Real Stories of the CSIRT
To illustrate the monitoring steps we’ve recommended in this book, we collected stories from security monitoring teams in peer organizations. These stories illustrate incident response and some of the limitations of enterprise security monitoring.
Note
Because we were asked to keep some stories anonymous, where necessary we’ve added small embellishments to prevent identification of the affected organizations. Similarities with actual events, individuals, or corporations are neither intentional nor implied.
Stolen Intellectual Property
A customer alerted Mike, a security investigator for Wirespeed, that source code belonging to his company had been posted on the Internet. Following the leads provided, he visited a web address that confirmed the information. Mike noted that the source code was visible due to a misconfiguration of the site’s Apache web server, allowing unauthenticated directory traversal. Mike perused the code, immediately recognizing it as Wirespeed’s order processing software. He even found some embedded system credentials, database accounts, and passwords within the open directories. Mike traced the web server’s IP address to a home ISP connection, and was surprised when it correlated to the home IP address of a Wirespeed employee.
Because Wirespeed managed the Internet connections of its employees, he was able to immediately disable the employee’s network connection and investigate further. With the website now disabled, he turned his attention to ...