Situational Intelligence - Multinational Corporation

Background

A multinational corporation received reports that specific systems had been breached. However, specific evidence was not available, and the information that was available was vague at best. The corporation operates in a number of high-profile areas and faces multiple potential threat actors.

"We need to answer two key questions for the board. First, did this happen? Second, is it still going on? If the answer to either of those is 'yes', we need to have a plan to deal with it."
Client CISO

The Challenge

The client took a multi-faceted approach to this issue. One component was an investigation into whether the targeted systems were being discussed by threat actors across various mediums. There was also a suspicion that access to the targeted systems was being offered for sale.

Uncovering information online is akin to finding needles in needle-stacks. Forums can easily be spun up for private discussion, and a variety of messaging platforms can be used. Data can be hidden in websites in various ways known only to the initiated. This is one reason why the majority of what is sold as "threat intelligence" is nothing of the sort.

Budgets for investigations such as these are limited, so any work undertaken had to be targeted and cost-effective.


The Solution

Our automated collection system was used to gather data on the targeted systems. The collection system comprises various elements that work across different areas to gather data. This data is then brought together in a central system where analysis is conducted on it, turning data into intelligence.

At the same time, a manual investigation was conducted. OccamSec personnel work across a variety of areas to gather information. In addition, our considerable reach-back capabilities give us access to additional resources.

As data was collected, the team performed analysis to identify further avenues for investigation. Several leads were identified, ultimately leading to a forum where access to the target systems was being sold. The information was passed to law enforcement, and the client implemented measures to remediate the vulnerability that was providing the unauthorized access.