In a new series of articles, we’ll take a look at real security breaches that have affected our customers.
With bad actors using increasingly sophisticated methods to breach corporate security, these features will shine a light on the varied ways that companies are under attack.
This story outlines how a recent real-life incident unfolded, the response, and the actions taken to prevent similar incidents in the future.
Triggering the alarm
Ben, one of our cyber security analysts, was carrying out routine monitoring of client security.
Helix, our cybersecurity monitoring platform, helps flag potential issues faster for analysts like Ben, and it was there that he noticed something strange: a client’s account showed successful logins from Nigeria.
This immediately raised concerns for Ben, who delved deeper. He knew the client had no operations in Nigeria, so unless the user was travelling, this was concerning activity.
Ben leapt into action to analyse and respond to this potential incident. He knew time was of the essence and every moment counts when you need to neutralise an active threat.
The incident response – as it happened
The first 20 minutes
Ben knows those first moments are critical in response to a potential breach.
Any back-and-forth over email, additional information gathering, or confusion about what to do will only slow response and potentially reduce the effectiveness of countermeasures.
As such, he knew it was important to gather all the necessary facts and present them clearly so that a response could be formed.
He compiled a summary of relevant information such as the account affected, times of logins, IP addresses and an initial assessment of resources accessed by the potential intruder.
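As an added illustration of the triage behind that summary (example code, not Helix or any CloudClevr tooling), the following flags successful sign-ins from outside an expected set of countries and groups them into the account, login-time, IP and resource fields; the sign-in records, their field names and the expected-country list are constructed assumptions, not a Microsoft 365 log format.

```python
"""Added example, not Helix or CloudClevr code: first-pass triage of sign-in
records. Flags successful sign-ins from outside an expected set of countries
and groups them into the report fields (account, login times, source IPs,
resources accessed). Records and field names are constructed assumptions,
not Microsoft 365's sign-in log schema."""
from collections import defaultdict

# Constructed sample sign-in records (invented users, IPs, times, countries).
SIGN_INS = [
    {"user": "a.user@example.edu", "time": "2024-01-10T08:02:11Z",
     "ip": "203.0.113.10", "country": "GB", "success": True, "app": "Outlook"},
    {"user": "a.user@example.edu", "time": "2024-01-10T23:41:05Z",
     "ip": "198.51.100.7", "country": "NG", "success": True, "app": "SharePoint"},
    {"user": "a.user@example.edu", "time": "2024-01-11T00:15:42Z",
     "ip": "198.51.100.7", "country": "NG", "success": True, "app": "Outlook"},
    {"user": "b.user@example.edu", "time": "2024-01-11T01:03:00Z",
     "ip": "198.51.100.9", "country": "NG", "success": False, "app": "Outlook"},
]

EXPECTED_COUNTRIES = {"GB"}  # assumption: the client only operates in the UK

def suspicious_sign_ins(records, expected=EXPECTED_COUNTRIES):
    """Successful sign-ins whose source country is outside the allow list.

    Failed attempts from unexpected countries are not counted as compromise;
    after the response they are the signal that countermeasures are holding.
    """
    return [r for r in records if r["success"] and r["country"] not in expected]

def incident_summary(records, expected=EXPECTED_COUNTRIES):
    """Group flagged sign-ins per account into the fields the report needs."""
    acc = defaultdict(lambda: {"times": [], "ips": set(), "apps": set(), "countries": set()})
    for r in suspicious_sign_ins(records, expected):
        e = acc[r["user"]]
        e["times"].append(r["time"])
        e["ips"].add(r["ip"])
        e["countries"].add(r["country"])
        e["apps"].add(r["app"])  # first clue to which resources were accessed
    return {user: {"first_seen": min(e["times"]), "last_seen": max(e["times"]),
                   "login_count": len(e["times"]), "ips": sorted(e["ips"]),
                   "countries": sorted(e["countries"]), "apps": sorted(e["apps"])}
            for user, e in acc.items()}

if __name__ == "__main__":
    for user, s in incident_summary(SIGN_INS).items():
        print(f"{user}: {s['login_count']} sign-ins from {s['countries']} via "
              f"{s['ips']} ({s['first_seen']} to {s['last_seen']}); apps {s['apps']}")
```

The failed attempt from the second account is deliberately left out of the compromise list: it belongs in a separate count of blocked attempts, which is the metric that later confirmed the password change was working.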
20 minutes later – the wider team is notified
Ben circulated his report to his team for their review.
He advised that the client be contacted immediately to check whether the access was legitimate and, if not, that the account be locked down immediately, with a password reset and an access reset.
Legitimate access could not be ruled out at this stage; however, the behaviour was concerning and needed investigating. Ben’s colleague Lee initiated an incident report and asked that the client be contacted immediately to ascertain if the access was legitimate.
40 minutes later – the customer is informed
We contacted the client, providing them with everything we found about the potential incident and advice on what to do if it was a security breach.
We outlined a number of steps for immediate counter-response, including immediately changing the user’s passwords, conducting security scans of the user’s devices, and checking the user’s mailboxes for malicious actions such as new mailbox rules.
While the customer was investigating the potential breach, we reassured them that we were now actively tracking the incident and continuing to monitor Helix, the customer’s Microsoft 365 real estate, and the user’s account.
60 minutes later – action is taken
As an immediate counter-response, the customer confirmed that it had blocked the country’s IP ranges from access. Within an hour of a CloudClevr team member noticing the activity, the client was on the case and had taken countermeasures.
With the IP ranges blocked, they could move on to the other actions suggested.
Post-event analysis
The customer arranged an internal meeting to evaluate the breach. Meanwhile, we continued to monitor and respond to the incident.
As part of the investigation, it was established that the breach was caused by a phishing email sent to the user’s personal account.
From there, the attacker compromised the user’s bank account and was able to exfiltrate PII (personally identifiable information) documents from the corporate systems.
Logs continued to be monitored, and further login attempts were made on the affected account, but thanks to countermeasures such as the password change, they were unsuccessful.
We thoroughly investigated the user’s mobile and laptop for any signs of further intrusion and performed in-depth scans for malware, encrypted files, or other suspicious software.
Nothing was found, and while the devices weren’t the point of intrusion, we recommended that they be wiped anyway for full peace of mind.
As part of our in-depth investigations, we also found evidence of email inbox rules being created and helped the customer resolve these residual issues. The user was advised to change all their passwords, including those for personal services.
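Checking for the kind of residual inbox rules mentioned above can be scripted once the rules have been exported; the following is an added example, not CloudClevr's own tooling, and its rule records, field names, internal domain, folder list and keyword list are all constructed assumptions rather than the Exchange or Microsoft Graph rule schema.

```python
"""Added example, not CloudClevr's code: triage of a mailbox's inbox rules for
the patterns an attacker typically leaves behind after compromising an account.
The rule records are constructed to resemble an exported rule list; their
field names are an assumption, not the Exchange or Microsoft Graph schema."""

INTERNAL_DOMAINS = {"example.edu"}  # assumption: the client's own mail domain
# Folders commonly used to park mail the mailbox owner will not notice
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history"}
# Subject keywords that suggest interception of finance or credential mail
WATCH_KEYWORDS = {"password", "invoice", "payment", "bank", "security alert"}

# Constructed sample rules (invented names and addresses)
RULES = [
    {"name": "Team updates", "forward_to": [], "delete": False, "mark_read": False,
     "move_to": "Projects", "subject_contains": ["weekly"]},
    {"name": ".", "forward_to": ["collector@attacker.example"], "delete": True,
     "mark_read": True, "move_to": "RSS Feeds",
     "subject_contains": ["password", "invoice", "payment"]},
    {"name": "HR", "forward_to": ["hr@example.edu"], "delete": False,
     "mark_read": False, "move_to": None, "subject_contains": []},
]

def rule_findings(rule, internal=INTERNAL_DOMAINS):
    """Return the reasons a single rule looks suspicious (empty list if none)."""
    findings = []
    external = [a for a in rule["forward_to"]
                if a.rsplit("@", 1)[-1].lower() not in internal]
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))
    if rule["delete"] or rule["mark_read"]:
        findings.append("hides mail from the owner (delete or mark-as-read)")
    if rule["move_to"] and rule["move_to"].lower() in HIDING_FOLDERS:
        findings.append(f"moves mail to rarely checked folder '{rule['move_to']}'")
    hits = [k for k in rule["subject_contains"] if k.lower() in WATCH_KEYWORDS]
    if hits:
        findings.append("filters on sensitive subjects: " + ", ".join(hits))
    if len(rule["name"].strip()) <= 1:
        findings.append("near-empty rule name")
    return findings

def triage_rules(rules, internal=INTERNAL_DOMAINS):
    """Map each suspicious rule's name to its findings; clean rules are omitted."""
    report = {}
    for r in rules:
        findings = rule_findings(r, internal)
        if findings:
            report[r["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in triage_rules(RULES).items():
        print(f"rule {name!r}: " + "; ".join(findings))
```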
Lessons learned
The corporate systems were not the source of entry; it was a phishing attack on the user’s personal account. This means that something out of the client’s control was the initial source of the data breach.
This demonstrates that employee education on security best practice can’t cover corporate systems alone; it must take a wider approach to security.
It’s important to continue to raise awareness around suspicious emails, which are becoming more sophisticated and targeted to gain information. This should be part of building a security-first culture for employees.
It also reinforces the need to get the basics right. Strong passwords are needed, and different passwords should be used across corporate and personal accounts. Using a password manager will help improve password diversity and strength.
Multi-factor authentication should be implemented wherever possible, so that a password a bad actor has brute-forced or otherwise obtained is not enough on its own to gain access.
A successful response to a security breach
While prevention is best, it’s not always enough, particularly when any employee can become a potential attack vector through social engineering.
That’s why services like our managed cybersecurity are on hand to look out for dangers proactively, like the one illustrated here.
“This client is in the education sector, and it’s a worrying fact that organisations involved in education are often a target for hackers”, said Simon Hearne, Head of Cyber Security at CloudClevr.
“No system can be foolproof. However, with the right security posture, tools and a mixture of proactive monitoring and response, this outcome is a testament to how organisations can tackle issues before they have a chance to escalate into something much worse,” concludes Simon.