Situation
An NCC Group customer, a payment provider within the financial sector, was a suspected victim of an insider threat. NCC Group's Detection and Response capability, including Security Operations Center (SOC) analysts, identified the threat and managed the incident in a swift and confidential investigation with the client.
Following a thorough review, no explicit insider threat was identified, but recommendations were made around processes and security culture.
At a Glance
Organization: Payment provider in the Financial Sector
Industry: Financial Sector
Challenge: Responding to a suspected insider threat
Solution: NCC Group triaged the alert in Sentinel and provided the client with comprehensive evidence to conduct their own internal investigation
Result: The incident was resolved and highlighted a flaw in the client's management and security culture. NCC Group recommended an auditable process for them to prevent such alerts going forward
Challenge
During routine monitoring, the NCC Group SOC received an alert from the customer’s Azure platform. The alert was triaged in Sentinel using data automatically provided by Azure Active Directory. It was immediately apparent that Azure Multi-Factor Authentication (MFA) had been disabled for the user in question.
This was deemed suspicious, so further investigations were conducted. It was discovered that the user was a former cyber security analyst who had until recently been employed by our client. Further investigation uncovered that MFA had been knowingly and deliberately disabled for the ex-employee by a member of the IT team.
Solution
NCC Group analysts provided comprehensive evidence to the client, who then conducted their own internal investigation. This incident had all the hallmarks of a typical insider threat. However, in this case, it transpired that the motivation was not malicious. Instead, the ex-employee had informally agreed to log into his former employer’s system to provide some business-critical information that he had stored in an area that only he could access.
Result
Despite there being no malice in this case, it is a worrying incident that showcases a poor information management and security culture. Our analysts advised in the strongest possible terms that such practices should not be allowed to take place. NCC Group further recommended that the client implement an auditable process for changing privileges and revoking MFA so that it was not possible for one individual to action such tasks without close scrutiny.
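The two controls this case turns on, the alert on an MFA-disable event in the Azure AD audit data (Challenge) and the auditable, two-person process for MFA and privilege changes (Result), can be expressed as a single review rule. The following is an added example written for this page, not NCC Group's or Microsoft's code: it parses a constructed, simplified audit-log sample (field names loosely modelled on the AuditLogs table Sentinel ingests, but the events, user names, ticket identifiers and the HR leaver list are all made up) and raises an alert when strong authentication is disabled for an account on the leaver list, without an approved change ticket, or with a ticket approved by the same person who made the change.

```python
import json
from dataclasses import dataclass, field

# Constructed sample of audit-log events in a simplified JSON shape.
# The events, accounts and ticket numbers are invented for this example.
SAMPLE_AUDIT_LOG = """
[
 {"TimeGenerated": "2023-04-03T08:12:44Z", "OperationName": "Disable Strong Authentication",
  "Category": "UserManagement", "Result": "success",
  "InitiatedBy": "it.admin@example.com",
  "TargetUser": "former.analyst@example.com", "ChangeTicket": null},
 {"TimeGenerated": "2023-04-03T09:01:10Z", "OperationName": "Disable Strong Authentication",
  "Category": "UserManagement", "Result": "success",
  "InitiatedBy": "it.admin@example.com",
  "TargetUser": "new.starter@example.com", "ChangeTicket": "CHG-1042"},
 {"TimeGenerated": "2023-04-03T09:15:00Z", "OperationName": "Disable Strong Authentication",
  "Category": "UserManagement", "Result": "success",
  "InitiatedBy": "it.admin@example.com",
  "TargetUser": "contractor@example.com", "ChangeTicket": "CHG-1043"},
 {"TimeGenerated": "2023-04-03T09:30:00Z", "OperationName": "Update user",
  "Category": "UserManagement", "Result": "success",
  "InitiatedBy": "it.admin@example.com",
  "TargetUser": "former.analyst@example.com", "ChangeTicket": null}
]
"""

# Constructed HR leaver list: accounts that should no longer be able to sign in.
LEAVERS = {"former.analyst@example.com"}

# Constructed change-approval register: ticket -> who approved it.
# CHG-1043 was approved by the same admin who then made the change.
APPROVED_TICKETS = {
    "CHG-1042": {"approver": "it.manager@example.com"},
    "CHG-1043": {"approver": "it.admin@example.com"},
}

# Operations that weaken authentication and therefore require scrutiny.
MFA_WEAKENING_OPERATIONS = {"Disable Strong Authentication"}


@dataclass
class Alert:
    time: str
    actor: str
    target: str
    reasons: list = field(default_factory=list)


def parse_audit_log(raw_json):
    """Parse the JSON array of audit events into a list of dicts."""
    return json.loads(raw_json)


def review_mfa_changes(events, leavers, approved_tickets):
    """Return an Alert for each successful MFA-disable event that fails the
    two-person, ticketed process or targets a leaver's account."""
    alerts = []
    for ev in events:
        if ev.get("OperationName") not in MFA_WEAKENING_OPERATIONS:
            continue
        if ev.get("Result") != "success":
            continue
        reasons = []
        target = ev.get("TargetUser", "")
        actor = ev.get("InitiatedBy", "")
        if target in leavers:
            reasons.append("target account belongs to a leaver")
        ticket = ev.get("ChangeTicket")
        approval = approved_tickets.get(ticket) if ticket else None
        if approval is None:
            reasons.append("no approved change ticket recorded")
        elif approval.get("approver") == actor:
            reasons.append("change approved by the person who made it")
        if reasons:
            alerts.append(Alert(ev.get("TimeGenerated", ""), actor, target, reasons))
    return alerts


if __name__ == "__main__":
    for a in review_mfa_changes(parse_audit_log(SAMPLE_AUDIT_LOG), LEAVERS, APPROVED_TICKETS):
        print(a.time, a.actor, "->", a.target, ";", "; ".join(a.reasons))
```

On the sample above the rule flags two of the three MFA-disable events: the leaver's account (no ticket and a leaver) and the contractor's account (ticket self-approved), while the properly approved change for the new starter passes. In a real deployment the leaver list and approval register would come from the HR and change-management systems rather than inline constants.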
Get Started on Your Cyber Security Journey
Our experts are ready to help you stay ahead in a constantly changing threat landscape. Contact us today to learn more about what NCC Group can do for your organization's unique cybersecurity needs.