©2024 Akamai Technologies
The Challenge
After a successful propagating malware attack that impacted business operations, a global manufacturer began working with the breach remediation services company to restore and improve security in its environment. The attack, initiated from an employee’s laptop, had quickly spread and impacted most operating locations in addition to penetrating the organization’s backup servers.
The Solution
Initial containment methods, such as applying internet access restriction rules across firewalls, were slow to contain the rapidly worsening breach. The complexity of the environment and the reality of networking in a distributed enterprise made implementing and enforcing restriction rules with firewalls a slow and ineffective process.
Additionally, visibility into legacy machines was a significant issue for the incident responders responsible for investigating and containing the breach. Seeing the urgent need to accelerate segmentation before the lateral spread impacted even more assets, the breach remediation service provider recommended Akamai Guardicore Segmentation.
Guardicore allowed us within four hours to stop the attack from spreading and restore downed production lines in a “sterile” network segment without modifying any underlying networking. All during ongoing IR investigation and containment.
CISO at Breach Remediation Company
The Results
Instant visibility
Within three hours, the breach remediation services organization swiftly provisioned Guardicore agents across more than 3,000 company servers. And, just minutes after deployment, granular visibility into networking and communications flows began to emerge, giving the incident response team the context and accurate data they needed to investigate the breach and validate containment.
Fast time to policy
Shortly after achieving much-needed visibility, teams took action to segment critical assets from the broader environment. Two crucial production applications, responsible for the only functioning manufacturing line, were quickly identified and secured. Using Guardicore, a policy was immediately introduced that restricted connections from infected subnets and parts of the data center to those applications, a task that would have taken weeks with legacy firewalls. A simple query also revealed that legacy machines were still reaching the internet directly, bypassing both the legacy firewalls and the containment restrictions that had been applied to them. After discovering this noncompliant communication, the team created policies that effectively restricted internet access for all servers, including the legacy machines, within minutes.
Preventing lateral movement during recovery
During the next part of the recovery process, the team rebuilt the manufacturer's application clusters with Guardicore agents baked in from the start. The team configured an initial policy that blocked all incoming connections to the rebuilt clusters and used Guardicore's flow visibility to identify their dependencies. Communications were then allowlisted on a need-to-have basis, only after the requirement had been validated and its context understood. This approach allowed the team to bring the applications affected by the ransomware attack back online without the risk of reinfection.
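The containment and recovery steps above follow one pattern: block the known-bad paths first (infected subnets toward critical applications, direct internet egress from any server), discover the inbound dependencies of the critical applications from observed flows, have a human validate each one, and only then allowlist it on top of a default-deny inbound rule. The Python below is an added, illustrative model of that workflow; it is not Guardicore's policy language or any Akamai code, and the IP addresses, subnets and flow records are constructed sample data, not anything from the case study.

```python
"""Illustrative default-deny segmentation model (added example, not Guardicore's policy engine)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Iterable

# A flow as an agent-based visibility tool might report it: (src_ip, dst_ip, dst_port, proto).
Flow = tuple[str, str, int, str]

# Constructed sample flows (assumed data, not from the case study).
OBSERVED_FLOWS: list[Flow] = [
    ("10.20.1.50", "10.20.1.10", 1433, "tcp"),    # MES app server -> MES database
    ("10.20.1.51", "10.20.1.10", 1433, "tcp"),    # second MES app server -> database
    ("10.30.0.7", "10.20.1.50", 443, "tcp"),      # PLC gateway -> MES app (legitimate)
    ("10.50.3.9", "10.20.1.50", 445, "tcp"),      # host in an infected subnet probing SMB
    ("10.50.3.9", "10.20.1.10", 445, "tcp"),      # same host toward the database
    ("10.20.1.50", "203.0.113.8", 443, "tcp"),    # app server egress to the internet
    ("10.9.0.4", "198.51.100.2", 80, "tcp"),      # legacy host bypassing the perimeter firewall
    ("10.9.0.4", "10.20.1.50", 8443, "tcp"),      # legacy host -> MES app (needs review)
]

CRITICAL_APP_IPS = {"10.20.1.10", "10.20.1.50", "10.20.1.51"}   # assumed critical servers
INFECTED_SUBNETS = [ip_network("10.50.0.0/16")]                 # assumed infected range
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def in_any(ip: str, nets: Iterable) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def is_internet(ip: str) -> bool:
    """Anything outside private address space is treated as 'the internet'."""
    return not in_any(ip, RFC1918)


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "block"
    label: str                        # why the rule exists; surfaces in evaluate()
    match: Callable[[Flow], bool]     # first matching rule wins


def discover_dependencies(flows: Iterable[Flow], app_ips: set[str], infected) -> list[Flow]:
    """Candidate inbound dependencies of the critical apps, with infected sources excluded.

    These are candidates only: each one still needs a human to confirm the requirement.
    """
    deps = {f for f in flows if f[1] in app_ips and not in_any(f[0], infected)}
    return sorted(deps)


def build_policy(app_ips: set[str], infected, validated_deps: Iterable[Flow]) -> list[Rule]:
    """Emergency containment first, validated allowlist second, default deny inbound last."""
    rules = [
        Rule("block", "contain: infected subnets -> critical apps",
             lambda f: in_any(f[0], infected) and f[1] in app_ips),
        Rule("block", "contain: no direct internet egress from any server",
             lambda f: is_internet(f[1])),
    ]
    for dep in validated_deps:
        src, dst, port, proto = dep
        rules.append(Rule("allow", f"validated dependency: {src} -> {dst}:{port}/{proto}",
                          lambda f, key=dep: f == key))
    rules.append(Rule("block", "default deny: all other inbound to critical apps",
                      lambda f: f[1] in app_ips))
    # Traffic not involving the critical apps or the internet is left alone in this phase.
    rules.append(Rule("allow", "not yet segmented: other east-west traffic", lambda f: True))
    return rules


def evaluate(policy: list[Rule], flow: Flow) -> tuple[str, str]:
    for rule in policy:
        if rule.match(flow):
            return rule.action, rule.label
    return "block", "implicit deny"


if __name__ == "__main__":
    candidates = discover_dependencies(OBSERVED_FLOWS, CRITICAL_APP_IPS, INFECTED_SUBNETS)
    # Human review step, simulated: the legacy host's 8443 connection is rejected.
    validated = [d for d in candidates if d[0] != "10.9.0.4"]
    policy = build_policy(CRITICAL_APP_IPS, INFECTED_SUBNETS, validated)
    for flow in OBSERVED_FLOWS:
        action, why = evaluate(policy, flow)
        print(f"{action:5} {flow[0]:>12} -> {flow[1]:>13}:{flow[2]:<5} {why}")
```

Rule order is the point: the containment blocks sit above every allow so that a later, over-broad allowlist entry cannot reopen an infected subnet or internet egress, and the inbound default deny sits below the allowlist so that a dependency nobody validated (here, the legacy host on 8443) stays blocked until someone confirms it is needed.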
Future protection
The internal data center segmentation introduced during the phased recovery significantly reduced the internal attack surface and the reach of any future lateral movement. Today, the organization's security posture has improved, and the impact of any future breach is greatly reduced.
Guardicore enabled the breach remediation services company to demonstrate significant added value for its customer, the manufacturer, while helping it recover from the ransomware attack. This opened up the opportunity for the services company to increase revenue, expand its footprint, and better help clients realize their IT and security goals.