Intersec Worldwide was contacted by a mid-sized B2B company in the finance industry after a malicious online attacker infiltrated its IT infrastructure and threatened to release customer data and expose the breach publicly. The attackers shared visual proof that they had access to the organization's data systems and had obtained customer data. The threat actors were seeking a payout to return the data to the organization and not reveal the breach publicly.
The organization believed the data breach was limited to a singular segment of the organization and sought Intersec Worldwide’s expertise to review the elements of the breach, stop the threat actor from further infiltration, and help discover and remediate any vulnerabilities that could pose a problem in the future.
The Organization's Concern
While the organization wanted to ensure the threat actor’s actions were stopped immediately, they were left with many questions:
- What data have we lost?
- What other data does the threat actor have access to?
- How did the threat actor access our systems?
- How can we prevent this data breach in the future?
Intersec Worldwide assured the organization it could address all of these concerns; here is the step-by-step process we followed.
Stopping the Threat Actor
The first priority of any data breach or incident response initiative is to determine the point of infiltration and stop the threat actor from accessing any further information or data.
Intersec Worldwide’s digital forensics and incident response (DFIR) team deployed immediately and initiated threat mitigation steps. The digital forensics team had one priority—to ensure the threat actor no longer had access to the environment. To achieve this, we reset all administrative passwords, implemented multi-factor authentication (MFA) and password rotation, and began to identify all local administrators and systems in use.
The key element of our efforts to stop the threat actor was to allow business operations to continue as usual. Organizations cannot afford to be offline in a fast-paced industry. Our team was able to access the system and stop the threat actor without disrupting day-to-day business operations.
Monitoring and Discovery Process
Once the environment was deemed secure, the next step was to implement real-time monitoring software. This allowed our team of forensic investigators to ensure the environment remained protected from the threat actor as the investigation was completed.
“We often compare the discovery process to building an airplane as you are flying it. It is challenging and we are pivoting and adapting quickly to match the environment. Constant communication is our key to success. As we encounter a problem, we talk through it, fix it, and move on to the next, all while remaining calm, safe, and steady.”
The discovery process is where our team of digital forensic investigators truly shines. We captured images, logs, and all of the pertinent information from the IT systems. The organization thought the scope of the breach was limited to a singular business segment, but our digital investigation uncovered more activity.
Through our forensic investigation and analysis of their environment, we discovered that the threat actors could have been anywhere within the network because they had access to the whole environment. The organization's IT architecture was fully interconnected, so the single vulnerability exploited by the threat actor left the entire organization exposed.
Our multi-team effort ensured we acted quickly and uncovered this critical realization in time to mitigate the organization's known vulnerabilities. We immediately implemented the necessary safeguards to protect exposed data and re-engineered the environment in a much more secure manner.
What Our Digital Forensic Analysis Uncovered
Once the environment was secure, our investigation team reviewed the findings to learn more about what caused the vulnerability and how to ensure it could not be repeated. As we peeled back the layers, our investigators used our additional arsenal of software tools to reveal what occurred, when, and how.
The Intersec team uncovered inconsistent log management. We typically recommend that logs are saved for three (3) months online and twelve (12) months in the office.
We confirmed the threat actor had access to the entire environment, not just the single system the client initially flagged. Moreover, we learned that the security perimeter was not breached by malware but by remote access software.
This type of breach, referred to as ‘living off the land,’ uses legitimate software rather than malware to access a network. LogMeIn, TeamViewer, and similar platforms are widely used remote access tools that threat actors exploit. Because the activity comes from legitimate software, typical antivirus, endpoint, EDR, and XDR systems do not raise any alerts; it looks like a regular IT administrator logging into the system.
Our investigation went through each remote access system to determine which ones were not authorized or used by the organization.
We completed enterprise-wide forensics throughout the environment to determine which locations used remote access software. Once identified, we reviewed the login credentials to determine which were valid and which were not.
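The review described above (inventory every remote access session, then decide which tool, account and connection source the organization actually sanctions) can be expressed as a small triage script. The following is an added example, not Intersec Worldwide's tooling: it assumes an endpoint export with one line per observed remote-access session (host, tool, account, source IP) and an organization-maintained allowlist of which tool is approved on which host, which accounts may use it, and which networks administrators connect from. Hostnames, accounts and addresses are constructed.

```python
"""Triage helper for a remote-access ('living off the land') review.

Added example; assumes a CSV export of observed sessions and an allowlist the
organization maintains. All sample values below are constructed.
"""
import csv
import io
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample export: one line per remote-access session seen on an endpoint.
SAMPLE_SESSIONS = """\
host,tool,account,source_ip
fin-app-01,TeamViewer,svc_itadmin,10.20.0.15
fin-app-01,LogMeIn,svc_itadmin,10.20.0.15
hr-db-02,TeamViewer,jdoe,203.0.113.44
wks-117,TeamViewer,svc_itadmin,10.20.0.15
wks-118,LogMeIn,tempuser,198.51.100.7
"""

# Assumed allowlist: which tool is sanctioned on which host, which accounts may
# administer remotely, and which networks administrators connect from.
# Tool names are compared case-insensitively.
APPROVED_TOOLS = {"teamviewer": {"fin-app-01", "wks-117"}, "logmein": {"fin-app-01"}}
APPROVED_ADMIN_ACCOUNTS = {"svc_itadmin"}
ADMIN_NETWORKS = (ip_network("10.20.0.0/24"),)


@dataclass(frozen=True)
class Finding:
    host: str
    tool: str
    account: str
    source_ip: str
    reasons: tuple


def parse_sessions(text):
    """Parse the CSV export into a list of dicts, skipping blank rows."""
    return [row for row in csv.DictReader(io.StringIO(text)) if row.get("host")]


def _from_admin_network(source_ip, admin_networks):
    """True when the address parses and falls inside a known administrative network."""
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False  # an unparsable address is never treated as trusted
    return any(addr in net for net in admin_networks)


def review_sessions(rows, approved_tools=APPROVED_TOOLS,
                    approved_accounts=APPROVED_ADMIN_ACCOUNTS,
                    admin_networks=ADMIN_NETWORKS):
    """Return one Finding per session that deviates from the allowlist.

    Each session is checked on three independent points: is the tool sanctioned
    on this host, is the account an approved administrator, and did the
    connection originate from an administrative network.
    """
    findings = []
    for row in rows:
        host, tool = row["host"], row["tool"]
        account, source_ip = row["account"], row["source_ip"]
        reasons = []
        if host not in approved_tools.get(tool.lower(), set()):
            reasons.append("tool not sanctioned on this host")
        if account not in approved_accounts:
            reasons.append("account is not an approved administrator")
        if not _from_admin_network(source_ip, admin_networks):
            reasons.append("source outside administrative networks")
        if reasons:
            findings.append(Finding(host, tool, account, source_ip, tuple(reasons)))
    return findings


def hosts_needing_review(findings):
    """Sorted, de-duplicated list of hosts that carry at least one finding."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    for f in review_sessions(parse_sessions(SAMPLE_SESSIONS)):
        print(f"{f.host}: {f.tool} by {f.account} from {f.source_ip} -> {'; '.join(f.reasons)}")
```

On the constructed sample, the two sessions on fin-app-01 and the one on wks-117 match the allowlist and produce no finding; hr-db-02 and wks-118 are flagged on all three points and become the hosts to examine first. Because the checks are independent, a sanctioned tool used by an unknown account, or a known administrator connecting from an unexpected network, is still surfaced, which is the case the page warns about: the software itself looks legitimate, so the review has to rest on who used it, where, and from where.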
Our investigation found the point of infiltration and mitigated any future risk by ensuring the client understood the vulnerabilities associated with remote access systems and how to implement safeguards to manage access.
The Dangers of Unencrypted Data
The next step in the investigation was to determine the scope of the data that was accessed. Our team determined the types of data the threat actors were looking for and determined whether the data was exfiltrated.
What we uncovered was twofold:
- Not all data was encrypted.
- Some data systems had been duplicated and moved to other locations without anyone’s knowledge or authorization.
Spreadsheets of data had slipped through the cracks, and data that should have been deleted was not.
Our investigators pieced together all of the data, mapping locations and access points with the goal of helping the organization clean up processes to access, store, and manage critical business data.
Resolution
The last step in this data breach remediation process was to work with the individual business practice owners to manage necessary data and put processes and protections in place to mitigate future risk.
A Virtual CISO supported our efforts to resolve the breach and reorganize data management to protect the business from future threats.
Our process involved analyzing the data capture process and documenting the answers into a formal procedure for future use:
- Does this data need to be retained? Is it business-critical?
- Does it need to be protected with encryption?
- Where should the data be stored?
- What are the access protocols?
- Is the data entered automatically or manually?
- Does it need to be archived?
- Should it be deleted? If yes, when and how?
We helped the organization develop new data protocols, providing them with a complete plan moving forward for appropriate data management.
In the end, the client’s environment was restored. The data was retained and secured appropriately, and all future data use and access is expertly managed following the new process we created.
Our investigation, remediation, and process development were completed quickly, effectively, and with minimal business interruption.
When every second counts, you need a cybersecurity partner who won’t let you down.
At Intersec Worldwide, we take a full-service, client-centered approach to cybersecurity. When a data breach occurs, we’re on-site—stopping the attack and getting your business back on track. But that’s just the first step.
We take each client through the process of understanding what was compromised and how the threat actor gained access. We then implement long-term cybersecurity solutions that help our clients reestablish security protections and stakeholder confidence. Building trust means staying with our clients through successful resolution and guiding them into the future, better protected—a capability that differentiates us from the competition.
Contact our team today to learn how we can help your organization.