Assistance interpretting Audit Log following a breach

Posted by TheKingOfSpite@reddit | sysadmin | View on Reddit | 9 comments

Pretty self explanatory, client clicked email, attacker spent a couple of weeks reading emails and likely taking screenshots of attached docs (legal company). I've got an Audit Log with a shitload of info, but nothing that's immediately useful as it's all message ID's without subjects, email addresses etc... So my question is, how exactly do I turn this into useful data, as the client has asked for a list of affected clients, and I'll be damned if I'm going through every message, looking up the ID, repeat

Reply to Post

9 Comments

[-]

SoupGuru2@reddit

Turn off the internet. Leave machines running. Call their insurance company, if they have one. Call your legal counsel. Then have a few uncomfortable cups of coffee while you wait for a response.

[-]

TheAmobea@reddit

If you had a breach, you should not look only into the mail area. Do you have a breach procedure in your company ? if not, it's a thing to put in your todo list. But like soon, not next year. You should consider, if you have the budget, to hire a security company to do the audit for you. A good security company will not only help you to audit, but also point you what you can do to improve your security posture. Because you'll have to review everything. Accounts, access, data, potential tampering, potential lateral movement, etc...

[-]

TheKingOfSpite@reddit (OP)

I'm beginning to understand that this may be a job more specialised than a small MSP can deliver hahaha. That's fine though, they're a big company with cyber insurance, and like most companies they typically expect the MSP to be able to do everything. We identified and mitigated the attack so I guess that's our end sorted

[-]

BananaSacks@reddit

Aye, it's not a dig on you or your team, but you too gotta cya not only your end, but theirs too. If it's a breach, it's a breach - and they may be too technically ignorant to know better without you firing off some flares. After this dust settles, it may be an opportunity for your MSP to expand it's knowledge, reach, and ability to better Frontline these types of issues. Look yourselves for a security partner & consultancy and set up playbooks, round tables, etc - even if the most prudent future decision is to say "not us" and put your hands up - at least ye will know HOW to proceed && how BEST to advise.

[-]

BananaSacks@reddit

This, assume the worst and ask if they have notified their cyber insurers. Many times those insurers have said security companies on retainer.

[-]

Fallingdamage@reddit

I would assume any and all data was accessed. Odds are a smart attacker would have downloaded the entire mailbox for offline review. When I was in this position (once) years ago we assumed the whole mailbox was compromised. The biggest/next logical step was to determine whether that mailbox/user had any rights to other mailboxes or administrative permissions of any sort. Audit logs are better for telling when accounts logged in and from where. Then we can correlate which other account(s) activity carried similar time stamps and what relationship with the compromised account it may have. I would also check outbound messages to see if the attacker used the account to try and email/infect other mailboxes or get them to also follow a link.

[-]

pbyyc@reddit

If they are a legal company, as in a law firm, then chances are its highly sensitive info that was compromised. Your best bet is to contact (If they purchased it) their cyber insurance company, and open a claim, pay the deductible and let their experts deal with it.

[-]

Gravybees@reddit

Unless you’re trained and competent in this arena, I highly recommend turning it over to professional security folks. You don’t want to be on the hook for anything that happens next. That’s what I would do.

[-]

dean771@reddit

All clients are effected