The customer in question was in the midst of a ransomware attack and is one of Norway's largest players in wholesale and retail. The organization consists of a large number of branch offices across Norway.
IT Cloud was the vendor's operations partner. They came to Sicra because they had previous experience with us. They needed a partner with high technical competence who could assist in quickly setting up a security solution.
Together, we designed a new and more complete security solution.
The customer was subjected to a severe ransomware attack, and all servers were encrypted, and the local firewall was turned off. They needed a complete security solution with a new segmentation plan.
The company had a centralized security solution from an internet provider that was not properly configured and had insufficient network segmentation. There was little visibility into or control over internal traffic flows, and encrypted traffic (SSL/TLS) to the internet was not inspected.
The organization handles a massive volume of customer information every day. Financial data, in particular, is a sought-after target for cybercriminals. A good security plan is therefore essential.
The threat from cyberattacks has become so severe that the Federal Trade Commission (FTC) in the USA recently updated the "Safeguards Rule," creating new security and procedural standards. This regulation has applied to companies since June 2023.
Wholesale and retail companies, therefore, face stricter compliance requirements than before, similar to many other industries that handle sensitive personal data.
Because of the ransomware attack, it was important for them to get a full overview of their network traffic and endpoint processes. This overview was especially important while servers and clients were being restored to the infrastructure.
Sicra solved the problem by adding new L3 zones, segmenting the existing L3 design into smaller L2 security zones, and adding virtual-wire for DMZ traffic. Additionally, we used Cortex XDR™ Pro for analysis of both servers and endpoint clients.
Once these security mechanisms were in place, we could safely begin restoring cleaned servers.
By collecting logs via Cortex XDR, we gained full visibility into all network traffic as well as logs from mail gateways, servers, and clients.
Sicra worked with the customer's team to set up an enterprise Palo Alto Networks firewall solution in a redundant configuration with different security zones based on risk and access profiles.
We integrated the firewalls with Palo Alto Networks technology called Cloud Identity Engine to retrieve users and groups from Microsoft Azure and the customer's AD servers.
User-based access controls were configured with dedicated rules and groups for specific employees using GlobalProtect™.
Using Iron Skillet as a baseline, all security rules were created with complete security profiles and with different security policies and profiles for incoming, outgoing, and internal traffic.
We activated Cortex XDR Pro on all clients and servers (800 endpoints) with all settings in blocking mode by default, and with blocking of "grayware" enabled in addition.
We set up Cortex Broker VM with Windows Event Collection to collect all security events from AD servers and other critical servers.
The project started in March 2022, and the data center components were completed in February 2023.
The project involved three Sicra engineers and two people from the customer side, supported by a security consultant from Palo Alto Networks.
Sicra began in the data center, setting up the Palo Alto firewalls in a redundant configuration (HA) with over 40 security zones.
Strict rules were then implemented between all security zones, allowing only necessary applications and service ports that were documented and based on Zero Trust principles.
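The rule design described above (strict allow-lists between zones, only documented applications and ports, everything else denied) can be reviewed programmatically before it is deployed. The following Python is an added example, not Sicra's or Palo Alto Networks' code: it models first-match evaluation with an implicit default deny, as zone-based firewalls typically behave, and adds two review checks a defender wants, one that flags rules that let anything cross a zone boundary and one that lists which zone pairs can reach each other at all. The zone names, application names and rules are constructed for illustration.

```python
"""Zone-based allow-list policy review (added example; zones, apps and rules are constructed)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str         # "any" matches every zone
    dst_zone: str         # "any" matches every zone
    app: str              # application identifier; "any" matches every application
    ports: frozenset      # permitted destination ports; empty set means any port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    app: str
    port: int


def _zone_match(pattern: str, zone: str) -> bool:
    return pattern == "any" or pattern == zone


def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """Return the first rule whose zones, application and port all match the flow."""
    for r in rules:
        if (_zone_match(r.src_zone, flow.src_zone)
                and _zone_match(r.dst_zone, flow.dst_zone)
                and (r.app == "any" or r.app == flow.app)
                and (not r.ports or flow.port in r.ports)):
            return r
    return None


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """Default deny: a flow that matches no rule is dropped."""
    r = first_match(rules, flow)
    return r.action if r else "deny"


def overly_permissive(rules: List[Rule]) -> List[str]:
    """Names of allow rules with an 'any' zone or 'any' application.

    Such rules defeat segmentation: one of them lets any application cross the
    boundary it covers, so they should not survive a Zero Trust review.
    """
    return [r.name for r in rules
            if r.action == "allow"
            and (r.src_zone == "any" or r.dst_zone == "any" or r.app == "any")]


def allowed_pairs(rules: List[Rule], zones: List[str]) -> Set[Tuple[str, str]]:
    """Zone pairs (src, dst) that at least one allow rule covers.

    This is an upper bound on reachability (it ignores app/port restrictions),
    which is the right view for checking that the documented zone matrix
    is the only thing the policy permits.
    """
    pairs = set()
    for src in zones:
        for dst in zones:
            if src == dst:
                continue
            if any(r.action == "allow"
                   and _zone_match(r.src_zone, src)
                   and _zone_match(r.dst_zone, dst) for r in rules):
                pairs.add((src, dst))
    return pairs


# Constructed zones and rules for illustration: a strict set, and the same set
# with a leftover "temporary" any/any rule of the kind segmentation projects remove.
ZONES = ["clients", "dmz-web", "db", "ad"]

STRICT_RULES = [
    Rule("clients-to-web", "clients", "dmz-web", "web-browsing", frozenset({443}), "allow"),
    Rule("web-to-db", "dmz-web", "db", "mssql", frozenset({1433}), "allow"),
    Rule("clients-to-ad", "clients", "ad", "active-directory",
         frozenset({88, 389, 445, 636}), "allow"),
]

LEGACY_RULES = STRICT_RULES + [
    Rule("temp-any", "clients", "any", "any", frozenset(), "allow"),
]


if __name__ == "__main__":
    probe = Flow("clients", "db", "mssql", 1433)
    print("strict :", evaluate(STRICT_RULES, probe))          # deny (no rule matches)
    print("legacy :", evaluate(LEGACY_RULES, probe))          # allow (via temp-any)
    print("flagged:", overly_permissive(LEGACY_RULES))        # ['temp-any']
    print("pairs  :", sorted(allowed_pairs(STRICT_RULES, ZONES)))
```

Run the review checks against an exported rule base before enabling it; a non-empty result from `overly_permissive` or a pair in `allowed_pairs` that is missing from the documented zone matrix is a finding to resolve, not a warning to log.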
The next step was to extract logs from the firewall, Windows DHCP servers, ProofPoint Targeted Attack Protection, Office 365, and Palo Alto Networks "IoT Security" and connect these to Cortex XDR.
From the beginning of February 2023, the project was expanded to install PA-based firewalls in all remote locations, with the same complete segmentation and visibility and the same rule set as in the data center.
The goal is to complete the installation of the firewalls by the end of 2024.
The lack of visibility and control led to significant costs for this customer.
The company now has a new and complete security infrastructure built on Palo Alto Networks®, the Proofpoint mail gateway, and "Microsoft 365 Modern Workspace" with the Intune platform. This has made their operational and security environment completely different.
For core infrastructure and access to mission-critical applications, they have built a new, hardened Horizon VDI platform. We reviewed all components against CIS Benchmarks.
In addition to a security platform, the customer also expressed a strong desire for a SOC service with 24/7 monitoring in which all log sources were visible. We wrote a technical specification and, based on it, chose Arctic Wolf as a partner.
This has given the customer a simple overview of all risks and incidents. All logs are centralized, and they have full visibility into all endpoints and servers.
Sicra provided the customer with a security solution that was easy to understand. This makes it easier to make changes when needed.
Sicra significantly strengthened the customer's cybersecurity. This has given the customer a more relaxed and better workday. Additionally, they sleep better at night now that the company's sensitive data is less vulnerable to data breaches.