How REI Defended Its Active Directory with Mimic

Overview

REI (Recreational Equipment, Inc.) is a leading outdoor retailer with 180+ stores, an e-commerce platform, and a co-op with millions of members. Their security team was concerned by the increasing prevalence of ransomware attacks on unprotected Active Directory domain controllers (AD). By some estimates, 50% of ransomware attacks target AD, and sever access to critical business assets in the process. REI’s large hybrid IT environment spanning stores, warehouses, and digital operations is dependent on AD and a successful ransomware attack could be catastrophic.

REI turned to Mimic because its deep ransomware deflection technology is the first in the industry to protect assets, such as Active Directory, at the speed of ransomware.

The Challenge

Broad EDR solutions can’t detect ransomware in AD environments and their ransomware detection in broader enterprise applications isn’t fast enough to protect the enterprise once an attacker moves through AD and targets other critical applications.

So, like many Fortune 500s, REI needed ransomware-specific protection and maintenance of their on-prem AD infrastructure with clear goals:

• Rapid Detection & Deflection: REI needed a solution that could detect ransomware MUCH faster, deflect accurately, and be extended to their other critical applications quickly.
• Seamless Integration in a Complex Stack: Their security environment already included multiple tools, many of which had a history of blocking new deployments or complicating configurations.
• Optimize Resources within the Budget: Cost was a major consideration - deploying to the enterprise without exceeding the budget. REI prioritized protecting AD first, with plans to expand to critical applications.

Solution Implementation

Highly Specialized Active Directory Protection

Mimic’s solution protects REI’s AD estate from ransomware and alerts them to unauthorized changes to their environment that may signal a ransomware attack.

Rapid Deployment

Mimic’s ability to deploy extremely quickly with minimal impact on the REI security team utilized two new technologies:

• Firstly, Mimic’s patent-pending node’s ability to auto-learn the underlying asset’s profile completely and then build a tailored shield to protect it.
• The Mimic delivery team's exceptional speed and focused approach throughout the entire deployment lifecycle—from initial design to hands-on training, threat intelligence, and meticulous analysis of each detection and deflection.

Navigating Budget Constraints

In collaboration with REI, Mimic can deploy its capability to all REI critical servers at no cost. In this mode, Mimic’s technology just silently watches for an attack, but if a threat actor launches ransomware and tries to encrypt or exfiltrate REI critical data, Mimic can instantly protect the application being attacked. And REI pays only if or when that protection goes live.

Building a Real-World Cyber-Range

Mimic’s Arena technology allowed REI to safely detonate real ransomware strains in an identical mirror of their environment without exposing their network to risk. This provided a unique level of insight, including:

• A precise view of how ransomware would behave inside their exact infrastructure, including key security agents across various operating systems.
• A risk-free way to test defenses before an actual attack occurs.
• A clear demonstration of Mimic’s Detection and Deflection capabilities in action.

Empowering REI’s Security Team

The Mimic delivery team partnered with REI cybersecurity specialists not only in the deployment of the Mimic solution on REI’s critical assets, but all internal testing was done by the REI security team itself, giving them the unique ability to:

• Properly understand the solution and implementation.
• Gain visibility into their overall security posture.
• Stress-test Mimic’s solution independently.
• Red team their own environment, performing various attack scenarios.

The Results

1: Mimic immediately was able to warn REI about unauthorized changes going on in their AD environment.

2: REI will be protected on all critical applications but does not have to take the budget expense upfront.

3: Faster, smarter response times with zero excess alert noise to REI’s SOC.

‍