Attivo Networks
An Attivo Networks Case Study
Regional Healthcare Providing Company, a multi‑hospital organization on the Eastern Seaboard, was hit by a resurgent Qakbot malware outbreak on legacy Windows XP systems. Traditional security tools generated many high‑level alerts but lacked the specific forensics needed to act. At the same time, the customer was running a proof‑of‑value of the Attivo Networks ThreatDefend platform (including BOTsink decoys) on several VLANs.
Attivo Networks’ Deception Platform was used to safely detonate Qakbot in BOTsink decoys, revealing compromised accounts, file drops, processes, lateral movement paths, and command‑and‑control behavior. With Attivo Networks’ detailed attack forensics, the security team blocked external C2, wiped infected endpoints, contained the outbreak, and stopped further data exfiltration, saving days of incident response effort and avoiding potential patient data breach costs (average cost per stolen patient record: $363).