After spotting suspicious cyber activity within seconds, Visory’s multi-step process of containment, removal and recovery kicked into overdrive to resolve it.
As part of our ongoing and active monitoring protocols, the Visory team spotted suspicious activity inside a client’s private server. It appeared as if an employee had logged on from an unusual IP address and their behavior was outside of their normal usage patterns.
Our AI-enabled technology flagged the aberrant behavior in less than 60 seconds, and we rapidly determined that a bad actor was using stolen employee credentials that were not protected by multifactor authentication (MFA) to gain unauthorized server access and set up for an impending ransomware attack.
Once the suspicious activity was discovered and confirmed, the multi-step process of containment, removal and recovery kicked into overdrive.
This involved containing the attack by isolating our client’s server and taking it offline to remove and remediate all traces of the bad actor’s handiwork. Only after we were fully satisfied that the systems were clean did we re-enable access to the server so that the client could continue business as usual.
In this incident, the client was inconvenienced by a few hours of server downtime – a necessary but critical part of salvaging, protecting and restoring the firm’s systems.
Even though this client had not engaged us to manage their end devices and did not have MFA in place, Visory was able to save the firm by taking their server offline during their business day to address this attempted attack. With end device management and MFA in place, the employee’s ID credentials would not have been compromised and this situation would not have happened.