Craig Cook <[email protected]> wrote:
>> "The Security team had discovered it, was confirming it, but they have suddenly been locked out of the exfiltration servers and the key KVM over IP switch."
>
> First, I am impressed that your company has a security team.

At the 68K employees level it is not that unusual to have this level of specialization. Notably, we are a constant APT target. Chinese New Year starts, attacks drop dramatically. New year is over, they shoot up back to normal levels. In this world, it's no longer an option to have such a team, it's a de rigueur requirement.

> Also, the fact that they discovered an incident in progress is also very
> promising.

Also not that unusual. We have a metric called dwell time, which is how long an intruder got in and went undetected. Shutting off the C2 traffic creates a Roach Motel effect - you got in, but you can't get out.

> This is also impressive "They found that you were working after hours".

This may be the more impressive aspect of the scenario. Badge reader databases tend to be legacy. In my experience, if you acquire a company, the IP networks will be integrated long before the badge reader databases are integrated. They are typically purchased and managed by Physical Security people (sometimes an outsourced function), not Network Security. Assuming a SOC could get access to these systems, a standard query they should be able to make is "who is currently badged in", and should be able to filter based on several criteria (location, Disaster preparedness role, organization one works for, etc).

But remember, this is a _contrived_ no-win scenario. It's realistic to the extent it is a composite of facts based on actual events - not all of which have occurred at the same time.

RSA is going to be here tomorrow for one of our employee Security Awareness events, to give a presentation about their real life breach. They had detected it too, and were watching it in real time but were unable to react and shut it off in time. We'll see what new details I hear about it.

> Moving on...
>
> Craig
>
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
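The "who is currently badged in" query the reply says a SOC should be able to run, as an added example that is not part of the thread. The event log, reader names, badge IDs and the directory attributes used for the location/role/organization filters are all constructed for illustration; the stale-swipe threshold is an assumption standing in for whatever a real system uses to handle missed exit swipes.

```python
"""Answer "who is currently badged in?" from a badge-reader event log (constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BadgeEvent:
    ts: datetime
    badge_id: str
    reader: str      # reader name, e.g. "bldg2-lobby" (constructed)
    direction: str   # "in" or "out"


# Constructed directory: badge -> attributes a SOC would filter on.
DIRECTORY = {
    "B1001": {"name": "A. Ops",  "location": "bldg2", "org": "NetSec",     "dr_role": "responder"},
    "B1002": {"name": "C. Cook", "location": "bldg2", "org": "SysAdmin",   "dr_role": "none"},
    "B1003": {"name": "D. Phys", "location": "bldg1", "org": "Facilities", "dr_role": "warden"},
}

T0 = datetime(2014, 3, 5, 8, 0)   # constructed start of a business day
EVENTS = [
    BadgeEvent(T0,                        "B1001", "bldg2-lobby", "in"),
    BadgeEvent(T0 + timedelta(hours=9),   "B1001", "bldg2-lobby", "out"),
    BadgeEvent(T0 + timedelta(hours=11),  "B1001", "bldg2-lobby", "in"),   # came back after hours
    BadgeEvent(T0 + timedelta(hours=12),  "B1002", "bldg2-lobby", "in"),   # after-hours arrival
    BadgeEvent(T0 - timedelta(hours=20),  "B1003", "bldg1-lobby", "in"),   # never swiped out
    BadgeEvent(T0 + timedelta(hours=1),   "B1004", "bldg2-lobby", "out"),  # "out" with no "in" (tailgated in)
]
NOW = T0 + timedelta(hours=13)    # 21:00, i.e. after hours


def currently_badged_in(events, now, max_shift=timedelta(hours=16), **filters):
    """Badge IDs whose most recent event at or before `now` is an "in" swipe.

    Edge cases: an "out" without a prior "in" is ignored; an "in" older than
    `max_shift` (assumed threshold) is treated as a missed exit swipe; keyword
    filters (location=, org=, dr_role=) match against DIRECTORY attributes.
    """
    last = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ts > now:
            break
        last[ev.badge_id] = ev           # later events overwrite earlier ones
    present = []
    for badge, ev in last.items():
        if ev.direction != "in" or now - ev.ts > max_shift:
            continue
        attrs = DIRECTORY.get(badge, {})
        if all(attrs.get(k) == v for k, v in filters.items()):
            present.append(badge)
    return sorted(present)
```

Running it against the constructed log at 21:00 reports only B1001 and B1002 as on site; the stale B1003 swipe and the orphan B1004 exit are excluded.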
