Incident-as-a-Service

Marquis sues firewall provider SonicWall, alleges security failings with its firewall backup led ...

The 48-Hour Rule in action. This incident happened, we converted it into operational training, and your team can apply the controls immediately.

73% vs 12% Retention Lift
18.5h Breach to Training
847 Organisations
48h Action Window
Built for:
  • Network Security Administrators: They will benefit by learning how to securely configure and monitor critical network security appliances like firewalls, moving beyond default settings to mitigate the specific risks highlighted in the case study.
  • IT Risk & Compliance Officers: This course will equip them to better assess and manage third-party vendor security, map controls to frameworks like NIST CSF and GDPR, and articulate technical risks to leadership in the context of legal and regulatory obligations.
  • Security Operations Centre (SOC) Analysts: They will gain crucial context on how to craft detection rules for anomalies in firewall management and backup systems, and develop playbooks for responding to incidents stemming from compromised security infrastructure.

30-day guarantee. Instant access after payment. Lifetime updates for this incident package.

How This Course Is Structured

Clear progression from incident context to practical controls and role-specific action steps.

1. Incident Breakdown

Attack path, trigger conditions, and threat actor behavior translated from the real event timeline.

2. Defensive Controls

Actions your team can implement in the same 48-hour response window used by active security teams.

3. Evidence & Reporting

Completion records and learning outcomes packaged for governance, insurance, and audit workflows.

Course Outline

4 modules · 16 lessons · ~192 min total

1

Module 1: Threat Intelligence

Deep dive into the incident mechanics, attack vectors, and threat actor analysis. Learn to recognise indicators of compromise.

4 lessons ~180 min
📖 1.1 Marquis vs. SonicWall: A Firewall Backup Breach Deep Dive 45 min
📖 1.2 Data Breach Campaign Analysis and Supply Chain Risks 45 min
📖 1.3 Attack Vector Analysis: Exploiting Security Appliance Weaknesses 45 min
📖 1.4 Indicators of Compromise for Appliance-Based Data Breaches 45 min
📖 2.1 SIEM Detection Strategies for Firewall Anomalies and Data Exfiltration 45 min
📖 2.2 Endpoint Detection and Analysis Post-Network Breach 45 min
📖 2.3 Incident Response Playbook for Security Appliance Compromise 45 min
📖 2.4 Digital Forensics Essentials for Data Breach Investigations 45 min
📖 3.1 Authentication Hardening for Network Security Appliances 45 min
📖 3.2 Access Control Implementation for Sensitive Configuration Data 45 min
📖 3.3 Network Segmentation to Contain Data Breach Impact 45 min
📖 3.4 Zero Trust Architecture Principles for Vendor Access 45 min
📖 4.1 Security Awareness Programme for Third-Party Risks 45 min
📖 4.2 Board-Level Communication on Vendor-Induced Data Breach Risks 45 min
📖 4.3 Vendor Risk Management for Cybersecurity Products 45 min
📖 4.4 Compliance Framework Integration: Mapping the Breach to NIS2, GDPR, and SOC 2 45 min

Free Sample Lesson

Read one full lesson before purchasing. No signup required.


Lesson 1 of 16

Lesson 1.1: Marquis vs. SonicWall: Anatomy of a Firewall Backup Breach

Compliance Framework Mapping

Framework | Control | Requirement
DORA | Articles 5-17 | ICT risk management framework and policies
ISO 27001 | A.8.1 | Responsibility for assets
NIST CSF | PR.IP-9, PR.IP-10 | Response and recovery plans are in place and managed (PR.IP-9) and tested (PR.IP-10)
NIS2 | Article 21 | Cybersecurity risk management measures for network and information systems
SOC 2 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives
GDPR | Article 32 | Security of processing

Introduction

Welcome to Lesson 1.1: Marquis vs. SonicWall: Anatomy of a Firewall Backup Breach! Over the next 45 minutes, we will explore how a trusted security product can become the very source of a catastrophic data breach.

But first, let me tell you about Marcus Webb.

It's 3:17 PM on a Tuesday in October. Marcus Webb, a senior network engineer at a mid-sized financial services firm in London, is reviewing firewall logs. The office is quiet, the hum of servers a constant background noise. He’s just finished a routine backup of the company’s primary SonicWall firewall configuration.

A week later, Marcus gets a call from the security operations centre. Unusual outbound traffic patterns are flagged from a server that should only talk to internal systems. The traffic is encrypted, but the destination IPs are unfamiliar. Marcus checks the firewall rules; nothing has changed. He feels a cold knot form in his stomach.

The investigation leads to a shocking discovery. The backup file Marcus created, stored on an internal file share with what he thought were strict permissions, has been accessed and exfiltrated. The file didn't just contain configuration data; it held the encrypted passwords for all firewall admin accounts. The attackers had everything they needed to map the entire network defence.

This is the anatomy of a data breach. By the end of this lesson, you'll understand exactly why Marcus never stood a chance, and more importantly, what could have saved him.


Content Section 1: What is a Firewall Backup Breach?

Think of your firewall as the vault door to your network. A firewall backup breach is like someone stealing the architectural blueprints to that vault, including the combination to the lock. It’s not just losing data; it’s handing over the master key to your entire digital perimeter.

The Hidden Value in a Backup File

A firewall configuration backup is often treated as a simple administrative file. But it’s a treasure trove. It contains the complete rule set governing what traffic is allowed in and out of your network. It maps all VPN configurations, IP address schemes, and security zones.

More critically, these backup files frequently carry the administrative credentials themselves. If the export stores them as password hashes, an attacker can run unlimited offline guessing against them without ever touching the device or tripping its lockout controls; if the export stores them reversibly encrypted under a key the product itself holds, no cracking is needed at all once that scheme is understood. Either way, a recovered password is a legitimate key to the kingdom, and the appliance cannot tell the attacker's login from yours.

The breach at Marcus’s company started here. The stolen backup gave attackers a perfect diagram of every choke point and weak spot in their network defence.

The Supply Chain Blind Spot

This incident highlights a supply chain risk. Organisations trust security vendors like SonicWall to ship secure products, and that trust becomes a dangerous dependency when, as the Marquis lawsuit alleges, the product itself has security failings in how it handles backups.

The assumption is that the security tool is inherently secure. That assumption breeds complacency about how the tool's outputs, backup files in particular, are protected. Blame often lands on the user for poor handling, but the tool's design can make secure handling nearly impossible.

Think about that last point for a moment. Your most sensitive security configuration, the very rules designed to keep attackers out, might be stored in a file with weaker protection than the data it's meant to guard.

DORA Articles 5-17: DORA's ICT risk management framework requires financial entities to identify and manage ICT risk, including risk arising from third-party ICT providers such as security vendors; Article 12 specifically requires backup policies and procedures for ICT systems and data. A vendor product feature that exposes a backup is therefore a governed ICT risk, not merely a vendor-selection question.

ISO 27001 A.8.1: Annex A.8.1 (2013 numbering; asset inventory moved to A.5.9 in the 2022 edition) requires that assets associated with information and information processing facilities be identified, inventoried and assigned an owner. A firewall configuration backup is a critical information asset that must be accounted for and protected accordingly.



Content Section 2: The Attack Chain: From Backup to Breach

Understanding the value of the backup explains why stealing it is so effective. Let me show you exactly how Marcus's company was compromised, step by step.

The Initial Foothold

The attack didn't start with a direct assault on the firewall. Intrusions like this rarely do; a commodity entry point, such as a phishing email to an employee, is far more typical. Once an attacker has a foothold on any internal machine, they begin reconnaissance.

They look for network shares, common administrative directories, and backup repositories. The tooling is usually automated, searching for files whose names contain 'backup', 'config', or the vendor's name, 'SonicWall'.

In this scenario, the firewall backup file was found on a departmental file share. The permissions, while intended to restrict access to the network team, were misconfigured or inherited from an overly permissive parent folder.

Weaponising the Backup

With the backup file in hand, the attackers exfiltrated it to their own systems. Now, in a safe environment, they could analyse it at their leisure. They parsed the configuration to understand the network layout: where the sensitive servers were, what subnets existed, what traffic was allowed.

The credential material was extracted. Offline, with no lockout or rate limit to slow them down, the attackers ran dictionary and brute-force guessing on GPU hardware against the hashes (precomputed rainbow tables only help where a hash is unsalted, but a weak password falls to a wordlist either way). One admin password, chosen for convenience rather than strength, eventually yielded.
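To make the offline-cracking step concrete, the following is an added example written for this lesson; it is not code from the original page or from any vendor. The credential records, the wordlist and both hash schemes are constructed stand-ins (real appliance exports use vendor-specific encodings), and the point is the contrast: an unsalted fast hash falls to a precomputed table with no work at attack time, a salted slow hash costs one full computation per guess, and a password reused across accounts is recovered once and replayed.

```python
"""
Offline cracking of credential material recovered from a stolen configuration
backup. Added example for this lesson, not code from the original page or from
any vendor: the credential records, wordlist and both hash schemes are
constructed stand-ins, since real appliance exports use vendor-specific encodings.
"""
import hashlib
import hmac

# Constructed attacker wordlist (a real one has hundreds of millions of entries).
WORDLIST = ["Password1", "Summer2024!", "Welcome1", "fwadmin", "letmein"]


def unsalted_sha1(password):
    """Legacy scheme: one fast hash, no salt. Same password -> same digest everywhere."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_pbkdf2(password, salt, rounds=50_000):
    """Slow, salted scheme: precomputation is useless, each guess costs `rounds` iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


SALT = bytes.fromhex("9f3c1a7e5d2b4c60")  # constructed per-record salt

# Constructed "extracted" records: (account, scheme, salt, digest)
RECORDS = [
    ("admin",      "sha1",   b"",  unsalted_sha1("Summer2024!")),
    ("fwbackup",   "pbkdf2", SALT, salted_pbkdf2("Summer2024!", SALT)),      # same password reused
    ("breakglass", "pbkdf2", SALT, salted_pbkdf2("Tq9#vLm2!zR8pW4s", SALT)),  # strong, not in wordlist
]


def rainbow_table(words):
    """Hash -> password map computed once, in advance, for the unsalted scheme.
    This is what a precomputed table buys an attacker: zero hashing at attack time."""
    return {unsalted_sha1(w): w for w in words}


def crack(records, words):
    """Return (recovered passwords per account, hash computations spent per account)."""
    table = rainbow_table(words)
    recovered, work = {}, {}
    for account, scheme, salt, digest in records:
        if scheme == "sha1":
            recovered[account] = table.get(digest)   # lookup only, no hashing
            work[account] = 0
            continue
        # Passwords already recovered go first: reuse across admin accounts is common.
        candidates = list(dict.fromkeys(p for p in recovered.values() if p))
        candidates += [w for w in words if w not in candidates]
        recovered[account], work[account] = None, 0
        for guess in candidates:                      # nothing rate-limits an offline attacker
            work[account] += 1
            if hmac.compare_digest(salted_pbkdf2(guess, salt), digest):
                recovered[account] = guess
                break
    return recovered, work


if __name__ == "__main__":
    found, cost = crack(RECORDS, WORDLIST)
    for account in found:
        print(f"{account:11s} -> {str(found[account] or 'not cracked'):18s} "
              f"({cost[account]} PBKDF2 computations)")
```

The break-glass account survives only because its password is not in the list; the scheme buys time, not immunity. That is why the remediation later in this lesson removes static passwords from exports altogether rather than relying on a stronger hash.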

Why Traditional Perimeter Defences Fail

This attack slips past standard security layers because it uses legitimate access and legitimate data. Here is how each common defence is rendered ineffective:

Defence Layer | How It's Bypassed | Result
Network Intrusion Detection (NIDS) | The traffic is the exfiltration of a single, legitimate-looking config file; no exploit code is used. | No alert triggered.
Firewall itself | Attackers log in with legitimate, cracked admin credentials; the login looks like any other. | Access granted.
Endpoint Detection (EDR) | The initial foothold may be caught, but reading a file on a share is normal user and process behaviour. | Low-priority alert, if any.
Data Loss Prevention (DLP) | The backup is a proprietary format (.exp for SonicWall); DLP will not treat it as sensitive unless configured for that file type. | File exfiltrated unnoticed.

Notice what these bypasses have in common. The attack does not look like an attack until it is too late; it looks like routine administrative activity because it turns the organisation's own tools and data against it.

Now pay attention, because this is the moment control was lost: a compromised user account with no special privileges could read the file that held the keys to the network's highest privileges.

NIST CSF PR.IP-9, PR.IP-10: PR.IP-9 requires response and recovery plans to be in place and managed; PR.IP-10 requires them to be tested. This incident shows why that testing must include scenarios where core security infrastructure (the firewall itself) is compromised. Your incident response plan probably assumes the firewall is a trusted tool for containment; what if it is the source of the breach?

NIS2 Article 21: NIS2 Article 21 mandates cybersecurity risk management measures for network and information systems. A key measure is securing the entire lifecycle of critical configuration data such as firewall backups, not just the live device.



Content Section 3: Detection: Seeing the Invisible Attack

Marcus's network knew something was wrong. It just couldn't tell him. The signals were there, buried in noise. Detecting this breach requires shifting your perspective from looking for exploits to looking for misuse of trust.

Behavioural Indicators on the Firewall

Look for administrative logins from unusual source IP addresses, especially those originating from inside your network but from non-admin workstations or servers. An attacker with cracked credentials will log in from their foothold machine.

Monitor for configuration changes made outside of documented change windows. After gaining access, attackers may add firewall rules to permit command-and-control traffic or exfiltration that their stolen network map showed was blocked.

A key signal is the download of a configuration backup by a user who doesn't normally perform that action, or from an unusual location. The firewall itself can log this activity.

Indicators on the File Server

Enable detailed auditing on directories where configuration backups are stored. Alert on any access (especially read operations) from user accounts outside a designated security group, such as 'Firewall_Admins'.

Look for large file reads followed by outbound network connections from the same host. A user account reading a 2 MB .exp file and then, within minutes, opening a TLS connection from the same machine to an unfamiliar external IP is a major red flag.

Use File Integrity Monitoring (FIM) to detect unauthorised changes to the backup files themselves, which could indicate tampering.
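Two of the file-server checks above, integrity of the backup files and who can read them, can be scripted against the store itself. The script below is an added example for this lesson, not code from the original page or any FIM product, and it applies to a POSIX host (a Windows share needs an ACL query such as Get-Acl instead). It assumes backups belong at mode 0600 inside a 0700 directory and that the SHA-256 manifest is kept somewhere the backup share cannot reach; the sample store it builds in `demo()` is constructed. Run it only against a store you are authorised to audit.

```python
"""
Baseline-and-verify audit for a directory of network-device configuration
backups: records a SHA-256 manifest, reports files added, removed or altered
since the last run (file integrity monitoring), and flags anything readable or
writable by group or world. Added example, not from the original lesson.
Assumptions: a POSIX host, backups expected at mode 0600 inside a 0700
directory, and the manifest kept outside the backup share.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

BACKUP_SUFFIXES = (".exp", ".cfg", ".bak", ".xml")   # assumed export formats
LOOSE_BITS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


def sha256_of(path, chunk=1 << 16):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every backup-looking file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in BACKUP_SUFFIXES
    }


def permission_findings(root):
    """Entries whose mode grants any read or write to group or others."""
    root = Path(root)
    return [
        (p.relative_to(root).as_posix(), oct(stat.S_IMODE(p.stat().st_mode)))
        for p in sorted(root.rglob("*"))
        if p.stat().st_mode & LOOSE_BITS
    ]


def compare(baseline, current):
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


def audit(root, manifest_path):
    """Compare against the saved manifest (None on the first run), then refresh it."""
    current = build_manifest(root)
    manifest_path = Path(manifest_path)
    drift = compare(json.loads(manifest_path.read_text()), current) if manifest_path.exists() else None
    manifest_path.write_text(json.dumps(current, indent=2))
    os.chmod(manifest_path, 0o600)                      # the manifest is sensitive too
    return {"drift": drift, "permissions": permission_findings(root)}


def demo():
    """Constructed scenario: baseline a clean store, then alter one backup and
    leave a world-readable copy behind, and run the audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "fw-backups"
        store.mkdir(mode=0o700)
        primary = store / "sonicwall-primary.exp"
        primary.write_bytes(b"constructed config export\n")
        os.chmod(primary, 0o600)
        manifest = Path(tmp) / "manifest.json"        # outside the store
        first = audit(store, manifest)

        primary.write_bytes(b"constructed config export, altered\n")   # tampering
        stray = store / "sonicwall-primary-copy.exp"
        stray.write_bytes(b"copy left on the share\n")
        os.chmod(stray, 0o644)                                        # readable by everyone
        second = audit(store, manifest)
        return first, second


if __name__ == "__main__":
    before, after = demo()
    print(json.dumps({"first_run": before, "second_run": after}, indent=2))
```

Schedule `audit()` from a host that is not the file server, and treat any non-empty `drift` or `permissions` result as an alert, not a report: an unexpected "added" entry is exactly the stray copy the attack chain above depends on.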

Identity and Access Signals

Correlate firewall admin account logins with other identity events. Did the same admin account authenticate to the firewall and, minutes later, attempt to access a sensitive file share it never uses? This suggests credential compromise.

Implement strict just-in-time access for firewall administrative roles. If an account with admin rights is suddenly used after being dormant for weeks, it should require re-evaluation and generate a high-priority alert.
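The indicators in this section only become a detection when they are joined: a backup read by the wrong account, an outbound flow from that host shortly afterwards, and a firewall admin login from that same host. The following is an added example for this lesson showing that correlation in plain Python; it is not code from the original page or from any SIEM. The event shapes and field names, the Firewall_Admins membership, the sanctioned admin jump host, the internal address ranges and the 15-minute window are all assumptions, and every event in `SAMPLE_EVENTS` is constructed.

```python
"""
Correlating three log sources to catch a configuration-backup theft: file-server
audit reads, outbound flows, and firewall management-plane logins. Added example
for this lesson, not code from the original page or from any SIEM product. The
event shapes, field names, group membership, admin jump-host list and the
15-minute window are assumptions, and every event below is constructed.
"""
import ipaddress
from datetime import datetime, timedelta

FIREWALL_ADMINS = {"mwebb", "svc_fwbackup"}           # assumed members of Firewall_Admins
ADMIN_WORKSTATIONS = {"10.10.5.21"}                    # assumed sanctioned admin jump host
BACKUP_SUFFIXES = (".exp", ".cfg", ".bak")
CORRELATION_WINDOW = timedelta(minutes=15)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed events: (ISO timestamp, source, fields)
SAMPLE_EVENTS = [
    ("2024-10-08T15:20:11", "fileserver", {"event": "file_read", "user": "mwebb", "host": "10.10.5.21",
                                           "path": r"\\fs01\netops\fw\sonicwall-primary.exp", "bytes": 2_104_322}),
    ("2024-10-08T15:10:00", "firewall",   {"event": "admin_login", "user": "mwebb", "src": "10.10.5.21",
                                           "result": "success"}),
    ("2024-10-15T09:10:00", "netflow",    {"event": "outbound", "host": "10.20.7.44", "dst": "93.184.216.34",
                                           "dport": 443, "bytes_out": 4_000}),
    ("2024-10-15T09:41:03", "fileserver", {"event": "file_read", "user": "jdoe", "host": "10.20.7.44",
                                           "path": r"\\fs01\netops\fw\sonicwall-primary.exp", "bytes": 2_104_322}),
    ("2024-10-15T09:42:50", "netflow",    {"event": "outbound", "host": "10.20.7.44", "dst": "203.0.113.77",
                                           "dport": 443, "bytes_out": 2_301_000}),
    ("2024-10-16T02:03:19", "firewall",   {"event": "admin_login", "user": "fwadmin", "src": "10.20.7.44",
                                           "result": "success"}),
]


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_backup_file(path):
    return path.lower().endswith(BACKUP_SUFFIXES)


def unauthorised_backup_reads(events):
    """Reads of backup-looking files by accounts outside the designated admin group."""
    return [(parse_ts(ts), f) for ts, src, f in events
            if src == "fileserver" and f["event"] == "file_read"
            and is_backup_file(f["path"]) and f["user"] not in FIREWALL_ADMINS]


def read_then_exfil(events, window=CORRELATION_WINDOW):
    """An unauthorised read followed within `window` by an outbound flow from the
    same host to a non-internal address carrying at least the file's size."""
    flows = [(parse_ts(ts), f) for ts, src, f in events if src == "netflow"]
    hits = []
    for t_read, read in unauthorised_backup_reads(events):
        for t_flow, flow in flows:
            if (flow["host"] == read["host"] and t_read <= t_flow <= t_read + window
                    and not is_internal(flow["dst"]) and flow["bytes_out"] >= read["bytes"]):
                hits.append({"user": read["user"], "host": read["host"], "path": read["path"],
                             "dst": flow["dst"], "gap_s": int((t_flow - t_read).total_seconds())})
    return hits


def suspicious_admin_logins(events):
    """Successful firewall admin logins from hosts that are not admin workstations;
    critical when that host already read a backup under a non-admin account."""
    tainted = {r["host"] for _, r in unauthorised_backup_reads(events)}
    return [{"user": f["user"], "src": f["src"], "time": ts,
             "severity": "critical" if f["src"] in tainted else "high"}
            for ts, src, f in events
            if src == "firewall" and f["event"] == "admin_login"
            and f["result"] == "success" and f["src"] not in ADMIN_WORKSTATIONS]


def run_detections(events=SAMPLE_EVENTS):
    return {"unauthorised_reads": [r["user"] for _, r in unauthorised_backup_reads(events)],
            "read_then_exfil": read_then_exfil(events),
            "admin_logins": suspicious_admin_logins(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_detections(), indent=2))
```

In a SIEM this becomes three rules joined on host within the window; the join is what lifts the read from "low-priority, if any" in the bypass table above to a critical alert, because the admin login a day later arrives from a host that has already been flagged.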

SOC 2 CC6.1: SOC 2 CC6.1 requires logical access controls to protect information assets. This incident shows that logical access controls must extend beyond the live system to the backup and configuration files it generates. Protecting the asset (the firewall) is incomplete if the data that defines its security is not equally protected.

GDPR Article 32: GDPR Article 32 requires appropriate security of processing. A firewall managing traffic to systems holding personal data is a key security measure. Failing to secure the backup configuration of that firewall could be viewed as a failure to implement technical measures appropriate to the risk.


Activity: Configuration Backup Security Audit

This activity will help you identify potential weaknesses in how your organisation protects network device configuration backups.

Important Security Note: Do NOT access, copy, or test actual firewall backup files during this activity. Do not document specific file paths, share names, or password hashing algorithms used in your environment. This is a high-level policy and process review. Engage your security team if you plan any hands-on testing.

Instructions

Step 1: Identify: List all critical network security appliances in your environment (e.g., firewalls, VPN concentrators, intrusion prevention systems). For each, determine the standard method and schedule for configuration backups.

Step 2: Locate: Without accessing the files, determine where these backup files are stored. Are they on a network share, a dedicated backup server, or a local drive? Who, in theory, has read access to these locations?

Step 3: Assess: Review the policies or procedures (if they exist) for protecting these backups. Are they encrypted at rest? Are access controls reviewed regularly? Are the backups included in vulnerability scans or penetration test scopes?

Step 4: Analyse: Consider the recovery process. If you needed to restore a firewall from backup, how would you retrieve the file? Does that process rely on overly permissive access or shared credentials?

Submission

For the course discussion forum, share general learnings only:

  • What categories of devices had the most clearly defined (or undefined) backup protection processes?
  • What common themes did you discover regarding storage locations and access models?
  • Which compliance framework (e.g., NIST, ISO) control was most challenging to map to your current backup protection practices?

Do NOT share: Specific device names, IP addresses, internal share paths, details of access control lists, names of individuals or teams, or any details of your organisation's network architecture.

Review and comment on at least two other students' submissions, focusing on the security principles they discovered rather than their specific environment.


Content Section 4: Building Your Compliance Evidence

Compliance isn't about ticking boxes; it's about building a verifiable story of due care. This lesson provides the chapters for that story, showing auditors you understand and manage this specific risk.

Evidence Generation

This lesson provides documentation for multiple compliance frameworks:

For DORA (Articles 5-17) auditors: you can now demonstrate that your ICT risk management framework includes specific consideration of risks stemming from security product configurations and backups, moving beyond vendor selection alone.

For ISO 27001 (A.8.1) assessors: you can evidence that you have identified firewall configuration backups as critical assets and can describe the controls (access management, logging) applied to them.

For NIST CSF (PR.IP-9, PR.IP-10) reviewers: you can show that your incident response testing scenarios have been updated to include cases where administrative credentials or configuration data from security appliances are compromised.

Audit Trail

Document your completion of this lesson:

  • Lesson title and date completed
  • Time invested: approximately 45 minutes
  • Key learnings in your own words
  • Activity submission reference
  • Follow-up actions identified

Conclusion

Let me tell you how Marcus's story ended.

The breach escalated. With full network visibility and admin access, attackers moved laterally for weeks, eventually exfiltrating sensitive client data. The incident cost the company over £500,000 in direct remediation, forensic services, and regulatory fines. Marcus, though not solely responsible, faced significant professional scrutiny.

The organisation eventually overhauled its approach. They implemented strict, isolated storage for all security device backups with mandatory encryption and immutable logging. They moved to privileged access management solutions for firewall admin accounts, eliminating static passwords in config files. They learned the hard way that the security of their security tools was not a given.

But it doesn't have to be your story. That's why we're here.

You should now understand why a firewall backup file is a crown jewel target. You understand the step-by-step attack chain that turns a stolen config into a network takeover. You know the specific behavioural indicators that can signal this type of breach. And you understand how to map this risk to your compliance obligations.

Next, we'll explore Lesson 1.2: The Aftermath: Legal and Regulatory Repercussions. We'll examine the lawsuit between Marquis and SonicWall in detail, and what it means for vendor management and liability in a breach.

See you there.


Key Takeaways

1. The Backup is a Target: Firewall and network device configuration backups are high-value assets that contain network blueprints and often encrypted credentials, making them a primary target for attackers seeking persistent access.

2. Supply Chain Risk Applies to Security Tools: The security of your network depends on the security of your security vendors' products and their features, including how they handle sensitive data like configuration backups.

3. Detection Requires Behavioural Monitoring: Traditional signature-based defences will miss this attack; detection relies on correlating unusual access to backup files with subsequent administrative logins and configuration changes.

4. Compliance Must Cover Configuration Data Lifecycle: Frameworks like ISO 27001 and NIST CSF require controls that must be applied to the entire lifecycle of critical configuration data, not just the live systems they define.


Resources

The course materials folder contains downloadable resources for this lesson:

  • Lesson 1.1 Quick Reference Card - Summarise the key detection indicators for firewall backup breaches and immediate isolation steps for a compromised network security appliance on a single page.
  • Compliance Mapping Worksheet - Map your organisation's controls for protecting network device configuration backups to the DORA, ISO 27001, NIST CSF, NIS2, SOC 2, and GDPR frameworks referenced in this lesson.
  • Risk Assessment Template - Assess your organisation's specific exposure to firewall backup breach threats based on the storage, access, and vendor management practices covered in this lesson.
  • Further reading - Links to official framework documentation (NIST SP 800-53, ISO 27002) and threat intelligence reports on supply chain attacks targeting network infrastructure.

Marquis sues firewall provider SonicWall, alleges security failings with its firewall backup led ... Defence Masterclass | Threat Intelligence | Lesson 1.1
© LimitedView Limited | 2026

This is 1 of 16 lessons included in the full package.

Enrol Now: Unlock All Lessons

Want to track your progress? Create a free account

Choose Your Access

All plans include 30-day money-back guarantee

Taster

£19

Single course access, ideal for trying us out

  • Full course access
  • Completion certificate
  • Try before you commit

Or get everything

Access every course in the catalogue, including all future courses

£29/mo
Monthly All-Access

Every course, cancel anytime

£249/yr
Annual All-Access

Save 28%, £20.75/month effective

Teams

Transparent pricing, no sales call required

Starter Team

£499/year

£99.80/seat effective

Up to 5 learners, all courses included

Growth Team

£999/year

£66.60/seat effective

Up to 15 learners, all courses included

Scale Team

£1999/year

£39.98/seat effective

Up to 50 learners, all courses included

Need 50+ seats? Contact us for a custom plan.

Fast Checkout

Start Learning in Minutes

Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.

  • Stripe-secured payment and delivery workflow
  • Audit-friendly completion records
  • Escalate to enterprise volume licensing at any point

48-Hour Relevance Guarantee

If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.

Secure checkout

Select pricing tier

By continuing, you agree to the terms and privacy policy.

Not ready to purchase? Create a free account to browse and track progress.

Questions Before You Enrol?

Immediately after successful payment. Your learning link is generated and delivered in the success flow.
Yes. Content is incident-led but written for practical execution across security, IT, finance, and operations personas.
Yes. Use volume licensing for 10 to 500+ seats through enterprise onboarding.