Rapid remote response shuts down hacker
The challenge:
A global organisation approached CCL to assist with a suspected data breach. Given the international status of the client, CCL was engaged to respond to the incident, remotely. The client’s security team had identified an irregularity on their network and were suspicious that they had experienced a cyber attack. Although they were able to identify the irregularity and the servers involved almost immediately, they did not know how severely their systems had been compromised. Additionally, they had no knowledge on how long the threat had been present, which files had been accessed, nor how the server was accessed in the first place.
Although CCL have an international collections team, in this instance, the client team removed the compromised machines, took images of the virtual machines and sent them securely to the cyber security experts at CCL.
Overcoming the challenge:
The extraction of data for a digital forensic examination can be a slow process and this case required a quick reaction. Instead, our experts were able to implement a modern approach, incorporating forensic data acquisition and threat hunting determined by their hypotheses, to understand not only the result of the attack via Indicators of Compromise (IOC) but also the how and why.
Our experts achieved this through the use of multiple advanced tools and were able to communicate this to the client via methodologies, including Cyber Kill Chain and MITRE ATT&CK Framework, a knowledge base for hackers’ tactics, techniques and procedures (TTP). This assisted the team in determining that the hacker gained access via a zero day on an unpatched plugin and proceeded to download archived files, rather than personal data – suggesting their motivations were opportunistic rather than malicious. Luckily.
Our experts examined the artefacts, tracked the adversary’s lateral movements across the network, analysed and documented the TTP and produced a final report for the client.
The result:
Once our experts had produced the report, they then flew overseas to deliver the final report and discuss the lessons learned across all teams that contributed to resolving the breach. The ability to put in place a proactive Response Capability plan is often as important as the analysis and can be used to contribute to overall resiliency in the future.