Rising to the Challenge
A popular social media site had reason to believe it had inadvertently exposed a significant amount of customer data
The company needed to bring in a third-party investigation firm to determine:
Enter Unit 42
The First Steps
The Unit 42 team validated that a database was indeed exposed
Findings:
Anyone who found the port could query the data, which contained personally identifiable information (PII).
The port was exposed following a database configuration change. The database was configured to log only errors, not successful queries.
Additionally, there were no firewalls, load balancers or other network infrastructure in place that could have logged access to the database.
In Unit 42 cases:
45%
of inadvertent disclosure events resulted in a breach determination in 2019, exposing 713K individuals’ records per incident on average.
Finding a Solution
Faced with a lack of data, the
Unit 42 team had to be creative
By “living off the land” (finding tools that already exist in the client environment), Unit 42 identified Datadog, a third-party utility used to track server metrics. Datadog tracks processor and memory usage, disk errors, and daily network bandwidth (bytes transmitted and received).
Logs are retained for this client for more than a year, covering the window of exposure and giving Unit 42 a baseline of what “normal” looks like for six months prior to the exposure.
IT Industry:
IT was the largest industry represented in Unit 42’s inadvertent disclosure cases in 2019, representing 18% of these types of cases.
In-Depth Analysis
Datadog logs showed that network usage remained consistent during the window of exposure
There was a large spike at the end, representing Unit 42’s queries into the database as they were identifying its contents. It is not uncommon for an attacker to perform this type of identification when they gain access to a database.
Unit 42 did not identify any other spikes during the period Datadog covered, leading the team to believe that a threat actor had not accessed the data. Unit 42 validated this finding using the “atop” tool included in many Linux distributions.
Conclusion
Collectively, these findings helped the client and their legal counsel draw conclusions on their breach notification obligations
Ultimately, these findings were central to avoiding a substantial data notification effort. Because of Unit 42’s “extra mile” efforts, the team was able to not only provide insight into the likelihood of a breach, but also save a company from significant disclosure and regulatory scrutiny.
Unit 42 provided the client much-needed peace of mind that their customer data was secure and helped them to become more secure in the future.
