DFIR Case Studies

Fictional case studies for incident response investigations, including third-party supply-chain attacks, ransomware incidents, business email compromises, and insider threat investigations.

The following case studies are purely hypothetical and do not reflect any narratives from actual client engagements.
LockBit 3.0 Ransomware
RW

Incident: In mid-2024, a mid-sized financial services company experienced a ransomware attack, initiated through the FortiOS SSL VPN vulnerability CVE-2024-21762. This critical vulnerability allowed unauthenticated attackers to execute arbitrary commands, leading to unauthorized network access. Once inside, the attackers used Mimikatz to harvest administrative credentials, followed by using Cobalt Strike to exfiltrate data from the company’s file servers. The culmination of the attack involved deploying LockBit 3.0 ransomware through the domain controller, encrypting critical data and demanding a ransom.

Detection and Initial Response: The company’s SIEM detected unusual VPN activity indicative of CVE-2024-21762 exploitation, alongside irregular lateral movements within the network. The company’s response included isolating the compromised VPN gateway and affected network segments and mobilizing the incident response team to assess the breach and mitigate its spread.

Investigation and Analysis: Investigations were conducted using network monitoring tools, advanced threat detection systems, and forensic analysis software. These revealed that attackers had exploited the CVE-2024-21762 vulnerability to gain unauthorized access, used Mimikatz to extract administrative credentials, employed Cobalt Strike for reconnaissance and data exfiltration from the company's primary file server, and dropped a LockBit 3.0 ransomware executable on the primary domain controller to facilitate a network-wide encryption.

  • Network Monitoring and Traffic Analysis:
    • Utilized network monitoring tools to trace the origin and pathway of the attack within the network.
    • Analyzed VPN logs to confirm the exploitation of CVE-2024-21762, identifying the entry point of the attackers.
  • Forensic Analysis with Advanced Threat Detection Systems:
    • Deployed forensic analysis software to scrutinize affected systems and uncover the methods used for credential theft.
    • Advanced threat detection systems scanned for anomalies indicative of Mimikatz usage and Cobalt Strike activities.
  • Credential and Access Examination:
    • Investigated system and security logs to identify the use of stolen credentials.
    • Monitored administrative access patterns to pinpoint unusual activities and potential breaches in protocol.
  • Data Exfiltration Assessment:
    • Reviewed network traffic data to determine the scope and scale of data exfiltration carried out using Cobalt Strike.
    • Employed data loss prevention tools to detect sensitive information that might have been transmitted outside the company’s network.
  • Ransomware Deployment Analysis:
    • Identified and analyzed the scripts and payloads associated with LockBit 3.0 found on the domain controller.
    • Assessed the impact and reach of the ransomware within the network to guide the containment and eradication efforts.

Mitigation Strategies: In response to the attack, the company patched the affected VPN software to address CVE-2024-21762 and undertook a comprehensive reset of passwords and credentials across the organization. They also enhanced network traffic surveillance and tightened firewall rules to prevent further unauthorized access. Ongoing mitigation efforts included regular vulnerability assessments focused on patch management and strengthening of perimeter security.

Resolution and Lessons Learned: The company opted not to pay the ransom, instead relying on recent, unaffected backups for data restoration. Systems were methodically cleaned and restored to operational status, ensuring no remnants of the attack nor malware remained. The incident underscored the critical importance of maintaining up-to-date security patches and robust detection systems to quickly identify and respond to initial exploit attempts and unauthorized movements within the network.

Technologies Used:

  • SentinelOne Singularity
  • Elastic's ELK Stack
  • Velociraptor

Outcome: Though the attack caused initial operational disruptions, the company managed to recover without financial loss to the attackers. The incident led to significant investments in cybersecurity improvements, including staff training and the deployment of advanced threat detection capabilities, thereby enhancing the organization’s defenses against future cyber threats.


Other major players in the game: Parallels emerge with tactics deployed by other notorious ransomware groups. For instance, the double-extortion tactic used in this case mirrors strategies employed by both Conti and Maze, highlighting a prevalent trend among top-tier cybercriminal entities. Furthermore, the use of tools like Mimikatz and Cobalt Strike for lateral movement and data exfiltration shares similarities with methods documented in attacks by REvil and Ryuk, underscoring the shared arsenal often employed by these actors.

  1. Conti - Known for its fast encryption speed and double-extortion tactics, where they not only encrypt the victim’s files but also threaten to release stolen data if the ransom isn’t paid.
  2. REvil (Sodinokibi) - Famous for high-profile attacks and demanding large ransoms, REvil has targeted a range of organizations from small businesses to large enterprises.
  3. DarkSide - Gained notoriety for the Colonial Pipeline attack, causing major fuel supply disruptions on the East Coast of the USA.
  4. Ryuk - Often targets large, public-entity networks such as hospitals, schools, and government institutions, with a focus on organizations that can afford to pay large ransoms to quickly restore services.
  5. Maze - One of the first groups to combine data encryption with data theft, threatening to leak the information publicly if the ransom is not paid.
Business Email Compromise Investigation
BECPhishing

Incident: In early 2024, a mid-sized U.S. manufacturing company fell victim to a business email compromise (BEC) attack. The incident began when a high-ranking executive’s email account was compromised through a sophisticated phishing attack. The threat actors used social engineering tactics to gain access to the executive’s credentials, allowing them to infiltrate the company’s email system.

