GuardYoo meets tough deadlines and delivers critical cybersecurity findings for a nationwide telecommunications company
The customer is the monopoly telephone company of a country of 30+ million people, also active in the internet service provider and mobile markets. Over 24,000 employees operate and develop an extensive IT infrastructure built on top of legacy hardware and outdated software.
Aside from offering multiple services such as telephony, data transmission, internet, cloud services and DDoS protection, the company also plays a crucial role in establishing and operating digital connections between ministries, government agencies and local authorities across the country. As the provider of the digital network platform for the national elections, the company needed to make sure that its cybersecurity specialists had full control over the complex and widely distributed infrastructure and did not miss any potential violation.
Detecting behavioral anomalies within IT and ICT systems is a challenging, nontrivial task in infrastructures this complex.
The GuardYoo compromise assessment was chosen as a tool to bring more visibility into the infrastructure and answer critical questions:
Is the IT infrastructure compromised, and do adversaries have hidden access to the network?
Are there defective IT management practices in place?
Are there unknown assets, apps and remote connections in use in the company?
The GuardYoo CA (compromise assessment) platform made it possible to process large volumes of logs within hours instead of weeks or even months, and to retrospectively detect behavioral anomalies around employees, services, apps and network traffic.
Using the GuardYoo log collector, the customer was able to gather hundreds of gigabytes of diverse logs and other artifacts from across the infrastructure within one week.
GuardYoo is hosted on AWS, and the data storage is protected with strong encryption and two-factor authentication.
Once the data was uploaded to the GuardYoo Cloud, the customer could manage it within their personal account area and track the data quality and validation process. Normalization algorithms prepared the data for analysis and passed the output to the GuardYoo engine.
After the data analysis and machine learning processes finished and the raw findings became available, security data analysts manually validated the findings, added context, and handed the results to the Threat Hunting team, which finalized the report.
The final report was delivered in PDF format. It included all major metrics describing the quality and quantity of the data uploaded, and indicated the kind and degree of risk associated with each finding.
Multiple missed brute-force attacks
Use of vulnerable authentication protocols
User account management policy violations
Plaintext passwords in logs
Multiple uses of unauthorized remote access apps
Multiple uses of unauthorized PsExec
Detection of different types of malware: Trojans, coin miners, WannaCry, etc.
Detection of different types of ransomware
Unauthorized deletion of Windows logs
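Three of the findings above (brute-force attacks, unauthorized PsExec use and unauthorized log deletion) can be reproduced from Windows event logs with a small amount of retrospective detection logic. The following is an added example, not GuardYoo's engine or code from the case study: the event records are constructed, the field names follow the Windows event data (4625/4624 logon events, 7045 service installation, 1102/104 log clearing) with a simplified "Time" key, and the thresholds and the approved-account list are assumptions.

```python
"""Retrospective detection over Windows event records for three finding types:
external brute force (with a later success from the same source, i.e. a likely
compromised account), unauthorised PsExec use, and audit-log clearing.
Added example, not GuardYoo's engine. Events are already-parsed dicts; the
records below are CONSTRUCTED, not the customer's logs."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sample records. "Time" is an assumed simplification of
# TimeCreated; "SubjectUserName" on 7045/1102 stands for the acting user.
SAMPLE_EVENTS = [
    # ten failed logons (4625) from one external address within 45 seconds ...
    *[{"EventID": 4625, "Time": "2021-03-01T02:00:%02dZ" % (i * 5), "Computer": "DC01",
       "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7"} for i in range(10)],
    # ... followed by a successful network logon (4624) from the same address
    {"EventID": 4624, "Time": "2021-03-01T02:01:10Z", "Computer": "DC01",
     "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7", "LogonType": 3},
    # one mistyped password from an internal workstation: noise, must not fire
    {"EventID": 4625, "Time": "2021-03-01T09:14:00Z", "Computer": "DC01",
     "TargetUserName": "j.doe", "IpAddress": "10.20.30.40"},
    # PsExec installs its service on the target host: System log event 7045
    {"EventID": 7045, "Time": "2021-03-01T02:03:00Z", "Computer": "FS01",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe",
     "SubjectUserName": "svc_backup"},
    # the same tool used by an approved administrator account: allowed
    {"EventID": 7045, "Time": "2021-03-01T11:00:00Z", "Computer": "APP02",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe",
     "SubjectUserName": "adm.ops"},
    # Security log cleared (1102): always a finding, whoever did it
    {"EventID": 1102, "Time": "2021-03-01T02:05:00Z", "Computer": "FS01",
     "SubjectUserName": "svc_backup"},
]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with `threshold` or more 4625 failures inside `window`.
    For each, list accounts that then logged on successfully (4624) from the
    same IP after the last failure: those passwords must be changed."""
    fails = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            fails[e.get("IpAddress", "-")].append(parse_time(e["Time"]))
    findings = {}
    for ip, times in fails.items():
        times.sort()
        # sliding window over the sorted failure times (thresholds are assumed)
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if not burst:
            continue
        last_fail = times[-1]
        later_success = {e["TargetUserName"] for e in events
                         if e["EventID"] == 4624 and e.get("IpAddress") == ip
                         and parse_time(e["Time"]) > last_fail}
        findings[ip] = {"failures": len(times),
                        "compromised_accounts": sorted(later_success)}
    return findings


def detect_psexec(events, approved_accounts=frozenset()):
    """7045 service installs that look like PsExec, by accounts not approved
    to use it. PsExec's -r switch renames the service, so the image path is
    checked as well; a fully renamed copy needs other indicators."""
    hits = []
    for e in events:
        if e["EventID"] != 7045:
            continue
        name = e.get("ServiceName", "").upper()
        path = e.get("ImagePath", "").upper()
        if "PSEXESVC" in name or "PSEXESVC" in path:
            if e.get("SubjectUserName") not in approved_accounts:
                hits.append((e["Computer"], e.get("SubjectUserName")))
    return hits


def detect_log_clearing(events):
    """1102 = Security log cleared, 104 = System/Application log cleared.
    Record who did it so the finding is actionable."""
    return [(e["Computer"], e["EventID"], e.get("SubjectUserName"))
            for e in events if e["EventID"] in (1102, 104)]


def analyze(events, approved_psexec_accounts=frozenset()):
    return {"bruteforce": detect_bruteforce(events),
            "psexec": detect_psexec(events, approved_psexec_accounts),
            "log_clearing": detect_log_clearing(events)}


if __name__ == "__main__":
    for kind, result in analyze(SAMPLE_EVENTS, {"adm.ops"}).items():
        print(kind, result)
```

The brute-force rule deliberately ignores the single failure from the internal workstation and keys on a burst from one source, and it reports a successful logon that follows the burst separately, because that is what turns "attack observed" into "account to reset". The PsExec rule depends on an allow-list of who may use the tool, which is exactly the control the case study found missing.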
More than ten categories of mission-critical and five types of business-critical cyber threats were detected.
The sheer number of remote connection apps, including disallowed tools, and their chaotic usage made detecting security control violations difficult.
Hundreds of external brute-force attacks were detected; these had to be investigated further, and the passwords of the compromised user accounts had to be changed.
Some vulnerable legacy authentication technologies were revealed that must be upgraded immediately. User account management findings, especially the settings of newly created accounts and short-term password changes, pointed to violations of user management policies that needed to be investigated as soon as possible.
“We were amazed by how accurate and quick GuardYoo’s detection was, and how explicit the findings were. For years we were searching for information security violations, while GuardYoo in just a couple of days gave us better results than we could expect.”
The GuardYoo cyber health check-up revealed that the cyber threats, and the associated operational, legal and reputational risks faced by the customer, were above average.
At the same time, given the maturity level of the existing cybersecurity controls, the quantity and diversity of remote access tools, and capacity constraints, the probability that the customer's security team would fail to detect an APT attack was also assessed as high.
Using GuardYoo's detailed recommendations, the customer was able to significantly reduce major risks by tuning the existing infrastructure and cybersecurity technologies and minimizing potential attacker dwell time.
The customer adopted the long-term action plan suggested by GuardYoo, supported by a risk analysis of the detected gaps in technologies and processes, as the basis for a new roadmap for cybersecurity improvement and capacity building.