Executive Summary
Timeline
On <date>, the SOC received notice from the Network Team about unusual behavior on the internal network. On further investigation, the SOC found successful logins following multiple brute-force attempts and determined that malware had been placed on the system to create a backdoor, which lets unauthorized personnel easily regain access to the network. After finding this malware, on <date> the internal website development team was authorized to revert the corrupted file to remove the malware.
There were multiple brute-force login attempts initially; some of the resulting successful logins were used to update the file in question.
| Timestamp | IP Address | Action |
|---|---|---|
| 06/Dec/2016:17:29:13 -0500 | 199.168.99.18 | Brute force successful login |
| 06/Dec/2016:17:29:17 -0500 | 199.168.99.18 | Update to the file |
| 07/Dec/2016:11:13:22 -0500 | 199.168.99.18 | Brute force successful login |
| 07/Dec/2016:11:13:23 -0500 | 199.168.99.18 | Brute force successful login |
| 09/Dec/2016:12:30:41 -0500 | 142.54.189.162 | Brute force successful login |
| 09/Dec/2016:04:18:40 -0500 | 142.54.189.162 | Update to the file |
| 10/Dec/2016:05:00:00 -0500 | 142.54.189.162 | Brute force successful login |
| 10/Dec/2016:05:00:00 -0500 | 142.54.189.162 | Update to the file |
| 10/Dec/2016:05:00:00 -0500 | N/A | Network team notifies SOC of the unusual behavior |
| 10/Dec/2016:05:30:00 -0500 | N/A | SOC begins investigation into logs |
| 10/Dec/2016:14:15:00 -0500 | N/A | SOC identifies the malicious code in the file |
| 10/Dec/2016:15:00:00 -0500 | N/A | The network team receives approval to remove the infected server from the network |
| 11/Dec/2016:04:45:00 -0500 | N/A | The website development team reverts the infected file, removing the malware, by restoring a version of the file from before December 6th, 2016 |
Actions Taken
The SOC found the file containing the malware by searching the network logs. The network team removed the server hosting the infected file from the network until restoration could commence.
The website development team restored the compromised file to a version from before the first change by an unauthorized user. The network team was then able to place the server back online.
Based on external IP reputation tools, the IPs that logged in successfully after the brute-force attempts are not on known blacklists. The SOC therefore assesses that these IPs are part of a botnet rather than malicious in themselves, and they will not be blacklisted from the network.
Financial Impact
Below is a table representing the costs associated with this incident.
| Item | Cost |
|---|---|
| Lost Revenue (1) | $560,000 |
| Server Downtime for Restoration (2) | $140,000 |
| Labor of Investigation (3) | $36,000 |
| Total | $736,000 |
(1) Loss of revenue is calculated from lost productivity for users and customers: the average number of users per hour over the timeframe the server was down (400/hour) multiplied by a flat rate of $100 per hour for customer/user productivity (400 x $100 x 14 hours).
(2) Downtime cost is determined by a flat rate of $10,000 per hour that the server is down. The server was taken off the network for restoration for 14 hours.
(3) Labor is determined from the average wage of investigators and the amount of time they worked the investigation: $45 (average wage) x 20 (number of investigators) x 48 (number of hours worked).
Lessons Learned – Successes
- The internal teams coordinated an effective investigation and implemented the proper responses.
- The Network team identified the issue and alerted the right parties so the investigation could continue.
- The SOC used its purchased tools to determine the issue and worked with the website development team to remediate it.
Opportunities for Improvement
The following improvements will be tracked through JIRA to ensure completion.
Issue: The SOC was unable to identify the successful logins by the IPs that were brute forcing.
Recommendation: The SOC shall implement a new alert that fires if a successful login occurs after more than 5 failed logins. Additionally, the SOC team will develop a playbook for this alert so team members know what steps to take when it fires.
Action Item Owner: The SOC Manager
Issue: There was no immediate server backup available to revert the system.
Recommendation: Hot and cold sites should be developed so that older versions of the files are ready to take over when an issue arises, reducing downtime.
Action Item Owner: The Network Team Manager
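As an added illustration of the recommended alert (not part of the original report or any tool the SOC used), the following Python detection logic runs over constructed access-log lines in the same timestamp format as the timeline and fires when a successful login from an IP follows more than 5 failed logins from that IP within a sliding window. It assumes logins are POSTs to `/login`, with HTTP 401 on failure and 302 on success; the address 10.0.0.5 is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample web-server access log. Assumptions: logins are POSTs to /login,
# 401 on failure, 302 on success; 199.168.99.18 is from the timeline, 10.0.0.5 is made up.
SAMPLE_LOG = """\
199.168.99.18 - - [06/Dec/2016:17:28:40 -0500] "POST /login HTTP/1.1" 401 512
199.168.99.18 - - [06/Dec/2016:17:28:45 -0500] "POST /login HTTP/1.1" 401 512
199.168.99.18 - - [06/Dec/2016:17:28:50 -0500] "POST /login HTTP/1.1" 401 512
199.168.99.18 - - [06/Dec/2016:17:28:55 -0500] "POST /login HTTP/1.1" 401 512
199.168.99.18 - - [06/Dec/2016:17:29:00 -0500] "POST /login HTTP/1.1" 401 512
199.168.99.18 - - [06/Dec/2016:17:29:05 -0500] "POST /login HTTP/1.1" 401 512
199.168.99.18 - - [06/Dec/2016:17:29:13 -0500] "POST /login HTTP/1.1" 302 0
10.0.0.5 - - [06/Dec/2016:17:00:00 -0500] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [06/Dec/2016:17:30:01 -0500] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [06/Dec/2016:17:30:05 -0500] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [06/Dec/2016:17:30:10 -0500] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [06/Dec/2016:17:30:15 -0500] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [06/Dec/2016:17:30:20 -0500] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [06/Dec/2016:17:30:40 -0500] "POST /login HTTP/1.1" 302 0
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_success_after_failures(log_text, threshold=5, window_minutes=10):
    """Return (ip, success_timestamp, failure_count) for each login success preceded
    by more than `threshold` failures from the same IP within `window_minutes`."""
    failures = defaultdict(list)  # ip -> timestamps of recent failed logins
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("req").startswith("POST /login"):
            continue  # not a login attempt
        ip, status = m.group("ip"), int(m.group("status"))
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        cutoff = ts - timedelta(minutes=window_minutes)  # drop stale failures
        failures[ip] = [f for f in failures[ip] if f >= cutoff]
        if status == 401:
            failures[ip].append(ts)
        elif status == 302:
            if len(failures[ip]) > threshold:
                alerts.append((ip, m.group("ts"), len(failures[ip])))
            failures[ip].clear()  # a success resets the counter for that IP
    return alerts

if __name__ == "__main__":
    for ip, when, n in find_success_after_failures(SAMPLE_LOG):
        print(f"ALERT: {ip} logged in at {when} after {n} failed attempts")
```

With the defaults only 199.168.99.18 fires (6 failures, then success); 10.0.0.5 has exactly 5 failures inside the window plus one stale failure that the window discards, so it stays below the "more than 5" threshold.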