Sifers-Grayson hired a cybersecurity consulting firm to help it meet the security requirements of a contract with a federal agency. The consulting firm’s Red Team conducted a penetration test and exploited several avenues of Sifers-Grayson's network. This is an excellent opportunity to gather vital forensic evidence that can be used to train Sifers-Grayson's incident response team and help create a formal incident response plan.
Engineering Center's R&D Servers
The engineering center's R&D servers were hacked through an unprotected network connection, resulting in 100% of design documents and source code for the AX10 Drone System being stolen.
It is possible to determine and prove which files were transferred off the servers by examining the audit logs, provided auditing was enabled before the penetration test. Unfortunately, auditing isn't enabled by default in Windows 10; if it wasn't enabled, proving these data transfers may only be possible for a professional data forensics analyst. As soon as an attack is detected, it is essential to take snapshots. "System snapshots are a core component when conducting forensic analysis on a live machine. They provide critical insight into what was going on at the time they were taken" (Kramer, 2017). These snapshots can be examined to determine what data changed since the last known good snapshot or backup. Remember that a snapshot captures a single moment in time, so if it is taken after the servers restart, the data in volatile memory, such as cache memory and RAM, will already be lost.
It is also possible to determine where these files were sent by viewing the server's router (gateway) logs. Once again, this assumes router logging is enabled. If it isn't, contacting the internet service provider (ISP) might be helpful: the ISP might provide a log of outgoing connections, assuming the "unprotected network connection" came from the internet. The internet is the most likely source of the attack because, according to the network diagram, there is no firewall between the internet and the R&D Center.
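As an added illustration (not part of the original report), the following PowerShell shows the two halves of the point above: enabling Windows file-system auditing on an assumed design-document folder before an incident, and afterwards tabulating the resulting Event ID 4663 file-access events from the server's Security log. The folder path and the CSV export path are placeholders.

```powershell
# Added example, not from the original report. Paths are assumed placeholders.
$DesignRoot = 'D:\AX10\Design'          # assumed location of design docs and source code
$ExportPath = 'C:\IR\ax10-file-access.csv'

# 1. Turn on the "File System" object-access audit subcategory (off by default on Windows 10).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add a SACL so that successful reads (the access a copy-off-the-server uses) on the
#    whole folder tree are written to the Security log. Without this step, enabling the
#    policy alone records nothing for these files.
$acl  = Get-Acl -Path $DesignRoot -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
            'Everyone',
            'ReadData, ReadAttributes, ReadExtendedAttributes',
            'ContainerInherit, ObjectInherit',
            'None',
            'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $DesignRoot -AclObject $acl

# 3. After an incident: pull Event ID 4663 ("An attempt was made to access an object")
#    and build a timeline of who touched which design file from which process.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue
$events |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            File    = $d.ObjectName
            Process = $d.ProcessName
            Access  = $d.AccessMask
        }
    } |
    Where-Object { $_.File -like "$DesignRoot*" } |
    Sort-Object Time |
    Export-Csv -Path $ExportPath -NoTypeInformation
```

Only the local server's Security log is queried here; correlating the exported timeline with gateway or ISP connection logs is what ties a file read to an outbound transfer.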
20% of employee passwords were stolen using keylogging software installed on USB keys left on the lunch table in the employee lounge in the headquarters building.
Evidence of the keylogging software can be gathered from the USB keys themselves and from the computers that had the USB keys plugged into them. Gathering this evidence is also accomplished with auditing software and data forensics analysis.
If security cameras (CCTV) are installed in and around the installation(s), this can provide evidence that the attackers left the USB keys. "Closed Circuit Television Cameras (CCTV) have become an important crime prevention and security measure. Cameras collect images and transfer them to a monitoring-recording device where they are available to be watched, reviewed and/or stored" (Secure Community Network, n.d.).
Sifers-Grayson employees were quite friendly and talkative as they opened the RFID-controlled doors for the “new folks” on the engineering staff (who were actually Red Teamers). Therefore, CCTV could provide evidence of trespassing. However, if this were an actual attack, it might not hold up in a court of law since employees willingly let the attackers onto the premises. Regardless, reviewing CCTV footage is an excellent training and learning opportunity to prevent future tailgating. "Tailgating attack is a social engineering attempt by cyber threat actors in which they trick employees into helping them gain unauthorized access into the company premises" (Kratikal Tech Pvt Ltd, 2020).
The Red Team used the stolen logins to install malware over the network onto a workstation connected to a PROM burner in the R&D DevOps lab. This malware made its way onto a PROM installed in an AX10 test vehicle undergoing flight trials at the Sifers-Grayson test range. This resulted in the red team taking complete control of the test vehicle.
Once again, evidence can be gathered through audit logs and data forensics analysis on the infected computer(s) and even the test vehicle itself. CCTV may have footage of the test vehicle flying around, which should provide evidence that the test vehicle was compromised.
The Red Team used three stolen logins to send phishing emails to employees, resulting in the collection of email addresses and IP addresses for over 1500 external recipients within 24 hours.
Evidence of the phishing emails will be on Sifers-Grayson's email server. It is possible to prove which accounts sent the emails and which accounts received them through non-repudiation. In addition, internet browser history on the local computers can show who clicked the emails and where the links led. Combining this information with the data from the keyloggers can prove that the attackers, rather than internal employees, sent the phishing emails.
The Red Team's penetration test showcases the weaknesses of Sifers-Grayson's network. It highlights several successfully attacked areas, including at least one unprotected network connection and several forms of social engineering. Social engineering led to stolen passwords through USB keyloggers and phishing emails, which in turn led to malware propagating throughout the network, stolen files, and the complete takeover of an AX10-a test vehicle. This penetration test provides an excellent learning opportunity to gather forensic evidence, build an incident response team, develop a formal incident response plan, and strengthen Sifers-Grayson's security posture.
Kramer, A. (2017, May 11). Turning a snapshot into a story: Simple method to enhance live analysis. SANS. https://www.sans.org/blog/turning-a-snapshot-into-a-story-simple-method-to-enhance-live-analysis/
Kratikal Tech Pvt Ltd. (2020, April 20). Tailgating attack: A physical social engineering crime. Medium. https://kratikal.medium.com/tailgating-attack-a-physical-social-engineering-crime-f63da4195536
Secure Community Network. (n.d.). CCTV. https://securecommunitynetwork.org/resources/model-security-policies-procedures/cctv