Case Study: Incident Response
Confidential Client — International Life Science Manufacturer
A website at an international Life Science Manufacturer was compromised and was redirecting users to websites that hosted malware. Did the malware cause any data loss? Was "sensitive information" (i.e. customer credit card data) obtained during the time frame in which the website was at risk? Would this result in a major, news-making and potentially brand-damaging incident leading to significant business loss and unforeseen costs? Handling incidents well, and performing effective incident response, can make the difference between mitigating damage and completely avoiding a potentially catastrophic customer and public relations event.
IANS, a leading decision-support and consulting firm in the information security industry, was called in to respond to this incident. The engagement began by establishing the timeline and details of the events leading up to the malware infection. The malicious software was identified via public sources and then analyzed to determine the specific actions to be taken. IANS found multiple instances of the same family of malicious software and identified its activities and behaviors. By examining the sequence of access timestamps on the files, combined with other data, IANS further uncovered the ongoing activities of the malware.
Timeline of Events
- An attacker logged onto the website, with no failed login attempts logged, and modified the index.php file so that it redirected users to a website hosting malware.
- The organization received an email alert from Google indicating that the website had been compromised.
- The organization identified and performed initial remediation by restoring the appropriate files from a known source that existed prior to the compromise.
- Scans were performed to identify the potential source of the compromise. Numerous vulnerabilities were found. The website was moved to a new hosting provider.
- IANS performed an analysis of the related digital information to determine the source of the security incident and whether any sensitive information was obtained.
- IANS determined that alterations to the website were caused by the same attack that plagued more than 20,000 Internet web servers.
- Throughout the investigation, IANS found no indication that sensitive data had been obtained through this security breach, or that the organization was specifically targeted.
- IANS delivered its findings, which included an executive summary and key findings with a detailed timeline, the origin of the attack, technical evidence, and remediation steps.
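The steps above rest on two things a defender can script: a known-good copy of the web root (the source the files were restored from) and the file timestamps used to order events. The following is an added example, not IANS tooling or the manufacturer's code, that hashes a web root against a baseline, flags changed PHP/HTML/JS files that contain redirect code, and orders the findings by modification time. The directory layout, file contents, the redirect markers and the `malicious.example` host are all constructed for the demonstration.

```python
"""Web-root integrity check and change timeline (added example, constructed data).

Assumes a known-good baseline of SHA-256 digests taken before the compromise,
matching the case study's restore from a source that existed prior to it.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed list of strings whose presence in a changed web file warrants a
# closer look; the case study's tampered index.php redirected visitors.
REDIRECT_MARKERS = ("header('Location:", 'header("Location:',
                    "window.location", '<meta http-equiv="refresh"')
TEXT_EXT = {".php", ".html", ".htm", ".js"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Relative path -> SHA-256 for every regular file under root."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = sha256_file(full)
    return digests


def looks_like_redirect(path):
    """True if a text web file contains one of the redirect markers."""
    if os.path.splitext(path)[1].lower() not in TEXT_EXT:
        return False
    with open(path, "rb") as f:
        data = f.read().decode("utf-8", errors="replace")
    return any(marker in data for marker in REDIRECT_MARKERS)


def compare(baseline, root):
    """Diff the current web root against the baseline.

    Returns a list of findings sorted by modification time (oldest first) so it
    reads as a timeline; deleted files carry no mtime and sort last.
    """
    current = snapshot(root)
    findings = []
    for rel in set(baseline) | set(current):
        if rel not in current:
            findings.append({"path": rel, "status": "deleted",
                             "mtime": None, "redirect": False})
            continue
        if rel in baseline and baseline[rel] == current[rel]:
            continue  # unchanged
        full = os.path.join(root, rel)
        mtime = datetime.fromtimestamp(os.stat(full).st_mtime, tz=timezone.utc)
        findings.append({
            "path": rel,
            "status": "modified" if rel in baseline else "added",
            "mtime": mtime.isoformat(timespec="seconds"),
            "redirect": looks_like_redirect(full),
        })
    findings.sort(key=lambda f: (f["mtime"] is None, f["mtime"] or "", f["path"]))
    return findings


def build_demo_case():
    """Constructed scenario: clean baseline, then index.php rewritten to redirect."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "inc"))
    files = {
        "index.php": "<?php include 'inc/header.php'; echo 'Welcome'; ?>\n",
        "about.php": "<?php include 'inc/header.php'; echo 'About us'; ?>\n",
        "inc/header.php": "<?php // site header ?>\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(body)
    baseline = snapshot(root)  # the known-good state
    # Tampering as described in the timeline: index.php now sends visitors elsewhere.
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php header('Location: http://malicious.example/'); exit; ?>\n")
    return baseline, root


if __name__ == "__main__":
    baseline, root = build_demo_case()
    for f in compare(baseline, root):
        flag = "  <-- redirect code" if f["redirect"] else ""
        print(f"{f['mtime']}  {f['status']:<8} {f['path']}{flag}")
```

The baseline should be taken from a copy the attacker could not have written to (a release artifact or version control export), not from the live host after the fact. Modification times order events well enough for a first pass, but they are writable by anyone who can write the file, and access times are often not updated at all on hosts mounted with `noatime` or `relatime`, so they should be corroborated against web server and authentication logs, as the case study did.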
IANS assessed the company's overall risk as low, based on the information found during the investigation, the absence of any loss of sensitive data, and the nature of the organization's business. However, IANS did discover instances in which sensitive information was being transmitted in clear text (FTP) rather than over encrypted communications (SFTP), and that the web server was not being assessed and remediated on a regular basis. As a result, the organization changed hosting providers, infrastructure, and file transfer mechanisms.
While this result is very positive, it was the ability to forensically determine the event timeline that gave the manufacturer's management team the ability to downgrade the incident. This aided immensely in avoiding a tortuous and costly compliance-laden process that could have resulted in improper notification of customers and the media. Instead, the avoidance of a costly public-relations impact on the business validated their choice of malware protection and incident response process.