
Effective Investigations to Contain the Breach

If cyber security were a game, then cyber attackers had quite a winning streak in the month of September – with high-profile breaches at Equifax, Deloitte, the SEC, Sonic, and Whole Foods.

The Deloitte breach is one of the more interesting attacks – but has seemingly gone under the radar.

While the original announcement made this breach sound quite timid by breach standards, early details suggest quite the opposite. Brian Krebs reported that the breach involves “a compromise of all administrator accounts at the company, as well Deloitte’s entire internal email system.”

This is a nightmare scenario for security analysts. The firms hired to clean up the mess will be digging through mountains of logs and cross-referencing spreadsheets of devices and subnets to discover the full timeline, the initial access vector, how the attackers moved about the network, and the entirety of the affected customers and platforms. This will take weeks – if not months, no doubt.

However, the truth is in the network if you know where to look. Security analytics on full packet capture data can identify and track devices, associate email addresses with those devices and let you quickly query that information – all without complex integrations, log gathering or agents. This helps you rapidly pinpoint the point of origin of the breach.

[Screenshot: find personal email usage and potential spearphish victims]

Additionally, if any lateral movement occurred, the users and accounts that were used would have been highly visible on the network as well. For instance, repeated login attempts against a file share containing sensitive files would stand out.

[Screenshot: look for repeated access to sensitive documents and lateral movement]
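The two investigation steps above (tying email identities to devices, then spotting accounts used from the wrong device or hammering a file share) as an added example, not code from the original post or from Awake's product. It runs over constructed events in the shape a network-analytics platform might extract from packet capture; the device names, addresses and share path are made up.

```python
from collections import Counter, defaultdict

# Constructed sample events (not real Awake output): each record is one
# observation from the wire, tagged with the device it was seen from.
FAIL = "STATUS_LOGON_FAILURE"
EVENTS = [
    {"device": "lt-042", "proto": "smtp", "mail_from": "alice@example-corp.test"},
    {"device": "lt-042", "proto": "imap", "user": "alice.personal@webmail.test"},
    {"device": "lt-017", "proto": "smtp", "mail_from": "bob@example-corp.test"},
    {"device": "lt-017", "proto": "smb", "user": "bob", "share": r"\\fs01\finance", "status": "STATUS_SUCCESS"},
] + [
    # alice's laptop trying bob's account against the finance share, four times
    {"device": "lt-042", "proto": "smb", "user": "bob", "share": r"\\fs01\finance", "status": FAIL}
    for _ in range(4)
]


def associate_emails(events):
    """Map each device to every email identity seen in its mail traffic."""
    assoc = defaultdict(set)
    for e in events:
        if e["proto"] == "smtp":
            assoc[e["device"]].add(e["mail_from"])
        elif e["proto"] == "imap":
            assoc[e["device"]].add(e["user"])
    return dict(assoc)


def personal_email_devices(events, corp_domain):
    """Devices that also use a non-corporate mailbox: candidate spearphish victims."""
    suffix = "@" + corp_domain
    return {dev: {a for a in addrs if not a.endswith(suffix)}
            for dev, addrs in associate_emails(events).items()
            if any(not a.endswith(suffix) for a in addrs)}


def repeated_share_logins(events, threshold=3):
    """(device, user, share) tuples with at least `threshold` failed SMB logons."""
    counts = Counter((e["device"], e["user"], e["share"]) for e in events
                     if e["proto"] == "smb" and e["status"] != "STATUS_SUCCESS")
    return {key: n for key, n in counts.items() if n >= threshold}


def credential_mismatches(events):
    """(device, smb_user) pairs where the account is not one of that device's
    own mail identities: a simple lateral-movement indicator."""
    owners = {dev: {a.split("@")[0] for a in addrs}
              for dev, addrs in associate_emails(events).items()}
    return {(e["device"], e["user"]) for e in events
            if e["proto"] == "smb" and e["user"] not in owners.get(e["device"], set())}
```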

Much as the expert investigators probably pieced this incident together, the most interesting behaviors of these devices and users also manifest themselves on the network.

[Screenshot: notable artifacts pulled by security analytics]

For instance, the network sees all domains visited and by which devices.

[Screenshot: search for personal email and view domains visited]

And finally, analysts have the option to dive into the raw PCAPs if more in-depth forensic analysis is needed.

[Screenshot: download PCAP for security investigations]

This is how Awake automates the critical parts of a breach investigation, tasks that normally take weeks or months. This investigatory process is the primary driver of analyst fatigue – the meticulous analysis of IP addresses and other minutiae to find the needle in a stack of needles.

David Pearson

Principal Threat Researcher