There’s a delicate balance to strike when you want to share stories in Information Security. It almost always involves clients, likely involves your own organization, possibly a competitor, or even a friendly business partner. This story involves most of the above, but we’ll protect the innocent because honestly, it doesn’t really matter WHO it is as much as WHAT happened. And, while anecdotes can be Interesting Stories to Learn From, they’re also just a single example of whatever it is the storyteller is trying to persuade you to believe or buy, so yes – YMMV - with this and any anecdote from anyone. With that disclaimer behind us, let’s walk through an Interesting Story to Learn From that BTB Security recently encountered.
It begins when BTB Security received a call from a prospective client about a potential incident, which is a fairly regular occurrence when you're in the business of InfoSec. We’ve had numerous conversations with this organization, whom we’ll call “Acme Corp” (really clever, we know), over the past few months, with the focus of the conversations around how BTB could help them improve their cybersecurity posture through our Managed Detection & Response service, RADAR.
We love RADAR, our RADAR clients love RADAR, but we also recognize that we're not the only game in town when it comes to security monitoring, and this particular prospect already had "a solution" - a very popular Enterprise Detection & Response (EDR) tool/solution. Which, fine, there are plenty of those on the market and they fill a particular need for many organizations… except this prospect was simply tired of triaging dozens, hundreds, even thousands of alerts on their own, hence the interest in RADAR.
The Limitations of EDR
But back to where this story moves from 'meh' background context to something actually interesting to you the reader. One of Acme's Development staff recently had a personal credit card compromised, which we later determined was likely connected to a compromise of their personal computer and even more interestingly – their Acme work computer and personal network router (more on how we came to know this below, pinky swear). This unfortunate victim was hacked up and down, left and right, but of course Acme could only see what was happening within the work computer that was protected by the EDR solution.
And oh boy, did the EDR generate alerts (yay!) to notify Acme InfoSec personnel of a malicious event - "one user account was compromised" was the determination by the EDR. So, Acme initially worked with the EDR provider who recommended they move-on as these kinds of events happen all… the… time. In fairness, they do - users get compromised with shocking regularity and in an InfoSec mature organization, these are, mostly, non-issues. However, Acme still had some questions about how their domain account was compromised (poor password?, shared password?, attacker luck?) and if the personal credit card and home machine compromise was connected. At this point, BTB Security joined the chat…
Tracing the Steps of a Hacker
Our FIRE and RIOT Labs teams jumped at the opportunity to assist in the investigation and, after gathering some initial data (e.g., logs/alerts, IP addresses involved) and installing our own endpoint agent, we noticed that Remote Desktop Protocol (RDP) was open on the compromised Acme workstation… not a standard or authorized configuration. Further digging with OSINT tools (Shodan, Censys) by BTB helped identify the compromise of the home router (because we knew the user's home network IP address), which had “port forwarding” for RDP enabled… another non-standard and totally suspicious configuration. Oh, and to add insult to injury, the router was fairly far behind in firmware updates.
I love it when a plan comes together - Hannibal, A-Team leader
For those keeping score… personal computer compromised -> personal credit card compromised -> Acme workstation compromised -> personal router compromised. Not necessarily in perfect order, but good enough to understand the broader context of the event.
Humans- Not Just Machines- Make the Difference
Using IR experience and intuition, knowing how attackers operate, going above and beyond, not accepting the easy answer - that's the difference with BTB Security and RADAR. Before engaging us, Acme knew they had one compromised account, but they had zero context, making further IR and business decisions less clear. BTB's FIRE and RIOT teams, with some smarts and a little bit of elbow grease, painted a much clearer picture of what occurred. The difference wasn't in the magical EDR tools built by Cambridge unicorns, AI/ML, SOAR, or some automated-continuously-orchestrated-cyber-visibility-threat-cloud… but in the People and Process.
Acme is now a happy client, and a soon to be RADAR client.
Interested in learning how BTB can help you improve your organization's security posture? Contact us today.