It’s any business leader’s worst nightmare: A cyberattack that paralyzes their entire company, from top to bottom, leading to work stoppages, delivery delays, and devastatingly high costs. Over the years, Xantrion has been called multiple times to help different companies reeling from cyberattacks. Each time, Xantrion has helped them get back on their feet.
In the interview below, Xantrion Chief Technology Officer Christian Kelly explains the anatomy of one such attack on a food and beverage business and how it transformed the company’s approach to cybersecurity.
Q: Why did the food and beverage company contact Xantrion for help?
A: They contacted us for help after company executives woke up one weekend only to discover all their servers, all their endpoints, and essentially all their systems were encrypted. They had fallen victim to a CryptoLocker attack.
Q: What’s a CryptoLocker attack? Is it different from a data breach?
A: The object of a CryptoLocker attack is to shut down the target’s operation by encrypting their computer systems, and then demanding a ransom to restore operations. In contrast, in a data breach, criminals steal a company’s data, copying it to their own systems, and then blackmail the firm with the threat of releasing sensitive information. Criminals will often combine these two attacks, denying a company access to its own information while at the same time threatening to release it to the public.
Q: What consequences did the company suffer?
A: Unfortunately, the consequences that the company suffered were huge. There was a full work stoppage for at least a week, while their production lines were down. Business capabilities, like taking orders and processing invoices, were impacted for multiple weeks. They were down to pen and paper and taking orders over the phone – slower, antiquated ways of working. The total recovery cost was millions of dollars.
Q: How did hackers access the company’s system?
A: Determining the exact path hackers take to break into a company’s system can be difficult. What we do know in this case is that forensic investigators found a strain of malware and the assumption is that it came in through a phishing link. Unfortunately, since the company’s internal controls at the time were lacking, through just one endpoint, the malware was able to move laterally and infect all their systems.
Q: Could the types of protections Xantrion puts in place for clients have prevented that attack?
A: The protections that Xantrion provides for customers are very powerful. That said, I’m careful about saying with 100% certainty that we could have prevented this attack because even if you do all the right things, we can’t say that something like this could never happen. It can always happen. That said, we’re confident that the controls we typically put in place would have made the chances of an attack like this succeeding much, much lower.
Q: What measures does Xantrion take to spot and stop such incursions?
A: Xantrion puts together a comprehensive set of measures to prevent hackers from accessing our clients’ systems. Those who try confront six or seven layers of protection. First, there is phishing and malware protection at the email level, which would stop the email with the phishing link from even hitting the user’s inbox. If that failed, there’s the layer of protection stemming from user training – we ensure that our clients’ employees take part in regular training and testing to identify suspicious emails. If that fails and a user clicks on the phishing link, the next layer of protection would block the user from actually navigating to the link and surface a warning message instead.
If that fails, and the user inadvertently downloads malware, Endpoint Detection and Response (EDR) software should kick in. It identifies suspicious activity, such as malware scanning the network. It can also isolate the infected device from the rest of the network and stop the malware from moving laterally. During multiple points in this entire process, we — the client’s vCIO and dedicated team at Xantrion — would be notified of what’s going on. Between all those layers of protection and having a managed security services provider (MSSP) watching the information coming off of those layers and taking action… knock on wood, anyone who has all of that in place hasn’t sustained that type of attack.
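The EDR layer described above rests on one detection idea: a single endpoint that suddenly reaches many distinct internal hosts on administrative ports is behaving like malware scanning the network, and the right response is to isolate that endpoint and page the people watching. The script below is an added illustration of that logic and is not Xantrion’s tooling or any vendor’s EDR; the telemetry, the host names (wks-17, wks-22), the 20-destination threshold, the 60-second window and the notification targets are all constructed for the example.

```python
"""Toy EDR-style detector for "malware scanning the network" with an isolate decision.

Added illustration only; not Xantrion's tooling or any vendor's EDR logic. The input is
constructed connection telemetry of the kind an endpoint agent or firewall would emit.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Ports used for host-to-host administration inside a Windows network. One endpoint opening
# these to many distinct peers in a short span is a lateral-movement signal.
LATERAL_PORTS = {135, 139, 445, 3389, 5985, 5986}
SCAN_THRESHOLD = 20             # distinct destinations that trips the rule (assumed value)
WINDOW = timedelta(seconds=60)  # sliding window over which destinations are counted


@dataclass
class Verdict:
    host: str
    distinct_targets: int
    first_seen: str
    isolate: bool    # containment: cut the endpoint off from the rest of the LAN
    notify: tuple    # who gets paged; labels are constructed placeholders


def build_sample_events(scan_interval_seconds=1):
    """Constructed telemetry: (timestamp, source host, destination IP, destination port).
    wks-22 behaves normally; wks-17 sweeps 40 neighbours on SMB, one every
    `scan_interval_seconds` seconds."""
    base = datetime(2024, 1, 6, 2, 0, 0)
    events = []
    for i in range(5):  # normal: the same file server and printer, repeatedly
        events.append((base + timedelta(seconds=10 * i), "wks-22", "10.0.0.5", 445))
        events.append((base + timedelta(seconds=10 * i + 3), "wks-22", "10.0.0.9", 9100))
    for i in range(40):  # scan: a new internal host on port 445 each interval
        ts = base + timedelta(seconds=i * scan_interval_seconds)
        events.append((ts, "wks-17", f"10.0.0.{100 + i}", 445))
    return sorted(events)


def detect_scans(events, threshold=SCAN_THRESHOLD, window=WINDOW, ports=LATERAL_PORTS):
    """Flag every source host that reaches >= `threshold` distinct destinations on
    lateral-movement ports within any `window`-long span. Returns {host: Verdict}."""
    recent = defaultdict(deque)  # host -> deque of (timestamp, destination) inside the window
    verdicts = {}
    for ts, host, dst, port in sorted(events):
        if port not in ports:
            continue
        q = recent[host]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # drop events that have aged out of the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and host not in verdicts:
            verdicts[host] = Verdict(
                host=host,
                distinct_targets=len(distinct),
                first_seen=q[0][0].isoformat(),
                isolate=True,
                notify=("mssp-soc", "client-vcio"),  # constructed labels
            )
    return verdicts


if __name__ == "__main__":
    for v in detect_scans(build_sample_events()).values():
        print(f"{v.host}: {v.distinct_targets} peers since {v.first_seen} "
              f"-> isolate={v.isolate}, notify={v.notify}")
```

Running it flags wks-17 at the twentieth distinct peer while wks-22, which talks to the same two servers over and over, is never flagged. Calling `build_sample_events(scan_interval_seconds=10)` spreads the same sweep over several minutes and the rule stays silent, which is the familiar trade-off behind any windowed count: a slower, quieter scan needs a longer window or a different signal to catch.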
Q: How did Xantrion help the food and beverage company recover?
A: Xantrion undertook a massive, meticulous effort to get the company back up and running. All of their infrastructure was on premises, so we made the decision to rebuild in the cloud. It was a five-alarm fire for multiple weeks where we essentially rebuilt everything from scratch. It forced a refresh of the company’s technical environment, which, on its face, isn’t necessarily a bad thing, but the impact on the business was high.
Q: Does the company now use Xantrion as its managed security services provider?
A: Yes, and we’re very happy to have the company as a client. We’ve implemented all the layers of protection I described earlier, as well as other security measures. They’ve been our client for several years and I’m proud to say that they haven’t experienced any major cybersecurity incidents in that time.
Q: As cyberthreats continue to evolve in sophistication, what are the top three things every company should have in place as part of an incident prevention strategy?
A: When it comes to your incident prevention strategy, it’s important to have priorities. You’ll want a cybersecurity program that includes managed endpoint protection as well as managed identity. That, in tandem with active monitoring, is powerful protection. By active monitoring, I mean working with a partner like us to watch activity and system information around the clock. With those three elements in place, you can spot early signs of attack and likely get ahead of it before it turns into something bigger.
If your company is ready to work with a managed security services provider, Xantrion is here to help. Our IT experts have helped hundreds of small and medium-sized businesses reduce IT support costs, improve cybersecurity and increase productivity. Contact us today to learn more.