paint-brush
Reviewing a Security Incident: A Case Study in Investigation and Responseby@gtmars
151 reads

Reviewing a Security Incident: A Case Study in Investigation and Response

by VicJune 19th, 2023
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Every nation and organization have established a Computer Security Incident Response Teams (CSIRTs) to respond to and mitigate cyber incidents. Failure to implement and respond to incidents can negatively impact business operations, reputation, loss of revenue, lawsuits, and customer trust. The consequences of cyber incidents lead to legal action against the individual organization related to data privacy, breach notification, and national security.
featured image - Reviewing a Security Incident: A Case Study in Investigation and Response
 Vic HackerNoon profile picture

Abstract

Cybersecurity incidents have significantly grown in contemporary infrastructure and are rapidly becoming more diverse, disruptive, and destructive. Every nation and organization has established Computer Security Incident Response Teams (CSIRTs) to respond to and mitigate cyber incidents. When a company fails to implement and respond to incidents or security breaches, it can have negative impacts on business operations, reputation, revenue, lawsuits, and customer trust. The consequences of cyber incidents can lead to legal action against the organization for data privacy violations, intellectual property rights violations, breach notification, and national security.


It is necessary for organizations to demonstrate compliance with relevant laws, regulations, and industry standards to regulators and other stakeholders. A security and risk management framework plays a crucial role in the incident management life cycle. Choosing and applying the right framework is essential for success, regardless of the organization's size or mission. The NIST Cybersecurity Framework, ISO/IEC 27001, General Data Protection Regulation (GDPR), Australian Privacy Act 1988, and the Federal Data Protection Act (BDSG) are prominent industry standards that facilitate the implementation of cybersecurity policies and procedures.


A successful security incident investigation process aims to identify the root cause of the incident, quantify the extent of the overall business and operational impact, and adopt measures to prevent similar incidents in the future. This essay proposes conducting information security incident management activities following the ISO/IEC 27035 standard to compare and contrast the nature of cyberattacks, including their background, ramifications, regulatory options, and industry policies, controls, and procedures to mitigate and improve the situation. The essay concludes by emphasizing the significance of implementing security incident phases, employing advanced technologies to enhance incident management capabilities against cyber warfare and terrorism, and offering further directions for research.


I. Introduction

In today's digital infrastructure, cybersecurity incidents are becoming more frequent and posing severe consequences for organizations and national security [1]. They are a growing threat to various industries, particularly in the technology and defense sectors. The modern infrastructure, interconnected with billions of devices and systems, faces increasingly frequent and sophisticated cyber-attacks. Securing an organization's data and infrastructure is paramount but can be challenging due to the complexity of modern business environments. This complexity necessitates the implementation of preventative measures to secure sensitive data. Failure to adhere to incident management guidelines and a reluctance to report incidents can leave an organization vulnerable to cyber-attacks and data breaches, potentially resulting in non-compliance with national privacy and security laws and regulations [2]. Non-compliance can lead to defamation, breach of trust, and financial penalties.


Some notable standards include the General Data Protection Regulation (GDPR), ISO/IEC 27035, Australian Privacy Act 1988, Federal Data Protection Act (BDSG), and PCI-DSS [3–7]. To ensure effective incident investigation, organizations should consider the NIST Cybersecurity Framework as a baseline. It provides a comprehensive approach to identifying, protecting, detecting, responding, and recovering operations from risks and threats [8].

The ISO/IEC 27001 standard outlines the requirements and highlights the significance of having an incident response plan [9]. Recent research suggests that incident response plans should be periodically reviewed, updated, and approved to remain aligned with emerging threats and practices (Smith & Jones, 2020). Additionally, the incident response plan must be communicated to all stakeholders involved in the response process, including IT teams, legal departments, and corporate executives.


To effectively investigate the RavenCorp case and mitigate security incidents, Osprey Cyber Corporation (OCC) has decided to follow a structured process defined by industry standards, research, and regional and national regulations. The ISO/IEC 27035 incident investigation process often guides this process, which includes several phases such as preparing, detecting, analyzing, containing, eradicating, recovering, and post-lesson learning. RavenCorp must ensure compliance with these regulatory frameworks to diminish the likelihood of data breaches and apply these prominent industry standards that facilitate the implementation of cybersecurity policies and procedures.


Source: CNET.


II. Analysis of the case:

This case study examines an incident in which a threat actor gained unauthorized access to a remote desktop server using a phishing email, resulting in the exfiltration of valuable data from RavenCorp. The section evaluates the type of attack perpetrated, identifies the root cause of the incident, determines the scope and impact, identifies the probable threat actor, analyzes the consequences of technical loopholes, and highlights similarities with past events to differentiate similar attacks. Effective analysis of this case requires a thorough understanding of the network and security infrastructure, processes, people involved, and an objective approach to identifying and addressing existing vulnerabilities.


