A Day in the Life of a Breach – With Cisco Meraki

Ted, IT Manager at Simpson & Jones Law, has been doing well lately. A recent overhaul of the organization’s security and network infrastructure helped him rest easy, knowing that there was seemingly nothing that the Cisco Meraki security ecosystem couldn’t handle.

While at home, watching Netflix and sipping a Heineken, Ted was interrupted by his phone.

It’s an email alert from Meraki, notifying him that Advanced Malware Protection has blocked two malware attempts. AMP had blocked a few phishing attempts in the past, so he thought nothing of it at first.

However, minutes later, he received a notification that a client profile had been deleted from their CRM.

Confused, he shot an urgent message to those with access privileges to the database, asking if anyone had accidentally deleted anything from the CRM.

While waiting for their replies, Ted logged into the Meraki dashboard from his phone to investigate.

On top of AMP, Meraki’s intrusion protection provided him with a great deal of relevant data on suspicious events—much like the one that had just occurred.

As the replies trickled in letting Ted know none of his coworkers had been in the CRM that night, Ted gathered information about the incident. Using Meraki, he generated an IPS report on the known malware AMP had thwarted. They looked like they might have been rootkits.

Next, he navigated to the real-time network map view. Turns out, both malware attempts originated on a laptop belonging to the organization’s Charleston office. He opened the event log for the device and realized this device had been active on the CRM two minutes after Meraki had blocked the malware.

From the looks of it, two hack attempts had been blocked, but the third had gotten through. Ted immediately quarantined the device from the network to prevent the malware from spreading any further and used Meraki’s Systems Manager to lock the computer remotely. He placed a temporary lock on the CRM to prevent any other changes from being made.

Ted sighed, closed his phone and ran through his reconstruction of events. The laptop belonged to Taylor, the office manager in Charleston. Ted didn’t know him very well, having only briefly introduced himself during orientation. And even though the most likely explanation was a third-party attack, the possibility of an employee committing sabotage turned his stomach.

Ted Regroups Over Wings

Ted needed to clear his head. Like many late millennial men, buffalo wings were his comfort food of choice.

He put his laptop in his bag and headed to the nearest acceptable wing place.

At 8:30 p.m. on a Tuesday, he was well past the dinner rush. After placing his order, he sat down, opened his laptop on the thin metal table and thought through his next move.

How could he make sure Taylor hadn’t been behind the breach? He didn’t want to bring up personnel concerns if he didn’t have to.

Then, it occurred to him: the Charleston office had recently installed several security cameras that were directly integrated into the Meraki dashboard. If Ted found any footage around the time of the event, he could see whether Taylor had been captured on camera.

Ted opened the Meraki dashboard again and navigated to the motion alerts page. Motion alerts let him jump straight to the images captured whenever a camera sensed movement. The cameras had also been configured to watch specific spots of interest within their field of view, so that irrelevant motion (like people walking by outside the window) was filtered out.

Ted cross-referenced motion alerts with the timing of the infection. Nothing. He even filtered through all the footage from that evening to make sure he hadn’t missed anything. But, sure enough, no one had been in the office after 5:00 that night.

He breathed a sigh of relief. Taylor hadn’t been involved in the breach.

As Ted logged into his cloud backup of the CRM and restored the deleted profile, he guessed a rootkit had been unknowingly installed on Taylor’s computer days or weeks earlier. Luckily, Ted had managed to lock it, quarantine it from the network and freeze the CRM from further changes before it was able to cause any damage.

No harm done.

As he sat back and finished his wings, he idly wondered what might have happened if Simpson & Jones Law didn’t have Meraki.

But that’s a whole other story.

What would have happened to Ted if he hadn’t had Meraki?

Watch the video to find out.

If you, like Ted, worry about the increasing likelihood of cyberattacks, ROVE is available as a true consulting partner. Through our collaborative approach, we help your organization navigate the complexity of modern security, assisting you in discovering the best tech beneath the hype.