Incident Response


RISK/CHALLENGE:

A mid-sized company in the legal industry was faced with the impacts of a network and data security breach carried out by the CLOP ransomware group.

  • The client required immediate Incident Response, including containment & remediation, forensics, and recovery & restoration of systems.
  • The Threat Actors demanded a $1M ransom for access to the decryption keys.
  • The client's Managed Services Provider (MSP) infrastructure was compromised, which allowed sophisticated malware to run and infect the majority of the firm's infrastructure.
  • The firm had a backup strategy; however, the backups were targeted and infected by CLOP.
  • The firm was completely shut down and all systems were unusable.
  • CLOP operators hit the law firm with triple extortion tactics.


TOOLS & TECHNIQUES:

  • Emergency Response: Redpoint supported immediate incident response, investigation, and containment, and deployed security tools to protect the network from additional encryption.
  • Forensics: Conducted forensics and timeline analysis to confirm credential harvesting (Mimikatz) and that the primary propagation method was GPO (Group Policy Object).
  • Containment: Coordinated with the network engineering team to contain active “hostile hosts” through routing updates, data center isolation, and targeted shutdowns of critical operations capabilities.
  • Threat Actor (TA) intelligence gathering: Redpoint's threat intelligence team established communications with the TA to gain valuable insight into the TA's operations and shared the intel with the network team.
  • Discovery: Analyzed the client's physical/virtual server environment to identify recoverable systems and/or configurations to facilitate the rebuild of critical infrastructure. Performed data integrity analysis on unencrypted data and moved it to a shared storage solution for recovery after spinning up new server infrastructure.
  • Remediation: Consulted with client leadership, technical staff, and 3rd-party provider(s) to plan and execute a migration to cloud-based server infrastructure with proper backup policies established and in use; planned, organized, and executed re-imaging of the client's servers/workstations at all locations using the newly established clean infrastructure.


OUTCOMES:

  • Rapid response, including initial engagement within the first hour of being engaged by Breach Counsel.
  • Established critical “mass on target” within the first 12 hours, including facilitation of daily 5pm coordination meetings with the client's senior leadership team.
  • Systematically identified, contained, and remediated “hostile hosts” while balancing business priorities.
  • Remediation of the client's hybrid cloud/on-prem workstation and server distribution.
  • Initial restoration of essential business services to internal staff and clients was performed within 72 hours, and full restoration was completed within seven days.
