
Inside a Real-World Cyber Incident: razorblue’s Rapid Response to a Major Breach

Recently our Security Operations Centre was alerted to a critical breach within a client’s infrastructure. A domain administrator account linked to an internet-facing firewall appliance had been compromised, triggering a fast-moving incident that required immediate containment, investigation, and full network restoration — all within the same day.

What Happened

The attack began early in the morning, with the first unauthorised sign-in to a domain admin account recorded at 07:20. This login granted the attacker elevated privileges, including access to backup and impersonation functions: essentially, a dangerous level of control over the client’s environment.

Just over an hour later, Windows Defender began flagging suspicious activity. These alerts revealed an active, hands-on-keyboard attack. The client acted quickly and escalated the issue to razorblue at 08:34, initiating our rapid incident response.

By 08:44, just ten minutes later, our security engineers were actively managing the incident. A technical bridge was established, pulling in specialists from our security, infrastructure, and network teams to coordinate a rapid response.

The Immediate Response

The compromised firewall appliance and its associated service account were shut down by 09:12. Initial investigations confirmed that the attack originated from this device, and importantly, no further suspicious activity occurred after it was powered off.

To contain the situation and prevent any further threat actor activity, the client’s entire network was isolated from the internet by 12:28. razorblue maintained secure remote access through a private connection, allowing investigations to continue uninterrupted.

Investigating the Scope

Eight critical virtual machines were identified as potential targets of the attack. Each was methodically reviewed to understand whether the threat had spread further.

The investigation included:

  • Isolating and powering down all potentially affected VMs.
  • Reviewing event logs for unusual access patterns or escalation activity.
  • Auditing scheduled tasks for any signs of persistence mechanisms.
  • Examining RDP session history to check for lateral movement.
  • Running full antivirus scans to identify and neutralise any dormant payloads.
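The log, scheduled-task and RDP-history checks in that list, as an added PowerShell triage script that is not razorblue’s own tooling. It assumes an elevated session on each Windows host under review, logs that still cover the window, and a start time set to the first suspicious sign-in.

```powershell
# Added triage script, not razorblue's own tooling. Assumes it runs in an elevated
# PowerShell on each Windows host under review and that the logs still cover the window.
param(
    [Parameter(Mandatory)][datetime]$Start,   # e.g. the first unauthorised sign-in at 07:20
    [datetime]$End = (Get-Date)
)

# Turn a Security event's EventData into a hashtable keyed by field name.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $fields = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $fields[$_.Name] = $_.'#text' }
    return $fields
}

$win = @{ StartTime = $Start; EndTime = $End }

# 1. Logons in the window: type 10 = RDP, 3 = network (lateral movement), 2 = console.
#    Machine accounts (names ending in $) are skipped to reduce noise.
Get-WinEvent -FilterHashtable ($win + @{ LogName = 'Security'; Id = 4624 }) -ErrorAction SilentlyContinue |
  ForEach-Object { $f = Get-EventFields $_
    [pscustomobject]@{ Time = $_.TimeCreated; Event = 'Logon'; User = "$($f.TargetDomainName)\$($f.TargetUserName)"
                       Type = $f.LogonType; From = $f.IpAddress; Proc = $f.ProcessName } } |
  Where-Object { $_.Type -in '2','3','10' -and $_.User -notmatch '\$$' }

# 2. 4672 = special privileges assigned to a new logon: every admin-equivalent sign-in,
#    which is how a compromised domain admin shows up even when the logon type looks ordinary.
Get-WinEvent -FilterHashtable ($win + @{ LogName = 'Security'; Id = 4672 }) -ErrorAction SilentlyContinue |
  ForEach-Object { $f = Get-EventFields $_
    [pscustomobject]@{ Time = $_.TimeCreated; Event = 'AdminPrivs'; User = "$($f.SubjectDomainName)\$($f.SubjectUserName)" } }

# 3. Persistence: tasks registered in the window (4698 needs object-access auditing enabled,
#    so the task store's registration date is checked too) and new services (7045, System log).
Get-WinEvent -FilterHashtable ($win + @{ LogName = 'Security'; Id = 4698 }) -ErrorAction SilentlyContinue |
  ForEach-Object { $f = Get-EventFields $_
    [pscustomobject]@{ Time = $_.TimeCreated; Event = 'TaskCreated'; User = $f.SubjectUserName; Task = $f.TaskName } }
Get-ScheduledTask | Where-Object { $_.Date -and [datetime]$_.Date -ge $Start } |
  Select-Object @{n = 'Event'; e = { 'TaskInStore' }}, TaskName, TaskPath, Date, Author
Get-WinEvent -FilterHashtable ($win + @{ LogName = 'System'; Id = 7045 }) -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, @{n = 'Event'; e = { 'ServiceInstalled' }}, Message

# 4. RDP session history from the Terminal Services log: 21 = logon, 24 = disconnect, 25 = reconnect.
$tsLog = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
Get-WinEvent -FilterHashtable ($win + @{ LogName = $tsLog; Id = 21, 24, 25 }) -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, Id, Message
```

Pipe the output to Export-Csv per host so the timelines from all eight VMs can be merged and compared against the 07:20 first sign-in.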

By early evening, no further malicious activity was detected beyond the original entry point. To expedite the recovery, some non-critical machines were excluded from full scanning and earmarked for rebuild at a later date.

At the same time, firewall rules and outbound traffic patterns were reviewed to confirm the attacker had not established any ongoing foothold in the environment.

Restoring Operations

Before reconnecting the network, all domain admin credentials were regenerated, and several accounts were removed from the administrator group to reduce unnecessary access risks. New credentials were delivered securely to the client, and by 20:48, the full network — including firewalls and cloud connectivity — was back online.

One VM remained isolated overnight to complete a lengthy antivirus scan. It was successfully brought back onto the network the next morning, marking the formal conclusion of our remediation efforts.

Stability Restored

While the breach had the potential to cause significant damage and prolonged disruption, a combination of early detection, swift escalation by the client, and razorblue’s coordinated incident response enabled full containment and recovery — all within the space of a single day. This rapid turnaround not only limited operational impact but also safeguarded critical data and infrastructure from further compromise.

Our multidisciplinary approach — bringing together experts from our security, infrastructure, and networking teams — ensured that the situation was assessed and addressed from every angle. Working in close partnership with the client, we were able to restore business operations safely and swiftly, without cutting corners or leaving the environment vulnerable to reinfection.

This incident is a powerful reminder of the importance of preparation, speed, and clear communication in cyber defence. Organisations must assume that breaches can and will happen — but having the right teams, processes, and tools in place can make the difference between a controlled incident and a major crisis.

Security is not just about protection — it’s about resilience. That means knowing how to detect, respond, and recover when the worst happens.

Read more about our Managed Security service here: Award Winning Managed IT Security Services | razorblue
