Securing a Construction & Design Firm: Building a Data Centre from Scratch, Implementing Zero-Trust Networking & Ransomware Recovery
Executive Summary
A well-established construction and design company with operations spanning multiple regional offices found itself at a crossroads after a devastating ransomware attack crippled its operations for over two weeks. The company had grown rapidly but its IT infrastructure had not kept pace — legacy systems, flat network topologies, and minimal security controls had created an environment ripe for exploitation.
HackersDigital was engaged to not only recover from the incident but to design and build an entirely new data centre from the ground up, implement enterprise-grade firewall infrastructure, deploy a zero-trust network architecture, and completely transform the company’s threat landscape. This case study details the full journey from crisis to a hardened, resilient infrastructure.
Complete Transformation
From ransomware victim to hardened, monitored infrastructure
The Challenge
When HackersDigital was brought in, the situation was critical. The company’s primary file server, project management systems, CAD workstations, and email infrastructure were all encrypted by a ransomware variant that had propagated laterally across the network within hours of the initial breach.
Key Issues Identified
- Flat network architecture: All departments — billing, design, engineering, and administration — shared the same network segment with no segmentation or access controls.
- No dedicated data centre: Servers were housed in a repurposed office closet with inadequate cooling, no redundant power, and no physical access controls.
- Legacy firewall: A consumer-grade router served as the sole perimeter defence, with default configurations and no intrusion prevention capabilities.
- No backup strategy: Backups were stored on a NAS device connected to the same network, which was also encrypted during the attack.
- Lack of endpoint protection: Workstations ran basic antivirus with no centralised management, EDR, or threat intelligence feeds.
- No incident response plan: The company had no documented procedures, no designated point of contact, and no forensic readiness.
Critical Findings
Legacy systems with zero security controls created catastrophic risk
The Ransomware Incident
The attack originated through a phishing email received by a mid-level project coordinator. The email contained a macro-enabled document disguised as a subcontractor invoice. When opened, the macro executed a PowerShell-based dropper that downloaded the ransomware payload from an external command-and-control server.
Within 45 minutes, the malware had escalated privileges using a known Windows vulnerability, harvested domain credentials, and began encrypting file shares across the network. By the time the IT team recognised the issue, over 12TB of project data — including active construction blueprints, financial records, and client contracts — had been encrypted.
The ransom demand was significant, and the attackers threatened to leak sensitive client data. The company chose not to pay the ransom and instead engaged HackersDigital for full incident response and recovery.
Attack Timeline
From phishing email to total encryption in under an hour
Our Approach
HackersDigital deployed a phased approach that combined immediate incident response with long-term infrastructure transformation. The engagement was structured into four phases over six months:
Phase 1: Incident Containment & Forensic Analysis (Weeks 1–2)
Our incident response team was on-site within 4 hours of engagement. Immediate actions included:
- Network isolation — severed internet connectivity and segmented affected systems to prevent further lateral movement.
- Forensic imaging of compromised servers and workstations for evidence preservation and attack chain reconstruction.
- Identification of the ransomware variant, its indicators of compromise (IOCs), and the initial attack vector.
- Partial data recovery from offline backup tapes that had not been connected at the time of the attack.
- Stakeholder communication plan — drafted executive briefings and regulatory notification templates.
Rapid Response
On-site within 4 hours — isolate, image, investigate
Phase 2: Data Centre Design & Build (Weeks 3–10)
With the immediate threat contained, we turned to the core infrastructure problem: the company simply did not have a proper data centre. We designed and built one from scratch within their existing facility:
- Physical infrastructure: Dedicated server room with raised flooring, precision cooling (N+1 redundancy), UPS with 30-minute battery backup, and diesel generator for extended outages.
- Rack & power layout: Two 42U racks with managed PDUs, cable management, and environmental monitoring (temperature, humidity, water leak detection).
- Compute & storage: Hyperconverged infrastructure (HCI) cluster providing virtualised compute, software-defined storage with erasure coding, and live VM migration capabilities.
- Backup architecture: Implemented a 3-2-1 backup strategy — three copies of data, on two different media types, with one copy stored offsite in an air-gapped vault. Automated daily snapshots with weekly immutable backups.
- Physical access control: Biometric (fingerprint + badge) entry, CCTV monitoring, and an access log auditing system.
Built From Scratch
Complete data centre with redundant power, cooling, and compute
Phase 3: Firewall & Zero-Trust Network Implementation (Weeks 8–16)
The network was redesigned from the ground up following zero-trust principles — “never trust, always verify” — ensuring that no user, device, or application is inherently trusted regardless of its location.
- Next-generation firewalls (NGFW): Deployed enterprise-grade firewalls at the perimeter and between internal segments with deep packet inspection, SSL/TLS decryption, IPS, URL filtering, and threat intelligence feeds.
- Micro-segmentation: The network was divided into discrete security zones — Design/CAD, Engineering, Finance, Administration, Guest, and a DMZ for public-facing services. Inter-zone traffic is inspected and policy-controlled.
- Identity-based access: Implemented 802.1X network access control (NAC) so devices must authenticate before gaining network access. Unknown or non-compliant devices are quarantined automatically.
- Multi-factor authentication (MFA): Enforced MFA on all user accounts, VPN connections, and administrative interfaces. Eliminated single-factor password-only access across the organisation.
- Encrypted tunnels: Site-to-site VPN between offices with IPSec and always-on client VPN for remote workers, ensuring encrypted transport for all data in transit.
- DNS security: Deployed DNS filtering to block known malicious domains and prevent command-and-control callbacks, providing an additional layer of protection at the DNS resolution level.
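To make the micro-segmentation concrete, here is an added example (not HackersDigital's tooling) that models the six zones named above with a default-deny inter-zone policy and evaluates sample flows the way an NGFW rulebase between segments would; the allowed services and ports are assumptions, only the zone names come from the case study.

```python
"""Zero-trust inter-zone policy check (added example, not the firm's code).

Zones are the six from the case study; the allow-list entries, protocols
and ports are assumed for illustration. Anything not explicitly allowed
between zones is denied, which is what stops SMB-based lateral spread.
"""
from dataclasses import dataclass

ZONES = {"Design/CAD", "Engineering", "Finance", "Administration", "Guest", "DMZ"}


@dataclass(frozen=True)
class Rule:
    src: str            # source zone
    dst: str            # destination zone
    proto: str          # "tcp" or "udp"
    port: int           # destination port
    inspect: bool = True  # pass through IPS / TLS inspection


# Explicit allow-list (assumed services). Everything else is denied.
RULES = [
    Rule("Design/CAD", "Engineering", "tcp", 445),   # shared project files
    Rule("Engineering", "Design/CAD", "tcp", 445),
    Rule("Administration", "Finance", "tcp", 443),   # ERP web front end
    Rule("Guest", "DMZ", "tcp", 443),                # public website only
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def evaluate(flow: Flow) -> str:
    """Return 'allow', 'allow+inspect' or 'deny' for one cross-zone flow.

    A device that never passed 802.1X has no zone and is always denied.
    Same-zone traffic does not cross the segment firewall and is passed.
    """
    if flow.src not in ZONES or flow.dst not in ZONES:
        return "deny"
    if flow.src == flow.dst:
        return "allow"
    for r in RULES:
        if (r.src, r.dst, r.proto, r.port) == (flow.src, flow.dst, flow.proto, flow.port):
            return "allow+inspect" if r.inspect else "allow"
    return "deny"  # default deny: no implicit trust between zones


def lateral_exposure(src: str) -> set[str]:
    """Zones reachable from a compromised host in `src` on any allowed port."""
    return {r.dst for r in RULES if r.src == src}
```

Running `lateral_exposure` for every zone gives the audit view: in a flat network each zone reaches all five others, whereas here a compromised CAD workstation reaches only Engineering and can never open SMB to Finance.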
Zero-Trust Network
Never trust, always verify — every user, device, and application
Phase 4: Endpoint Hardening & Monitoring (Weeks 14–24)
- Endpoint Detection & Response (EDR): Rolled out a centrally managed EDR solution to all workstations and servers, providing real-time behavioural analysis, automated containment, and forensic investigation capabilities.
- Privileged Access Management (PAM): Implemented a PAM solution to vault administrative credentials, enforce just-in-time access, and record all privileged sessions.
- Security awareness training: Delivered phishing simulation campaigns and quarterly security training to all employees, with targeted training for high-risk roles (finance, project management).
- Centralised logging & SIEM: All firewalls, servers, endpoints, and network devices feed logs into a central SIEM platform with correlation rules, alerting, and a 90-day hot retention / 1-year cold retention policy.
- Incident response plan: Developed, documented, and tabletop-tested a comprehensive IR plan with defined roles, escalation paths, and communication templates.
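As an added example (not the firm's actual SIEM content), the correlation logic below ties the Phase 4 SIEM to the attack timeline described earlier: an Office application spawning a script host, a DNS lookup of an uncategorised domain shortly after, and then mass renames on a file share. The event records, hostnames, timestamps and the `c2.invalid` domain are constructed, and the field names are assumptions about a simplified endpoint/DNS log shape.

```python
"""SIEM correlation for the macro-dropper chain (added example, not the
firm's real rules). Events below are constructed inline; field names,
hosts, times and the c2.invalid domain are all made up for illustration.
"""
from datetime import datetime, timedelta

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
WINDOW = timedelta(minutes=10)   # spawn -> callback lookup window (assumed)
RENAME_THRESHOLD = 500           # renames on one share that imply encryption

# Constructed sample: a benign admin PowerShell on WS-CAD-03 and the phishing
# chain on the project coordinator's workstation WS-PM-17.
EVENTS = [
    {"ts": "2024-03-04T09:11:50", "host": "WS-CAD-03", "type": "process",
     "parent": "explorer.exe", "image": "powershell.exe"},
    {"ts": "2024-03-04T09:12:03", "host": "WS-PM-17", "type": "process",
     "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"ts": "2024-03-04T09:12:09", "host": "WS-PM-17", "type": "dns",
     "query": "update.c2.invalid", "category": "uncategorised"},
    {"ts": "2024-03-04T09:40:31", "host": "WS-PM-17", "type": "file_rename",
     "share": "\\\\FS01\\projects", "count": 1842},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events):
    """Return {host: severity} for hosts showing the chain, escalating:
    MEDIUM   = Office app spawned a script host
    HIGH     = ...followed within WINDOW by an uncategorised-domain lookup
    CRITICAL = ...and later mass renames on a share (encryption under way)
    """
    alerts = {}
    spawns = [e for e in events if e["type"] == "process"
              and e["parent"].upper() in OFFICE_APPS
              and e["image"].lower() in SCRIPT_HOSTS]
    for s in spawns:
        host, t0 = s["host"], _ts(s)
        later = [e for e in events if e["host"] == host and _ts(e) >= t0]
        severity = "MEDIUM"
        if any(e["type"] == "dns" and e.get("category") == "uncategorised"
               and _ts(e) - t0 <= WINDOW for e in later):
            severity = "HIGH"
            if any(e["type"] == "file_rename" and e["count"] >= RENAME_THRESHOLD
                   for e in later):
                severity = "CRITICAL"
        alerts[host] = severity
    return alerts
```

Because each stage only escalates an existing alert, the MEDIUM signal alone gives the SOC a chance to isolate the workstation before the 45-minute window in which this firm's data was encrypted.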
Full Monitoring
EDR, PAM, SIEM, and security awareness across the organisation
Results
The transformation was comprehensive. Within six months, the company went from having no formal security posture to operating a hardened, monitored, and resilient infrastructure:
- Data recovery: Critical project data was recovered through a combination of offline backup tapes and forensic decryption assistance — no ransom was paid.
- Zero security incidents since deployment: In the 12 months following project completion, the company experienced zero successful intrusions, zero ransomware events, and zero data loss incidents.
- Regulatory confidence: The new infrastructure and documentation enabled the company to meet client security questionnaire requirements that had previously been barriers to winning larger contracts.
- Operational efficiency: Centralised management, automated backups, and modern virtualisation reduced the IT team’s maintenance burden by over 60%, allowing them to focus on supporting the business.
- Business continuity: Tested disaster recovery procedures demonstrated the ability to restore full operations within 4 hours of a catastrophic failure, down from an estimated 2+ weeks prior to the engagement.
Key Takeaways
This engagement reinforced several principles that apply to any growing business:
- Infrastructure debt is security debt. Delaying investment in proper IT infrastructure creates compounding risk. A repurposed closet with consumer-grade hardware is not a data centre.
- Flat networks are indefensible. Without segmentation, a single compromised endpoint means total compromise. Zero-trust architecture is not optional — it’s foundational.
- Backups must be tested and isolated. A backup connected to the same network as production is not a backup — it’s an additional target. The 3-2-1 rule with immutable and air-gapped copies is the standard.
- Incident response starts before the incident. Having a tested plan, designated responders, and forensic readiness transforms a crisis from weeks of chaos into a managed recovery.
- Security enables growth. Post-engagement, the company successfully bid on three enterprise contracts that required documented security controls — controls they could now demonstrate.
Facing a Similar Challenge?
Whether you need to recover from an incident or build resilient infrastructure from scratch, our team is ready to help.
Book Your Assessment