SPEAK WITH AN EXPERT

CASE STUDY – PHARMACEUTICAL

Rapid DFIR response contains sophisticated network intrusion in <24 hours for a pharmaceutical company

DOWNLOAD THE PDF

About the client

The client is a U.S.-based pharmaceutical technology company, providing specialized platforms and services to customers across the healthcare sector. The organization operates a hybrid on-premises and virtualized environment to support its development, QA, and back-office functions, and had invested in a security stack that included Microsoft Defender for Endpoint, Microsoft Sentinel as its SIEM, and SonicWall for both VPN remote access and perimeter firewall protection.

The client’s challenge

The client became aware of a potential security incident when Microsoft Defender for Endpoint flagged the deployment of unfamiliar tooling across several machines in their environment. What initially appeared to be an isolated alert quickly indicated a more serious and active compromise.

Further investigation revealed that the attacker had already gained a foothold in the network before the alert was raised. The initial access vector was a misconfiguration in the company’s SonicWall SSL-VPN, which the threat actor had exploited to bypass mandatory two-factor authentication.

Without a dedicated security operations capability, the client did not have the specialist expertise, forensic tooling, or incident response processes needed to investigate the full scope of the breach, contain the threat, or determine whether sensitive data had been accessed or exfiltrated.

Benefits

  • Root cause identified within 6 hours: Forensic investigation pinpointed the exact entry point, giving the client a clear and actionable understanding of the breach.
  • Attack contained within 24 hours of first contact: Rapid identification and eradication of the threat actor’s presence before ransomware deployment or data exfiltration.
  • MITRE ATT&CK mapping across 8 tactics: Providing the client with a clear, structured foundation for prioritizing remediation and strengthening defenses.
  • Critical security gaps identified and addressed: Exposing the absence of continuous monitoring as a key factor in the attacker’s ability to operate undetected for three days.

Our solution

Within a short time of first contact, CyberProof’s Digital Forensics and Incident Response (DFIR) team was engaged, and immediately began a structured investigation, underpinned by a rigorous forensic methodology.  

All attacker activity was mapped to the MITRE ATT&CK framework across eight tactics, providing a structured, authoritative account of the threat actor’s techniques and procedures from initial access through to the point of containment. 

Initial Access  

The investigation pinpointed the entry point as the company’s SonicWall SSL-VPN. The threat actor had exploited a known misconfiguration in the device, bypassing mandatory two-factor authentication and leveraging a service account tied to the SonicWall appliance.

Reconnaissance  

Once inside, the attacker conducted systematic internal scanning to identify accessible servers and accounts, probing multiple hosts and credentials to map the environment and identify targets for further exploitation. 

Lateral Movement  

The attacker moved extensively across the network using a combination of RDP sessions, pass-the-hash techniques, and automated tooling, accessing multiple servers and using both compromised user accounts and administrator credentials to expand their foothold. 

Credential Access  

The attacker targeted the company’s Veeam backup server, executing SQL commands against the backup database in an attempt to harvest stored credentials for further use across the environment. 

Persistence and Privilege Escalation  

A new local administrator account was created on compromised servers, and multiple attempts were made to add compromised accounts to the Domain Admins group. This would establish a durable foothold designed to survive remediation efforts. 

Defense Evasion  

The attacker made repeated attempts to disable Microsoft Defender across multiple systems, modifying registry settings, excluding file paths from scans, and shutting down the Windows firewall to reduce visibility and hinder detection. 

Containment   With the full attack path established, CyberProof moved swiftly to eradicate the threat actor’s presence from the environment.  Critically, the investigation confirmed that no data exfiltration had taken place at the time of containment, significantly limiting the business impact. 

Results

Working with CyberProof’s DFIR team, the root cause was identified within 6 hours, and the attack was fully contained within 24 hours. Critical security gaps were uncovered and addressed, proving immediate value. The successful resolution of the incident marked the beginning of an ongoing relationship. Having experienced firsthand the value of CyberProof’s investigative depth, speed of response, and clarity of communication under pressure, the client chose to engage CyberProof as their managed security partner. They subsequently signed an MDxR (Managed Detection and Extended Response) agreement, giving them 24/7 continuous monitoring, threat detection and response.

Speak with an expert

Explore how CyberProof can help you respond in real-time to an active incident in hybrid and cloud-native environments.

SPEAK WITH AN EXPERT