7 Months Inside: How Threat Actors Reached the C-Suite Before Anyone Knew They Were There
How a silent attacker lived undetected inside a financial services company's network, and what At-Bay uncovered when executives started getting threats
Company Industry: Finance
Threat Actor: PEAR
Attack Type: Long-dwell intrusion → data exfiltration → extortion
Ransom Payment: $0 — full recovery without payment
Before the Call
This financial services company relied on a managed service provider (MSP) to manage its environment. Day-to-day operations were running smoothly, systems appeared healthy, and nothing was flagged as unusual. From the outside, and from inside the MSP’s monitoring, everything looked fine.
What was missing: no continuous threat detection, no identity-layer visibility, and no way to detect an attacker who wasn’t making noise. The MSP’s scope covered IT operations, not security monitoring.
What Happened
C-suite executives started receiving direct contact from threat actors threatening to expose stolen data. When At-Bay Response & Recovery investigated, they uncovered the full picture: attackers had been silently inside the network for more than seven months, moving carefully and staying beneath the threshold of anything the MSP would flag.
By the time the extortion demand arrived, the attackers already knew exactly what they had.
How At-Bay Responded
- Detection: At-Bay forensic analysts worked to identify the initial access vector, following a trail of unauthorized and malicious activity back approximately seven months. Because of log rolling — the automatic deletion of older logs to make room for new events — the exact method of initial entry and precise date of access could not be recovered. The attacker had been quiet long enough that the evidence of how they got in was gone.
- Forensics & Investigation: At-Bay conducted a full forensic analysis of all available workstations, servers, and firewall logs to map the scope of the intrusion and what data had been accessed across the seven-month dwell period.
- Containment: Impacted systems were isolated from the internet. Servers and workstations were rebuilt and files restored from backup.
- Negotiation: The client recovered without making any payment to the threat actor.
- Recovery: A clean network was stood up for rebuilt systems, with all configurations validated and security software installed before migration. SentinelOne was deployed and monitoring was handed off to the client’s new MSP.
At-Bay contained the threat, rebuilt the network, and produced a forensic map of the full seven-month intrusion. That intelligence directly shaped the client’s breach response, legal obligations, and long-term security posture.
Stop Long-Dwell Attacks with MDR
Continuous threat detection is a different discipline than what an MSP might provide. Long-dwell attackers count on that gap, staying quiet inside networks that look healthy from the outside. By the time they surface, they’ve already taken what they came for. And if log rolling has cleared the oldest records, you may never know exactly how they got in.
At-Bay Stance Managed Detection & Response (MDR) monitors for the subtle indicators of long-term persistence, catching attackers before they reach your executives, your data, or your customers. Continuous endpoint, cloud, email, and identity monitoring means dwell time is measured in hours, not months.
*Response timelines differ. Past results do not guarantee future outcomes. This content is provided for information purposes only and is not intended to define any Policy commitment. No warranty is given or liability accepted regarding this information.
At-Bay Stance MDR is provided by At-Bay Security, LLC (“At-Bay Security”), and available to eligible businesses with or without an insurance policy placed through At-Bay Insurance Services, LLC. At-Bay Security, LLC is a wholly owned subsidiary of At-Bay, Inc., providing cybersecurity services including MDR and incident response. At-Bay Security, LLC does not provide insurance services.