoint detection and response (EDR) tool set, which carries years of custom detection rules and content from past engagements, to the client’s environment of more than 4,500 systems
- Identified remote-access Emotet and Trickbot trojans on more than 100 systems
- Performed forensics on the affected systems and reverse-engineered the malware to focus the scope of the investigation
- Isolated numerous machines to prevent further spread and began the eradication phase
More than results … recovery
After a week, the client was able to restore internet access to its sites for business continuity. Deloitte remained cautious and kept monitoring the environment in case the threat actor returned. A day later, while monitoring the client’s environment, our custom threat intelligence and curated detection methodologies picked up the threat actor executing the post-exploitation framework PowerShell Empire on about 50 systems. The Deloitte team actively fended off this second-stage attack and, through forensic analysis, identified a key system the attack was leveraging, one that was absent from the client’s asset inventory. A complete system remediation and attacker expulsion were then conducted to finally secure the environment. To prevent future damaging attacks, the Deloitte team worked with the client to recommend more effective IT security measures and strengthen its overall cybersecurity posture.
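Two of the points above generalise beyond this engagement: EDR alerts for a known post-exploitation framework tell you which hosts are in play, and reconciling those hosts against the asset inventory exposes the systems nobody was tracking. The following is an added example of that reconciliation step, written for this page; it is not Deloitte's tooling and not code from the engagement. It assumes alerts are exported as rows with a timestamp, hostname and detection name, and that the inventory is a set of hostnames; all alert rows, hostnames and detection labels are constructed.

```python
"""Reconcile EDR detections against an asset inventory (added example, constructed data)."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: rows as an EDR console might export them. Hostnames and
# detection labels are invented for illustration and do not come from the case study.
SAMPLE_ALERTS: List[Dict[str, str]] = [
    {"ts": "2020-03-02T09:14:05Z", "host": "WS-0101", "detection": "PowerShell Empire stager"},
    {"ts": "2020-03-02T09:14:09Z", "host": "WS-0102", "detection": "PowerShell Empire stager"},
    {"ts": "2020-03-02T09:15:44Z", "host": "SRV-OLDFILE", "detection": "PowerShell Empire agent"},
    {"ts": "2020-03-02T09:20:11Z", "host": "WS-0101", "detection": "Trickbot loader"},
    {"ts": "2020-03-02T10:02:30Z", "host": "WS-0200", "detection": "Suspicious scheduled task"},
]

# Constructed sample: hostnames the asset management system knows about.
# SRV-OLDFILE is deliberately missing, mirroring the untracked system in the narrative.
SAMPLE_INVENTORY: Set[str] = {"WS-0101", "WS-0102", "WS-0200", "SRV-DC01"}


def hosts_with_detection(alerts: Iterable[Dict[str, str]], name_fragment: str) -> Set[str]:
    """Hostnames with at least one alert whose detection name contains name_fragment."""
    frag = name_fragment.lower()
    return {a["host"] for a in alerts if frag in a["detection"].lower()}


def unmanaged_hosts(hosts: Iterable[str], inventory: Set[str]) -> Set[str]:
    """Hosts that produced telemetry but are absent from the asset inventory."""
    return {h for h in hosts if h not in inventory}


def first_seen(alerts: Iterable[Dict[str, str]], hosts: Set[str]) -> List[Tuple[str, str]]:
    """(host, earliest timestamp) for each host of interest, earliest first.

    ISO-8601 UTC timestamps sort correctly as strings, so no parsing is needed.
    """
    earliest: Dict[str, str] = {}
    for a in alerts:
        h = a["host"]
        if h in hosts and (h not in earliest or a["ts"] < earliest[h]):
            earliest[h] = a["ts"]
    return sorted(earliest.items(), key=lambda item: (item[1], item[0]))


def triage(alerts: List[Dict[str, str]], inventory: Set[str],
           name_fragment: str = "PowerShell Empire") -> Dict[str, object]:
    """Summarise which hosts are involved, which are untracked, and the order they appeared."""
    affected = hosts_with_detection(alerts, name_fragment)
    by_host: Dict[str, List[str]] = defaultdict(list)
    for a in alerts:
        if a["host"] in affected:
            by_host[a["host"]].append(a["detection"])
    return {
        "affected": sorted(affected),
        "unmanaged": sorted(unmanaged_hosts(affected, inventory)),
        "detections_by_host": {h: sorted(d) for h, d in by_host.items()},
        "first_seen": first_seen(alerts, affected),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_ALERTS, SAMPLE_INVENTORY)
    print("Hosts with Empire detections:", summary["affected"])
    print("Not in asset inventory:", summary["unmanaged"])
    for host, ts in summary["first_seen"]:
        print(f"{ts}  {host}  {summary['detections_by_host'][host]}")
```

The "unmanaged" list is the one to hand to the responders first: a host that produces EDR telemetry but has no inventory record has no owner, no patch baseline and no documented purpose, which is exactly the kind of system an attacker can keep using while the tracked estate is being cleaned. The first-seen ordering is a starting point for the forensic timeline, not a conclusion about where the actor pivoted from.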
Get in touch
- Andrew Morrison, Principal, Cyber Risk Services, Deloitte & Touche LLP
- Isaac Kohn, Principal, Cyber Risk Services, Deloitte & Touche LLP
- Wayne Johnson, Senior Manager, Cyber Risk Services, Deloitte & Touche LLP
- Mike Wilson, Specialist Leader, Cyber Risk Services, Deloitte & Touche LLP