Infopercept Briefings: We, Infopercept, are a leading Managed Security Services Provider. We advise our clients on measures to strengthen their cyber security. Cyber security crisis management and rapid incident response are among the key areas we address.
We have created this case study to show how breaches occur, how incident response teams respond, and the remedial actions that follow. The case study is based on real events, but because of the sensitive nature of the incident, names have been concealed and certain facts about the company have been fictionalized.
BACKGROUND: A financial company dealing in banking services and credit card businesses is headquartered in the Middle East, with many branches spread across several cities. There were talks of a mega merger. On a Wednesday afternoon, just before a 3-day weekend, the CIO received a ransom email from an unknown entity stating that they knew about the merger plans and also held personal data of more than 2 lac customers.
As a sample, the private details of five hundred customers were enclosed in the ransom email as “proof”. The threat: unless a major ransom was paid in Bitcoin, they might leak the merger plans and sell the client information. Along with a legal firm, Infopercept, as a Managed Security Services Provider, was appointed to manage and advise on the incident response. We commenced work right away, assisted by expert teams, to assess and measure the severity of the threat.
FIRST RESPONSE: Our “Security Optimization Centre” was engaged as a first step to validate the threat. We found a discussion on a hacker website on the dark net that advertised the availability of personal information of 2 lac account holders of our client. Personal details of 500 customers were again provided as proof.
“To catch a thief you must think like a thief” is an age-old saying.
The RED TEAM of Infopercept works on this proverb. Although simple in nature, it is the core strategy of Infopercept, and it is put into practice as soon as the security audit is completed.
The RED TEAM MEMBERS are our Ethical Hacking Consultants: experts who test various aspects of an organization’s network in order to identify and resolve vulnerabilities.
Our team plunged into action, and within a few hours they were able to record and safeguard the relevant server logs. The malware, which was still active on our client’s network, was identified and neutralized immediately; a big crisis was averted and further damage prevented.
Even as these activities were occurring, all the communication channels used between the customer, the advocates and the forensic analysts were secured simultaneously.
After thorough analysis of the compromised sample data, we concluded that it was indeed the client’s data and that security had been breached.
On further analysis of the server logs, we found that in reality only the personal data records of 500 employees were missing and the rest of the data was safe. This also led us to doubt whether the hackers had any reliable information about the merger.
REPORTING AND COMMUNICATIONS: Even as the cyber team was securing the network, another team began drafting and implementing guidelines for the various communications and reports that had to be produced. Immediate action was taken to communicate with the relevant authorities, the 500 affected customers, other staff members and so on.
It had become clear that, apart from the data of the 500 customers, the hackers did not hold any other data or any information about the upcoming merger. Thus, by consensus among the company, the legal team and us, it was decided not to pay the ransom.
But action had to be taken regarding the leaked data. As it contained the customers’ names, contact details, email addresses and so on, it was decided to inform them of the breach and caution them against falling prey to fraudulent emails or calls. The customer care executives were also informed and prepared to handle queries on the matter.
A press conference was called and the relevant details were released. The concerned authorities, such as the monetary authority and the administrative authority, were briefed within 24 hours of receipt of the ransom email; this was done even before the customers were informed of the breach.
We wanted to ensure that the line of communication was transparent from the beginning to the end of the investigation, so that the legal team, the security team members and the government authorities were all on the same page and there was no miscommunication.
We further established that from then on information would be shared among the involved parties with regular updates. We advised the customers to strengthen their online security, stay alert to any unusual activity and inform the security team of anything suspicious.
FURTHER INVESTIGATION & INQUIRIES: Listed below are the findings of our investigation, together with our answers to the queries raised to us.
Modus operandi of the hackers: The CEO of our client company travelled a lot and was also involved in many CSR (Corporate Social Responsibility) activities and initiatives. An Executive Assistant (EA) was assigned to handle all communication through email. On what looked like a regular day, the EA received an email requesting sponsorship, with the applicant’s profile attached. The unsuspecting EA downloaded the attachment, which let the malware into the system and put the whole network at risk.
Non-deployment of IT staff 24x7: Although important security measures such as antivirus and firewalls were in place and delayed the breach, they were not sufficient to stop the hack. As the attack was deliberately timed for the weekend, the log alerts went unnoticed and there was no one to act on them.
Lack of Competent Technical Resources: Given the size of the corporation, the resources allocated to security were proportionally very small. This was a glaring loophole in the entire security framework.
Security Audit: It was also learned that no one was looking after the firm’s security audit, which is essential to stay on top of the game. So the first thing we suggested and implemented was putting a team in place to carry out regular audits and all other compliance work.
Benefits of Security Audit: We reiterated to the client the importance of a regular security audit. Its main benefit is identifying vulnerabilities or gaps in the system and rectifying them before any untoward incident occurs.
Outsourcing of WEB PORTAL & Applications: The design and implementation of the client’s website had been given to a third party. Naturally this gave rise to security concerns, but we allayed their fears.
Loopholes in Cyber Security: In spite of a number of cyber security measures protecting the websites, applications and external network, three glaring vulnerabilities were spotted by our team and brought to the company’s notice.
WEAKLY ENCRYPTED INTERNET TRAFFIC: The most shocking observation was the absence of HTTPS (encrypted internet traffic) on a login form on the website. This glaring error left the network vulnerable and made it easy for attackers to capture customers’ usernames and passwords whenever they logged in on this page, so our client’s customers’ accounts may have been compromised. The customers were bank account holders and credit card holders of our client, and those accounts were at great risk of compromise.
Bridge between our CLIENT and the AMALGAMATOR: As the incident was out in the open, everyone, including the buyers who were party to the merger, had become aware of the security breach. Although a lot of damage control had been done, it was still necessary to convince the buyers that the network was secure. The client therefore asked us to play the role of “Security Advisor”. We represented the client and presented to the buyers’ board members and their cyber security team to demonstrate the security of the infrastructure. We explained in detail the reason for the hack, the lapses and the remedial action we had taken. Once they saw the security measures in place they were reassured and gave the green signal to proceed with the merger.
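The unencrypted login form above is the kind of finding a routine audit catches mechanically. The following is an added example (not Infopercept’s or the client’s code): it parses a fetched page and flags any form containing a password field whose page URL or resolved action URL does not use HTTPS. The host bank.example and the sample HTML are constructed for illustration.

```python
# Added example, not Infopercept's tooling: flag login forms whose credentials
# would travel over plain HTTP. Sample pages are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Records [action, has_password_field] for every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None  # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = [a.get("action") or "", False]
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def insecure_login_forms(page_url, html):
    """Return resolved action URLs of password forms that are not HTTPS.
    Flagged when the page itself came over HTTP (the form can be rewritten in
    transit) or the action resolves to a non-https URL (clear-text credentials)."""
    parser = _FormCollector()
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for action, has_password in parser.forms:
        target = urljoin(page_url, action)  # empty action posts back to the page
        if has_password and (not page_https or urlsplit(target).scheme != "https"):
            findings.append(target)
    return findings


# Constructed sample pages: the weak login page and its corrected counterpart.
WEAK_PAGE = ("http://bank.example/login", '<form action="/session" method="post">'
             '<input name="user"><input type="password" name="pw"></form>')
FIXED_PAGE = ("https://bank.example/login", '<form action="/session" method="post">'
              '<input name="user"><input type="password" name="pw"></form>')
```

Running `insecure_login_forms(*WEAK_PAGE)` reports the HTTP submission target, while the corrected page returns an empty list; a page served over HTTPS whose form posts to an http:// action is also flagged.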
SOLUTIONS AND CYBER SECURITY IMPLEMENTATION:
Security Audit: On auditing the security network, some 300 lapses were found and corrective actions taken.
Training of the resources: Our team shadowed the client’s IT team, trained them, and kept up the training for a period of 90 days.
OPTIMIZATION taken as an Approach: Our first step was optimization. We optimized the client’s resources and tools within the allocated budget and were able to deliver top-of-the-line security for their infrastructure.
Technology Optimization Centre: A Technology Optimization Centre (TOC) was set up for the client. As the client was in the banking sector, PCI DSS (Payment Card Industry Data Security Standard) controls were put in place to cover the transactions. A 90-day trial run was done and all activities were mapped.
Compliances: Compliance certifications were completed as per the norms required by SAMA (Saudi Arabian Monetary Authority) regulation. This was well appreciated by the client, as it underpins their credibility and provides grounds for continued licensing by SAMA.
Reengineering of the Processes and Systems: All the IT processes and systems were reengineered in chronological order. This streamlined operations and brought much relief to the client, who could now focus on their core business while leaving security management to Infopercept. From time to time the management sought reviews from us as well as from their IT team.
Tools used for Cyber Security: As per the client’s requirement, we implemented DARK WEB monitoring as the most reliable tool to secure the online transactions carried out by our client’s customers. Various Infopercept techniques were implemented, such as Deception technology for advanced attack detection. Moving Target Defense (MTD) was brought into action to control changes across multiple system dimensions, making it harder for attackers to compromise the network, stalling their attack and buying time to stop them from causing major damage.
After the great job done by Infopercept’s RED TEAM, BLUE TEAM, GREEN TEAM, PURPLE TEAM and PINK TEAM over 180 days, our client was extremely satisfied with the result. We were asked to look after their security systems and to set up their SOC, TOC and COC centres for a year. We further advised them to be alert to any suspicious activity and report it at once to our security team, and we taught them the remedial actions to take in case of a future attack. To strengthen their network, we asked them to segregate the network used for daily dealings from the network that stores sensitive data and information about their customers. We also worked closely with them in reframing their cyber security policies and procedures and raising awareness among their employees.