The solution:
- Installed IBM Security QRadar EDR on all ship endpoints.
- Low data usage allows ground crews to monitor ships in real time and respond when connections are available.
- Automated response and remediation help remove threats while an internet connection is not available.
After a series of ransomware attacks that created severe issues on ships, the shipping company asked IBM® to secure its infrastructure. An initial hygiene check showed a large number of ships already infected with a variety of malware, including RATs, Trojans and reverse shells. All identified infections were assessed and removed, and the IBM Security QRadar EDR software was then reconfigured to align with the specifications of the company: risk to business continuity had to be minimized while ensuring no data loss when there was no internet connectivity. Data transfer also had to be minimized to avoid saturating the satellite connection essential to daily operations.
Hygiene check
After the initial deployment, QRadar EDR immediately flagged a variety of anomalous behaviors and quickly addressed and remediated them. The majority of malware had been brought on board by crews, while other instances originated in content downloaded from internet-connected endpoints. A threat hunting campaign was initiated and revealed a few “dormant” malware instances waiting for a remote operator to connect and take control. Those, too, were remediated, and an observation period of seven days followed. After confirming the absence of further anomalies, IBM reconfigured the platform to operate within the company’s parameters of optimal data usage and low risk of business disruption.
Day-to-day operations
To centralize ship management, IBM and the shipping company installed a security dashboard in the company’s main base. On the ships, where the on-board networks are unified and only a single endpoint has internet access, IBM created a secure channel to allow all endpoints, including crew devices, to deliver QRadar EDR data (and nothing else) to the main base, where a team of analysts monitors and responds to possible incidents.
When ships are scheduled to go offline, the shipping company enables QRadar EDR’s ransomware protection capability, as ransomware is the only malicious vector that could endanger the data. An infection by means of a RAT or Trojan would have no immediate impact, due to the absence of connectivity. All other behaviors are monitored, with their tracking data archived locally, to be delivered immediately after an internet link is available again.
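The store-and-forward behavior described above (tracking data archived locally while the ship is offline, delivered oldest-first once the link returns, and transfer volume kept small) can be illustrated with a small Python spooler. This is an added example, not IBM's or QRadar EDR's code; it assumes events are JSON dicts, batches are written as gzip-compressed NDJSON files, and the single internet-connected endpoint is modelled by a constructed `SatelliteUplink` stub whose `send` raises `ConnectionError` while the link is down.

```python
import gzip
import json
import tempfile
import time
from pathlib import Path


class TelemetrySpool:
    """Local store-and-forward archive for EDR tracking data on an offline ship."""

    def __init__(self, spool_dir, batch_size=100):
        self.spool_dir = Path(spool_dir)
        self.spool_dir.mkdir(parents=True, exist_ok=True)
        self.batch_size = batch_size
        self._pending = []      # events not yet written to disk
        self._seq = 0           # tie-breaker so file names sort in arrival order

    def record(self, event):
        """Buffer one event; write a compressed batch once batch_size is reached."""
        self._pending.append(event)
        if len(self._pending) >= self.batch_size:
            self.flush_to_disk()

    def flush_to_disk(self):
        """Write buffered events as one gzip NDJSON file; return its path, or None if empty."""
        if not self._pending:
            return None
        self._seq += 1
        path = self.spool_dir / f"{time.time_ns():020d}-{self._seq:06d}.ndjson.gz"
        lines = [json.dumps(e, separators=(",", ":")) for e in self._pending]
        with gzip.open(path, "wt", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
        self._pending.clear()
        return path

    def spooled_files(self):
        return sorted(self.spool_dir.glob("*.ndjson.gz"))

    def try_upload(self, send):
        """Send spooled batches oldest-first; stop at the first link failure. Returns count sent."""
        self.flush_to_disk()
        sent = 0
        for path in self.spooled_files():
            try:
                send(path.read_bytes())
            except ConnectionError:
                break               # link still down: keep the file, retry later
            path.unlink()           # delete only after the base accepted the batch
            sent += 1
        return sent


class SatelliteUplink:
    """Constructed stand-in for the ship's single internet-connected endpoint (hypothetical)."""

    def __init__(self):
        self.up = False
        self.received = []

    def send(self, batch_bytes):
        if not self.up:
            raise ConnectionError("satellite link unavailable")
        text = gzip.decompress(batch_bytes).decode("utf-8")
        self.received.extend(json.loads(line) for line in text.splitlines() if line)


# Constructed sample events; field names are assumptions, not real QRadar EDR telemetry.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "bridge-pc-01", "kind": "process", "name": "svchost.exe"},
    {"ts": 2, "host": "bridge-pc-01", "kind": "netconn", "dst": "10.0.5.7:445"},
    {"ts": 3, "host": "crew-laptop-03", "kind": "file", "path": "C:\\Users\\x\\doc.zip"},
    {"ts": 4, "host": "engine-hmi-02", "kind": "process", "name": "powershell.exe"},
    {"ts": 5, "host": "crew-laptop-03", "kind": "alert", "rule": "suspicious-archive"},
]


def demo(spool_dir=None):
    """Run the offline-then-online scenario and return counters the caller can check."""
    spool_dir = spool_dir or tempfile.mkdtemp(prefix="edr-spool-")
    spool = TelemetrySpool(spool_dir, batch_size=2)
    link = SatelliteUplink()
    for event in SAMPLE_EVENTS:
        spool.record(event)
    sent_offline = spool.try_upload(link.send)        # link down: nothing leaves the ship
    batches_archived = len(spool.spooled_files())
    link.up = True
    sent_online = spool.try_upload(link.send)         # link up: backlog drains oldest-first
    return {
        "sent_offline": sent_offline,
        "batches_archived": batches_archived,
        "sent_online": sent_online,
        "events_received": len(link.received),
        "remaining": len(spool.spooled_files()),
        "in_order": [e["ts"] for e in link.received] == [e["ts"] for e in SAMPLE_EVENTS],
    }


if __name__ == "__main__":
    print(demo())
```

Two design choices carry the page's requirements: a batch file is deleted only after the receiving side has accepted it, so a link drop mid-upload loses nothing, and events are compressed NDJSON rather than one request per event, which keeps the bytes crossing the satellite link small.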