ERP Software Developer Used GuardYoo to Secure a Major Update Release
A well-established, innovative software development company, founded in the late 1980s and employing 350 professionals today, serves clients around the globe, including major manufacturing companies that operate critical infrastructure assets. The organization’s flagship product is a comprehensive ERP solution used daily by more than 200K users worldwide. Because it serves many organizations that operate critical infrastructure facilities, the company follows strict rules and standards for its cybersecurity processes.
Among the customer’s clients are many organizations from the military, oil and gas, energy, and heavy industries that operate in densely populated regions; a cyber attack against them could cause large-scale consequences, from sabotage to environmental disaster and national security failure. In preparation for a major software update, the software developer needed to make sure its infrastructure was free from malicious presence and backdoors and could not be used by adversaries as a tool in a supply-chain type of attack.
GuardYoo compromise assessment technology and GuardYoo professional services were chosen to address the challenge. The customer needed not only to detect potential dormant malware or sleeping agents but also to verify whether any cybersecurity incidents had gone unnoticed in the past. Since the GuardYoo platform supports retrospective data analysis based on logs and temporary files, it fitted the customer’s needs well.
With a relatively small infrastructure and a high level of IT automation, the customer was able to gather all available logs in two days and upload the data to the GuardYoo cloud. GuardYoo’s normalization algorithms prepared the data for analysis and passed the output to the GuardYoo engine.
GuardYoo technology allowed additional data to be uploaded and acquired before, during and after the analysis, so further context could be added on the go and no critical finding was missed.
The whole infrastructure was mapped within the first 24 hours of the assessment, which immediately revealed misconfigurations and logical errors in the network segmentation that could be exploited as backdoors.
After the logs were collected, the rest of the assessment required no customer involvement, and the final report was presented on the same day the assessment process finished. The remediation recommendations from the GuardYoo Threat Hunting Team significantly enriched the report, which the customer adopted as its new cybersecurity development roadmap.
Seven categories of critical threats and six moderate threats were discovered and explained, including but not limited to:
Abnormal usage of PSEXEC on mission- and business-critical servers by potentially compromised accounts – a typical pattern pointing to a high probability that attackers had access to the infrastructure
Unencrypted authentication data accessible through an external connection
Multiple remote connection tools used without proper monitoring and control – a possible indication that unauthorized, hidden remote access to the infrastructure was available to attackers
Malware that had been dormant for 3+ months, indicating a potentially successful attack in the past
A critically large number of open administrative sessions between multiple servers
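The PsExec finding above is the kind of pattern a defender can check for in their own Windows System logs. PsExec installs a temporary service (PSEXESVC by default) on the target host, which Windows records as Event ID 7045, "A service was installed in the system". The following script is an added example, not GuardYoo’s code or the customer’s data: it parses constructed sample events in a simplified schema, keeps only service installs that look like PsExec, and flags any account outside an assumed allowlist that installed PsExec on critical servers, rating it "high" when one account touched several of them (the one-account-many-servers pattern the finding describes). The host inventory, allowlist and account names are all assumptions made for the example.

```python
"""Detect abnormal PsExec usage on critical servers from Windows System-log events.

PsExec installs a temporary service (PSEXESVC by default) on the target host;
Windows logs that as System Event ID 7045, "A service was installed in the
system". The sample events, the host inventory and the allowlist below are
constructed for this example.
"""
import json
from collections import defaultdict

# Assumed inventory of mission/business-critical servers (constructed names).
CRITICAL_SERVERS = {"erp-db01", "erp-app01", "build-srv01"}
# Assumed allowlist of accounts permitted to run PsExec against them.
APPROVED_ADMINS = {"CORP\\svc_deploy"}

# Constructed sample events, one JSON object per line, in a simplified schema
# (Computer, EventID, ServiceName, ImagePath, SubjectUser) rather than the
# full Windows XML event. Raw string so the JSON backslash escapes survive.
SAMPLE_EVENTS = r"""
{"Computer": "erp-db01",    "EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "SubjectUser": "CORP\\jdoe"}
{"Computer": "erp-app01",   "EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "SubjectUser": "CORP\\jdoe"}
{"Computer": "build-srv01", "EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "SubjectUser": "CORP\\jdoe"}
{"Computer": "erp-db01",    "EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "SubjectUser": "CORP\\svc_deploy"}
{"Computer": "erp-app01",   "EventID": 7045, "ServiceName": "Spooler",  "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe", "SubjectUser": "NT AUTHORITY\\SYSTEM"}
{"Computer": "ws-042",      "EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "SubjectUser": "CORP\\alice"}
{"Computer": "erp-db01",    "EventID": 7036, "ServiceName": "PSEXESVC", "ImagePath": "", "SubjectUser": ""}
"""


def parse_events(text):
    """Parse JSON-lines event text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_psexec_install(event):
    """True for a service-installation event (7045) whose service looks like PsExec's."""
    if event.get("EventID") != 7045:
        return False
    name = event.get("ServiceName", "").upper()
    path = event.get("ImagePath", "").upper()
    # Matches the default service name/binary only; a renamed PsExec service
    # needs other signals (e.g. named-pipe or binary-hash based detections).
    return name == "PSEXESVC" or "PSEXESVC" in path


def find_abnormal_psexec(events, critical_servers, approved_admins, threshold=2):
    """Group PsExec installs on critical servers by the installing account.

    Returns {account: {"hosts": [...], "severity": "high" | "medium"}} for every
    account outside the allowlist. Severity is "high" when one account has
    installed PsExec on at least `threshold` distinct critical servers, the
    one-account-many-servers pattern typical of lateral movement.
    """
    hosts_by_account = defaultdict(set)
    for ev in events:
        if not is_psexec_install(ev):
            continue
        host = ev.get("Computer", "")
        account = ev.get("SubjectUser", "")
        if host in critical_servers and account not in approved_admins:
            hosts_by_account[account].add(host)

    findings = {}
    for account, hosts in hosts_by_account.items():
        severity = "high" if len(hosts) >= threshold else "medium"
        findings[account] = {"hosts": sorted(hosts), "severity": severity}
    return findings


if __name__ == "__main__":
    results = find_abnormal_psexec(parse_events(SAMPLE_EVENTS), CRITICAL_SERVERS, APPROVED_ADMINS)
    for account, finding in results.items():
        print(f"[{finding['severity'].upper()}] {account} installed PsExec on: "
              f"{', '.join(finding['hosts'])}")
```

On the constructed sample the script reports one high-severity finding for CORP\jdoe across three critical servers, ignores the allowlisted deployment account and the non-critical workstation, and skips the Spooler install and the 7036 state-change event. The allowlist is what turns "PsExec was used" into "PsExec was used abnormally"; without an inventory of who is expected to run it where, every hit has to be triaged by hand.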
Because the findings were classified as highly dangerous, the customer’s IT and IT security teams immediately implemented the necessary improvements.
“Our huge gratitude to the GuardYoo team for a nearly instant compromise assessment service.
We were very impressed with the fact that our urgent tasks could be solved so quickly and in such an elegant manner”
The compromise assessment report delivered by GuardYoo enabled a critically important review and update of the company’s cybersecurity strategy and tactics. It helped the company better prioritize technology integration projects: certain integrations were postponed, while other technologies that had not initially been planned as priority projects, such as Privileged Session Management, were reprioritized as urgent.
The compromise assessment report provided significantly more relevant results than the penetration tests and IT-infrastructure settings reviews the customer had regularly practiced before.
The company decided to conduct compromise assessments regularly as complete cyber health check-ups.