The Background of RavenCorp security incident:


Portfolio:

RavenCorp is a drone development company headquartered in Sydney, Australia, with a presence in Munich, Germany. The company uses both on-premises and cloud infrastructure in its business environment.


Activities of Privilege escalation:

On January 16, 2022, the company experienced a security incident when an employee fell victim to a social engineering-based phishing attack. The employee was lured into clicking on a fraudulent Microsoft domain and unknowingly shared their credentials, granting a threat actor access to the company's system.


Data Exfiltration:

The actor successfully elevated their privileges to administrator, leading to the exfiltration of customer information, employee personal information, and technical drawings for a prototype drone with military applications. The threat actor remained undetected in the system for approximately 330 days, during which they exfiltrated several terabytes of data.


Figure 1. RavenCorp-Security incident profile.


Security Incident Evaluation

After analyzing the preliminary artifacts in the background section, we have determined that this incident was a phishing and spear phishing attack. Threat actors utilize phishing, a social engineering technique, to lure individuals into divulging sensitive information such as login credentials through a spoofed email campaign.


Social Engineering (SE):

An assortment of techniques is applied to the target, which encompasses the "Art of persuasion and manipulation." According to IEEE, Social Engineering is defined as "the practice of exploiting vulnerabilities in human nature or behavior to gain access to confidential information or systems" (Gutmann, 2019). It involves manipulating individuals into divulging sensitive information, such as login credentials and confidential data, through various techniques, including impersonation, phishing, and pretexting (Krombholz et al., 2015). Social engineering attacks specifically target the cognitive and emotional aspects of human behavior, bypassing sophisticated security controls and protocols that may be in place (Islam et al., 2021).


Phishing:

Phishing is one of the major types of social engineering attacks. It is executed through emails or malicious websites with the intention of persuading individuals to provide personal information by posing as a trustworthy party or entity.


3.1.8.1 Email Phishing.

The APT threat actor constructed the email structure based on the target employee's data of interest and RavenCorp's business profile in order to create a sense of legitimacy through a falsified Outlook email. [14].


3.1.8.2 Pharming.

A pharming attack could hijack the social media domain and redirect visiting users to a fraudulent social media website, or blogs that appear to be legitimate to cajole them financially [15].


3.1.8.3 Watering hole.

The observance and reconnaissance strategy is used to stalk the internet and social media activities of the victim [16].


3.1.8.4 Spear Phishing.

Spear phishing also targets specific individuals in the company to penetrate enterprise layers of security and carry out a targeted attack [17]. In this incident, the attacker deceived a RavenCorp employee into entering their login credentials via a fake domain, which they then utilized to gain access to the network infrastructure. Once inside the network, they employed customized tools to identify vulnerabilities in the software components and elevate privileges, enabling them to create additional accounts with administrator rights in the corporate's Active Directory System. Subsequently, they exfiltrated sensitive data through these compromised accounts.


3.1.8.5 Office 365 Phishing.

This attack represents a prominent form of targeted attacks aimed at specific employees with the goal of gaining access to an enterprise email account. In this case, the threat actor utilized this method to lure the victim [18].


3.1.8.6 Domain spoofing.

The domain spoofing attack is performed through social media websites and URL spoofing techniques [19].


3.1.8.7 Vishing.

Vishing is a technique known as the "art of conversation" performed over the telephone network, aimed at scamming victims and stealing their personal identifiable information (PI/PII) data. [20].


3.1.8.8 SMSishing.

In this form of attack, A threat actor drops a SMS with suspicious links [21].


Advanced Persistent Threat (APT)

Social engineering and APT based attacks are directly relevant to this study. However, it is crucial to understand the underlying models and how their interconnections are used to differentiate between the objectives of cybercrime, cyberwarfare, and cyberterrorism [22–23]. APT groups employ sophisticated techniques in their reconnaissance missions to gain unauthorized access to various targets. They primarily rely on a range of social engineering tactics to infiltrate victims' networks and exfiltrate sensitive data. In the present case, the exfiltrated data encompassed personal information about the organization's employees and customers, as well as technical drawings of a drone with potential military applications. The cyber offenses committed within RavenCorp strongly indicate the involvement of state-sponsored actors and/or indirect support from government entities with vested interests. The cyberattacks and offenders can be classified into five types, as depicted in Figure 3.


