Cyber security for a Transport Company
Data security, trust protection
Our team was contacted by one of the largest players in the gig economy, which provides an online platform for placing orders for transportation services. Our client was the victim of a ransomware email attack after hackers gained access to and control of a number of sensitive company databases. They threatened to compromise external services and corrupt data. We were asked to become part of a remote international incident response team consisting of various cybersecurity experts with different backgrounds and skill sets from around the world. CUSTOMER REQUIREMENTS The challenge for our team was multifaceted: conducting incident analysis on several servers to assess the situation as a whole simultaneously strengthening the organization's security to prevent compromise of the company's assets
WHAT WAS DONE
KEY STEPS
Over the course of three weeks, three teams working in 8-hour shifts followed a unified plan with delegated tasks and provided real-time status updates for incident management. To successfully resolve the incident, we performed several types of work:
- In-depth analysis of the client’s infrastructure and critical assets to identify signs of modern persistent threats and malicious actions;
- Real-time infrastructure monitoring and processing of a large number of security system logs;
- Isolation of systems to preserve and collect evidence, as well as migration of all critical client systems to the cloud to minimize the impact on the business;
- Penetration testing of the main application in active mode to identify actual and potential entry points;
FEATURES
During the investigation, we found both traces of the attackers’ actions and numerous errors in the security system configuration that could have led to a potential compromise. After conducting a full-scale assessment of the compromise of the client’s infrastructure, we prepared a detailed report and provided recommendations for improving the client’s cyber resilience.
WIFI hacking scenario:
Here, the scenario boils down to creating a fake access point with a fake captive portal, DoS-attacking the legitimate access point, and using the fake point to steal login credentials to the corporate WPA network.
RESULT
With a coordinated team response, we improved visibility into the cyber incident that occurred and allowed our client to manage the response with more control, greater efficiency, and reduced time between detection and remediation. During the investigation, we identified numerous critical misconfigurations that could have been used by attackers as entry points. We hardened the system, which allowed us to restore normal operations, and informed our client about which systems were compromised.
All findings were documented with and proposed remediation actions in accordance with cybersecurity best practices.