CYBER SECURITY INSIDER – EBOOK 1/3

How one company’s sensitive data was breached and what they did next

The chaos of a corporate attack

Cyber security in real life

The purpose of this eBook is not to scare you

You already know how frequent and public cyber security incidents are becoming. You already know how far-reaching and long lasting their impact can be on a company’s reputation and customers. And you already know that the bulk of the blame ultimately falls on a company’s management. What you (hopefully) don’t know is what a cyber security incident looks like from the inside – how it happens, how much it distracts C-level leaders and how companies get affected internally.

More importantly, if you’re like most C-level leaders, you don’t know how best to respond to a major cyber security incident – how to deal with a distracted business, how to deal with the reputation damage or how to deploy a coherent crisis management plan.

Over the course of this Cyber Security Insider series, we’ll show you how CISOs are protecting their organizations, as well as the best practices you can and should be applying.

The purpose of this eBook is to tell you about a specific case where an attacker breached a company’s infrastructure and extracted sensitive data, despite their existing security measures. In it you’ll learn how the breach happened, and how the company reacted to resolve the incident. You’ll see how these sorts of incidents play out and how companies should – and shouldn’t – react to them.

Let’s dive in.

The commoditization of advanced threats

Advanced persistent threats (APTs) are usually associated with well-resourced, highly organized attackers like nation states.

The trouble is, once these tactics are used in state-sponsored attacks, the techniques and procedures employed quickly become publicly known. Which means cyber criminals with fewer resources can start to use them too.

For instance, we’ve seen cyber criminals utilize APT-style attacks that deploy sophisticated crypto-ransomware inside businesses without traditional mass-infection vectors like phishing and exploit kits.

Put simply: cyber criminals are constantly evolving to become more organized. And the ecosystems they rely on to buy tools and tactics are only becoming more commoditized. So corporate defensive perimeters are increasingly susceptible to even the most common tactics.

We only bring this up to remind you that while the methods attackers use to breach companies may be highly sophisticated, they’re also unfortunately common.

A fact that was all too clear in the case of Corp X (not their real name).

The breach

In the autumn of 2015, Corp X, a large service provider listed on several international stock exchanges, with major financial institutions as customers, discovered a breach in their company network.

Having initially discovered the data leak, Corp X’s IT department began investigating what sort of data was being leaked, who was leaking it and how they were doing it.

But since they’d never performed a forensic investigation of this magnitude before, the team had access to a very limited skill-set, few investigative tools and practically no threat intelligence information.

So after a few weeks of probing and getting nowhere, they reached out to us and our team of white-hat security experts.

(We only mention this to explain when we got involved.)

By this point, Corp X had collected evidence that data had been extracted from their network and sent to an unknown IP address in China.

Given this evidence, the first big question was about where the leak came from:

Was it an internal actor (an employee, contractor, affiliate or member of the supply chain)? Or had an external party gained access to the company’s internal network?

OPEN SOURCE INTELLIGENCE

Even when little is publicly available, attackers use social engineering (such as calling individuals in the target company to gather information) to get the information they need.

After careful forensic analysis, it became clear this was the work of an outsider.

Next, a closer examination of the time-line of events indicated that the attacker selected Corp X as a target some time prior to the attack. In fact, they had planned their attack strategy based on information gathered during an early research and reconnaissance phase.

With a wealth of public information available, including the company’s own web pages, social media, partner and affiliate sites, and contractor sites, the attacker developed a detailed picture of Corp X.

Once the attacker had the right information, he designed an attack that hit a specific set of employees and targeted a weak spot in the organization’s infrastructure.

Specifically, he crafted a social engineering campaign that targeted Corp X’s CFO and direct reports with an elegantly worded email directing the recipients to a compromised website.

Someone in the group took the bait. And that’s when the initial breach occurred.

The email

We took a look at the email ourselves, and nothing about it looked suspicious. Like the site it linked to, the content of the mail related directly to the group’s responsibilities.

This was no ordinary phishing campaign.

It wasn’t a badly written email sent en-masse hoping for gullible victims.

This type of attack, commonly known as spear-phishing, relies on a carefully handcrafted, well-researched, plausible message directed at a small group of people with a common, focused set of interests. They’re incredibly easy to miss.

In fact, one of the targeted employees became suspicious and sent their own copy of the mail to Corp X’s IT department. Unfortunately, with little threat intelligence to guide them, they performed their own investigation and concluded that nothing untoward was going on.

The email was designed to direct the victim to a legitimate, non-malicious site. However, the attacker had compromised the site at an earlier time and inserted a specially crafted ad-banner into it. This ad-banner functioned non-maliciously for every visitor except for the group of victims in question.

It then delivered a malicious payload onto the targeted victim’s computer, one built specifically to evade the anti-virus product Corp X had deployed.
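The selective ad banner described above can be simulated in a few lines. The following Python is an added example, not code from the eBook or from F-Secure: a stand-in for the compromised ad server that returns the malicious banner only to visitors matching a target profile, plus the check a defender can run against it, fetching the same resource from several vantage points and comparing the responses. The target network (a TEST-NET range), the user-agent test, the banner contents and the vantage points are all constructed for illustration; a real campaign would key on whatever the reconnaissance phase turned up.

```python
"""Added example, not from the eBook: a simulated cloaked ad banner that is
benign for everyone except a targeted group, and the multi-vantage-point
check that exposes the cloaking. Target profile, banners and clients are
constructed for illustration."""
import hashlib
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical target profile: the attacker keys delivery on the victim
# organisation's egress network (a TEST-NET range here) and a Windows
# desktop browser signature.
TARGET_NETS = [ip_network("203.0.113.0/24")]
TARGET_UA_FRAGMENT = "Windows NT"

BENIGN_BANNER = b"<img src='/ads/quarterly-report.png'>"
MALICIOUS_BANNER = b"<iframe src='/ads/loader.html' width=0 height=0></iframe>"


@dataclass(frozen=True)
class Client:
    ip: str
    user_agent: str


def serve_banner(client: Client) -> bytes:
    """Simulated compromised ad server: malicious content only for targets,
    the benign banner for everyone else (including analysts)."""
    in_target_net = any(ip_address(client.ip) in net for net in TARGET_NETS)
    if in_target_net and TARGET_UA_FRAGMENT in client.user_agent:
        return MALICIOUS_BANNER
    return BENIGN_BANNER


def fingerprint(content: bytes) -> str:
    """Short content hash so responses can be grouped without storing them."""
    return hashlib.sha256(content).hexdigest()[:16]


def detect_cloaking(fetch, clients):
    """Fetch the same resource from every vantage point and group the
    results by content hash. Returns (is_cloaked, {fingerprint: [clients]});
    more than one group means different visitors are served different content."""
    seen = {}
    for c in clients:
        seen.setdefault(fingerprint(fetch(c)), []).append(c)
    return len(seen) > 1, seen


# Constructed vantage points: a targeted finance desktop, a Mac on the same
# network, and an analyst sandbox outside the target network.
VANTAGE_POINTS = [
    Client("203.0.113.25", "Mozilla/5.0 (Windows NT 6.1; WOW64) Gecko/20100101"),
    Client("203.0.113.40", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10)"),
    Client("198.51.100.5", "Mozilla/5.0 (X11; Linux x86_64)"),
]

if __name__ == "__main__":
    cloaked, groups = detect_cloaking(serve_banner, VANTAGE_POINTS)
    print("cloaking detected:", cloaked)
    for fp, clients in groups.items():
        print(fp, [c.ip for c in clients])
```

Run stand-alone, it prints whether the responses diverged and which clients saw which version. The practitioner’s point: a single fetch from an analyst sandbox that does not match the target profile returns the benign banner, so a check that looks once, from one place, can come back clean while the page is still serving an exploit to the intended victims. Compare responses across the victim’s own network, several user agents and several times of day before concluding a site is harmless.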

‘Living off the land’

Once the payload was successfully executed on the victim’s computer, the attacker gained access to Corp X’s internal network. From this point on, he moved laterally onto the CFO’s system, and from there further into the organization’s network using credentials stolen from its Active Directory.

Once a foothold had been secured, he covered his tracks by deleting evidence of the initial breach. By impersonating employees with their own credentials and using the network’s own tools and services rather than dropping further malware, the infiltrator was able to operate undetected inside Corp X’s internal network, an approach commonly known as ‘living off the land’.

During this period, he was able to spy on employees and accumulate critical data that he would then upload to his own systems. It was during one of these uploads that the IT department at Corp X first flagged the activity.

Further forensic analysis revealed the full extent of the attacker’s theft: 7 GB of data had been stolen.

And the intruder had complete access to Corp X’s network and data for close to nine months before he was finally caught.

The importance of proactive cyber security

Corp X caught a lucky break in noticing the data leak when they did. The upload was being executed during office hours, late in the afternoon, on a busy workday. Had its IT staff been putting out fires or performing other critical tasks at the time – as was the case with all the other uploads the intruder got away with – they probably wouldn’t even have noticed it happening.
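Corp X noticed the upload by chance. A check that does not depend on someone watching the console is cheap to write. The Python below is an added example, not part of the eBook, that aggregates outbound bytes per source, destination and day from proxy logs and flags two things: a large transfer to a destination that has not appeared in a recent baseline, and a flow whose outbound volume dwarfs its inbound volume (upload-shaped traffic). The log format, addresses, baseline set and the 100 MiB threshold are constructed assumptions; tune them to your own egress.

```python
"""Added example, not from the eBook: flagging upload-shaped outbound flows
in proxy logs. Log lines, addresses, baseline and threshold are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: ts src dst bytes_in bytes_out
SAMPLE_LOG = """\
2015-10-06T09:12:01 10.20.5.41 93.184.216.34 524288 1820
2015-10-06T11:47:22 10.20.5.41 198.51.100.77 2048 734003200
2015-10-06T14:03:10 10.20.7.12 93.184.216.34 1048576 2100
2015-10-06T15:21:44 10.20.5.41 198.51.100.77 1024 612368384
2015-10-06T16:05:09 10.20.9.3 203.0.113.9 4096 15728640
"""

# Destinations seen during the previous 30 days (constructed baseline)
BASELINE_DESTS = {"93.184.216.34", "203.0.113.9"}
UPLOAD_THRESHOLD = 100 * 1024 * 1024  # 100 MiB out to one destination per day


def parse(log_text):
    """Yield (timestamp, src, dst, bytes_in, bytes_out) per log line."""
    for line in log_text.splitlines():
        ts, src, dst, b_in, b_out = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(b_in), int(b_out)


def find_exfil_candidates(log_text, baseline=BASELINE_DESTS,
                          threshold=UPLOAD_THRESHOLD):
    """Aggregate bytes per (day, src, dst). Flag a pair when it sends more
    than `threshold` bytes to a destination absent from the baseline, and
    separately when bytes_out is more than ten times bytes_in. Returns the
    findings sorted by outbound volume, largest first."""
    totals = defaultdict(lambda: [0, 0])  # key -> [bytes_in, bytes_out]
    for ts, src, dst, b_in, b_out in parse(log_text):
        key = (ts.date().isoformat(), src, dst)
        totals[key][0] += b_in
        totals[key][1] += b_out

    findings = []
    for (day, src, dst), (b_in, b_out) in totals.items():
        reasons = []
        if dst not in baseline and b_out >= threshold:
            reasons.append("large upload to unseen destination")
        if b_out > 10 * max(b_in, 1):
            reasons.append("upload-shaped ratio")
        if reasons:
            findings.append({"day": day, "src": src, "dst": dst,
                             "bytes_out": b_out, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["bytes_out"])


if __name__ == "__main__":
    for f in find_exfil_candidates(SAMPLE_LOG):
        print(f["day"], f["src"], "->", f["dst"],
              f"{f['bytes_out'] / 2**20:.0f} MiB;", "; ".join(f["reasons"]))
```

The second finding in the sample, an upload-shaped flow to a known destination, is the kind of lower-confidence hit a backup job or file sync produces; keep it, but rank it below transfers to destinations you have never seen. Run the check over every day’s logs, not only when someone happens to be looking at the console.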

The aftermath

At this point, Corp X knew how the intruder had gained access, how long he’d remained undetected, how much sensitive data he’d collected and how he was exfiltrating that data.

Now it was time to respond. And it wasn’t going to be easy.

Once they’d determined the scope of the crisis, Corp X began setting up an incident response process.

This involved:
- Taking potentially breached systems offline
- Freezing compromised accounts
- Setting up network access restrictions

As the forensic investigation progressed, it became clear just how much data had been exfiltrated from Corp X. So a major incident management process was initiated.

It was at this point that Corp X’s leadership team was first informed about what had happened – how a major data breach had occurred and that private customer data had been stolen by a then unknown third party.

The next decision made was to inform stakeholders and – due to the nature of the data leak and Corp X’s client base – financial supervisory authorities. So during the weeks that followed, Corp X’s leadership team would have to give the incident their full attention.

Next, contingency and recovery plans were drawn up, the legal department was brought in and briefed, and stakeholder communications and official company statements were drafted. Soon after, the first customer communications were sent out.

The floodgates open

As you’d imagine, Corp X received a deluge of client demands. Key account managers and service representatives were hammered with questions from unnerved customers.

After breaches like this one, everyone’s focus shifts. The single most important thing at this point is to make sure you communicate the right things and understand the best way to communicate them.

‘What happened?’
‘How did it happen?’
‘When did it happen?’
‘Why did it happen?’
‘How does it affect me?’
‘How are you going to fix the situation?’
‘When are you going to fix the situation?’
‘Are there any legal implications?’

Everyone’s overworked

The legal department, communications department, incident response team and leadership team all worked themselves into the ground trying to feed the appropriate answers to all these questions.

In fact, it was only months later that the panic slowly began to subside at Corp X.

Clear communications were sent to customers, legal processes were understood and initiated, forensics were completed, and systems were slowly recovered to normal. Employees that had been fully focused on reacting to the incident were able to get back to their normal jobs. Those affected by the incident response measures could, once again, get back to work.

The importance of a clear plan for crisis management

During a major incident like this one, the more facts about the severity of the situation come to light, the more panic starts to set in. Multiple departments get tied up, employees and leaders have to stop thinking about their day-to-day business and customers get increasingly irate.

Often, critical systems and services need to be shut down, leaving some staff without the tools they need to work. Everyone involved is usually fatigued and stressed. It’s during these moments that you realize how important it is to have a clear plan for crisis management.

Think about it: every company conducts fire drills, however infrequently. They’re important because they make sure everyone knows how to react in the event of an actual fire – before the fire happens.

But when it comes to cyber security, most companies have no clue what they should do when something goes wrong. By defining a clear plan for crisis management and then rehearsing that plan, you ensure everyone – from the top down – knows what they need to do to ensure safety and get back to work as soon as possible.

That might sound paranoid, but what’s more likely to happen, a fire or a breach?

The fallout

It took over six months to get from the moment the breach was first noticed to the moment its impact was fully understood. Unfortunately, the story didn’t end there.

Corp X suffered substantial losses from this incident. Some of them are easily quantifiable: business and productivity losses during the escalation period, closed customer accounts, incident response costs and up-front legal fees were all fairly easy to calculate.

But the long-term reputational repercussions are a whole lot harder to measure. In fact, Corp X is still involved with ongoing legal proceedings.

The data that was stolen is still in the hands of the thieves, and it remains to be seen whether any of it will be leaked to the public, or used against the company in some other way (it’s not uncommon for companies to be held to ransom).

Even a full six months after the intrusion was discovered, Corp X still has a massive mess to clean up.

Moving forward

During the weeks and months that followed, Corp X performed a full risk assessment analysis and put major plans in place to improve their security.

These plans included additional hardening of infrastructure, new security awareness measures, improvements to the company’s security culture, and recovery plans for future incidents.

[Figure: The timeline of Corp X’s attack. Y axis: stakeholder focus / demand on resources; X axis: time. The events marked on the timeline (numbered 1 to 21 in the original figure, in an order not preserved here) are:]

- IT discovers the anomaly
- The threat is escalated to Security Monitoring and Incident Management (MIM)
- Internal stakeholders are notified
- Clients begin demanding an explanation
- The CMT briefs affected business units
- The Incident Response Team (IRT) gets involved
- The Financial Services Authority (FSA) demands information
- The National Data Privacy Ombudsman demands information
- The comms teams start preparing statements
- An external PR company is brought in
- The 1st forensics report reveals the breach is larger than expected
- The issue is escalated to the management team
- The CEO starts preparing a statement
- Corp X freezes certain processes
- The CMT isolates a suspected system
- Corp X reports to the FSA
- Closed accounts start to hinder internal operations
- A major security improvement program is initiated
- Two risk assessments are conducted
- Corp X starts scoping its new security program
- The IRT, MIM and CMT are organized

Five big lessons from Corp X’s experience

No two companies are identical. But there are a lot of lessons to be learned from breaches like Corp X’s.

Here are five big ones:

1. Static defenses aren’t enough.

No matter how many static defenses you put in place, a persistent attacker can always breach your perimeter. This isn’t to say your investments in things like endpoint protection, anti-virus and anti-malware software aren’t necessary.

They absolutely are. They just can’t be the only protection you count on.

A bulletproof vest is necessary – it just doesn’t make you invincible.

2. When it comes to breaches, speed is of the essence.

Since you can’t stop every perimeter breach, your focus needs to be improving the speed with which you react to issues.

If Corp X had caught their breach within minutes or hours (rather than months) the intruder wouldn’t have had nearly enough time to acquire the data he needed. Speed’s also about making sure you plug similar holes before an intruder tries again.

3. Define a contingency plan for cyber attacks.

Few companies have a clear contingency plan for cyber attacks. As we mentioned earlier, without one you don’t know what the consequences of shutting down network connections, freezing user accounts and taking critical resources offline will be.

A coherent plan accounts for worst-case scenarios before they happen so you’re ready to act in case they ever do.

4. Investigations start with great forensics.

Intruders will always try to cover their tracks and hide where they’ve been, what they’ve had access to, and what they’ve done. Being able to trace an incident back to its starting point is the only way to fully understand what happened, what needs doing and which next steps to take.

As Corp X’s IT team found out, without the right forensic methods and tools, their hands were tied.

5. Cyber security is all about threat intelligence.

Unless you have access to threat intelligence data – samples, indicators of compromise, and an extensive knowledge of the tactics, techniques and procedures (TTPs) used by attackers – you can’t know how to react.

But it isn’t just about the data – it’s about having the human expertise to use that data.
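What ‘having threat intelligence’ looks like day to day is mostly matching: indicators from a feed compared against your own telemetry, with the human judgement applied to what the matches mean. The Python below is an added example, not from the eBook, built on a constructed four-entry feed (two network indicators, a file hash and an expired indicator), constructed proxy lines and a constructed endpoint hash inventory. It drops indicators past their validity date, compares network indicators against the URL host rather than the raw line, and ranks hits by the feed’s confidence.

```python
"""Added example, not from the eBook: matching a small threat intelligence
feed against local telemetry. The feed, proxy lines, machine names and
hash inventory are constructed; the SHA-256 value is a made-up string,
not a real sample hash."""
from datetime import date
from urllib.parse import urlsplit

# Constructed feed: (type, value, confidence 0-100, valid_until)
IOC_FEED = [
    ("ipv4", "198.51.100.77", 90, "2016-06-30"),
    ("domain", "cdn-metrics-update.example", 70, "2016-06-30"),
    ("sha256", "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b",
     95, "2016-06-30"),
    ("ipv4", "192.0.2.250", 40, "2015-01-31"),  # expired before the demo date
]

# Constructed proxy log: ts src method url status
PROXY_LOG = """\
2015-10-06T11:47:22 10.20.5.41 GET http://cdn-metrics-update.example/u 200
2015-10-06T11:48:03 10.20.5.41 POST http://198.51.100.77/api/v1/upload 200
2015-10-06T12:01:17 10.20.7.12 GET http://www.example.com/ 200
2015-10-06T12:02:40 10.20.7.12 GET http://192.0.2.250/ping 200
"""

# Constructed endpoint inventory: machine -> {path: sha256}
ENDPOINT_HASHES = {
    "CFO-LAPTOP": {
        "C:\\Users\\cfo\\AppData\\Roaming\\svchost.exe":
        "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b",
    },
    "HR-PC-07": {"C:\\Windows\\System32\\svchost.exe": "0" * 64},
}

DEMO_TODAY = date(2015, 10, 7)


def active_indicators(feed, today):
    """Drop indicators past their validity date. Stale indicators are a
    common source of false positives once attacker infrastructure is reused
    by someone else."""
    return [(t, v, c) for t, v, c, until in feed
            if date.fromisoformat(until) >= today]


def match_iocs(feed, proxy_log, endpoint_hashes, today):
    """Return findings sorted by indicator confidence, highest first.
    Network indicators are compared against the URL host of each proxy
    line, not substring-matched against the whole line, so that
    '192.0.2.25' cannot fire on '192.0.2.250'."""
    active = active_indicators(feed, today)
    net = {v: (t, c) for t, v, c in active if t in ("ipv4", "domain")}
    hashes = {v: c for t, v, c in active if t == "sha256"}
    findings = []

    for line in proxy_log.splitlines():
        ts, src, method, url, _status = line.split()
        host = urlsplit(url).hostname
        if host in net:
            t, c = net[host]
            findings.append({"type": t, "indicator": host, "confidence": c,
                             "host": src, "where": f"{ts} {method} {url}"})

    for machine, files in endpoint_hashes.items():
        for path, digest in files.items():
            digest = digest.lower()
            if digest in hashes:
                findings.append({"type": "sha256", "indicator": digest,
                                 "confidence": hashes[digest],
                                 "host": machine, "where": path})

    return sorted(findings, key=lambda f: -f["confidence"])


def run_demo():
    """Match the constructed feed against the constructed telemetry."""
    return match_iocs(IOC_FEED, PROXY_LOG, ENDPOINT_HASHES, DEMO_TODAY)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit["confidence"], hit["type"], hit["indicator"],
              "on", hit["host"], "at", hit["where"])
```

On the sample data the expired indicator produces no hit even though a matching request is in the log, which is the behaviour you want from a feed that is curated rather than just appended to. The three remaining hits all point at the same two assets, the CFO’s laptop and the host that talked to the upload server, which is the kind of pivot that tells an investigator where to start.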

Getting cyber security right

Needless to say, this isn’t the kind of learning experience anyone at Corp X wants to repeat.

But here’s the thing: nothing that happened to Corp X can be considered out of the ordinary. Attacks like this happen all the time. And they don’t use any particularly advanced techniques or technologies. The attacker just needs to be patient and persistent. If the first group of victims hadn’t taken the bait, another group would’ve.

What’s far less common is for these kinds of breaches to even get noticed.

As we mentioned, Corp X was lucky to spot what they did. And if they were like most other companies, they’d have had to wait for an external party like law enforcement to alert them to any suspicious activity.

It’s also worth noting that Corp X wasn’t a particularly exciting target from an attacker’s perspective. A lot of companies think they aren’t interesting enough to be targeted. But the reality is that even the most ‘ordinary’ businesses are viable targets.

(Again, we don’t bring any of this up to scare you.)

But the more we talk to companies about their breaches, the more we notice the same patterns.

The C-level invariably admits they treated cyber security like little more than an insurance policy. They’re always surprised the attack happened. They’re always the first to concede their risk management strategy wasn’t good enough. And they always wonder what could have been.

We hope learning about what Corp X got right (and wrong) helps you figure out what your company needs to get cyber security right. This is too important to ignore. And too many corporate leaders are flying blind.

We’re F-Secure, and we’ve been part of the security industry for over 25 years. It’s why we’ve become a trusted advisor to both industries and EU law enforcement agencies across Europe.

In fact, we’ve been involved in more European crime scene investigations than any other company on the market.

Our Cyber Security Services help companies react faster, learn more and respond more intelligently to threats and breaches of all sizes. So if you’re one of the smart ones and you’re getting serious about cyber security, we should talk.

Next in the Cyber Security Insider series

In the second part of the Cyber Security Insider series, we’ll take a look at what CISOs in Europe are doing in order to prepare their companies to handle the type of advanced threats we’ve talked about.