SUCCESS STORIES

Manufacturing Incident Response

We helped a manufacturer, who is an essential part of the US defense industrial base, rapidly regain control of their systems and data.

The client

Our client is a technology solution designer and manufacturer who provides essential products to support the US government's defense mission. This successful, founder-led business with a close-knit workforce had grown steadily over several years, adding new technology stacks to legacy systems and constantly trying to keep up with a rapidly changing IT environment. When COVID-19 broke out, the business had to swiftly adapt again and do something they had never done before – migrate their business model to a largely remote workforce. 

The challenge

The company's CFO, an early starter that morning, discovered a ransom note from an adversary on her computer. It quickly became apparent that the ransomware had also infected many other computers and servers holding essential financial and CAD design data. As a result, design and business operations ground to a halt. The client had an internal IT team but no cybersecurity team. Additionally, due to the nature of the manufacturer's work, they needed an incident response team that they and their government clients could deeply trust to handle the incident swiftly and to handle any accessed data appropriately.

Our approach

The client asked a trusted government contact who she should call and was immediately referred to Loki. The client reached out to a Loki engineer and explained their situation, and the Loki incident response team immediately swung into gear. In keeping with our corporate value of integrity, the engineer advised the client on the spot on how to contain the attack. Over a matter of days (and in some cases hours), we guided the client through the entire incident response lifecycle:

  • Preparation: We mobilized a full incident response team of appropriately cleared individuals who could navigate sensitive or controlled information issues. We liaised directly with the FBI and other information sources to gather essential data to support management's decision-making.

  • Detection & Analysis: We deployed security and investigative agents throughout the network to scope the attack. Analyzing available data, we determined how the adversary gained entry, how they subsequently traversed the network, the likely information exfiltrated or accessed, and whether backups were infected or had been tampered with. This enabled the company to determine the impacted stakeholders. 

  • Containment, Eradication & Recovery: Working seamlessly with the client's available team, we isolated infected systems and assets. We negotiated with the adversary on the client's behalf, coordinating closely with law enforcement. Because crucial servers had been encrypted multiple times by the malware, we had to carefully apply and troubleshoot the decryption process, layer by layer, to enable data reconstruction. We then purged the malware and all adversary access to the client network, restoring assets in order of business priority.

  • Post-Incident Activity: Once the client was back up and operational, we worked with them to design and implement a viable cybersecurity strategy and defensive perimeter. We monitored all digital assets through our 24x7x365 security operations center, hunting for further backdoors or beaconing and awaiting the adversary's eventual return. We conducted security awareness training for employees, tailored to the issues most immediately relevant to the business. Several months later, our penetration testing division conducted a full, independent assessment of the client's network to confirm that no residual vulnerabilities remained.

“Loki’s people are deeply dedicated to their craft and to us. We simply don’t want to be dealing with today’s cybersecurity threats without them by our side and keeping watch.”

Client CEO


The results

Within 72 hours, the business was back in limited operations. All systems had been decrypted, cleaned, and hardened within three days. Ten days after the actual breach, the company had a complete and detailed incident report that they could provide to their US government stakeholders to explain the comprehensiveness of the containment and eradication processes that had been followed. Also, using the same report and the resulting security strategy, the company got cyber risk insurance for the first time, despite being breached a few months prior.

When the adversary returned five months later, they were disappointed. A combination of Loki’s continuous monitoring, our upskilling of the client’s staff, the process changes the client implemented with our guidance, and the other technology and system-hardening measures we helped the client put in place prevented the motivated and focused adversary from gaining entry.

*We do not publicly reveal clients' names for security reasons but can always provide references.
