Capital One Attack of 2019

How it happened, technical details, how it could have been prevented

Uploaded by

silva-kay

Guidelines for Writing an Effective Intrusion Detection Case Study

1. Provide an executive summary or abstract

2. Introduction
   a. Introduce the subject of the case study

3. Body -- The meat of the case study should address...
   a. Attribution
      i. Who is the attacker?
      ii. Why? What is the attacker's motivation?
   b. Technical
      i. What type of attack?
      ii. How did the attack work, from a technical point of view?
      iii. How do you detect this type of attack?
   c. Forensics
      i. When did the attack occur? Timeline of the attack.
      ii. Where did the attack occur? May or may not be a physical location. Think of targets.

4. Conclusion
   a. Since this is Intrusion Detection-in-Depth, I'm especially interested in your conclusions related to the attack type, technical details, and how to detect (and prevent).

General I:

The Capital One data breach of 2019 was a cyberattack that occurred in March of that year.
The attack compromised the personal information of over 100 million Capital One customers in
the United States and Canada. The hacker responsible for the attack, Paige Thompson, gained
unauthorized access to a cloud server rented by Capital One from Amazon Web Services
(AWS). She exploited a vulnerability in the server's firewall and accessed sensitive
customer information, including names, addresses, dates of birth, and credit scores. In
addition, the attacker obtained approximately 140,000 Social Security numbers and
80,000 bank account numbers.

Following the discovery of the breach, Capital One worked quickly to secure its systems and
notify affected customers. The company estimated that the breach would cost approximately
$100 million to address, and the incident led to investigations by government agencies including
the Federal Bureau of Investigation (FBI) and the Office of the Comptroller of the Currency
(OCC). Paige Thompson was arrested and charged with computer fraud and abuse in relation
to the attack.

General II:

In 2019, Capital One suffered a data breach that exposed the personal information of over 100
million of its customers in the United States and Canada. The breach was caused by a former
employee of Amazon Web Services (AWS) who exploited a vulnerability in the cloud-based
service that Capital One used to store customer data.

The hacker, Paige Thompson, accessed the data by exploiting a misconfiguration in the
web application firewall (WAF) that Capital One used to protect its stored data. Thompson
sent requests to the WAF containing specially crafted commands that allowed her to access
the Capital One data stored in the cloud. She then downloaded the sensitive customer data and
posted it on her own GitHub account, where it was discovered by other users who reported it to
Capital One.

Capital One reported the data breach to law enforcement and began an investigation. It was
discovered that Thompson had been able to access the data because of a misconfiguration in the
WAF, which had been set up to allow commands from any IP address. In addition, Thompson
used her own knowledge of AWS to exploit the vulnerability and gain access to the data.

The consequences of the breach were significant for both Capital One and its customers.
Capital One had to pay out over $80 million in fines and other expenses related to the breach,
and its reputation was damaged due to the loss of customer data. The affected customers faced
the risk of identity theft and financial fraud, and many of them had to cancel their credit cards
and monitor their credit reports for signs of fraud.

The breach could have been prevented if Capital One had implemented stronger security
controls, such as better access controls and monitoring of its cloud-based services. In addition,
it could have carried out more rigorous security testing and vulnerability scanning to
identify weaknesses in its systems before attackers could exploit them.

Overall, the Capital One breach was a major wake-up call for organizations that use
cloud-based services to store sensitive customer data. It highlighted the importance of
implementing strong security controls, regularly testing for vulnerabilities, and monitoring for
suspicious activity to prevent similar attacks in the future.

How it Could Have Been Prevented

There are several security controls that Capital One could have implemented to prevent the
attack of 2019, including:

1. Secure Configuration Management: Capital One could have ensured that all systems
were configured securely, including web application firewalls, intrusion detection
systems, and other network devices. This would have helped to prevent the attacker
from exploiting vulnerabilities in these systems.
2. Access Control: Capital One could have implemented better access controls to limit
access to sensitive data. This could include stronger authentication methods, such as
multi-factor authentication, as well as implementing least privilege access, which would
have restricted the number of people who had access to sensitive data.
3. Network Segmentation: Capital One could have implemented network segmentation to
isolate the sensitive data and prevent an attacker from moving laterally within the
network. This would have helped to prevent the attacker from gaining access to all of the
data stored by Capital One.
4. Vulnerability Management: Capital One could have implemented a vulnerability
management program to regularly scan and identify vulnerabilities in their systems, and
prioritize their remediation. This would have helped to prevent the attacker from
exploiting known vulnerabilities.
5. Incident Response: Capital One could have implemented an incident response plan that
would have allowed them to respond quickly to any security incidents, including
breaches. This could include regular testing of the plan to ensure it was effective and
efficient in responding to security incidents.

By implementing these security controls, Capital One could have reduced its risk of a data
breach and potentially prevented the attack of 2019.

How it happened

Paige Thompson, the perpetrator of the Capital One data breach in 2019, gained
access to sensitive customer data through a misconfigured web application firewall (WAF).
Specifically, she exploited a flaw in the WAF configuration that allowed her to send
specially crafted requests containing commands to the server. These commands allowed her
to obtain credentials that were stored in plaintext, which she then used to access the data
stored in Capital One's Amazon Web Services (AWS) environment.

Once Thompson gained access to the AWS environment, she used a tool called "importer" to
scan for and copy data from the S3 buckets that contained the sensitive customer information.
She was able to access a large amount of data, including names, addresses, credit scores,
Social Security numbers, and other personal information of over 100 million customers and
applicants.
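The detection question in the guidelines ("How do you detect this type of attack?") applies directly to the sequence above: credentials belonging to the WAF host's role are replayed from outside the environment to enumerate and copy S3 buckets. The following is an added example, not part of the case study and not Capital One's or AWS's own tooling. It runs two checks over constructed CloudTrail-shaped records: role credentials used from a source address outside the network the WAF host is expected to call from, and one source reading objects from many distinct buckets after listing them. The role name, account number, VPC range and records are all assumed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

WAF_ROLE = "waf-instance-role"                # assumed: IAM role attached to the WAF host
EXPECTED_NETS = [ip_network("10.0.0.0/16")]   # assumed: VPC range the WAF host calls from
BUCKET_THRESHOLD = 3                          # distinct buckets read by one source before alerting

def evt(name, ip, bucket, role=WAF_ROLE, session="i-0abc"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventName": name, "sourceIPAddress": ip,
            "requestParameters": {"bucketName": bucket} if bucket else {},
            "userIdentity": {"type": "AssumedRole",
                             "arn": f"arn:aws:sts::111122223333:assumed-role/{role}/{session}"}}

# Constructed sample: one normal call from inside the VPC, then the role's
# credentials reused from an outside address to list and read several buckets.
EVENTS = [
    evt("GetObject", "10.0.1.20", "waf-logs"),
    evt("ListBuckets", "203.0.113.7", None),
    evt("ListObjects", "203.0.113.7", "customer-apps-1"),
    evt("GetObject", "203.0.113.7", "customer-apps-1"),
    evt("GetObject", "203.0.113.7", "customer-apps-2"),
    evt("GetObject", "203.0.113.7", "ssn-export"),
]

def role_of(event):
    """Extract the role name from an assumed-role ARN, or None for other identities."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident["arn"].split("assumed-role/")[1].split("/")[0]

def analyze(events, role=WAF_ROLE, nets=EXPECTED_NETS, threshold=BUCKET_THRESHOLD):
    """Return one alert per unexpected source address and one per source that
    reads from >= threshold distinct buckets."""
    alerts, outside_calls, listed = [], defaultdict(int), set()
    buckets_by_ip = defaultdict(set)
    for e in events:
        if role_of(e) != role:
            continue
        ip = e["sourceIPAddress"]
        if not any(ip_address(ip) in n for n in nets):
            outside_calls[ip] += 1
        if e["eventName"] == "ListBuckets":
            listed.add(ip)
        bucket = e["requestParameters"].get("bucketName")
        if bucket and e["eventName"] in ("GetObject", "ListObjects"):
            buckets_by_ip[ip].add(bucket)
    for ip, n in outside_calls.items():
        alerts.append(f"{role} credentials used from unexpected source {ip} ({n} calls)")
    for ip, buckets in buckets_by_ip.items():
        if len(buckets) >= threshold:
            tag = " after ListBuckets" if ip in listed else ""
            alerts.append(f"{ip} read {len(buckets)} distinct buckets{tag}: {sorted(buckets)}")
    return alerts
```

In production the expected source set would come from the instance's VPC and any VPC endpoint used for S3, and a bucket policy conditioned on that endpoint would stop the replayed credentials from working at all.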

Thompson was able to carry out this attack by taking advantage of a series of vulnerabilities in
Capital One's security infrastructure, including a misconfigured firewall, lack of encryption of
sensitive data, and inadequate access controls. Additionally, the fact that she was a former
AWS employee and had knowledge of the AWS environment likely made it easier for her to
carry out the attack.

To prevent similar attacks in the future, companies like Capital One should implement robust
security controls, including strong access controls, proper configuration of firewalls and other
security devices, and encryption of sensitive data. Regular vulnerability assessments and
penetration testing should also be conducted to identify and remediate vulnerabilities before
they can be exploited by attackers. It's also important for companies to have incident response
plans in place, including procedures for detecting and responding to breaches in a timely and
effective manner.
