IR Cases 💼

Case 1. Famous Retailer Data Breach

Case Overview

The Target Corporation is an American retailing company, founded in 1902 and headquartered in Minneapolis, Minnesota. It’s the second largest discount retailer in the United States. Target operates 1,916 stores in the United States, and also began operations in Canada in March of 2013. In December 2013, a data breach of Target’s systems affected up to 110 million customers; the attackers stole around 110 million customers’ PII. Target had IDS/IPS and the rest of the usual controls in place and was PCI-DSS compliant.

Case 2. Watering Hole Attack

Case Overview

Watering hole is an attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected [1].

In July 2012, several high-profile institutions (financial and tech sectors) were victimized by a watering hole attack.

Layout

Step 1. Stake out watering hole

Insert an iframe that redirects users to a 0-day malware download (Trojan Gh0st RAT).
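The injected iframe is the part of this case a defender can actually look for. The following is an added example (not code from the original page) that scans a page’s HTML and flags iframes that either point to a host other than the site’s own or are sized or styled to be invisible, the usual drive-by pattern. The sample HTML and the host names in it are constructed for the example.

```powershell
# Added example, not from the original page: flag injected iframes in a page's HTML.
# A frame is reported when it points off-site or is sized/styled to be invisible.

function Find-SuspiciousIframes {
    param([string]$Html, [string]$SiteHost)
    $findings = @()
    foreach ($m in [regex]::Matches($Html, '<iframe\b[^>]*>', 'IgnoreCase')) {
        $tag = $m.Value
        $src = ''
        if ($tag -match 'src\s*=\s*["'']?([^"''\s>]+)') { $src = $Matches[1] }
        # Off-site if the src host differs from the site's own host (relative URLs count as on-site).
        $offSite = $false
        if ($src -match '^(?:https?:)?//([^/:?#]+)') { $offSite = ($Matches[1] -ne $SiteHost) }
        # Invisible frames (zero size or hidden via CSS) are the classic drive-by pattern.
        $hidden = ($tag -match '\b(?:width|height)\s*=\s*["'']?0\b') -or
                  ($tag -match 'display\s*:\s*none') -or
                  ($tag -match 'visibility\s*:\s*hidden')
        if ($offSite -or $hidden) {
            $findings += New-Object PSObject -Property @{ Src = $src; OffSite = $offSite; Hidden = $hidden; Tag = $tag }
        }
    }
    return ,$findings
}

# Constructed sample: one legitimate on-site embed, one injected zero-size frame to an external host.
$sampleHtml = @'
<html><body>
<iframe src="/videos/player.html" width="640" height="360"></iframe>
<iframe src="http://example.invalid/landing.html" width="0" height="0" style="display:none"></iframe>
</body></html>
'@

Find-SuspiciousIframes -Html $sampleHtml -SiteHost 'www.example.com' | Format-Table Src, OffSite, Hidden
```

Run against a saved copy of a page (for example one fetched for a periodic integrity check), only the second frame is reported. A regex scan like this is a triage aid, not a parser; for production monitoring, compare the served HTML against a known-good baseline so that any newly added frame, visible or not, is caught.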

Case 3. Phishing against Google and Facebook

Case Overview

In summary, according to the US attorney’s office for the Southern District of New York, scammers stole over $100 million from Facebook and Google in a creative way: basically, they e-mailed the tech giants and asked for it. The scheme included setting up a fake business and sending phishing e-mails to employees of Facebook and Google. It ultimately duped those multi-million dollar companies out of more than a hundred million in total between 2013 and 2015.

Case 4. SANS Mock Case

Case Overview

Arya Stark gets an email, presumably from Direwolf, with an attachment. It looks suspicious and she forwards it to the security team.

Environment

Winterfell Server Network (192.168.10.0/24), consisting of a DNS server (192.168.10.230, ns1.winterfell.local, CentOS 7 with BIND) and a mail server (192.168.10.140, mail.winterfell.local, CentOS 7 with Postfix and Dovecot).

Winterfell Desktop Network (192.168.11.0/24), with IPs 192.168.11.101, 192.168.11.102, 192.168.11.103, 192.168.11.104 and 192.168.11.105; 192.168.11.105 belongs to the security team. All desktops run Windows 7 SP1 with Microsoft Office 2010. For a machine to be vulnerable to the attack steps below, Windows Firewall must be disabled and macros must be enabled for Office documents (Trust Center > Trust Center Settings > Macro Settings). Also, PsExec requires the DWORD called LocalAccountTokenFilterPolicy in the registry under
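The three settings above are exactly what a responder should verify on the desktops before and after an exercise like this. The following is an added example (not from the original page or the SANS material) that audits a Windows 7 / Office 2010 host for those weak settings and reports each as OK or WEAK. The registry locations it reads (the Office 2010 `14.0` Word security key and its policy override, and the `Policies\System` key for LocalAccountTokenFilterPolicy) are the standard Windows and Office locations as I know them, not values taken from the page.

```powershell
# Added example, not from the original page: audit the weak settings the Case 4 lab relies on.
# Registry paths are the standard Windows / Office 2010 locations (assumption, not from the page).

function Test-FirewallState {
    # 'netsh advfirewall' exists on Windows 7; each profile prints a line "State  ON" or "State  OFF".
    $out = netsh advfirewall show allprofiles state 2>$null
    $off = @($out | Where-Object { $_ -match '^\s*State\s+OFF' })
    if ($off.Count -gt 0) { 'WEAK: Windows Firewall is OFF in at least one profile' }
    else { 'OK: Windows Firewall is ON in all profiles' }
}

function Test-OfficeMacroSetting {
    # Office 2010 is version 14.0. VBAWarnings: 1 = enable all macros (weak),
    # 2 = disable with notification (default), 3 = signed only, 4 = disable all.
    # A value under the Policies key, if present, overrides the user's own setting.
    $keys = @(
        'HKCU:\Software\Policies\Microsoft\Office\14.0\Word\Security',
        'HKCU:\Software\Microsoft\Office\14.0\Word\Security'
    )
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($v -ne $null) {
            if ($v -eq 1) { return "WEAK: VBAWarnings=1 (all macros enabled) at $k" }
            return "OK: VBAWarnings=$v at $k"
        }
    }
    'OK: VBAWarnings not set (Office default: disable macros with notification)'
}

function Test-TokenFilterPolicy {
    # LocalAccountTokenFilterPolicy=1 turns off UAC remote restrictions, so local admin
    # accounts keep a full token over the network; that is what PsExec-style remote admin needs.
    $k = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = (Get-ItemProperty -Path $k -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    if ($v -eq 1) { 'WEAK: LocalAccountTokenFilterPolicy=1 (UAC remote restrictions disabled)' }
    else { 'OK: LocalAccountTokenFilterPolicy absent or 0 (UAC remote restrictions in effect)' }
}

Test-FirewallState
Test-OfficeMacroSetting
Test-TokenFilterPolicy
```

Run it in an elevated prompt on each desktop (192.168.11.101 through .105 in this lab); any WEAK line is a finding to remediate, i.e. re-enable the firewall profile, set VBAWarnings back to 2 or higher, and remove or zero LocalAccountTokenFilterPolicy. The same three checks, expressed as a scheduled job or a GPO compliance report, are what keeps the lab configuration from quietly surviving into production.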

Case 5. IBM Example

Case Overview

Arya Stark gets an email, presumably from Direwolf, with an attachment. It looks suspicious and she forwards it to the security team.

Identify possible threats and attack vectors: a website hosting malicious content that waits for a vulnerable browser. This can be countered with QRadar, McAfee ePolicy Orchestrator, and a next-generation firewall.

In QRadar we see several alerts: “Malicious URL detected”, three “possible DDoS”, and “OAS denied access and continued”, preceded by “file infected”.

Case 6. Home Depot PoS Attack

Case Overview

This attack started with stealing credentials from a vendor, using them to install malware on around 7,500 self-checkout POS terminals, and then exfiltrating data. It went unnoticed for 5 months (April to September 2014) and grabbed the data from 56 million credit and debit cards (useful for identity theft) and 53 million emails (useful for phishing). The investigation started on September 2nd and on the 8th confirmed that the system had been breached. Home Depot also offered free credit services to affected customers who had used their payment cards as early as April 2014, and apologized for the data breach.

Case 7. Atlanta Ransomware Attack

Case Overview

On 22 March 2018, the City of Atlanta suffered a ransomware attack. Many devices at City Hall were shut down. SamSam ransomware was to blame. The attackers demanded $51,000 and the city refused. The main devices were shut down for 5 days, and many operations returned to traditional handwriting 😊. Atlanta disabled Wi-Fi at the airport up until the 2nd of April.

Timeline

22 March, 2018 - ransomware strikes.

May - online water bill payment restored.

Case 8. Kaseya Supply Chain Ransomware Attack

Case Overview

Timeline

Lessons Learned

References

[1] Kaseya Supply Chain Ransomware Attack - Technical Analysis of the REvil Payload

[2] Case updates and general information.