Detection and Initial Response: The company detected the breach when several employees received unexpected email requests from the executive’s account, asking for urgent wire transfers to unfamiliar accounts. The immediate response included disabling the compromised email account, notifying the IT department, and mobilizing our team to assess the extent of the breach.

Investigation and Analysis: The investigation involved a triage of the company's email environment, including forensic analysis and network monitoring to trace the attackers’ activities and understand the scope of the compromise.

  • Email System Audit:
    • Reviewed email logs to identify unauthorized access and suspicious email inbox or forwarding rules.
    • Analyzed the executive’s email account for signs of phishing and other malicious social engineering attempts.
  • Forensic Analysis:
    • Utilized forensic tools to examine the compromised account and identify the methods used to harvest credentials.
    • Deployed endpoint monitoring to scan for anomalies indicative of unauthorized access.
  • Network Monitoring:
    • Monitored network traffic for unusual patterns and potential data exfiltration.
    • Investigated system logs to trace the attackers’ movements within the company's environment.

Mitigation Strategies: The company implemented several measures to mitigate the attack and prevent future incidents.

  • Email Security Enhancements:
    • Enforced multi-factor authentication (MFA) for all email accounts, including hardening conditional access policies.
    • Implemented advanced email filtering and threat detection systems.
  • User Training and Awareness:
    • Conducted mandatory cybersecurity training for all employees, focusing on phishing and social engineering awareness.
    • Regularly tested employees with simulated phishing attacks to improve vigilance.

Resolution and Lessons Learned: The company managed to block all fraudulent transactions, minimizing financial losses. The compromised email account was secured, and affected systems were thoroughly cleaned. This incident highlighted the critical need for robust email security measures and employee training to detect and respond to phishing attempts quickly.

Technologies Used:

  • Azure AD Identity Protection
  • Microsoft Defender for Cloud
  • Velociraptor

Outcome: Despite the initial disruption, the company successfully mitigated the attack and avoided significant financial losses. The incident led to significant investments in email security and employee training, strengthening the organization’s defenses against future BEC threats.


Other major players in the game: Similar tactics have been observed in attacks by other notorious cybercriminal groups. The use of social engineering and phishing mirrors strategies employed by groups such as:

  1. Anthropoid Spider/EmpireMonkey: Conducts phishing campaigns spoofing financial regulators in France, Norway, and Belize.
  2. Royal Ransomware: Utilizes callback phishing attacks to initiate ransomware infections.
  3. Scattered Spider: Employs credential phishing and social engineering attacks to capture OTPs, avoiding malware by using living-off-the-land binaries (LOLBins) to maintain persistent access.
  4. Scatter Swine: Engages in various forms of phishing and social engineering attacks.
  5. UNC3944: A threat actor cluster known for phone-based social engineering and SMS phishing to gain access to organizations.
Insider Threat
Insider Threat

Incident: In 2021, a US healthcare company suspected a whistleblowing employee was exfiltrating sensitive data. The company’s internal security team mobilized our digital forensics team to conduct a deep-dive investigation to identify the rogue insider and prevent further data leaks.

Detection and Initial Response: Initial suspicions arose when confidential information appeared on news outlets. The company’s security team contacted our team to conduct an investigation, which included reviewing firewall logs and browser artifact logs for indicators of data exfiltration.

Investigation and Analysis: The investigation involved a thorough review of network traffic, forensic analysis of browser artifacts, and close monitoring of user activity to identify the source of the data leaks.

  • Firewall Log Analysis:
    • Analyzed firewall logs to track outbound data traffic and identify any unauthorized data transfers.
    • Reviewed connection logs for unusual or unauthorized access attempts.
  • Browser Artifact Examination:
    • Conducted forensic analysis of browser history and cache to identify visits to suspicious websites.
    • Identified repeated access to sites commonly associated with whistleblowing activities.
  • User Activity Monitoring:
    • Monitored activities of employees with access to sensitive information.
    • Employed advanced threat detection systems to scan for anomalies and suspicious behavior.
  • Network Traffic Analysis:
    • Utilized network monitoring tools to trace data flow within the network and detect unauthorized data movement.
    • Investigated email logs and file transfer activities for signs of data exfiltration.

Identification of the Whistleblower: The investigation successfully identified the whistleblowing employee through browser logs, which revealed access to suspicious websites known for data exfiltration activities. The identified employee had visited these sites frequently, engaging in unauthorized data transfers.

Mitigation Strategies: In response to the incident, the company implemented several measures to enhance internal security and prevent future breaches. These included strengthening monitoring of network traffic and user activity, deploying data loss prevention (DLP) tools, revising data access and handling policies, implementing stricter access controls, and utilizing multi-factor authentication (MFA) to secure access to critical systems.

Resolution and Lessons Learned: The company revoked access and pursued legal measures against the identified employee. Additionally, file servers were thoroughly audited and secured to prevent further leaks. The incident highlighted the importance of robust internal monitoring and the need for regular audits to detect insider threats early.

Technologies Used:

  • WireShark
  • Barracuda WAF (Web Application Firewall)

Outcome: The company successfully identified and mitigated the insider threat, preventing further data exfiltration. The incident led to significant improvements in internal security protocols and employee training, strengthening the organization’s defenses against insider threats.