Unit 42 Secures Medical Device Manufacturer After Network Breach

The Incident Response team quickly contained the breach, identified vulnerabilities, and implemented robust security measures.

Results

  • 1 day to identify internet-exposed services and attack vectors via Cortex Xpanse®
  • 2 days to mitigate command and control (C2) activity and identify risky security policies using AIOps across 500 NGFWs
  • 2 days to identify harvested credentials and initiate hardening

The Client

Global medical device and equipment manufacturer

The Challenge

The client experienced a network intrusion related to a VPN vulnerability. Initial activity was detected due to brute-force attacks exploiting known vulnerabilities. Unit 42® was engaged to augment the client’s threat hunting and incident response efforts and help:

  • Identify impacted areas and additional compromises within their network.
  • Understand the scope of intrusion and implement containment measures.
  • Build remediation and recovery plans.

Unit 42’s Rigorous Incident Response Approach for Superior Outcomes

Assess

The initial assessment revealed an unpatched vulnerability in the client’s VPN, leading to the discovery of a significant breach within the network.

Investigate

Unit 42 found compromised domain controllers and, using Cortex Xpanse, identified exposed risks and additional security gaps.

Secure

Unit 42 advised immediate password resets, quarantining of affected systems, migration off the vulnerable VPN, and bolstering of perimeter defenses with NGFWs.

Recover

Restored compromised systems using known good configurations and conducted extensive vulnerability assessments.

Transform

Enhanced security via tech hardening, reducing attack surfaces, and improving policies, procedures, and personnel.

“We've used other companies in the past. This is probably my 400+ incident response. Honestly, the Unit 42 team is the best of the best.”

VP, Global Security


Resolution Timeline


Days 0 - 2
Crisis Intervention

Initial assessment revealed evidence of a threat actor achieving remote code execution and remote access.

Identified multiple compromised domain controllers and determined that domain admin credentials had been extracted.

Began credential reset on all impacted users, quarantined affected endpoints, and blocked C2 traffic using NGFW policies.

Days 3 - 5
Remediation

Utilized Cortex Xpanse to uncover additional security gaps, including numerous out-of-date VPNs and unmonitored RDP access points.

Began restoring compromised systems to known good configurations and conducted extensive vulnerability assessments.

Days 6 - 8
Restoration

Deployed additional Next-Generation Firewalls to enhance perimeter defenses.

Provided continuous guidance to ensure all measures were correctly implemented and effective.

Shared best practices for using AIOps on client’s NGFWs for better network hygiene and visibility.


Threat-informed Incident Response

With Unit 42 Incident Response, stay ahead of threats and out of the news. Investigate, contain, and recover from incidents faster and emerge stronger than ever, backed by the full power of the world’s leading cybersecurity company. Contact us to gain peace of mind.

Backed by the Industry’s Best

  • Threat Intel

    Extensive telemetry and intelligence for accelerated investigation and remediation.

  • Technology

    Palo Alto Networks platform for in-depth visibility to find, contain, and eliminate threats faster, with limited disruption.

  • Experience

    Trusted experts who mobilize quickly and act decisively in over 1K incidents per year.