Background
An EU-headquartered pharmaceutical company operating across eight countries, spanning the EU, SEE, CIS, and APAC regions, faced escalating cyber threats. It was subjected to continuous attack attempts that critically threatened its digital assets, its infrastructure, and the integrity and confidentiality of its sensitive data.
Challenge
The company leverages a blend of its own infrastructure and Microsoft Azure services to maintain its competitive edge and ensure seamless operations. The continuous attack attempts used leaked account credentials and openly exposed services, and included sophisticated attempts aimed at compromising the Active Directory Federation Services (ADFS) deployment that the company runs specifically for Azure integration. Microsoft Sentinel was initially used but was ineffective at preventing these advanced attack attempts.
Solution
Custom-made digital honeytraps, built by cloning customer-specific devices and services, were deployed across the Customer's cyber attack surface, with a few traps in each of the eight countries. They were designed as decoys to attract and confuse attackers and to learn their behaviours, patterns, tactics and IP addresses. The Customer also integrated its perimeter controls, based on Barracuda, Cisco Firepower and Palo Alto NGFW technologies, with our advanced threat feeds, which are tailored from the real-time data disclosed by the honeytraps. This significantly enhanced the Customer's ability to identify and respond to known and unknown threats in real time.
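To make the honeytrap-to-firewall loop described above concrete, here is an added example (not the vendor's or the Customer's code) of the core step: turning raw decoy hits into a block feed in the plain one-address-per-line shape that NGFW external lists consume. The log format, decoy names, event weights, TTL, threshold, and customer address ranges are all hypothetical assumptions; the log lines are constructed sample data. The example also shows two checks a practitioner would want in such a feed: stale attacker addresses age out, and the customer's own ranges can never end up on the blocklist.

```python
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in a hypothetical "key=value" format a decoy
# might emit. These are not real customer data.
SAMPLE_HITS = """\
2024-05-01T10:00:00Z decoy=adfs-clone src=203.0.113.10 event=login-attempt user=j.doe
2024-05-01T10:00:04Z decoy=adfs-clone src=203.0.113.10 event=login-attempt user=j.doe
2024-05-01T10:00:09Z decoy=adfs-clone src=203.0.113.10 event=login-attempt user=a.smith
2024-05-01T11:30:00Z decoy=rdp-clone src=198.51.100.7 event=connect
2024-05-01T11:30:02Z decoy=smb-clone src=198.51.100.7 event=connect
2024-05-01T12:00:00Z decoy=web-clone src=192.0.2.44 event=http-probe path=/.env
2024-04-20T09:00:00Z decoy=adfs-clone src=198.51.100.200 event=login-attempt user=admin
2024-05-01T12:05:00Z decoy=web-clone src=10.20.30.40 event=http-probe path=/healthz
"""

# Constructed "current time" for the sample run.
NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)

# Hypothetical weights: a credential attempt against the ADFS decoy is targeted
# behaviour; a bare connect or HTTP probe is closer to generic scanning.
EVENT_WEIGHT = {"login-attempt": 10, "connect": 3, "http-probe": 1}
MIN_SCORE = 5                   # hypothetical threshold for inclusion in the feed
FEED_TTL = timedelta(days=7)    # hypothetical: hits older than this no longer count
# Hypothetical customer-owned ranges; the feed must never contain them.
CUSTOMER_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


@dataclass
class Hit:
    ts: datetime
    decoy: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    event: str


def parse_hit(line: str) -> Hit | None:
    """Parse one decoy log line; malformed lines are dropped rather than guessed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kv = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    try:
        ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
        return Hit(ts, kv["decoy"], ipaddress.ip_address(kv["src"]), kv.get("event", "unknown"))
    except (KeyError, ValueError):
        return None


def score_sources(hits: list[Hit], now: datetime, ttl: timedelta = FEED_TTL) -> dict:
    """Aggregate in-window hits per source address into a score."""
    scores: dict = defaultdict(int)
    decoys: dict = defaultdict(set)
    for h in hits:
        if now - h.ts > ttl:
            continue  # stale: attacker infrastructure churns, so old hits age out
        if any(h.src in net for net in CUSTOMER_NETS):
            continue  # never feed the customer's own addresses to the perimeter
        scores[h.src] += EVENT_WEIGHT.get(h.event, 1)
        decoys[h.src].add(h.decoy)
    # A source that touched several decoys is sweeping the attack surface; weight it up.
    for src, seen in decoys.items():
        if len(seen) > 1:
            scores[src] += 2 * (len(seen) - 1)
    return dict(scores)


def build_feed(log_text: str, now: datetime, min_score: int = MIN_SCORE) -> list[str]:
    """Return the sorted list of addresses that clear the threshold (IPv4-only sample)."""
    hits = [h for h in map(parse_hit, log_text.splitlines()) if h]
    scored = score_sources(hits, now)
    return sorted((str(ip) for ip, s in scored.items() if s >= min_score),
                  key=ipaddress.ip_address)


def render_edl(feed: list[str]) -> str:
    """Plain one-address-per-line text, the shape a firewall external list consumes."""
    return "\n".join(feed) + "\n"


if __name__ == "__main__":
    print(render_edl(build_feed(SAMPLE_HITS, NOW)), end="")
```

In the sample run the repeated ADFS login attempts and the source that touched both the RDP and SMB decoys make the feed, the single `.env` probe stays below the threshold, the twelve-day-old hit has aged out, and the address inside the customer's own range is excluded regardless of score. A firewall would poll the rendered text on a schedule, so the TTL in the generator is what actually unblocks an address once it stops attacking.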
Measurable Results
The deployed honeytraps collected data on over 600,000 attacks per month targeting the Customer's public IP addresses. Combined with our custom-made threat feeds, this prevented over 2.9m attempted attacks per month, originating from different countries and at different levels of sophistication – from general vulnerability scans up to targeted attacks built on the Customer's leaked dark web data and custom-made tools. Our custom feeds were tailored to the company's specific attack surface to protect its Internet-exposed services, ADFS portal, industrial devices, and employees' Internet access, offering unparalleled accuracy in detecting and blocking malicious connections.
Integrating our threat feeds on top of the Customer's existing Mandiant and Cisco threat intelligence solutions increased the number of prevented attacks several-fold: the policy based on our threat feeds blocked over 85% of malicious connections, while the standard TI addressed just 15% of malicious connections.