2022-01-13

On the first day of the threat hunting engagement, the client showed Grifter detailed documentation. It listed every server, database and other asset connected to the network, in addition to protocols being used, how traffic flowed in and out, the egress and ingress points, how the network was segmented and recent changes to the environment. The level of detail was a rarity for most organizations. It also saved Grifter a day’s work.

He began hunting.

Within minutes he spotted something unusual. Data was leaving the environment, and it looked like personally identifiable information (PII). It included names, addresses, social security numbers, tax identification codes and other highly sensitive information. All of it was unencrypted. Grifter looked at the source of exfiltration, or, in other words, how the PII was leaving the environment.

“Should data ever go out that way?” he asked.

“No, it shouldn’t. That data shouldn’t go anywhere,” the client replied nervously.

Grifter discovered the data was being exfiltrated from a web server that was not included in the inventory documentation. When he mentioned it to the client, it sparked a memory. Nearly a year ago, the company had spun up a test server, which was never decommissioned. For months, the server remained publicly accessible on the internet. To the security team, it didn’t exist. They had forgotten about it. Also within that time frame, the Apache Struts exploit was released. The client had patched its known vulnerable systems, but because the test server was unknown, it was overlooked.

Grifter tracked down the destination of the PII and discovered the data was going to a nation-state. For four months, 10 records were taken every two to 10 seconds. The attack flew under the radar. The attackers weren’t noisy. They didn’t exfiltrate a chunk of records at one time daily. To the security team, it looked like normal web traffic, although the traffic wasn’t coming from a ‘normal’ location. The server sat in the research and development department, an unusual place to transmit PII. That’s how Grifter knew something was strange. With some quick math, Grifter concluded the attackers must have slowly stolen millions of records.
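The three things the hunt turned on, an inventory to reconcile observed hosts against, knowledge of which segment should never export data, and the timing arithmetic behind the "quick math", as an added example in Python (not the article's or Grifter's own tooling); every host, subnet and flow record below is constructed, and four months is taken as 120 days.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed stand-in for the client's documentation: which subnet is which
# segment, which hosts the inventory lists, and which segments never export data.
SEGMENT_BY_PREFIX = {"10.10.1.": "web-dmz", "10.20.3.": "research"}
INVENTORY = {"10.10.1.5", "10.10.1.6", "10.20.3.40"}
NO_EGRESS_SEGMENTS = {"research"}

def segment_of(ip):
    return next((seg for pfx, seg in SEGMENT_BY_PREFIX.items() if ip.startswith(pfx)), "unknown")

def find_suspects(flows, min_flows=20, max_cv=0.5, max_mean_gap=60):
    """flows: (timestamp_s, src_ip, dst_ip, bytes) outbound records. Flags a source
    that is not in the inventory, sends from a no-egress segment, or transmits
    at a near-constant interval (the low-and-slow pattern)."""
    by_src = defaultdict(list)
    for ts, src, _dst, nbytes in flows:
        by_src[src].append((ts, nbytes))
    findings = {}
    for src, recs in by_src.items():
        reasons = []
        if src not in INVENTORY:
            reasons.append("host not in inventory")
        seg = segment_of(src)
        if seg in NO_EGRESS_SEGMENTS:
            reasons.append(f"outbound data from no-egress segment '{seg}'")
        recs.sort()
        if len(recs) >= min_flows:
            gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
            avg = mean(gaps)
            # A coefficient of variation near zero means metronomic timing.
            if avg and avg <= max_mean_gap and pstdev(gaps) / avg <= max_cv:
                reasons.append(f"steady interval, mean gap {avg:.1f}s")
        if reasons:
            findings[src] = reasons
    return findings

def estimate_records(days, records_per_transfer, min_gap_s, max_gap_s):
    """The 'quick math': (low, high) bound on records taken when
    records_per_transfer leave every min_gap_s..max_gap_s seconds."""
    secs = days * 86400
    return (secs // max_gap_s * records_per_transfer, secs // min_gap_s * records_per_transfer)

# Constructed flows: an undocumented research host sending 1.4 KB every ~5 s,
# beside a documented DMZ web server with a few ordinary responses.
SAMPLE_FLOWS = [(i * 5 + i % 3, "10.20.3.77", "203.0.113.9", 1400) for i in range(30)]
SAMPLE_FLOWS += [(t, "10.10.1.5", "198.51.100.4", 52000) for t in (3, 41, 42, 400, 901)]
```

Running `find_suspects(SAMPLE_FLOWS)` flags only the research host, on all three counts; `estimate_records(120, 10, 2, 10)` gives roughly 10 to 52 million records, which is the scale the article reaches.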

Grifter and the client switched from threat hunting to incident response mode.