This blog is more of a success story than anything else. I want to bring to light a small business with fewer than six employees that properly implemented auditing. As you may or may not know, Windows can audit logon and logoff events when the audit policy is enabled. This is extremely important when you are trying to figure out who is using, or has attempted to use, your systems.
In early December 2010, I was contracted by a small business owner who believed he had been breached. Critical software applications vital to the operation of the business were missing. Based on initial assessments and timelines, preliminary signs pointed to a malicious individual having gained unauthorized access. I was brought in mainly to confirm that a compromise had occurred, how it occurred, and when it occurred. The main challenge was the large gap in time between the initial observation of the suspected compromise and my response. The longer it takes to respond to a suspected compromise, the more chances there are for evidence pertinent to the investigation to be lost, degraded, modified, or overwritten; in general, the integrity of the data comes into question.
Upon arriving, I was able to locate logs recording successful logon and logoff events. Through these logs I discovered two IP addresses from which logons to the servers were attempted during off-duty hours within the timeframe of the suspected attack. By correlating the IP addresses with other sources such as perimeter and system logs, I confirmed that the unauthorized access had led to a successful compromise. I also traced the attacker's IP addresses to a likely origin: a local university. The fact that this level of logging was enabled at a small business is incredible; there are billion-dollar corporations that have no auditing policy in place.
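The triage described above, off-hours logons from addresses that do not belong to the business, is straightforward to automate once the Security log is exported. The following is an added example, not code from the original post or from SecureState: it parses a constructed pipe-delimited export of Windows logon events (the format, the 192.168.1.0/24 "internal" range, the documentation-range source addresses and the Monday-to-Friday 08:00-18:00 business hours are all assumptions) and groups the events worth asking the upstream network owner about by source IP. It uses the Vista/2008-era event IDs 4624 (successful logon) and 4625 (failed logon); a Windows Server 2003 log would carry 528/540 and 529 instead, so adjust the table if that is what the client is running.

```python
"""Off-hours logon triage over exported Windows Security-log records.

Added example; the export format, address ranges, business hours and the
sample records are assumptions, not taken from the original post.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: the business's own address space; anything else is "external".
INTERNAL_NETS = [ip_network("192.168.1.0/24")]
# Assumption: staff work Monday to Friday, 08:00 to 18:00 local time.
BUSINESS_START_HOUR, BUSINESS_END_HOUR = 8, 18
# Windows Security-log event IDs: 4624 = successful logon, 4625 = failed logon.
# Logon types 3 (network) and 10 (RemoteInteractive/RDP) carry a remote source
# address worth correlating; type 2 is a console logon and logs '-' as source.
LOGON_EVENTS = {4624: "success", 4625: "failure"}
REMOTE_LOGON_TYPES = {3, 10}

# Constructed sample export (not real data):
# timestamp|event_id|logon_type|account|source_ip
SAMPLE_RECORDS = r"""
2010-11-29T09:12:41|4624|10|OFFICE\jsmith|192.168.1.25
2010-11-29T17:48:03|4624|3|OFFICE\backup|192.168.1.10
2010-11-30T02:17:55|4624|10|OFFICE\admin|203.0.113.44
2010-11-30T02:31:09|4624|3|OFFICE\admin|203.0.113.44
2010-11-30T03:00:00|4624|10|OFFICE\admin|192.168.1.30
2010-12-01T23:05:12|4625|10|OFFICE\owner|198.51.100.7
2010-12-01T23:06:40|4624|10|OFFICE\owner|198.51.100.7
2010-12-02T11:00:00|4624|2|OFFICE\jsmith|-
2010-12-04T10:30:00|4624|10|OFFICE\jsmith|198.51.100.7
"""


def parse_records(text):
    """Turn the pipe-delimited export into dicts. Records without a usable
    source address (console logons log '-') are kept with source_ip=None."""
    records = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, account, src = line.split("|")
        try:
            ip = ip_address(src)
        except ValueError:
            ip = None
        records.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "source_ip": ip,
        })
    return records


def is_off_hours(when):
    """Weekend, or a weekday outside the assumed business hours."""
    return (when.weekday() >= 5
            or when.hour < BUSINESS_START_HOUR
            or when.hour >= BUSINESS_END_HOUR)


def is_external(ip):
    return not any(ip in net for net in INTERNAL_NETS)


def suspicious_logons(records):
    """Remote logon events, successful or failed, that happened off-hours from
    an address outside the business, grouped by source IP."""
    by_ip = defaultdict(list)
    for r in records:
        if r["event_id"] not in LOGON_EVENTS or r["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        if r["source_ip"] is None or not is_external(r["source_ip"]):
            continue
        if not is_off_hours(r["time"]):
            continue
        by_ip[str(r["source_ip"])].append(r)
    return dict(by_ip)


def summarize(by_ip):
    """Per-IP counts, accounts and time window: the list handed to the upstream
    network owner when asking who held that address at that time."""
    out = {}
    for ip, events in by_ip.items():
        out[ip] = {
            "successes": sum(1 for e in events if LOGON_EVENTS[e["event_id"]] == "success"),
            "failures": sum(1 for e in events if LOGON_EVENTS[e["event_id"]] == "failure"),
            "accounts": sorted({e["account"] for e in events}),
            "first_seen": min(e["time"] for e in events),
            "last_seen": max(e["time"] for e in events),
        }
    return out


if __name__ == "__main__":
    for ip, s in summarize(suspicious_logons(parse_records(SAMPLE_RECORDS))).items():
        print(f"{ip}: {s['successes']} successful, {s['failures']} failed, "
              f"accounts={s['accounts']}, {s['first_seen']} .. {s['last_seen']}")
```

Run as-is, it reports the two external addresses and leaves the 03:00 logon from 192.168.1.30 alone. That internal off-hours logon is deliberately not flagged by this filter, but it is exactly the kind of event to keep in the timeline once the external addresses have been correlated against perimeter logs, since it may be the attacker moving laterally.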
Once the IP addresses were traced to the local university, the university was contacted to see whether it could provide further information on the attacker, and it responded shortly afterwards with extremely detailed information. The university also maintained detailed logs of network access and logons, and had a policy of retaining that data for more than a month. This information was used by the small business to contact the proper authorities in the hope of tracing the MAC address to the culprit. I coordinated the cooperative investigation between the small business and the university, correlating the information from both parties, to provide information on the actual hardware device used to gain unauthorized access.
This is a perfect example of what SecureState recommends to clients in nearly every Incident Response (IR) Assessment and Network Architecture Review: proper auditing, collection, storage, and correlation of alerts and logs. Even though the gap in time from incident to response was significant, the client had followed proper policies and procedures to collect and retain the applicable logon and access data that could be used to correlate events.