Extensive telemetry and intelligence for accelerated investigation and remediation.
Unit 42® was called in to investigate a complex attack involving social engineering, exploitation of security tools and data theft.
To identify, contain and evict the threat actor
To identify new TTPs of an emerging threat actor, helping contain future incidents faster
From Cortex XDR® blocking a second brute force attack to Unit 42 MDR team responding and recommending defensive measures
Global business process outsourcing company
The client was the target of a sophisticated cyberattack executed by Muddled Libra. Five attacks within a one-week period demonstrated the threat actor’s ability to adapt and find new pathways into the network, including using the victim’s own security tools for lateral movement and further compromise. Unit 42 was brought in to:
Assessed the environments to identify signs of unauthorized access and suspicious activities to determine the scope and impact of the attacks.
Unit 42 conducted a broad investigation and gathered evidence to quickly identify impacted systems and accounts.
Advised the client to secure compromised accounts and systems, begin Active Directory reconstruction, immediately isolate affected systems, change passwords and harden firewalls.
The priority was to restore affected systems to a secure state, apply patches and harden the network against vulnerabilities.
The client worked with Unit 42 to apply lessons learned to drive ongoing improvements to their security practices, implementing awareness training and conducting regular security assessments.
Identified initial signs of unauthorized access and suspicious activities and assessed the scope and impact of the intrusion.
Investigated digital evidence to identify systems and accounts involved.
Secured compromised accounts, isolated compromised systems, began Active Directory reconstruction and firewall hardening.
Restored affected systems to a secure state, removing any malicious presence and hardening vulnerabilities.
Performed continuous monitoring for unauthorized activities, assessing extent of lateral movement and reconnaissance.
Further investigation to identify tools and techniques used by the threat actor.
Implemented additional security measures to mitigate risks, including blocking access to specific tools and updating security policies.
Identified exfiltrated data, restored affected systems and identified and remediated vulnerabilities.
Assessed impact of unauthorized access attempts into a third-party virtualized domain, evaluating potential risks and exposure.
Further investigation to determine the extent of unauthorized access and potential data exfiltration.
Secured third-party domain, implementing stronger access controls and conducting security assessments.
Began identifying exfiltrated data and restoring third-party domain to a secure state, identifying and remediating vulnerabilities.
Strengthened security posture of third-party domain, implementing additional security controls and conducting regular audits.
Assessed impact and evaluated potential exposure of unauthorized access to file share and email operations.
Further investigation to identify accounts involved and extent of data accessed or manipulated.
Secured affected accounts and systems, resetting passwords and implementing additional monitoring and access controls.
Recovered compromised data and restored affected accounts and systems, identifying and remediating vulnerabilities.
Enhanced data protection measures, implementing data loss prevention controls and strengthening email security protocols.
Assessed overall impact of network intrusion and effectiveness of security measures, evaluating readiness to prevent future incidents.
Identified any remaining vulnerabilities or potential areas of improvement, reviewing IR process and security policies.
Implemented additional security controls, conducted penetration testing and enhanced monitoring capabilities.
Continuous monitoring and proactive threat hunting to ensure systems were free from unauthorized access.
Used lessons learned to drive long-term improvements in security practices, conducted regular security assessments and training.
With Unit 42 Incident Response, stay ahead of threats and out of the news. Investigate, contain and recover from incidents faster and emerge stronger than ever before, backed by the full power of the world’s leading cybersecurity company. Contact us to gain peace of mind.
Palo Alto Networks platform for in-depth visibility to find, contain and eliminate threats faster, with limited disruption.
Trusted experts who mobilize quickly and act decisively in over 1K incidents per year.