What would you do if you discovered that a hacker got into your firm’s network? Recently a mid-sized New York law firm found itself in this quandary. With sensitive information and years of work at risk, it had to act fast.
Fortunately, Kraft Kennedy’s Support Practice Group (SPG) noticed the intrusion during a routine check and worked rapidly with the Security Operations Center in a coordinated incident response effort that mitigated risk to the firm’s clients, finances, and reputation.
It seemed initially that the firm had been hit with CryptoLocker, a common and dangerous ransomware trojan that can devastate businesses. The malware encrypts all network data and holds it hostage until the victim firm pays for the decryption keys. The SPG, Kraft Kennedy’s managed services group, constantly monitors its clients’ systems for such malware. Alerted to the encrypted files during a routine check, the engineers investigated further and noticed suspicious remote logins to the firm’s network. Not only did they occur in the middle of the night—not in and of itself suspicious, since attorneys are known to work long hours—but also from a location where authorized users were unlikely to be.
Incident response handlers from the ISG dug deeper, sifting through login times from foreign IP addresses. Was there supposed to be someone on the firm’s network at 3 AM in Africa? “Absolutely not,” was the firm’s response. Upon further investigation, Kraft Kennedy found that hackers in Russia, China, and other foreign countries had gained access to the firm’s network. In all, the analysis revealed eleven compromised accounts, including some belonging to partners.
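The two-signal triage described above, as an added illustration that is not Kraft Kennedy’s code: a login at an odd hour is only “unusual” on its own, while a login from a country outside the firm’s expected set marks both the login and the account as suspicious. The expected-country set, the business-hours window, the pre-resolved country field, and the sample records are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical policy: countries the firm's users are expected to log in from,
# and the local hours outside of which a login is merely "unusual", not alarming.
EXPECTED_COUNTRIES = {"US"}
BUSINESS_HOURS = range(6, 23)  # 06:00 to 22:59 local time

@dataclass
class RemoteLogin:
    user: str
    when: datetime   # login time, already converted to the firm's local timezone
    src_ip: str
    country: str     # ISO code, assumed resolved by a GeoIP lookup upstream

def classify(login: RemoteLogin) -> str:
    """Return 'suspicious', 'unusual' or 'normal' for one remote login."""
    off_hours = login.when.hour not in BUSINESS_HOURS
    foreign = login.country not in EXPECTED_COUNTRIES
    if foreign:
        return "suspicious"   # a location the user should not be logging in from
    if off_hours:
        return "unusual"      # late hours alone are common for attorneys
    return "normal"

def compromised_accounts(logins):
    """Map each account with at least one suspicious login to its evidence."""
    found = {}
    for login in logins:
        if classify(login) == "suspicious":
            found.setdefault(login.user, []).append(login)
    return found

# Constructed sample records (not real log data; documentation IP ranges).
SAMPLE = [
    RemoteLogin("partner1", datetime(2014, 5, 2, 23, 30), "203.0.113.10", "US"),
    RemoteLogin("partner1", datetime(2014, 5, 3, 3, 5), "198.51.100.77", "ZA"),
    RemoteLogin("assoc2", datetime(2014, 5, 3, 9, 10), "203.0.113.45", "US"),
    RemoteLogin("assoc2", datetime(2014, 5, 3, 2, 40), "192.0.2.200", "RU"),
    RemoteLogin("paralegal3", datetime(2014, 5, 3, 14, 0), "203.0.113.99", "US"),
]

if __name__ == "__main__":
    for user, evidence in compromised_accounts(SAMPLE).items():
        for e in evidence:
            print(f"{user}: {e.when:%Y-%m-%d %H:%M} from {e.src_ip} ({e.country})")
```

In a real investigation the country field would come from a GeoIP lookup on the source address and the records from the VPN or remote-access gateway logs.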
At this point it was clear that the breach was significant. Kraft Kennedy disabled external access to the firm’s network while it sifted through evidence and immediately changed passwords for each person at the firm, a necessary but daunting task for an organization to complete on short notice. The ISG’s certified incident response experts assessed the extent of the hack and closed off the vulnerabilities while the SPG worked through the night to rebuild Citrix, Active Directory, and application servers to keep the attorneys working.
The firm had full backups of the encrypted files in Datto, a cloud backup platform that Kraft Kennedy had implemented for the firm. Forensic experts also used Datto to gather event logs, firewall logs, file access records, and registry information from several Windows computers.
Within a short time, the breach was under control, the firm’s data was restored, and operations continued as normal. ISG incident handlers, security consultants, and technical experts continued to work with the firm to monitor operations and consult with firm management about how it could protect its data in the future.
In the aftermath of a data breach, incident response time is critical; it’s the factor that determines whether the damage will be widespread or contained and stopped. The firm appreciated that Kraft Kennedy incident responders had a plan ready and worked nonstop to restore the firm’s systems and save the firm from a potentially disastrous hack.