Information security incident response and investigation

1
Incident response and investigation
One of the largest Eastern European banks asked us to help them to meet the requirements of the international payment system SWIFT. To do this, it was necessary to implement and test the regulations and procedures for information security incident response.

To achieve this goal, the following tasks were completed:

  • General preparation work: we coordinated with the customer the investigation regulations based on the existing customer's information security policies, as well as the relevant requirements and norms. We prepared a team of experts for remote investigations and investigations at the customer's premises.
  • Preparing for remote investigations: we established remote access and instructed the customer's specialists.
  • Conducting a test investigation. The scenario of the test incident and the amount of our information about it was entirely at the discretion of the customer.
  • Conducting investigations when real information security incidents occur. Interaction with the customer in accordance with the regulations.


We offered the customer the following set of typical security events and incidents, and the procedures for their handling:

  1. Abnormal activity in the system or transaction logs
  2. Compromised access credentials (short-term)
  3. Identity theft (long-term APT attack, one-time attack, reconnaissance, etc.)
  4. Privilege escalation
  5. Violation of access zones or resource sharing between critical and general IT systems
  6. Leak of confidential or internal information, or the threat of its disclosure
  7. Virus attack (onsight or remotely, depending on the consequences and degree of damage)
  8. Violations of traceability, integrity of event logs, and violations of non-repudiation
  9. Other integrity violations (tampering or unauthorized modification)
  10. Denial of service attack
  11. Other incidents


During two months, we developed and agreed with the customer on the regulation and response procedures. After we allocated resources for response and investigation, the customer initiated a test incident and gave us memory and hard disk dumps without any details about the incident. The "compromised" server was disconnected from the network, and a backup server took its place.

During one working week, we analyzed the dumps and found a test infection with a computer virus. We performed reverse engineering and developed a full report, in which we showed the method and progress of the infection, as well as made a conclusion about the danger of the virus and gave the recommendations for its removal.

The customer was satisfied with our work, reported to SWIFT, and purchased an annual subscription to our managed security incident response service. Then we offered the customer our service of PCI DSS implementation, but this is already a different story.
2
Hacker attack on the government of an Eastern European country
A representative of a major government organization of an East European country asked us for help in responding to and investigating a hacker attack. From 5 AM Saturday, the official website of this organization was unavailable due to the hacker attack Drupalgeddon 2, which was carried out automatically by malicious scripts all over the Internet.

As a result of the analysis, it was revealed that the attack did not impact important data and did no harm, except for the downtime of the website. However, this downtime caused some damage to the organization’s users, operations and reputation.

We quickly cleaned the website of malicious files, restored it, and collected event logs and other evidence to pass on to the police.

We conducted the investigation by analyzing the event log files of various server services. It was established that the last successful request with return code 200 was from a certain IP address, and after that, there were no logged events. Next, the website scripts were analyzed, and we found that a fragment of PHP code was inserted at the beginning of all executable files, which first turned off logging and then, in a surreptitious way, launched a shell that could accept remote commands. Malicious insertions were also found in the database.

After cleaning the website and collecting evidence, the server was hardened (configured for security), the CMS Drupal version was updated, additional controls for preliminary testing and security updates were introduced. Additionally, a web application firewall (WAF) was deployed to protect the website in real-time, and a host-based intrusion detection system (HIDS) was implemented to monitor the integrity of critical files on a daily basis. We also offered the organization our comprehensive Continuous Website Protection services, including, but not limited to, full protection against DDoS attacks. The organization subscribed to this service.

Even though the police did not find the perpetrators, we helped the state organization gain a new level of security for their server, which has allowed them to detect intrusions successfully and withstand both small and large-scale malicious attacks.

Learn more about cybersecurity incident response and forensic investigations.