A major financial institution received an anonymous email with insider knowledge that sensitive customer data was leaving the company’s environment. If the company didn’t fix the breach, the email threatened, the writer would go public with the information.
After an initial investigation, the company determined that data from business loan applications was being stolen. Worse, the data included confidential business financial details and personally identifiable information (PII) like Social Security numbers. That kind of loss could have disastrous financial and legal consequences for the company and its victims.
How was the data getting out? Given their strong security posture, the internal security team suspected an insider threat. Aware that they needed expert support not only to detect the source of the leak but also to handle a sensitive situation, the organization brought in Palo Alto Networks Unit 42.
With such high stakes, the client needed Unit 42 to uncover the source of the issue — and fix it — as quickly as possible.
Because the client suspected an insider threat, two things were essential: First, the investigation had to include granular visibility into user activity on any and all endpoints, a capability the client lacked. And second, it was critical that Unit 42 act stealthily, in a way that didn’t disrupt the workforce or the business.
At first, Unit 42 approached the investigation as an insider threat, and there was evidence to support this theory. For example, data was being exfiltrated at the same time daily. So, the team began looking at user machines for illicit activity.
“Initially, we deployed Cortex XDR, our endpoint detection response product,” Brewer says. “It shows us everything a user is doing — their browser history, applications, processes.”
Cortex XDR® gave Unit 42 the ability to see a wide range of activities in user behavior, including whether employees were uploading data to file sharing sites or plugging in USB drives and copying data onto them. The answer, surprisingly, was no. There was nothing malicious happening on the inside.
If this wasn’t an inside job, who was executing the attack? Even though the client had strong security and application controls in place, Unit 42 went back to basics, checking the frontend of the company’s website. And when the team looked at how accounts were accessed, they discovered what is actually a common vulnerability: an insecure direct object reference (IDOR).
Brewer explains, “On some websites, you can have a user ID that’s a numerical value. And in this case, you could just change a number in that user ID and access another person’s account information.” The glitch was the result of a change in code that the client had made but hadn’t tested sufficiently. “They just missed that piece,” Brewer says.
Once discovered, the resolution was straightforward, but pinpointing the breach was a formidable task. The client’s website was massive, with dozens of servers and a number of integrated software-as-a-service (SaaS) platforms.
“The dataset we looked at was very, very large,” Brewer recalls. “To paint a picture of the environment, we had to coordinate the data from the website logs with the logs from the SaaS platforms and firewalls.”
That complexity of analysis required unique skill sets and additional people power, so Unit 42 scaled up, bringing in experts on particular applications and log sets. “To keep things lean, we always start with a focused team,” Brewer says. “But when the situation demands it, Unit 42 can scale instantly.”
The result? A quick pivot to a resolution. “The client was actually surprised that we were able to pick up on the uniqueness and the intricacies of their code,” Brewer remembers. “But we have experts with a high level of technical skill, and they can adapt quickly.”
Vital to any Unit 42 investigation is its Threat Intelligence team, which works to identify the attacker’s tactics, techniques, and procedures (TTPs), including where they’re operating from and the IP addresses they’re using. The team also determines whether the illicit activity is tied to a known threat actor group, which could be statesponsored. In the case of the loan data breach, it wasn’t.
Another angle Unit 42 uses in investigating a breach is offensive security. “Their job is to find the vulnerabilities and attempt to exploit them in ways that could compromise an entire company,” Brewer says. From there, Unit 42 can look for evidence of similar malicious activities inside the log. “That really helps speed up an investigation.”
Unit 42 always collaborates with clients in an equal partnership. In this case, because the source code for the financial institution’s website was so complex, the work was truly side by side.
“We worked very closely with the client’s security engineering team,” Brewer explains. “We were looking at custom PHP, custom database entries, custom error-checking and security measures. Collaboration was essential.”
Given the nature of the breach and the impact on the business, communication with the C-suite was also vital. The CEO and board of directors were duly concerned. The Unit 42 team provided daily updates on phone calls and video conferences, walking them through what was discovered and how it was being handled.
Once the vulnerability was identified — a missing security check that should have disabled one account from logging in to another — the client demonstrated to Unit 42 that they had fixed it. But fixing a vulnerability and proving that the fix works are two different things.
Unit 42 tested the code to make sure that the attack had been stopped and the vulnerability secured against future attacks. And as they reviewed the code, they checked to make sure that the same vulnerability wasn’t present elsewhere on the website.
A critical lesson for the financial institution: Even the smallest chink in protections can compromise an otherwise robust security posture. “Everything else on their website was safe and secure,” Brewer says. “It was just one little change they had made that inadvertently allowed this attack.”
After Unit 42 resolved the threat, the team provided the client with a series of recommendations for fine-tuning their security posture going forward. Chief among them: Conduct a code review any time a code or application change is made to frontend systems. And for internet-facing assets, do a web application penetration test on that side of that domain to ensure that no inadvertent vulnerabilities are accidentally introduced.
For many organizations, regardless of size or maturity, a breach underscores how complex security can be, with so many small actions that can have outsized repercussions. At the end of the engagement, Unit 42 looks to build a long-term partnership and help the client align on clear steps to be more secure in the future.
About Unit 42
Palo Alto Networks Unit 42® brings together world-renowned threat researchers, elite incident responders, and expert security consultants to create an intelligence-driven, response-ready organization that is passionate about helping you proactively manage cyber risk. Our team serves as your trusted advisor to help assess and test your security controls against the right threats, transform your security strategy with a threat-informed approach, and respond to incidents in record time so that you get back to business faster.
If you’d like to learn more about how Unit 42 can help your organization defend against and respond to severe cyberthreats, visit start.paloaltonetworks.com/contact-unit42.html to connect with a team member.
If you’re concerned you’ve an insider threat or data has been illegally stolen, Unit 42 is ready to help assess your risk and remediate the incident. Call us at North America toll free: +1.866.486.4842 (+1.866.4.UNIT42), EMEA: +31.20.299.3130, UK: +44.20.3743.3660, APAC: +65.6983.8730, or Japan: +81.50.1790.0200, or get in touch by visiting start.paloaltonetworks.com/contact-unit42.html.