Cybersecurity Incident Response Service for a Massachusetts-Based Company

Challenge

Suspicious events, including antivirus alerts and anomalous computer behavior, point toward a possible attempt to obtain unauthorized access to confidential information. The entity does not have an incident response plan in place, nor are sufficient tools in place to quarantine and neutralize the threat. Data collection, retention, and handling procedures for evidence are absent or insufficient, and could inhibit compliance with relevant data breach laws and regulator notification obligations for multiple states.

Solution

Provide “boots on the ground” coordination and investigation actions to identify if unauthorized access occurred, quarantine any suspicious activity, analyze and neutralize the threat, and restore operations. Using the documentation created during the incident, perform a post-event review to determine the lessons learned and improve existing processes and controls to better prevent and respond to future events.

How We Helped

A variety of suspicious activities identified during day-to-day network operations indicated that there were potential external attempts to gain unauthorized access to confidential information. Given the possibility of unauthorized access, we worked with the organization’s senior leadership to identify and assemble an incident response team to handle the security event.

Our team provided incident response assistance spanning several weeks after the initial detection. At our recommendation, legal counsel was engaged to protect the details of the investigation through attorney-client privilege. Following our analysis of the suspicious activity, our team moved to contain the potential threat through a suspension of external applications until the threat was eradicated and the systems properly secured. We subsequently performed a thorough, systematic evaluation of all connected systems and devices for further signs of unauthorized activity, and subjected any potentially compromised machines to forensic analysis.

The process resulted in the design and deployment of a new security architecture that enforced the principle of least privilege for all internally and externally accessible systems. The security improvements included the implementation of an event log retention and analysis program to monitor network activity and alert administrators when signs of unauthorized access were detected. To block potential future unauthorized access attempts, strict access rules were devised to permit only the necessary inter-network device communication. With our team’s incident response and remedial services, the organization was able to shorten the response time and minimize its exposure to unauthorized access and potential destruction of confidential company information.

Recommendations that resulted from this event fall into the following categories:

  1. Design and implement a secure network infrastructure that limits access to authorized users
  2. Update procedures and capabilities to monitor and respond to unauthorized activity
  3. Elevate security measures on externally accessible web applications to prevent unauthorized access
  4. Redesign the internal network infrastructure to employ security measures and processes designed to prevent unauthorized access or modification (e.g., via ransomware)

Using the information gathered during the event, our team was able to identify, quarantine, and respond to the threats faced by the organization, including the analysis of the suspicious events and remedial action on the affected systems. We also implemented the means to detect and respond to any potential future events. In the final step, we conducted a post-incident review that supplied the Client with conclusions, identified the lessons learned, and provided plans for improving the organizational processes going forward.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.