The Committee for Public Counsel Services (CPCS) is a public agency, funded by the Commonwealth of Massachusetts, with a mission to provide legal services for clients unable to afford to retain a lawyer. The CPCS acts in a manner similar to a private law firm, employing 450 attorneys and approximately 3000 outside contracting attorneys (who were never directly affected) whose activities are coordinated by CPCS staff. The organization has more than 20 offices across Massachusetts and approximately 700 employees in total.
ATTACK
Vancord was initially introduced to CPCS during a cybersecurity emergency involving ransomware across hundreds of workstations and servers. CPCS responded unsuccessfully to the attack with internal resources and engaged Vancord through a referral from an existing IT provider. The situation was dire: normal business was suspended, email and communications were impacted, and the organization's reputation and funding were at risk.
Immediate Action Steps Needed:
Every incident response engagement requires a unique approach to contain attacks and restore systems. Vancord developed an approach customized to the threat encountered, using data analysis and triage to adapt on the fly to customer systems and requirements. Vancord deployed a team of three engineers on a full-time basis to investigate the threat, contain attackers to prevent further spread and damage, eradicate malware and attacker tools, and recover systems for normal business operation. Additional technicians were assigned as needed during recovery activity to aid in system rebuilding. All security engineers were led by an incident handler who served as the main contact for coordination, communication with the customer, and progress reporting in addition to analysis duties.
Vancord Services Provided:
For the duration of the engagement, Vancord used Infocyte for threat hunting and analysis, Elastic for security event monitoring, and multiple custom tools created by Vancord staff. These products were efficiency aids, procured in advance by Vancord for use during incident response, rather than for future customer use.
Soon after Vancord was engaged, the attackers were contained and isolated. Vancord successfully stopped the attack and worked with CPCS to resume largely normal operations over the next two weeks. Employee productivity, previously halted due to the attack, resumed rapidly when email became available, when file server data was restored, and as workstations were cleaned/redeployed. Post-incident corrective actions and improvements were made as a necessary element of containment, eradication, or restoration. Throughout the process, Vancord was able to improve CPCS systems, including stability of internal email systems and the security posture of many core servers. A chief outcome of the incident, after resolution, was the delivery of an incident report that documented specific findings and areas of opportunity for the improvement of internal security. CPCS gained a key partner in information security, establishing a relationship that will continue long after the incident. Several follow-up projects resulting from this strong partnership have included a vulnerability assessment, virtual Information Security Office, application penetration test, firewall upgrades, security operations center, and an endpoint protection initiative.
"You want Vancord in the fox hole with you if you ever have a breach or other security incident. Vancord’s support and availability throughout the entire response were phenomenal and its follow-up activities to ensure we were incident resilient going forward allows me to sleep well at night."
"Vancord understands the unique aspects of a higher-education institution, which made them a perfect partner for us."
"Vancord helped us uncover vulnerabilities in our system, protecting us from a breach that could have been very damaging to our institution."
"Vancord exhibited outstanding professionalism and commitment throughout the project, keeping us secure during this crucial time for connectivity."