Sometimes when we talk about cybersecurity, it can feel a little intangible, with theory tending to dominate what we read about it. Therefore, learning from real-life instances can often be the best education. Thus, the security operations center (SOC) team of analysts at AT&T Cybersecurity makes it a priority to share certain security incidents for the greater cybersecurity community to learn from. The following story is an actual security incident uncovered by AT&T Cybersecurity SOC analysts. It is part of a larger series that aims to provide insight from the frontline of cybersecurity, including what triggered alarms for indicators of compromise, the investigation process, the APT actors behind the attack and the responses and defense tactics to remediate the threat.
Welcome to Tales from the SOC.
The third tale covers an inactive account exploitation incident. Here, the AT&T Cybersecurity managed threat detection and response SOC analyst team discovered that a malicious threat actor had gained the credentials of an ex-employee whose account was not properly deactivated. This attack method is a popular technique for hackers to gain entry into an enterprise’s network because deactivating an ex-employee’s account can be deemed unimportant; however, failure to audit this process can have huge consequences.
Sound the Alarm
Initially, the SOC team was first alerted to an incident or indicator of compromise (IOC) when a customer had a user gain access to Office365 in a foreign country. The alert itself was a custom rule created to notify the team in such cases, and these can be tailored to each specific customer requirement. It is highly advisable to put these alerts in place, as they increase the chances of early detection of abnormal activity on an organization’s network environment.
Next, the AT&T analysts carried out an extensive review of the incident. To some, seeing a successful login attempt from a foreign country might be normal. Perhaps the individual is away on a business trip or working remotely – certainly not uncommon in today’s hybrid office environment. Nevertheless, it is the security team's responsibility to perform the necessary due diligence on any suspicious activity. Further investigation was carried out by the team to obtain more information and rule out the possibility of a compromised account.
Deep Dive Analysis
As previously mentioned, the AT&T managed threat detection and response rule created for the customer was designed to flag any outside login attempt as an anomaly. When analyzing other log in behavior from the same user, no other attempts had been made in the previous 90 days. This was a red flag for the team. It was also found that the same user had nearly 1000 failed login attempts from suspicious IP addresses in almost 50 countries.
After digging more, the SOC team noticed the attacker had navigated their way onto the victim’s (a former employee’s) personal SharePoint folder but had not successfully accessed sensitive information. The next step was to determine if the attacker had made changes to the organization’s network, changed access privileges or exploited any confidential data. Upon extensive examination, there was no evidence that this took place.
Plan of Action to Respond
Once all the evidence had been obtained, the customer needed to be notified immediately with an effective response to the situation. However, shortly after notifying the customer, the SOC team noticed the attacker was attempting to gain access to the system from another country – this time from Albania – to escalate the attack.
Working together with the AT&T team, the customer quickly revoked the login credentials and completely disabled the account being used. They also confirmed the targeted user was a former staff member at the company.
While the attack didn’t manifest into a more serious threat, this scenario should act as a warning to enterprises that auditing user accounts and logins should be embedded into all security processes.