Something we try to emphasize throughout the competition is the importance of taking care of customer data. After regionals, we had a situation occur which forced us to tap into our creativity, and into Splunk, to figure out what happened and what we were going to do about it. Also, make sure you check out blog series Parts 1 and 2 if you haven't already!
Breach Investigation and Response
Google Apps Usage
One administrative task I handle for CPTC is managing our Google Apps for business account. Each team is provisioned a Google Drive and Gmail account for use during the event. Email is used to communicate with teams during the event and Google Drive allows them to store evidence they need to build their report.
After the regional events, I noticed some interesting activity in the Google Drive involving a number of files being downloaded by a team account after the conclusion of the awards ceremony. Since this seemed a bit strange, we decided to import all of the Google Drive audit logs into Splunk and investigate.
Coming up, we will be releasing a blog post that goes more in-depth with the investigation of this issue.
We immediately noticed that several teams that had qualified for the national event had downloaded a large number of files from their Google drive. These included, in some cases, copies of our core API and the entire customer database for DinoBank.
We expanded this search to review the data for all teams that were attending the national competition, looking for occurrences where PII was downloaded during the reporting period or after the event. We found both of these situations happened across various teams.
Determining the best way to handle this situation was a challenge.
In the spirit of the CPTC mission, we wanted to approach this from an educational perspective, while also emphasizing the significance of this type of action in the context of a professional pentesting firm working with a client.
After substantial internal discussion and reviewing the issue with other professionals (both in the pentesting and banking industries), we made the following decisions:
- This type of removal of sensitive information would have to be treated as a breach.
- This type of action would be a serious issue for an employer, and it would potentially lead to a termination of employment for those responsible.
- Not every team took this action; however, it was a significant enough number where we were confident this wasn’t a one-off problem, but a fundamental issue in our industry.
- Any National CPTC action would need to address the situation but also allow for an educational opportunity for those involved.
- Team coaches, as the faculty and advisors supporting and mentoring each team, would be critical in supporting this objective.
We began with an out-of-character call with each team coach that was subject to the breach investigation to discuss what happened, how we were addressing it, and how they can help their team navigate what was coming next.
We immediately sent a strongly-worded (angry customer) email to the team, demanding a response and providing evidence that our information was removed from their systems. We followed up with a conference call–both in and out of character–with each affected team, and we had an in-person meeting with each team and Krissy Safi from IBM (playing the role of a Gotham City Regulator) at the event.
We received a wide range of responses to our email, some of which were excellent (accepting responsibility and working with us to resolve) to very poor (arguing with us about the terms of our NDA).
Ultimately, with some prodding, we were able to address most of these replies and help guide the teams to address the client’s issue. Teams were ranked on their responses, and those that handled the situation best were given the smallest penalty–a 45-minute reduction of their access to the environment. Those with the poorest response were given the greatest penalty–a reduction of up to 90 minutes or more.
Good Reminder: Take Care of Customer Data
Overall, I’m proud of how we were able to approach this. Our goal from the beginning was to emphasize the importance of protecting customer information and encourage everyone to exercise due care when working with this data. I believe we were able to accomplish our teaching objectives for the majority of the teams, and this is something that will continue to be a point of emphasis in future events.
Stay tuned for the fourth and final installation of our CPTC series for details on the research we’re making available and for our plans for 2020!