I am sorry, the title is a bit misleading, but once you have read the article, I am sure you will see how we – and the Security Operations Centre – could have caught a thief. Additionally, it is not about the Hitchcock movie; however, some of the action does take place in France, just like in the film.
Anyway, back to the cyber security…
Setting the Scene
For the past few weeks, I have been away working, so I have been using my laptop on a variety of “unverified” Wi-Fi networks – and for those of you who have been following my cyber security news for a while, you will know that means I have been using a VPN to keep my internet access private and secure. For more details about that, have a look at this article:
Yesterday
Yesterday was my first day back in the office. I started early, and when I was finished, I got up to make some tea. In passing, I shut my computer down and thought that was it for the day. However, it wasn’t.
Cyber Security Alert from the Security Operation Centre
The next part of the story did not involve me, but Martin, our operations manager. He got a call from the Security Operations Centre as there was high-risk activity associated with a senior member of our team – namely me. We get a call rather than an email alert when the activity is ranked as high risk – we even give the Security Operations Centre the authority to log into our systems, before alerting us, to stop certain types of high-risk suspicious activity before it can impact our data and operations.
The Suspicious Activity
I had been monitored during the day working from the UK, and then suddenly I was trying to log in from Paris – an action that the monitoring software registered as suspicious. When it was escalated, the human staff knew a phone call to us was required.
So what happened?
Not wanting to ignore a high alert from the Security Operations Centre, Martin immediately changed my daily driver M365 password – as per our incident response plan – then contacted me. I then investigated what was happening using my iPhone, not my laptop.
We had not caught a hacker… or a thief. It was a false positive.
A review of the logs and some simple googling showed that the login had come from a Paris IP address associated with the VPN service I use.

I had not switched the VPN service off when I got back to the office – I had simply forgotten – and it had not impacted my work during the day. Then, for reasons I do not know, the VPN connection had reset from UK servers to French servers, and that had triggered the alert.
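To show the kind of rule that raised the alert above, here is an added example (it is not the Security Operations Centre's code or anything from the original article): a simple impossible-travel check over constructed sign-in events, which also tags any hit coming from one of the VPN provider's published egress ranges so an analyst can see a likely false positive at a glance. The egress range, coordinates and event format are assumptions.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events with geolocation already resolved; not real logs.
SIGNINS = [
    {"ts": "2023-06-06T08:15:00", "user": "clive", "ip": "203.0.113.10", "lat": 51.50, "lon": -0.12},
    {"ts": "2023-06-06T14:40:00", "user": "clive", "ip": "203.0.113.10", "lat": 51.50, "lon": -0.12},
    {"ts": "2023-06-06T14:50:00", "user": "clive", "ip": "198.51.100.7", "lat": 48.86, "lon": 2.35},
    {"ts": "2023-06-06T09:00:00", "user": "martin", "ip": "203.0.113.20", "lat": 51.50, "lon": -0.12},
]
# Hypothetical egress range published by the VPN provider; used for triage context only.
KNOWN_VPN_EGRESS = [ip_network("198.51.100.0/24")]
MAX_PLAUSIBLE_KMH = 900  # roughly airliner speed; anything faster is "impossible travel"
MIN_ALERT_KM = 100       # ignore small geolocation jitter within one city


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def is_vpn_egress(ip):
    """True if the address falls inside a known VPN exit range."""
    return any(ip_address(ip) in net for net in KNOWN_VPN_EGRESS)


def impossible_travel(events):
    """Compare each sign-in with the same user's previous one and flag implausible speeds."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        prev = last_seen.get(ev["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            delta = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = delta.total_seconds() / 3600
            # Same second, different city: treat as infinitely fast rather than divide by zero.
            speed = km / hours if hours > 0 else float("inf")
            if km >= MIN_ALERT_KM and speed > MAX_PLAUSIBLE_KMH:
                alerts.append({
                    "user": ev["user"], "from_ip": prev["ip"], "to_ip": ev["ip"],
                    "km": round(km), "kmh": round(speed),
                    # Context for the analyst: a known VPN exit makes a false positive likely.
                    "vpn_egress": is_vpn_egress(ev["ip"]),
                })
        last_seen[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SIGNINS):
        print(alert)
```

With the constructed data the London-to-Paris hop (about 340 km in ten minutes) is flagged, and the `vpn_egress` field tells the analyst it came from a known VPN exit rather than a new device in France.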
One more thing…
Whilst I was making my tea, I received an MFA request to the authenticator app on my phone, but because I was not expecting it – and the phone was on my desk – I did not notice it at the time.
A false positive – isn’t that annoying?
It was a false positive, but I am not worried by that – neither was Martin. It is better to know that the Security Operations Centre is a valuable cyber security tool that works and is worth the investment we make in it.
Is it time you upgraded your cyber security to 24/7 continuous monitoring?
Clive Catton MSc (Cyber Security) – by-line and other articles