Back arrow icon

Back to Case studies menu

Rapid remote response shuts down hacker

The client: Global organisation

The challenge:

A global organisation approached CCL to assist with a suspected data breach. Given the international status of the client, CCL was engaged to respond to the incident, remotely. The client’s security team had identified an irregularity on their network and were suspicious that they had experienced a cyber attack.  Although they were able to identify the irregularity and the servers involved almost immediately, they did not know how severely their systems had been compromised. Additionally, they had no knowledge on how long the threat had been present, which files had been accessed, nor how the server was accessed in the first place.

Although CCL have an international collections team, in this instance, the client team removed the compromised machines, took images of the virtual machines and sent them securely to the cyber security experts at CCL.

Overcoming the challenge:

The extraction of data for a digital forensic examination can be a slow process and this case required a quick reaction. Instead, our experts were able to implement a modern approach, incorporating forensic data acquisition and threat hunting determined by their hypotheses, to understand not only the result of the attack via Indicators of Compromise (IOC) but also the how and why.

Our experts achieved this through the use of multiple advanced tools and were able to communicate this to the client via methodologies, including Cyber Kill Chain and MITRE ATT&CK Framework, a knowledge base for hackers’ tactics, techniques and procedures (TTP). This assisted the team in determining that the hacker gained access via a zero day on an unpatched plugin and proceeded to download archived files, rather than personal data – suggesting their motivations were opportunistic rather than malicious. Luckily.

Our experts examined the artefacts, tracked the adversary’s lateral movements across the network, analysed and documented the TTP and produced a final report for the client.

The result:

Once our experts had produced the report, they then flew overseas to deliver the final report and discuss the lessons learned across all teams that contributed to resolving the breach. The ability to put in place a proactive Response Capability plan is often as important as the analysis and can be used to contribute to overall resiliency in the future.

Back to Case studies menuBack to Cell Site

CCL Solutions Group Logo

CCL (Solutions) Group Ltd
34-36 Cygnet Court,
Timothy’s Bridge Road,
Stratford-upon-Avon,
CV37 9NW

E: contact@cclsolutionsgroup.com

T: 01789 261200
Services
Digital ForensicsInvestigative ServicesCyber SecurityConsultancy & Training
Forensic tools
SPEKTORCascadeRabbitHoleMOBILeditResellers
About
About usTeamCareersCentre of ExcellenceAcademyCranfield UniversityAccreditations
Resources
LatestCase studies
Quick links
Website Privacy PolicyCookie PolicyWebsite Terms and Conditions of UseCCL Group Privacy Notice

CCL Solutions Group is made up of the following companies: CCL (Solutions) Group Ltd (company number 08128980), CCL-Forensics Ltd (company number 05314495), Evidence Talks Limited (company number 04611669), CCL Cyber Solutions Ltd (company number 11316398), CCL (Computer Consultants) Ltd (company number 02049601)

Copyright @ CCL Solutions Group