1. The obtrusive corporate reconnaissance.

2. Political ideology.

3. Intellectual property (IP) theft.

4. Cyber fraud caused by data exfiltration of terabytes of data.

5. Information disclosure.


Figure 3. RavenCorp was targeted by Figure 3. RavenCorp was targeted by Advanced Persistent Threat (APT).


III. Identification Legal and Regulatory Considerations

In this case, RavenCorp experienced a severe data breach involving customer and corporate data. As a result, the company must address numerous legal and regulatory requirements, particularly regarding data privacy and cybersecurity. One crucial step is to notify affected customers and military bodies whose data has been compromised. Since RavenCorp has a branch office in Munich, Germany, it falls under the purview of the General Data Protection Regulation (GDPR), which mandates reporting data breaches within 72 hours of discovery [24]. Concurrently, the company needs to ascertain the nature of the breach and the associated legal implications, such as handling personally identifiable information (PII) of customers and employees, as well as the sensitive technical drawings of drones with potential military applications. The company must take prompt measures, including breach notification and providing assistance to affected individuals within the organization, while also taking steps to mitigate the breach within the specified timeframe.


Given the potential legal battles concerning data privacy, intellectual property rights, and national security disclosures, RavenCorp should act swiftly to comply with relevant national laws, regulations, and industry standards. This may involve notifying affected parties, implementing quarantine measures on compromised assets, and demonstrating to external entities and stakeholders their commitment to compliance.


The difference between two different continents-Legal and Regulatory battle

Both Australia and Munich have specific laws, regulations, and standards concerning data privacy and intellectual property. The Australian Privacy Act of 1988 and the Federal Data Protection Act (BDSG) in Munich offer guidance on how RavenCorp should handle sensitive data, including customer information and employee personal information. The Australian Privacy Act requires adherence to the 13 Australian Privacy Principles (APPs) when handling personally identifiable information (PI/PII). Similarly, the BDSG mandates that companies align their data handling practices with European Union (EU) law [25].


In the event of a data breach, such as the incident in question, organizations are legally obliged to notify the relevant authorities and affected individuals within specified timeframes. In this case, RavenCorp would need to report the breach to the appropriate authorities in both Australia and Munich. Additionally, the company should inform their customers and employees who have been impacted by the breach, providing details about the exfiltrated data during the attack.


Laws related to data protection and Privacy principles:


Criminal implications:

  • GDPR: Article 83 outlines the administrative fines for non-compliance, which can be up to 4% of the annual global turnover or €20 million, whichever is higher.
  • Telecommunications and Other Legislation Amendment (Assistance & Access) Act 2018: Section 317B specifies the criminal offences for unauthorised access to, or modification or impairment of, telecommunications data.


Credit card protection:

  • GDPR: Article 32 requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which can include encryption of personal data.
  • Privacy and Personal Information Protection Act 1998: Section 15 imposes obligations on credit providers to take reasonable steps to ensure the security of personal information, including credit card information.


Data security:

  • GDPR: Article 5 outlines the principles of data protection, including that personal data shall be processed in a manner that ensures appropriate security.
  • German Federal Data Protection Act (BDSG): Section 9 requires the implementation of appropriate measures to safeguard personal data from unauthorised access or disclosure.
  • German Telecommunications Act (TKG): Section 88 requires providers of telecommunication services to ensure adequate security measures are in place to protect user data.

Lists of data protection and privacy laws in Australia, EU, and Germany:


EU Member States:

• General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).


Australian States and Territories (National Level)

• General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).

• Information Privacy Act 2014 (Australian Capital Territory).

• Information Act 2002 (Northern Territory).

• Privacy and Personal Information Protection Act 1998 (NSW).

• Information Privacy Act 2009 (Queensland).

• Personal Information Protection Act 2004 (Tasmania).

• Privacy and Data Protection Act 2014 (Victoria).

• Telecommunications and Other Legislation Amendment (Assistance & Access) Act 2018

• Consumer Data Right (CDR).


Limited to Germany:

•German Federal Data Protection Act (BDSG).

•Telecommunications-Telemedia-Data Protection Act (TTDSG).

•German Telecommunications Act (TKG).

•The German Telemedia Act (TMG).


Limited to State and Territory

•German Federal Data Protection Act (BDSG).

•Telecommunications-Telemedia-Data Protection Act (TTDSG).

•German Telecommunications Act (TKG).

•The German Telemedia Act (TMG).

•Telecommunications Act 1997.

• the Criminal Code Act 1995.

•the National Health Act 1953.

•the Health Records and Information Privacy Act 2002 (NSW).

