Incident Response - Education Organization


A school system with a large technical footprint including multiple Internet facing systems. The environment was a mix of platforms including several legacy systems that were scheduled to be replaced (but hadn’t yet).  The environment suffered a breach due to a newly deployed application which was configured incorrectly, this allowed attackers to gain an initial foothold in the environment from which they were able to undertake attacks against the organization’s financial system.

"We’ve just deployed < Redacted > software"
Client project manager on social media

The Challenge

There were multiple challenges:

1) The incident began on a holiday weekend, much of the client team involved in the deployment were out.

2) The client had limited resources to conduct the investigation.

3) The monitoring/detection systems in operation provided only minimal information

The Solution

Our response began within the hour, as in other projects we benefited from the wide expertise of our team. Since the client’s monitoring capabilities were limited we spun up various work streams to work on the incident. Our primary goal was to contain the breach ensuring that no further damage was inflicted. 

The entry point was found and a fix applied to close it (This was helped by the fact that a client project manager had made several social media posts about the new system the client was deploying which turned our to be the initial entry vector). At the same time evidence was collected which helped our team determine how subsequent systems had been compromised. A variety of data was collected and our team was able to import it into the client’s Splunk environment and create various queries to analyze the data.

The chain of events was pieced together and a variety of evidence collected. All malicious activity that occurred was remediated. Our team subsequently worked with the client to implement some longer term fixes which would prevent similar attacks from succeeding. This included working with the client’s MSSP to implement some additional detection rules, and providing some additional response training.