Back to Blog

Case study: How Cybereason helped a major software company discover and shutdown an APT that escaped detection for almost one year

A global technology company knew something was off in its IT environment but could not find evidence to support its suspicions. The organization, which has annual revenue in the billions of dollars, believed an outside entity had accessed large repositories of sensitive and proprietary information, potentially compromising customer data and intellectual property.

However, the company only had a few vague indications that something was awry. Without concrete evidence to use as a starting point for incident response, the security team was preparing for a cold hunting exercise.

The organization decided to deploy Cybereason’s endpoint sensors to tens of thousands of endpoints to determine if its defenses had been infiltrated. The platform quickly confirmed the company's hunch: an advanced persistent threat had broken through its defenses nearly a year earlier. Cybereason figured out that hackers were using tools built-in to Windows, like Windows Management Instrumentation (WMI), to move laterally to other machines in the organization. Hackers often use this deceptive tactic since traditional security programs don't flag activities carried out by known tools. Cybereason, though, is designed to detect this type of behavior.

Ultimately, hackers compromised 12 of our customer's machines, including a domain controller. The organization, suspecting it had been hacked, recently had its employees change their email log-in credentials, a move that proved useless since hackers had access to the server where this data was held.

To learn what other Windows tools the hackers used to carry out this advanced persistent threat (APT) attack and how Cybereason helped the organization's security manager sleep at night, read our case study.