The response in this story is based on a real incident that The Instillery Security Intelligence team recently worked on; however, names & details have been changed to protect the identities of the victim & their organisation. We also sought approval from the affected customer prior to writing this article.
It's 9:30 pm on a Friday night and Luke is absolutely pumped. His heart's racing and adrenaline is coursing through his veins. He looks over at his good friend, Dale, who grins back and asks, "one more?". Luke & Dale are out on the town. Well... sort of.
On the outskirts of Auckland’s CBD, Luke & Dale are eyeing up and breaking into cars with valuable belongings. Of especially high value tonight are laptops. A friend of theirs has given them a USB stick and instructions that will help them get more bucks for their bang.
They take their haul back to the flat and use the USB stick and instructions to brute force their way into the laptops’ user accounts. From there they look at saved passwords and logged-in sessions on various Internet browsers.
"Here's a live one", says Dale as he discovers the account is currently logged in to eBay and Trade Me. They use the stored credentials saved in these services to purchase digital goods like gift cards and subscriptions. They also have some physical goods sent to a house down the road that's currently being renovated so the owners aren't there.
Welcome to the new age of the Kiwi criminal, where a physical ‘smash and grab’ can turn into a cybercrime.
It's now 9:30 am on Monday morning and The Instillery Security Intelligence team receives a request from one of our managed SOC (Security Operations Centre) customers. One of their staff has had their laptop stolen during a car break-in on Friday night.
The laptop contained sensitive data and the customer is concerned that the information may have been leaked or otherwise abused. Has sensitive information been accessed? Have they had a privacy breach that they would need to report? Or has the device simply been wiped and sold off? The customer contact, Glen, discusses his concerns with his contact at The Instillery and asks that our SOC team investigate.
Utilising the three overlapping fields of visibility (system activity, network activity and cloud user activity), along with the NIST Security Incident Response framework, our SOC team quickly pieced together what happened to that fateful laptop before it was remotely disabled & wiped.
CrowdStrike logs showed that the attackers did indeed circumvent the login protections on the device and accessed the victim’s account. They also showed that the thieves didn't bother looking at locally stored files: the only programs they opened were the Internet browsers. Moving to the network logs via Zscaler, the investigative team found that multiple websites were accessed, ranging from social media platforms to Microsoft Office 365 to various banks and online marketplaces. While Zscaler recorded only minimal activity on most sites, the team saw extended activity on eBay & Trade Me. Finally, the team confirmed what happened during the Microsoft Office 365 activity by using LogRhythm’s Cloud log analytics capabilities. These showed that M365 was accessed only via the home screen that loaded when the browser was started; the thieves didn't access any other services or data in the customer’s Cloud environment.
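The three-source triage described above, as an added illustration that is not The Instillery's tooling or the customer's real logs: constructed endpoint, web-proxy and M365 audit records (all timestamps, domains and operation names are hypothetical) are merged into one timeline, the proxy records are reduced to the sites with sustained activity, and the cloud records are checked for anything beyond the sign-in that a portal home screen triggers.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records for a stolen-laptop triage (hypothetical values,
# not the customer's logs). Three sources: endpoint (EDR), web proxy, M365 audit.
ENDPOINT = [
    ("2020-01-10T21:48:02", "endpoint", "logon: local account unlocked"),
    ("2020-01-10T21:49:10", "endpoint", "process start: chrome.exe"),
]
PROXY = [  # (timestamp, domain requested)
    ("2020-01-10T21:49:15", "login.microsoftonline.com"),
    ("2020-01-10T21:49:16", "www.office.com"),
    ("2020-01-10T21:50:01", "www.facebook.com"),
    ("2020-01-10T21:51:30", "www.ebay.com"),
    ("2020-01-10T21:53:02", "www.ebay.com"),
    ("2020-01-10T22:04:45", "www.ebay.com"),
    ("2020-01-10T22:06:10", "www.trademe.co.nz"),
    ("2020-01-10T22:19:40", "www.trademe.co.nz"),
    ("2020-01-10T22:20:05", "bank.example.nz"),
]
CLOUD = [  # (timestamp, M365 audit operation, workload)
    ("2020-01-10T21:49:17", "UserLoggedIn", "AzureActiveDirectory"),
]
# Operations that only reflect the portal home screen loading in a browser.
HOME_SCREEN_OPS = {"UserLoggedIn"}

def parse(ts):
    return datetime.fromisoformat(ts)

def build_timeline():
    """Merge the three visibility fields into one time-ordered list."""
    events = [(parse(t), src, d) for t, src, d in ENDPOINT]
    events += [(parse(t), "proxy", dom) for t, dom in PROXY]
    events += [(parse(t), "cloud", f"{op} ({wl})") for t, op, wl in CLOUD]
    return sorted(events)

def extended_sites(min_requests=2, min_seconds=300):
    """Domains with repeat requests over a sustained window: the sites the
    thieves actually spent time on, not just home-page or bookmark loads."""
    seen = defaultdict(list)
    for t, dom in PROXY:
        seen[dom].append(parse(t))
    return sorted(d for d, ts in seen.items()
                  if len(ts) >= min_requests
                  and (max(ts) - min(ts)).total_seconds() >= min_seconds)

def cloud_data_access():
    """M365 operations beyond the sign-in that the home screen triggers;
    an empty list means no mailbox/SharePoint/OneDrive data was touched."""
    return [op for _, op, _ in CLOUD if op not in HOME_SCREEN_OPS]

if __name__ == "__main__":
    for t, src, detail in build_timeline():
        print(t.isoformat(), src, detail)
    print("extended activity:", extended_sites())
    print("cloud data access:", cloud_data_access())
```

With these inputs the only sustained activity is on the two marketplaces and the cloud check comes back empty, which is the shape of answer the customer needed for the privacy-breach question.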
Armed with the information that none of the customer’s sensitive data was accessed, but that the victim of the theft would want to review activity on their personal Trade Me & eBay accounts, The Instillery Security Intelligence team sent an initial report with details of these findings back to Glen as soon as possible. A full incident report, including a number of recommendations to reduce the risk of such an attack happening again, was sent and discussed later.
The victim later confirmed that they found fraudulent activity on their eBay & Trade Me accounts which they had reported to their credit card provider.
Assess where your information is held at rest and ensure it's encrypted while there. This is especially important for end-user devices like laptops & phones which we take everywhere with us and are at greater risk of being stolen. Implement a comprehensive password policy and educate staff on using passphrases, rather than easily guessable passwords, and never writing passwords down.
A strong security posture should encompass an ‘assumed breach’ stance. With that in mind, a layered defence approach means that your business will be prepared for cyber incidents irrespective of how good its protections and controls are. The key to this layer of protection is to ensure you have the right people, processes and tools in place to detect and respond to cybersecurity incidents across your entire environment. This will include monitoring tools like the ones discussed above, people with the right skills who can investigate security incidents at a moment’s notice, and finally, security consultants who can ensure your business has the right skills and tools and that they are being properly utilised. The demanding nature of this work and the need to remain constantly informed of the latest cyber security developments mean that most organisations outsource these skills to a third-party SOC service.
Cyber security isn't only about detecting and preventing the bad guys from getting access to or tampering with your data. It's also about keeping that data available to legitimate users whenever they need it. Making use of backup services and ensuring end-user devices are using Cloud storage services like OneDrive will enable an immediate return to operation should a security incident, such as the theft of a laptop, occur.
As mentioned earlier, this was a real threat that our customer and our team had to respond to and all the above steps and insights were only possible because the right people, tools and controls were in place. Whether the tactics of local Kiwi criminals are becoming more sophisticated is yet to be seen but these incidents cannot be ignored. If your business lacks the layered protection framework mentioned above or if you have any questions on the incident and response itself, then please feel free to reach out to us.