The Second Investigation: Detection without Effective Containment
Introduction:
In the first instalment of our series, we discussed the first investigation at Joe’s Retail, which failed to detect a critical piece of malware and left the breach unaddressed. This second post will delve into the next chapter of the story: the second investigation almost a year later, which uncovered the missed malware but struggled with effective containment, allowing the breach to persist.
Uncovering Missed Threats and Containment Failures
Almost a year later, Joe’s Retail was approached once more in regards to another CPP alert from a card brand. They chose a different listed PFI firm to investigate this time around; but once more it was only an Independent Investigation. This time the investigation team performed a more thorough investigation by obtaining a full disk image of the respective server.
Three Key Findings and Failures following a new Common Point of Purchase (CPP) report from a card brand:
-
Discovery of Missed PHP Backdoor:
Using a full disk image for analysis, the team identified the second PHP backdoor that had been missed during the initial investigation. This backdoor had provided the attacker(s) with persistent access to the network. The use of a full disk image allowed for a more thorough data set for examination of the server.
-
Improved but Insufficient Security Measures:
Post-investigation, Joe's Retail implemented several security measures, such as updating plugins, changing passwords, implementing Multi Factor Authentication (MFA) on the administrative panel via email, and moving the admin panel from its default location. However, these measures were still insufficient to fully secure the environment. Without a comprehensive security strategy, the attacker found ways to reintroduce the malware.
-
Incomplete Log Analysis:
Despite the improved evidence collection, the team failed to analyse all relevant log data, including the Web Application Firewall (WAF) logs. These logs, dating back to May 2022, contained critical information about the attacker(s) activities. The omission of these logs left significant gaps in understanding the attack timeline and methods.
Four Lessons Learned from the 2nd investigation :
-
Thorough Log Review:
A complete review of all available and relevant logs, including WAF logs, is essential. Overlooking such logs can result in missing critical indicators of compromise and attacker(s) activities. Implementing log aggregation and analysis tools can streamline this process and ensure no crucial data is overlooked.
-
Effective Containment Strategies:
Identifying malware is only the first step. Effective containment requires ensuring no avenues for re-infection remain. Incident response plans should include detailed containment procedures to minimise the risk of ongoing compromise. Conducting regular security audits can help in early detection and containment of threats.
-
Ongoing Monitoring and Analysis:
Continuous monitoring and analysis of network activity are crucial for detecting persistent threats. This helps in identifying ongoing attacker activities and responding promptly. Utilising tools like ThreatView can enhance detection capabilities.
-
Containment Follow Through:
Despite having been given thorough containment actions and recommendations by both PFI companies, the hesitation that Joe’s Retail had in following through with them cost them dearly.
Conclusion:
The second investigation at Joe’s Retail highlighted the importance of thorough log analysis and effected containment strategies. While some progress was made in identifying missed threats, the failure to fully contain the attacker(s) foothold allowed the breach to continue. In the final instalment, we will detail our comprehensive investigation, which finally brought the breach under control, and discuss the measures implemented to prevent future incidents.
Stay tuned for the next post in our series.
