By David Pearson
If cyber security was a game, then cyber attackers had quite a winning streak in the month of September – with high-profile breaches at Equifax, Deloitte, the SEC, Sonic, and Whole Foods.
The Deloitte breach is one of the more interesting attacks – but has seemingly gone under the radar.
While the original announcement seemed to make this breach sound quite timid by breach standards, early details suggest quite the opposite. Brian Krebs reported that the breach involves “a compromise of all administrator accounts at the company, as well Deloitte’s entire internal email system.”
This is a nightmare scenario for the security analysts. The firms hired to clean up the mess will be digging through mountains of logs and cross-referencing spreadsheets of devices and subnets to discover the full timeline, initial access vector, how the breach moved about the network, and the entirety of the affected customers and platforms. This will take weeks – if not months, no doubt.
However, the truth is in the network if you know where to look. Security analytics on full packet capture data can identify and track devices, associate email addresses to those devices and allow you to quickly query that information – all of this without the need for complex integrations, log gathering or agents. This will help you rapidly pinpoint the point of breach origin.
Additionally, if any lateral movement occurred, the users and accounts that were used would have been highly visible on the network as well. For instance, repeated login attempts against a file share holding sensitive files would stand out.
Just as the expert investigators probably pieced this incident together from such evidence, the most interesting behaviors of these devices and users often manifest themselves on the network as well.
For instance, the network sees all domains visited and by which devices.
And finally, analysts have the option to dive into the raw PCAPs if more in-depth forensic analysis is needed.
This is how Awake automates the critical parts of a breach investigation, tasks that normally take weeks or months. This investigatory process is the primary driver of analyst fatigue – the meticulous analysis of IP addresses and minutiae to find the needle in a stack of needles.