Case Studies

How Ingalls works with breach victims

Working with Breach Victims Through Legal Counsel

Many of our clients have reached out to us through their legal counsel to engage our Incident Response services. This is our preferred way of engagement, as it allows us to operate under attorney-client privilege during our investigation and support of response efforts. In many cases, our clients are notified of a breach by a third party and declare an Incident. They then follow their Incident Response plan and notify their Legal Team, which may include Outside Counsel, a subcontracted legal firm specializing in cybersecurity.

In these situations, Ingalls engages with Counsel and provides a services proposal that is executed by our client under the direction of legal counsel. Once we've executed an agreement, we deploy our investigation and response tools to our client's IT environment. These tools consist of forensics software, endpoint and network prevention and detection technologies, NetFlow data and log collection and analysis solutions. Our tools allow us to investigate, determine what happened, and clean up the environment to the degree necessary for our clients to recover and return to normal operations as quickly as possible.

Ingalls provides our clients and their legal counsel with status reports, plans of action, and enhanced cybersecurity for the duration of the engagements. Once a response is concluded, we provide a detailed report of actions taken, findings, recommendations, and next steps.

Because the toolset we use for Incident Response is identical to our Managed Detection and Response toolset, it is easy for our clients to engage us for long-term support, so that they can maintain the necessary cybersecurity controls and full network and endpoint visibility to prevent future breaches, at a fraction of the cost that Incident Response requires.

Working with Cybersecurity Insurance Providers

Cybersecurity insurance is a must-have item for most businesses these days. The cost of a breach continues to climb, and the average breach is estimated to cost businesses $7 million today (Ponemon Institute, 2018). Smart companies are engaging with insurance providers for coverage, and Ingalls works with our clients' insurance companies to provide all necessary documentation for a claim.

Sometimes we are engaged by a breach victim that has a cybersecurity insurance policy to cover the cost of Incident Response – policies with this benefit have a First-Party Policy clause included. Many insurance providers have a preferred vendor schedule for Incident Response firms, and Ingalls may or may not be on that schedule. In the event that we are not on the schedule to begin with, we normally have no issue working with insurance providers to get claims submitted and reimbursed.

More importantly, and in every single occurrence, we have been able to deploy our tools and respond faster than any other firm on the vendor schedule for cybersecurity insurance providers. Typically, we have contained the incident and are ready to write a report before the insurance schedule vendor even has its first kickoff meeting. In many cases involving an insurance schedule vendor, we have been happy to assist them in deploying their tools, and we provide any work product and/or evidence necessary for them to let our client's insurance provider know that the incident has been resolved.

How is this possible? Simple: we built our Incident Response solution around the most critical factor in minimizing impact: the amount of time it takes to contain and remediate a breach. This was one of the reasons our company was founded back in 2010, because we knew the importance of time in a breach scenario and that we could respond faster than anyone else.

Ransomware Victims

The number of ransomware attacks increased dramatically in 2017 and 2018, with notable and newsworthy criminal activity that has extorted billions of dollars from commercial businesses. We've seen a large number of cases where the victim decided to pay the ransom, and we've seen cases where the victim had to rebuild their systems from scratch.

Ransomware Incidents require a careful approach that includes immediate containment of any malware or encryption technology used by attackers. We have often seen cases where the victim had advanced malware protection software that wasn't fully deployed across the environment, unprotected hosts that were used to access file shares on protected hosts, and files that got encrypted despite the anti-malware solution. We are able to identify these issues and get them fixed so that the victim doesn't suffer a follow-on ransomware attack.

Another common situation we find with ransomware attacks is unprotected remote access software exposed to the Internet that allows attackers to brute-force a login system and deploy encryption tools manually. We are able to identify these situations through our forensic analysis and help our clients close the security gap that allowed the attack to succeed.
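The pattern described above, a password-guessing burst against an Internet-exposed remote access service followed by a successful interactive logon, is visible in authentication logs well before any encryption tool is run. The following detector is an added example written for this page, not Ingalls' tooling; it runs over a constructed, simplified log modelled on Windows Security events (event ID 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive/RDP) and reports any source address that exceeds a failure threshold inside a time window, together with the account that succeeded afterwards. Field layout, threshold and window are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
# timestamp,event_id,logon_type,account,source_ip
# (simplified rendering of Windows Security events; the addresses are
# documentation ranges, not real hosts)
SAMPLE_LOG = """\
2019-03-04T02:10:01,4625,10,administrator,203.0.113.45
2019-03-04T02:10:03,4625,10,admin,203.0.113.45
2019-03-04T02:10:06,4625,10,backup,203.0.113.45
2019-03-04T02:10:09,4625,10,administrator,203.0.113.45
2019-03-04T02:10:12,4625,10,backup,203.0.113.45
2019-03-04T02:10:15,4625,10,backup,203.0.113.45
2019-03-04T02:10:40,4624,10,backup,203.0.113.45
2019-03-04T08:15:00,4625,10,jsmith,198.51.100.7
2019-03-04T08:15:20,4624,10,jsmith,198.51.100.7
2019-03-04T09:00:00,4625,2,jsmith,192.0.2.10
"""

FAILED_LOGON = 4625      # Windows Security event: an account failed to log on
SUCCESS_LOGON = 4624     # Windows Security event: an account was logged on
RDP_LOGON_TYPE = 10      # RemoteInteractive (Terminal Services / RDP)


def parse_events(text):
    """Parse the constructed CSV-style log into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, account, src = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src": src,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: alert} for sources that produced `threshold` or more
    RDP logon failures within `window`; the alert also records the first
    account that logged on successfully from that source after the burst."""
    recent = defaultdict(deque)   # src -> timestamps of failures inside window
    failures = defaultdict(int)   # src -> total RDP failures seen
    accounts = defaultdict(set)   # src -> account names tried
    alerts = {}
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue              # only interested in remote interactive logons
        src = ev["src"]
        if ev["event_id"] == FAILED_LOGON:
            failures[src] += 1
            accounts[src].add(ev["account"])
            q = recent[src]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:
                q.popleft()       # drop failures that fell out of the window
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {"first_seen": q[0], "success_after_burst": None}
        elif (ev["event_id"] == SUCCESS_LOGON and src in alerts
              and alerts[src]["success_after_burst"] is None):
            # a success from a source already flagged: likely guessed credentials
            alerts[src]["success_after_burst"] = ev["account"]
    for src, alert in alerts.items():
        alert["failures"] = failures[src]
        alert["accounts"] = sorted(accounts[src])
    return alerts


if __name__ == "__main__":
    for src, alert in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {alert['failures']} RDP failures against "
              f"{alert['accounts']} from {alert['first_seen']}; "
              f"successful logon afterwards as {alert['success_after_burst']}")
```

Only the source that hammered several accounts is reported; the single mistyped password from 198.51.100.7 and the console logon from 192.0.2.10 are ignored. In a real engagement the same logic is applied to the events forwarded from the exposed host, and a non-empty `success_after_burst` is the signal that the account's credentials, not just the exposure, need to be dealt with.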

The most important factor in ransomware responses is to ensure that our clients can either live without the data that was encrypted or restore the data by any means necessary. Secondary to that is to ensure that the method the attackers used to execute the attack successfully is identified and corrected before we are done. Many of our competitors simply investigate and write a report about how these types of attacks happen; we not only make sure that the gap gets fixed, but also quickly restore business operations and reduce the risk and financial cost to the organization.

Business Email Compromise (BEC) Breach Victims

Due to the rapid adoption of Cloud-based email services, such as Microsoft Outlook365, we have seen a massive uptick in Business Email Compromise cases since Q4 2017. These cases are most often caused by a lack of 2-Factor or Multi-Factor authentication for services such as Outlook365, and they lead to all sorts of issues for the victims, including fraudulent wire transfers initiated both by the victim and by their clients, reputation damage due to third parties being attacked from the victim's email service, and other damaging activity.

Ingalls has the ability to investigate Cloud-based BEC breaches as well as deploy tools into any on-premises environment to check for lateral movement by attackers who have obtained Single Sign On (SSO) credentials, such as those managed by Microsoft Active Directory and Azure Active Directory. We are able to assist in remediation of any BEC breach by analyzing email accounts, determining what actions the attackers took (such as creating forwarding and delete rules on inboxes), and purging email accounts of spear phishing emails as well as unauthorized changes.
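The inbox rules mentioned above are one of the first things to review in a BEC investigation, because they are how an attacker keeps reading a victim's mail and hides the thread they are manipulating after the password has been reset. The audit below is an added example for this page, not Ingalls' own tooling: it takes a constructed JSON export whose property names are modelled on those of the Exchange Online `Get-InboxRule` cmdlet (`MailboxOwnerId`, `ForwardTo`, `RedirectTo`, `DeleteMessage`, `MoveToFolder`, `SubjectContainsWords`, `MarkAsRead`) and flags rules that forward mail outside the organization, delete or bury messages, or filter on payment-related keywords. The organization's domains, keyword list and "hiding" folders are assumptions for the example.

```python
import json

# Constructed assumptions for the example organization
ORG_DOMAINS = {"example.com"}
SUSPICIOUS_WORDS = {"invoice", "payment", "wire", "bank", "password", "remittance"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items",
                  "junk email", "conversation history"}

# Constructed export, modelled on Get-InboxRule property names; the
# external address is a documentation domain, not a real mailbox.
SAMPLE_RULES_JSON = """[
  {"MailboxOwnerId": "cfo@example.com", "Name": ".", "Enabled": true,
   "ForwardTo": ["collector@example.net"],
   "SubjectContainsWords": ["invoice", "payment"],
   "DeleteMessage": true, "MarkAsRead": true},
  {"MailboxOwnerId": "cfo@example.com", "Name": "Newsletters", "Enabled": true,
   "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Newsletters"},
  {"MailboxOwnerId": "ap@example.com", "Name": "Vendor", "Enabled": true,
   "RedirectTo": ["accounts@example.com"], "MoveToFolder": "RSS Feeds"},
  {"MailboxOwnerId": "hr@example.com", "Name": "Team", "Enabled": true,
   "ForwardTo": ["hr-team@example.com"]}
]"""


def external_recipients(addresses):
    """Addresses whose domain is not one of the organization's own."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS]


def analyze_rule(rule):
    """Return a list of human-readable findings for one inbox rule."""
    findings = []
    targets = (rule.get("ForwardTo", []) + rule.get("ForwardAsAttachmentTo", [])
               + rule.get("RedirectTo", []))
    ext = external_recipients(targets)
    if ext:
        findings.append("forwards to external address(es): " + ", ".join(ext))
    if rule.get("DeleteMessage"):
        findings.append("deletes matching messages")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        findings.append(f"moves messages to '{rule['MoveToFolder']}'")
    words = {w.lower() for w in rule.get("SubjectContainsWords", [])
             + rule.get("BodyContainsWords", [])}
    hits = sorted(words & SUSPICIOUS_WORDS)
    if hits:
        findings.append("filters on financial/credential keywords: " + ", ".join(hits))
    name = rule.get("Name", "").strip()
    if len(name) <= 2:
        # near-empty names are easy to overlook in the Outlook rules dialog
        findings.append(f"rule name is blank or minimal ({name!r})")
    if findings and rule.get("MarkAsRead"):
        findings.append("marks messages as read (victim never sees them as new)")
    return findings


def audit_inbox_rules(rules_json):
    """Group findings by mailbox: {owner: [{"rule": name, "findings": [...]}]}"""
    report = {}
    for rule in json.loads(rules_json):
        findings = analyze_rule(rule)
        if findings:
            report.setdefault(rule["MailboxOwnerId"], []).append(
                {"rule": rule.get("Name", ""), "findings": findings})
    return report


if __name__ == "__main__":
    for owner, hits in audit_inbox_rules(SAMPLE_RULES_JSON).items():
        for hit in hits:
            print(f"{owner}: rule {hit['rule']!r}")
            for f in hit["findings"]:
                print(f"    - {f}")
```

Every flagged rule is a candidate for removal and, more importantly, a pointer to the thread the attacker was working (the keyword filter and the external recipient tell you which conversation and which counterpart to warn). Pair the rule audit with a review of the mailbox audit log so that rules created and then deleted by the attacker are not missed.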

Ingalls also provides phishing email helpdesk support during our breach response. This allows all users of a client's business email system to send suspicious emails to us for thorough analysis and threat intelligence, and for response if the employee who sent the email has compromised their credentials. Finally, many clients who engaged us for BEC incident response find our MDR solution and MFA deployment capabilities to be highly complementary to the Incident Response, and we continue to offer continuous, enhanced security controls for clients who need to protect their email systems from repeat compromise.

Contact Us

If you are concerned about a potential breach or if you are currently experiencing a breach and require immediate assistance, contact our 24x7x365 Emergency Hotline:

877-461-4488

Ingalls Information Security