Skip to content

Client Case Studies

Your Company is Unique, So Your Managed Detection and Response Solution Should Be Too

Ankura InterXeptor™ isn’t a scaled-down, large enterprise monitoring solution; we built it specifically for middle market companies based on our decades of experience working with them and understanding their risk profiles and business objectives. We assess your unique security posture, analyze a range of potential threats, and design a custom solution with your company’s needs—and resource constraints—in mind.

How We’ve Helped Clients

Failed log-in attempts lead to threat detection and incident response action by Ankura InterXeptor

While monitoring a client in the financial industry, our analysts were alerted to an unusual pattern of failed attempts to log into a system. Failed log-ins are common and not usually indicative of malicious activity. Users often forget their passwords, particularly in the summer months after coming back from an extended vacation.

However, upon further inspection and analysis, one of our Ankura InterXeptor analysts recognized that the username being entered for one of the accounts did not follow the company’s usual naming convention. Forgetting a password is one thing, but forgetting your username is more unusual. Furthermore, the analyst noticed the originating and destination IP addresses had not previously been seen connecting. The analyst quickly conferred with the client and determined this activity was part of a password spraying attack. Ankura immediately blocked traffic to and from the observed IP addresses and advised the client to require a password change for the targeted user accounts.

Ankura InterXeptor’s continuously updated detection rules help spot threats, leading to rapid containment and remediation

Ankura was engaged to conduct threat hunting activities for a financial services client experiencing unusual network activity. Our analysts implemented custom detection rules to spot tactics, techniques, and procedures (TTP) known to be used by the types of sophisticated threat actors who would likely target this client. The custom detection rules alerted on a small number of anomalous Powershell (PS) executions.

The use of PS by itself is not unusual in Microsoft Windows environments. However, the manner in which the PS commands were executed was unusual, and triggered further scrutiny. Upon inspection, our analysts determined the suspect PS command execution occurred only on a small number of machines and was in fact a covert “beacon” (a communication method) set up by a threat actor to maintain persistent access to the victim network and enable ongoing communication with the attacker’s command and control server. The destination sites used by the threat actor were named to resemble the client’s legitimate sites so as to evade network traffic detection. Furthermore, our analysts determined the PS commands were designed to appear like routine software upgrades.

Based on the above findings, our Ankura InterXeptor analysts reached out to the client to confirm. Upon further checking by the client, it was ultimately determined that an attacker had gained initial access through a successful spear phishing campaign. Ankura’s incident responders rapidly responded to fully investigate, contain, and remediate the attack before there was any impact to business operations or data integrity.

Ankura InterXeptor’s behavioral anomaly detection rules stop threat actors’ reconnaissance activities

While monitoring a client in the manufacturing industry, our analysts received an alert that a netscan program execution was attempting to run but was denied by our custom preventive rules. Netscan tools are often used legitimately by IT staff to discover new devices connecting to the network, and and therefore such activity is often ignored by inexperienced analysts.

However, knowing that network scanning tools are also used by threat actors for reconnaissance purposes, the Ankura team launched an investigation and discovered the scanning was executed from an unusual location on the network. Because of this, our Ankura InterXeptor analysts carried out an additional investigation and discovered more suspicious artifacts in the same location. We reported this to the client, who confirmed the activity was not authorized.

In the end, it was determined this was the work of a cyber threat actor who was conducting reconnaissance on the client’s network to prepare for additional attack/penetration into the client’s environment. The threat actors’ reconnaissance activities were disrupted and stopped due to our analysts’ findings.

Not All MDR Partners Are Created Equal

Choosing the right Managed Detection and Response (MDR) provider is critical for staying ahead of today’s cybersecurity threats. Download our eBook to learn 10 essential questions you should ask before selecting an MDR partner who can provide the highest level of protection and service for your organization.


Sign up for three months of Ankura’s CTIX FLASH Update, which provides cyber threat intelligence to an organization’s security team.


Ankura InterXeptorTM
Risk Assessment

Our two-minute Risk Assessment can help you determine how prepared your organization is to repel a cyberattack.  Complete your risk profile now and have the answers you need immediately. 

Recognizing cyber threats that can compromise your organization and addressing those security gaps is critical to protecting your firm’s infrastructure. Mitigating your risk can be the difference between a highly manageable, isolated cybersecurity incident and a data breach causing a major disruption that paralyzes your organization for days.



It looks like you’re on the right track!

We want to offer you three months of Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Updates for free. You’ll receive recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims.

Thank you.

You’re registered to receive Ankura’s semi-weekly CTIX FLASH Updates.

Need a assessment? Talk to an advisor.

Your organization may be at risk and could benefit from improved cybersecurity.

By combining industry-best technology and human expertise, you can defend your infrastructure. Start today by downloading our Data Sheet that outlines the most vulnerable areas of risk and the tools you need to obtain continuous threat detection.

Thank you.

We hope you find the data sheet helpful.

Need a assessment? Talk to an advisor.

Your organization is at risk.

It’s time to start a conversation. You can never be too prepared for a cyber breach. Book a free consultation with our MDR experts to review the results of your risk assessment and identify the steps needed to protect your organization from cyber threats.

Thank you.

A member of our team will contact you soon to schedule a call.