Following the detection of a targeted attack, a government department needed digital forensics and incident response to determine the damage and prevent future attacks.

Neutralizing the attack and restoring service

During the COVID-19 pandemic, a government department became aware of a targeted attack that potentially exposed extremely sensitive personal and financial information. The attackers employed a technique called Credential Stuffing, using compromised passwords and usernames to access government services online. After the department became aware of the threats, they sent hundreds of thousands of notices to citizens alerting them that they would be locked out of their account until they reset their password.

Because the department did not have full visibility as to when the breach started or which systems were affected, they asked our experts to help. After the department contacted CGI, we deployed our digital forensics and incident response (DFIR) team. The DFIR team quickly built a cloud-based threat hunting platform, neutralizing the attack in a matter of days, and facilitating restored access to the platform.

This custom solution included visualization dashboards and Machine Learning capabilities. And because it was capable of identifying the source of the attacks, their scope, when they began, and when they finished, this threat hunting platform also minimized the risks of future attacks: it would flag these credentials, even if additional passwords were acquired.

Securing the platform and building future protection

Once the initial attack was resolved, CGI then developed several approaches and strategies to prevent similar attacks from happening again. In addition to building better monitoring systems for this department, we also helped the department build better detection capabilities.

An essential part of CGI’s response was building a large scale, extremely flexible analytics platform in a highly secure cloud. This project, which took six months to complete, gave the department the ability to do research at an elevated level and correlate their findings with third-party information and intelligence about potential threats. This analytics capability places the department’s security capabilities at the top echelon of today’s security capabilities.

Since the initial response, we have continued to work with the government department, providing training to help them understand how to perform more effective threat hunts, how to do better data mining, and how to make better use of the analytics about security information.

Protecting this extremely sensitive information has large scale financial implications, not only for the government, but for citizens in general. The services we provided to this department are also replicable in other government contexts, and we are working on an ongoing basis to protect governments against malicious actors and sophisticated, organized cybercriminal organizations.

Removing barriers and creating more flexible workflows

Historically, governments have taken a siloed approach to workflows, and this department was no different: they had one team dealing with authentication and logins, one dealing with web servers, one working with applications and databases, and one team dealing only with the cloud. While this approach may have been satisfactory in the past, today’s digital platforms depend on seamless functionality between processes and functions.

We were able to remove the barriers between these disparate teams and draw them together. We were also able to help the teams coordinate their approach to the broader problems of security, allowing them to work together with the data, identify the sources of information, and harmonize their approach to those sources.

Reducing threats, now and in the future

By enabling the creation of a more holistic security view, we helped the department lower the overall risk landscape. The department also now has the ability to find and address security threats in real time, preventing future attacks of this nature.