Express Delivery Company
Detects and Stops Intrusion with GuardYoo
The company employs more than 25000 employees and operates close to 3000 service offices and automated parcel terminals.
The company has developed a complex and diverse infrastructure of 18000 workstations, plus legacy hardware and software that has gradually accumulated over more than 15 years of operation.
The newly appointed CIO and CISO needed a clear, holistic picture of the company’s cybersecurity posture and an in-depth understanding of the gaps that had to be fixed in order to manage IT infrastructure development in support of further business expansion and a new service concept.
To conduct an advanced cybersecurity assessment, the company required a toolset that would complement its existing cybersecurity technologies without requiring costly and time-consuming integrations and technical support.
The organization decided to undertake its first complete cyber health check-up. For this purpose, GuardYoo compromise assessment technology was selected as the only solution capable of meeting the quality, time and cost requirements and quickly delivering:
Full asset & application discovery
Detection of cyber threats and indicators of compromise
Diagnosis of flaws in IT and cybersecurity operations that needed to be fixed
Technical evidence of compliance measures in place and deviations that needed to be corrected
Using GuardYoo artefact collection instruments, the customer collected hundreds of gigabytes of logs and other data required for the detection of behavioral anomalies around employees, services, applications, and network traffic.
Once the data was uploaded to the AWS cloud, which is protected with strong encryption algorithms and two-factor authentication, the customer was able to manage the data within a personal account area and track the data quality and validation process. Normalization algorithms prepared the data for analysis and passed the output to the GuardYoo core engine. Once the data analysis and machine learning processes were complete and the processed data and raw findings became available, security data analysts manually validated the findings, added context, and transferred the results to the Threat Hunting team, which finalized the report.
The final report was delivered in PDF format. It included all important metrics describing the quality and quantity of the data uploaded, as well as the kinds and degrees of risk associated with each finding. Key findings included:
Direct communication between external addresses and organization’s hosts
Large numbers of BSODs
Multiple PSEXEC tool launches
Frequent usage of potentially dangerous software (e.g. TeamViewer, Ammyy Admin)
Different types of Spyware detected
Evidence of data deletion in the Windows event logs
As a result of the complete cyber health check-up, the company received a full and accurate infrastructure topology of all assets and applications; ten categories of mission- and business-critical cyber threats and indicators of compromise were detected; and several significant flaws in IT and cybersecurity operations that needed to be fixed immediately were discovered. Strategic long-term recommendations and rapid remediation actions were proposed.
The discovered direct communication between external addresses and the company’s hosts was scrutinized, and evidence of intrusions was detected.
Frequent use of potentially dangerous software (e.g., TeamViewer, Ammyy Admin) indicated the possibility of unauthorized, hidden remote access to the infrastructure that bypassed protection.
Numerous cases of PSEXEC usage indicated potentially compromised accounts and attacker access to infrastructure resources.
Records of data deletion in the Windows event logs could be a sign of attempts to hide evidence of malicious activity.
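The four host-based findings above (event log clearing, PSEXEC launches, remote-administration tools, repeated BSODs) all leave traces in standard Windows event logs. The following script is an added illustration of how a defender can triage exported events for those traces; it is not GuardYoo's code and does not reflect how the GuardYoo engine works. The event IDs it keys on are documented Windows IDs (Security 1102 and System 104 for log clearing, System 7045 for service installation, Security 4688 for process creation, System 1001 for a BugCheck record). The JSON-lines input format, the host names, the remote-tool binary names and the BSOD threshold are all assumptions made for the example; the sample events are constructed.

```python
import json
from collections import Counter

# Documented Windows event IDs used as triage keys.
SECURITY_AUDIT_LOG_CLEARED = 1102  # Security: "The audit log was cleared"
SYSTEM_EVENT_LOG_CLEARED = 104     # System: an event log was cleared
SERVICE_INSTALLED = 7045           # System: a service was installed
PROCESS_CREATED = 4688             # Security: a new process has been created
BUGCHECK = 1001                    # System: BugCheck record written after a crash (BSOD)
BUGCHECK_PROVIDERS = {"BugCheck", "Microsoft-Windows-WER-SystemErrorReporting"}

# Binaries of the remote-administration tools named in the report.
# Assumption: these are the file names the tools commonly run under.
REMOTE_ADMIN_TOOLS = {"teamviewer.exe", "tv_w32.exe", "aa_v3.exe"}

# Assumption: per-host crash count treated as "large numbers of BSODs".
BSOD_THRESHOLD = 3

# Constructed sample export: one JSON object per line (raw string so the
# JSON escapes for Windows paths survive intact).
SAMPLE_EVENTS = r"""
{"time":"2021-03-01T11:00:00Z","host":"WS-0142","channel":"System","event_id":1001,"provider":"Microsoft-Windows-WER-SystemErrorReporting","data":{}}
{"time":"2021-03-02T11:30:00Z","host":"WS-0142","channel":"System","event_id":1001,"provider":"Microsoft-Windows-WER-SystemErrorReporting","data":{}}
{"time":"2021-03-03T08:45:00Z","host":"WS-0142","channel":"System","event_id":1001,"provider":"BugCheck","data":{}}
{"time":"2021-03-03T08:45:00Z","host":"WS-0500","channel":"System","event_id":1001,"provider":"Microsoft-Windows-WER-SystemErrorReporting","data":{}}
{"time":"2021-03-04T02:11:08Z","host":"WS-0142","channel":"Security","event_id":1102,"data":{"SubjectUserName":"jdoe"}}
{"time":"2021-03-04T02:12:30Z","host":"SRV-DC01","channel":"System","event_id":104,"provider":"Microsoft-Windows-Eventlog","data":{"SubjectUserName":"svc_backup","Channel":"Application"}}
{"time":"2021-03-04T02:15:41Z","host":"SRV-FILE01","channel":"System","event_id":7045,"data":{"ServiceName":"PSEXESVC","ImagePath":"%SystemRoot%\\PSEXESVC.exe"}}
{"time":"2021-03-04T02:16:00Z","host":"SRV-FILE01","channel":"System","event_id":7045,"data":{"ServiceName":"Backup Agent","ImagePath":"C:\\Program Files\\Backup\\agent.exe"}}
{"time":"2021-03-04T09:01:12Z","host":"WS-0377","channel":"Security","event_id":4688,"data":{"SubjectUserName":"jdoe","NewProcessName":"C:\\Program Files\\TeamViewer\\TeamViewer.exe"}}
{"time":"2021-03-04T09:02:00Z","host":"WS-0377","channel":"Security","event_id":4688,"data":{"SubjectUserName":"jdoe","NewProcessName":"C:\\Windows\\System32\\notepad.exe"}}
"""


def load_events(lines):
    """Parse JSON-lines event records, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def analyze(events):
    """Return the four finding categories as lists of (host, detail, ...) tuples."""
    findings = {"log_cleared": [], "psexec": [], "remote_admin_tool": [], "frequent_bsod": []}
    bsods = Counter()
    for ev in events:
        host, eid, channel = ev.get("host", "?"), ev.get("event_id"), ev.get("channel", "")
        data = ev.get("data", {})
        if (channel == "Security" and eid == SECURITY_AUDIT_LOG_CLEARED) or \
           (channel == "System" and eid == SYSTEM_EVENT_LOG_CLEARED):
            # Evidence of data deletion in the event logs: who cleared which log, when.
            findings["log_cleared"].append((host, data.get("SubjectUserName", "?"), ev.get("time")))
        elif channel == "System" and eid == SERVICE_INSTALLED:
            # PsExec installs its remote service under the name PSEXESVC.
            name = data.get("ServiceName", "").lower()
            path = data.get("ImagePath", "").lower()
            if "psexesvc" in name or "psexesvc" in path:
                findings["psexec"].append((host, data.get("ImagePath"), ev.get("time")))
        elif channel == "Security" and eid == PROCESS_CREATED:
            # Compare only the file name so install location does not matter.
            image = data.get("NewProcessName", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
            if image in REMOTE_ADMIN_TOOLS:
                findings["remote_admin_tool"].append((host, data.get("SubjectUserName"), image))
        elif channel == "System" and eid == BUGCHECK and ev.get("provider") in BUGCHECK_PROVIDERS:
            bsods[host] += 1
    findings["frequent_bsod"] = [(h, n) for h, n in bsods.items() if n >= BSOD_THRESHOLD]
    return findings


if __name__ == "__main__":
    for category, hits in analyze(load_events(SAMPLE_EVENTS.splitlines())).items():
        print(f"{category}: {len(hits)}")
        for hit in hits:
            print("   ", hit)
```

In the constructed sample the same workstation shows a cluster of crashes followed by a cleared Security log, which is exactly the kind of per-host correlation that turns isolated counts into something worth handing to a threat-hunting team. In a real engagement the events would come from an exported EVTX or a SIEM rather than an embedded string, and the thresholds and tool names would be tuned to the environment.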
“As a newly appointed CISO, I had an urgent need for an accurate picture of the company’s IT infrastructure. Without GuardYoo automated compromise assessment this would have taken months of hard work. The GuardYoo compromise assessment report gave me a precise understanding of what needed to be done immediately, and how, to fix security flaws and proceed with the infrastructure security development.”
CISO, Express Delivery Company
The results of the compromise assessment proved that the current level of cybersecurity was below average and the probability of not detecting the next attack was high.
The findings of this assessment were invaluable for the newly appointed information security management team, as they provided a clear picture of the company’s cybersecurity posture and an in-depth understanding of the gaps that needed to be fixed.
Following the recommendations from GuardYoo, the company significantly reduced critical risks, corrected cybersecurity operations, and minimized possible dwell time. The information security department was able to support further company growth and development.