The client first found out about the breach when someone on their security team received a notification that an account on a domain controller was attempting to escalate privileges.
He determined it was an active session, so he removed it and disabled the account in Active Directory.
The client didn’t realize this was a massive attack until the threat actor deleted all of their virtual machines and locked the client out of their entire cloud environment, including email. Their business came to a halt and their panic level went to 10. That’s when they called Unit 42 Incident Response.
Watch the video to see how Unit 42 helped the client recover, educated them on the gaps in their organization’s policy and process that led to the breach, and guided them through understanding what they needed to do to bring their organization forward.