
NormCyber helps investment company fight off ransomware attack before reducing its long-term exposure to cyber risk.
The challenge
The nature of this organisation’s business – investing in key public services – means that it takes a cautious approach to managing risk. It was against this backdrop that, in 2023, it decided to recalibrate its cyber security strategy and look for a specialist managed security service provider, which could relieve pressure on its internal IT team by taking care of round-the-clock monitoring. This initiative was part of a broader digital transformation programme aimed at helping the investment fund build a more agile, resilient, and secure infrastructure. However, at the beginning of 2024 – before this new strategy had been fully rolled out – the fund found itself facing a much more serious challenge. It was notified by the National Cyber Security Centre (NCSC) that there was evidence that hackers had infiltrated its network. Immediate action was required to lock down operations and minimise further damage.
The organisation needed to act quickly and decisively to appoint specialist incident responders with the necessary experience and expertise to guide it through this rapidly unfolding crisis.
Selecting the right incident response team
With no time to waste, the company’s internal IT and operations team prioritised selecting an incident response team which could take immediate action. However, it was also conscious that the partner needed to be one it could trust, offering the appropriate level of support.
Over the course of just a few hours, the team drew up a shortlist of three organisations from the NCSC's list of assured Cyber Incident Response (CIR) service providers, setting up 20-minute meetings to assess their capabilities. While all these service providers are assured by the NCSC to deliver CIR to a prescribed standard, this call would provide a sense of how each candidate would steer the organisation through this emergency.
NormCyber – which is a level 2 assured CIR service provider – was already known to the organisation. It was therefore invited to the selection process alongside two other CIR assured companies.
During this initial call, it became clear that Norm didn’t just have the skills but was the ideal partner to navigate through the incident.
As the company’s Managing Director of Business Support, who oversees IT, explains: “It was immediately obvious to us that our incident would be NormCyber’s top priority. The company had the full team on the call – including the CTO – so we could see that we would receive strategic business support, not just access to their technical expertise; this gave us all a lot of confidence.”
Norm’s clear and transparent commercial terms were also a determining factor in the selection process. As the Managing Director of Business Support continues: “The terms of engagement were simple, fair and transparent. It was clear that Norm was a company we could trust as a business partner, which provided extra reassurance that it was the best team to steer us through this situation.”
Norm’s response process
Once the decision had been made to appoint Norm, its CIR team mobilised immediately, in line with the company’s commitment to respond to all breaches within just 15 minutes. The immediate priority was to shut down compromised systems, preventing the hackers from inflicting any further damage. The Norm team worked closely with the in-house team to gain access to all IT and security tools, before locking down the infrastructure and helping to contain the threat.
It also began an exercise to establish which systems had been impacted, assessing whether any sensitive data had been accessed or exfiltrated, and by whom. In parallel to this, Norm set up dark web monitoring, which would provide vital intelligence.
Norm’s immediate response plan extended far beyond a list of technical actions. It was available round-the-clock to provide the organisation with jargon-free insights, so the customer’s senior leadership team had a clear understanding of what was happening and could make quick and effective decisions. Norm also pulled in support from its Crisis Management PR partner, which provided strategic advice and written statements to help communicate the breach to impacted parties.
Mindful that it played a central role in delivering essential public services, the organisation elected to take a cautious approach to the response plan, considering the worst-case scenario every step of the way.
“We needed to err on the side of caution; we owed that to our customers, employees, shareholders and business partners. Norm played a pivotal role in our response, explaining the investigation findings in plain English so our non-technical leadership and board could understand how our wider business might be affected. Norm’s calm and easy-to-understand guidance accelerated our ability to make decisions at a time when speed really was of the essence,” continues the fund’s Managing Director of Business Support.
In addition to overseeing and interpreting the investigation process, the Norm CIR team retained control of the organisation's IT infrastructure, patching vulnerabilities, resetting systems and passwords, introducing new procedures and – when it was deemed safe to do so – gradually bringing the infrastructure back online.
No nation-state activity was discovered during the investigation process. Furthermore, while the criminal gang responsible for the attack demanded a ransom to restore operations, paying it was never a consideration, as there was no evidence of data having been encrypted, stolen, or posted to the dark web.
Working towards long-term security and stability
Once the incident was resolved, the organisation doubled down on its digital transformation objectives. This wide-scale programme would see the organisation move from on-premises infrastructure to a Microsoft Azure cloud-based environment. This migration would allow the organisation's employees and partners to access systems in a more flexible way, and enable the company to scale and pivot operations as required.
Cyber security would form a central pillar of this transformation programme. The company had previously taken a best-of-breed approach to vendor selection, choosing market-leading tools and solutions. While this approach brings benefits, it also creates challenges: the management overhead of configuring multiple solutions, and ensuring they interoperate, is high, especially for a small in-house team.
The organisation has now standardised on Microsoft, using the vendor’s integrated cyber security suite to simplify the way it safeguards its data, people and overall IT infrastructure. However, recognising that best practice cyber security requires more than tools, it has also appointed Norm to manage this environment.
A long-term Microsoft Security Solutions Partner, Norm has also attained a Microsoft security specialisation for Threat Protection, in recognition of its technical credentials and proven track record for deploying Microsoft’s suite of cyber security solutions within enterprise environments. This deep expertise in combination with the organisation’s experience of working alongside Norm, made it the obvious candidate to manage its ongoing security operations.
The organisation is now leveraging Norm's award-winning Managed Detection and Response (MDR) service, backed by its CREST-accredited UK Security Operations Centre (SOC). This enables the company to take a proactive approach to cyber security, and includes continuous monitoring, rapid detection and response, threat hunting, plus incident investigation and mitigation.
The benefits
From responding to the initial breach to managing its cyber security operations day-to-day, this organisation has seen considerable benefit in partnering with Norm.
As the Managing Director of Business Support concludes: “Our crisis situation was Norm’s bread and butter – its team was instrumental in minimising the disruption to our business and to our reputation and gave us clarity and reassurance at a time when we really needed it. It’s a team we could trust, and that’s why it made perfect sense to select Norm to manage our security operations on an ongoing basis. However, it offers us far more than round-the-clock monitoring. Instead, we have a partner which is committed to continuously enhancing our security posture so we’re in the best position possible to fend off future attacks.”