• the Health Records Act 2001 (Vic).

  • the Workplace Surveillance Act 2005 (NSW).

Payment Card Industry Data Security Standard (PCI DSS).

Breach notification:

In the context of both regions, it is crucial to follow the necessary actions in accordance with the guidelines of the Australian Notifiable Data Breaches (NDB) scheme and Germany's Federal Data Protection Act (BDSG). The NDB scheme mandates that legal entities notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in the event of a data breach. On the other hand, the BDSG governs the processing and protection of personally identifiable (PI) and personally identifiable information (PII) data, imposing rigorous requirements for ensuring the security of personal data protection.


IV. Technical mitigation and controls:

RavenCorp should adhere to industry best practices and regulations to effectively mitigate the security incident and prevent future occurrences. This entails implementing measures such as two-factor authentication (2FA) and multi-factor authentication (MFA), limiting access to sensitive information on a need-to-know basis, utilizing data labels, conducting vulnerability assessments, and performing penetration testing to identify vulnerabilities in the security layers. Additionally, establishing comprehensive incident response plans can help reduce the likelihood of incidents and facilitate swift response and recovery.


To bolster security, it is essential to encrypt all data elements at rest, in use, and in transit. This ensures that sensitive information remains protected throughout its lifecycle. Furthermore, enhancing visibility into the network through a robust security operations center (SOC) enables prompt detection of suspicious activities and timely response.


Providing up-to-date industry training to employees is crucial in promoting cybersecurity awareness and equipping them with best practices, policies, controls, and procedures to prevent phishing attacks and other forms of social engineering. By fostering a security-conscious culture, RavenCorp can significantly strengthen its overall security posture.[26–28].

Figure 4. The effective control measures.


The enterprise chain of protection


Defensive tactics, implemented through countermeasure mechanisms, are integrated into the network infrastructure to thwart APT threat actor activities. The enterprise chain of preventive controls enhances the ability to detect and mitigate social engineering (SE) attacks [29].


Network Segmentation

Implement network segmentation to restrict access between different parts of the network, minimizing the potential impact of a security breach.


Two-Factor Authentication (2FA)

Add an additional layer of security to the verification process by requiring employees to provide an extra identity input, such as an SMS code, before accessing their accounts.


Multi-factor authentication(MFA)

Configure MFA for all accounts, including those with administrator rights. Implement strong password policies to ensure users create complex passwords and regularly update them.


The two items are unequivocally distinct. 2FA and MFA are not exactly the same; they both serve a similar purpose of providing an additional layer of security to user accounts.


Intrusion Detection and Prevention Systems

Deploy IDPS to monitor and block suspicious network activity.


Security Information and Event Management

Implement SIEM technology to collect and analyze security-related data.


Regular Vulnerability Scanning

Utilize vulnerability scanning tools to identify and address potential weaknesses in the network.


Data Backup and Recovery

Regularly back up critical data and test disaster recovery plans to ensure data can be restored in the event of a security breach.


Email Filtering appliance

Deploy email filtering software and hardware components from trusted third-party vendors to detect, quarantine, and block suspicious emails.


Security Awareness Training

Provide employees with up-to-date industry training on cybersecurity best practices, policies, controls, and procedures to prevent phishing attacks and other forms of social engineering.


Regular System Patches

Frequently apply patches to operating systems, applications, and firmware to identify and address vulnerabilities.


Cyber Insurance

Consider obtaining cyber insurance to cover the cost of case investigation, operational recovery, and legal expenses associated with a security incident.


V. Conclusion

In conclusion, this incident underscores the criticality of adopting a proactive approach to cybersecurity and data protection. Social engineering and APT-based attack techniques present significant threats to organizations of all sizes. It highlights the importance of implementing comprehensive policies, controls, and procedures. Regularly reviewing and updating a robust incident response plan is essential to ensure that stakeholders are well-prepared to handle security breaches. Additionally, companies should prioritize educating employees and organizational leaders on how to identify and respond to phishing attacks. By adhering to industry best practices, organizations can reduce the risk of being targeted by cybercriminals. These proactive measures are vital in combating the escalating cyber threats and safeguarding sensitive data and intellectual property.


Quote of the day:


教えるよりも、示す方が雄弁である」(oshieru yori mo, shimesu hou ga yuu ben de aru)


Explanation: This phrase, attributed to the Japanese scholar Yōmei, translates to "Showing is better than teaching". It's a quote that emphasizes the importance of leading by example rather than just giving verbal instructions.


— — — — — — — — — — ——— —— -THE END — — — — — ——— — — — — — —


Also published here.