28 June 2018
Data integrity can be compromised, leaving companies with a real headache. Ben Ledoux provides an example of how a security breach can happen and what you can do to minimise the risk.
MEET BOB. He logs into his workstation at 7:00am every morning and is in his e-mail by 7:02am. Much of his day consists of accessing and editing files, sending e-mails, and the rather mundane task of office banter. His computer is typically logged out by 4pm every evening, or 4:06pm at the latest! His account, like many others, works like clockwork.
Today something different has happened: Bob's account has logged into his e-mail at 3:00am from a country that Bob hasn't mentioned visiting and certainly didn't ask for time off to visit. Minutes after logging in, a test e-mail goes out to a generic e-mail address, and minutes after that a torrent of e-mails starts being sent from Bob. An e-mail from Bob asks the accounting department if they are available; the administrative assistants receive notices that there was an issue with their mailboxes, which is certainly confusing to those of us who know Bob, because he doesn't work in the Information Technology department; and his own account has stopped receiving e-mails.
Bob logs in at 7:00 and is in his e-mail by 7:02. No new e-mails, which is slightly unusual but nothing to worry about. Around 11:30, Andrea from the accounting department asks about the deposit and wants confirmation that everything went through. Bob is confused; he doesn't deal with deposits. Andrea reminds him of the e-mail last night asking for $10,000 to be sent to a vendor because they were threatening to turn off the software. Again, Bob has no idea what she is talking about, but Andrea insists Bob sent it since, after all, it came from his e-mail.
The resulting damage: $20,000 sent to a bank account that was quickly emptied and closed, six administrative assistants handing over their credentials to "fix" their mailboxes, and, further down the chain of events, sensitive documents encrypted and held for ransom, a hacked company Twitter profile, and details of a proprietary product released. All because Bob's account sent out a few e-mails.
This scenario is a typical attack on a company once malicious actors obtain credentials belonging to someone inside it. If you are Bob, you are questioned to determine whether you were the perpetrator of the attack, then questioned again to figure out when you gave your credentials (knowingly or unknowingly) to someone who could impersonate you, and then you face the consequences. For the IT department, the hours following the discovery of an attack are crucial: there is an unknown person in the environment, volatile forensic data is disappearing, and the integrity of data is in question.
Metropolitan State University of Denver
At Metropolitan State University of Denver, we follow the defence in depth security model, a model in which our traffic is monitored by several different services, supplemented by hands-on threat hunting for bad actors wherever they reside. When an account begins to show signs of compromise, we immediately disable the account, then start work to determine the scope of the compromise and begin mitigation.
Tracing the messages generated by the account shows how the account was used. If the messages were crafted to target internal users, a Security Alert is sent to users and the offending message is deleted from their mailboxes and from the compromised user's mailbox. Any URLs in the message are checked to determine whether they are malicious and, if so, blocked on the different services so that other users who received the message are not infected.
While this mitigates the internal risk from the initial attack, several more steps are needed to determine whether other risks are involved. In the world of Single Sign-On, a user's credentials log in not only to e-mail but to many other services in the organisation. Because of this, when there is a compromise the IT Security team needs to review the sign-in logs to determine which other services the account reached and then, based on what those services are, assess the integrity of the data in each service and whether any of it was exfiltrated. If data was exfiltrated, the company's compliance policies may require a breach notification procedure, which can lead to larger headaches.
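The log review described above, as an added example that is not part of the original article or MSU Denver's tooling: it builds a per-user baseline of usual sign-in hours and countries from an SSO log, flags sign-ins that break that baseline (Bob's 3:00am login from a new country), and lists which services each anomalous session reached, which is the list of systems whose data integrity then needs review. The log format, the user names and the IP addresses are assumptions; the sample events are constructed.

```python
"""Flag off-baseline SSO sign-ins for one user and list the services each
anomalous session reached. Added example; the log format is an assumption."""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample sign-in log (not real data). Each dict is one SSO event;
# "ZZ" is a placeholder country code Bob has never signed in from.
SIGNIN_LOG = [
    {"user": "bob", "time": "2018-06-25T07:01:10Z", "country": "US", "ip": "203.0.113.10", "service": "email"},
    {"user": "bob", "time": "2018-06-25T07:03:00Z", "country": "US", "ip": "203.0.113.10", "service": "fileshare"},
    {"user": "bob", "time": "2018-06-26T07:00:40Z", "country": "US", "ip": "203.0.113.10", "service": "email"},
    {"user": "bob", "time": "2018-06-26T15:58:00Z", "country": "US", "ip": "203.0.113.10", "service": "fileshare"},
    {"user": "bob", "time": "2018-06-27T07:02:00Z", "country": "US", "ip": "203.0.113.10", "service": "email"},
    {"user": "andrea", "time": "2018-06-27T08:30:00Z", "country": "US", "ip": "203.0.113.22", "service": "email"},
    {"user": "bob", "time": "2018-06-28T03:00:05Z", "country": "ZZ", "ip": "198.51.100.7", "service": "email"},
    {"user": "bob", "time": "2018-06-28T03:12:30Z", "country": "ZZ", "ip": "198.51.100.7", "service": "fileshare"},
    {"user": "bob", "time": "2018-06-28T03:15:00Z", "country": "ZZ", "ip": "198.51.100.7", "service": "hr-portal"},
    {"user": "bob", "time": "2018-06-28T07:00:30Z", "country": "US", "ip": "203.0.113.10", "service": "email"},
]


def parse_time(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hour_distance(a, b):
    """Distance between two hours of the day, wrapping around midnight."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def build_baseline(events, user, before):
    """Hours of day and countries `user` signed in from strictly before `before`."""
    hours, countries = Counter(), Counter()
    for e in events:
        if e["user"] != user:
            continue
        t = parse_time(e["time"])
        if t < before:
            hours[t.hour] += 1
            countries[e["country"]] += 1
    return {"hours": set(hours), "countries": set(countries)}


def flag_anomalies(events, user, since, hour_slack=1):
    """Return `user`'s events at or after `since` that break the baseline built
    from everything before `since`, each annotated with the reasons."""
    base = build_baseline(events, user, since)
    flagged = []
    for e in events:
        if e["user"] != user or parse_time(e["time"]) < since:
            continue
        t = parse_time(e["time"])
        reasons = []
        if e["country"] not in base["countries"]:
            reasons.append("new country " + e["country"])
        if all(hour_distance(t.hour, h) > hour_slack for h in base["hours"]):
            reasons.append("off-hours %02d:00 UTC" % t.hour)
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


def services_touched(flagged):
    """Which services each anomalous source IP reached: the list of other
    systems whose logs and data integrity now need review."""
    by_ip = defaultdict(set)
    for e in flagged:
        by_ip[e["ip"]].add(e["service"])
    return {ip: sorted(svcs) for ip, svcs in by_ip.items()}


if __name__ == "__main__":
    hits = flag_anomalies(SIGNIN_LOG, "bob", parse_time("2018-06-28T00:00:00Z"))
    for h in hits:
        print(h["time"], h["service"], "; ".join(h["reasons"]))
    print(services_touched(hits))
```

The baseline is deliberately cut at the start of the day under investigation so that the attacker's own sign-ins do not pollute it; on a real tenant the same split should be made at the earliest suspicious event rather than at midnight.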
With the internal risk mitigated, and hopefully without any sensitive data breached, the last step is re-securing the originally compromised account. Disabling the account stops new logins, but there are several ways the malicious user can keep a foothold that survives until the account is re-enabled, so a sweep has to be done. During the sweep, the Incident Response team checks the integrity of the user's e-mail signature, reviews every inbox rule to make sure nothing is set to forward the user's mail to attacker-controlled addresses or to send incoming messages straight to the trash folder, and turns off any mailbox forwarding set up during the compromise. The password is reset and any active sessions or tokens are revoked, since a password change alone does not end sessions that are already open. At this point the mailbox is considered secure, but the user will still feel aftershocks of the compromise for several days afterwards.
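The sweep of the mailbox's persistence points, as an added example that is not the article's or the university's own tooling: it audits mailbox-level forwarding, every inbox rule (external forwarding or redirects, deletion, parking mail in folders the owner never looks in, marking as read, and conditions keyed on words such as "password" or "invoice"), and the signature for links that leave the organisation. The export format (plain dicts mirroring the fields an Exchange or Office 365 rule export exposes), the organisation domain example.edu, and the keyword and folder lists are assumptions; the mailbox data is constructed.

```python
"""Sweep a compromised mailbox's persistence points: mailbox-level forwarding,
inbox rules and the signature. Added example; the export format (dicts that
mirror the fields an Exchange/Office 365 rule export exposes) is an assumption."""
import re
from urllib.parse import urlparse

ORG_DOMAIN = "example.edu"  # assumption: the organisation's own mail domain

# Words attackers commonly key rules on so the victim never sees warnings,
# replies about the fraud, or bounces. Illustrative, not exhaustive.
SUSPECT_KEYWORDS = ("password", "invoice", "deposit", "wire", "hacked",
                    "undeliverable", "suspicious", "phish")
# Folders a victim rarely opens; a rule that parks mail there hides it in practice.
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive",
                  "conversation history"}

# Constructed mailbox export for Bob (not real data).
MAILBOX = {
    "owner": "bob@example.edu",
    "forwarding_address": "bob.backup@mail.example.net",  # set during the compromise
    "signature_html": '<p>Bob<br><a href="https://www.example.edu">Example University</a>'
                      '<br><a href="http://docs-example.net/login">Secure docs</a></p>',
    "rules": [
        {"name": "Weekly reports", "enabled": True,
         "subject_contains": ["Weekly report"], "move_to_folder": "Reports"},
        {"name": ".", "enabled": True,  # attacker rules often have blank or one-character names
         "subject_contains": ["password", "invoice", "deposit"],
         "forward_to": ["drop.box@mail.example.net"],
         "delete_message": True, "mark_as_read": True},
        {"name": "Cleanup", "enabled": False,
         "body_contains": ["undeliverable"], "move_to_folder": "Deleted Items"},
    ],
}


def in_org(host, org_domain=ORG_DOMAIN):
    """True for the organisation's domain and its subdomains."""
    host = host.lower()
    return host == org_domain or host.endswith("." + org_domain)


def is_external(address, org_domain=ORG_DOMAIN):
    return not in_org(address.rsplit("@", 1)[-1], org_domain)


def audit_rule(rule, org_domain=ORG_DOMAIN):
    """Return the reasons a single inbox rule looks like attacker persistence."""
    findings = []
    for action in ("forward_to", "redirect_to", "forward_as_attachment_to"):
        for addr in rule.get(action, []):
            if is_external(addr, org_domain):
                findings.append("%s external address %s" % (action, addr))
    if rule.get("delete_message"):
        findings.append("deletes matching mail")
    folder = rule.get("move_to_folder", "")
    if folder.lower() in HIDING_FOLDERS:
        findings.append("moves matching mail to " + folder)
    if rule.get("mark_as_read"):
        findings.append("marks matching mail as read")
    conditions = " ".join(rule.get("subject_contains", []) + rule.get("body_contains", [])).lower()
    hits = [k for k in SUSPECT_KEYWORDS if k in conditions]
    if hits:
        findings.append("keys on " + ", ".join(hits))
    if findings and not rule.get("enabled", True):
        findings.append("currently disabled, but still present")  # can be re-enabled later
    return findings


def audit_signature(signature_html, org_domain=ORG_DOMAIN):
    """Links in the signature that point anywhere other than the organisation."""
    external = []
    for url in re.findall(r'https?://[^\s"\'<>]+', signature_html):
        host = urlparse(url).hostname or ""
        if not in_org(host, org_domain):
            external.append(url)
    return external


def sweep_mailbox(mailbox, org_domain=ORG_DOMAIN):
    """Full sweep: mailbox forwarding, every rule, and the signature."""
    report = {"forwarding": [], "rules": {}, "signature": []}
    fwd = mailbox.get("forwarding_address")
    if fwd and is_external(fwd, org_domain):
        report["forwarding"].append("mailbox forwards to external address " + fwd)
    for rule in mailbox.get("rules", []):
        findings = audit_rule(rule, org_domain)
        if findings:
            report["rules"][rule["name"]] = findings
    report["signature"] = audit_signature(mailbox.get("signature_html", ""), org_domain)
    return report


if __name__ == "__main__":
    for section, content in sweep_mailbox(MAILBOX).items():
        print(section, content)
```

Disabled rules are reported rather than skipped on purpose: a rule the attacker left switched off costs nothing to keep and can be re-enabled the next time they get in, so the sweep removes it rather than trusting the flag.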
The two main problems a user sees after the compromise is over are blacklisting and undeliverables. Blacklisting is when a domain or service decides that a domain is sending malicious e-mail and either blocks all messages from it outright or filters them into the Spam or Junk folder. Getting a whole domain removed from a blacklist can take days to weeks of manual work, which affects business continuity for an organisation. Managed e-mail services usually have rules in place that stop the compromised account doing damage before a blacklisting can be imposed, and because those services send every customer's mail through shared, site-wide infrastructure, other services tend not to apply a blanket block, as that would risk blocking the entire service from e-mailing them (e.g. Microsoft Office 365 to Google Gmail). If your organisation uses a managed e-mail provider and you are curious about their policies, contact them for the specifics of account blacklisting.
Undeliverable is the term for a mail message, in this case a malicious one, that is returned by the receiving mail system as undeliverable (a bounce, or non-delivery report). Depending on how many messages were sent to addresses that did not exist or otherwise failed to reach the recipient, these undeliverables can flood an account for several days after the initial compromise, and a mail rule will usually need to be created to filter them out and keep them from interrupting the end user's day-to-day operations. The rule can usually be deleted after a few weeks, but it should be specific enough not to filter legitimate mail out of the mailbox as a false positive.
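One way to write that filter specifically enough, as an added example that is not from the article: instead of matching "Undeliverable" in the subject (which also catches a colleague's reply asking about the bounce, and bounces of the user's legitimate mail sent after re-securing), it recognises a bounce by its delivery-status report type or MTA sender, then quarantines it only if the returned original carries a Message-ID from the compromise-window message trace or was sent inside that window. The message structure, the window, the Message-IDs and the addresses are assumptions; the messages are constructed.

```python
"""Filter the flood of bounces (non-delivery reports) that follows a compromise
without swallowing legitimate mail. Added example; the message structure
(headers plus the attached original's Message-ID and Date) is an assumption."""
import re
from datetime import datetime, timezone


def utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Assumed: the window in which the attacker used the account (from sign-in
# logs) and the Message-IDs of what it sent in that window (from message trace).
COMPROMISE_START = utc("2018-06-28 03:00")
COMPROMISE_END = utc("2018-06-28 04:30")
MALICIOUS_IDS = {"<blast-0001@example.edu>", "<blast-0002@example.edu>"}

# Constructed inbound messages (not real data). "original" holds what was
# recovered from the returned copy of the message the bounce refers to.
INBOX = [
    {"id": "A", "headers": {"From": "Mail Delivery System <MAILER-DAEMON@mx.example.net>",
                            "Subject": "Undeliverable: URGENT invoice",
                            "Content-Type": "multipart/report; report-type=delivery-status"},
     "original": {"message_id": "<blast-0001@example.edu>", "date": utc("2018-06-28 03:20")}},
    {"id": "B", "headers": {"From": "postmaster@partner.example.org",
                            "Subject": "Undeliverable: Minutes from today's meeting",
                            "Content-Type": "multipart/report; report-type=delivery-status"},
     "original": {"message_id": "<real-0099@example.edu>", "date": utc("2018-06-29 10:05")}},
    {"id": "C", "headers": {"From": "Andrea <andrea@example.edu>",
                            "Subject": "RE: Undeliverable: URGENT invoice - was this you?",
                            "Content-Type": "text/plain"}},
    {"id": "D", "headers": {"From": "MAILER-DAEMON@mx.example.net",
                            "Subject": "Delivery Status Notification (Failure)",
                            "Content-Type": "multipart/report; report-type=delivery-status"},
     "original": {"message_id": None, "date": utc("2018-06-28 03:41")}},
]

BOUNCE_SENDER = re.compile(r"^(mailer-daemon|postmaster)@", re.IGNORECASE)


def sender_address(from_header):
    m = re.search(r"<([^>]+)>", from_header)
    return (m.group(1) if m else from_header).strip()


def is_bounce(msg):
    """A bounce is a delivery-status report or mail from the MTA's bounce address."""
    h = msg["headers"]
    if "report-type=delivery-status" in h.get("Content-Type", "").lower():
        return True
    return bool(BOUNCE_SENDER.match(sender_address(h.get("From", ""))))


def naive_subject_filter(msg):
    """The rule people reach for first; it also eats Andrea's reply (message C)
    and bounces of legitimate mail sent after the clean-up (message B)."""
    return "undeliverable" in msg["headers"].get("Subject", "").lower()


def should_quarantine(msg, malicious_ids=MALICIOUS_IDS,
                      start=COMPROMISE_START, end=COMPROMISE_END):
    """Quarantine only bounces that refer to mail sent during the compromise,
    identified by Message-ID where available and by send time otherwise."""
    if not is_bounce(msg):
        return False
    original = msg.get("original")
    if not original:
        return False  # bounce with no recoverable original: leave it for a human
    if original.get("message_id") in malicious_ids:
        return True
    sent = original.get("date")
    return sent is not None and start <= sent <= end


def triage(messages):
    return {m["id"]: should_quarantine(m) for m in messages}


if __name__ == "__main__":
    for mid, quarantine in triage(INBOX).items():
        print(mid, "quarantine" if quarantine else "keep")
```

Because the rule is tied to the message trace and the window rather than to a subject keyword, it can be left in place for the few weeks the bounces keep arriving and then removed without anyone having missed a real bounce in the meantime.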
The last step for the compromised user is an interview and training. If the user is still in the organisation, the Incident Response team interviews them to determine the root cause of the compromise. Many end users do not recall how their account was compromised, but anything they can remember is usually helpful for writing the final report. The user should be told exactly what happened and, via Security Awareness training, how they can avoid the issue in the future. The analysis also helps the IT teams determine whether there is a way to prevent this kind of compromise in the future.
Everybody has a Bob in their organisation. Security awareness for all users is key, but knowing how to respond to an incident is just as important. Be prepared by practising incident response and understanding your organisation's policies and procedures, so that if the day comes when Bob accidentally gives up his credentials, you'll be ready and it hopefully won't feel as if the sky is falling.
Ben Ledoux is Information Security Administrator at Metropolitan State University of Denver. You can contact him at firstname.lastname@example.org