Ever try to chop down a tree with a fork? Any type of skilled labor requires the use of proper tools, and incident response is no different. In my experience as an incident responder, many organizations often lack both the proper incident response tools and staff trained to use those tools. In this war story, we take a look at what that can mean for rapid response and remediation.

Incident Response War Story

In a recent incident response engagement, a victim of a data breach contacted us regarding the loss of credit card data. This company had received a notification from a Federal law enforcement agency, which, during an investigation, had observed the organization’s IP addresses in relation to stolen credit card data. Further investigation showed that the stolen credit card data had been taken from the organization’s network. The notification gave the organization little to go on, which is typical in this type of situation. Yet, once a company receives such a notification, it has to pursue an investigation to determine whether there had been a breach, the extent of it and what data had been accessed. As with most of these investigations, there was not only credit card data present on the network, but also other forms of data that an attacker would find worth stealing.

Whenever we are contacted to conduct an investigation, we hold a preliminary scoping call to determine the situation. Over the course of multiple conversations, we learned that the organization had little knowledge of its own internal network and what data was present on it. This slowed remediation of the incident and impacted our response efforts: with no prior incident response planning in place, we were unable to narrow down where the incident had occurred.

The task of searching for an attacker across a network, with little knowledge of that network, is vast and can seem overwhelming. When that is coupled with neglect of basic security considerations, it becomes herculean. Preparation is the first step of incident response. If you haven’t prepared for a breach, then handling a breach becomes much more difficult, akin to chopping down a tree with a fork.

We ended up deploying Carbon Black into the network to identify infected endpoints and hopefully narrow down the search. Once the deployment was complete, our analysts were able to identify the infected endpoint, which had a new variant of Suppobox running, and immediately isolated it from the rest of the network. Anti-virus products do not identify these new variants because their signature is unknown. We were able to obtain a sample of the malware and reverse engineer it almost immediately, which provided us with indicators of compromise and led to the eventual securing of the network. This also allowed us to submit the sample to the client’s anti-virus vendor for signature creation and updating, which provided greater protection across the environment. Alongside this, we added a watch list to Carbon Black to provide even more in-depth protection.

During this investigation, we were unable to determine exactly how long the attacker had been inside the network or how much data had been exfiltrated, which is a worst-case scenario for any organization, especially for those who handle sensitive data such as PII or credit card data. If the organization had taken steps to prepare for an incident and established a plan, it would have saved time and money. The attacker wouldn’t have gotten as far in their attack, and the remediation and recovery stages would have been far shorter.

Lessons Learned

So, let us review and bring together the lessons from this brief war story scenario.

  1. Prepare for an incident before you experience one. Provide proper training to both the end users and to your security team to prepare them for the eventual incident. We can help by providing in-depth tabletop exercises based upon real world incidents and facilitated by experienced incident response analysts. Contact NTT Security for more information. 
  2. Know the topology and structure of your network. Utilize tools such as NMAP and Packet Sled to build your network map and identify where at-risk data is both stored and moving through your network. Solutionary can assist you in identifying the topology of your network and constructing proper network defenses for the structure present in your environment.
  3. Install endpoint protection across your network, such as Carbon Black, to provide defense in depth and to allow your security team to immediately investigate, remediate and resolve incidents before the attacker completes their nefarious activity.
  4. Engage with an MSSP, such as NTT Security, to provide holistic network monitoring. ActiveGuard® seamlessly integrates with Carbon Black to provide in-depth network monitoring by a 24-hour-a-day security operations center.

Cutting down a tree requires the proper tools being used by people who know what they are doing, and incident response is much the same. Provide your team with the right tools and training so your network and data are properly protected.

Stay tuned for a second blog that will take a look at various tools that can easily be used to enhance your ability to respond to, investigate and remediate security incidents like the one referred to in this war story.