CrowdStrike Alert Details
Alert ID: CS-BLUETOOTH-EXFIL-1011-7842
Alert Time: 2024-03-02 09:30:15 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: “Bluetooth File Transfer Detected – Potential Data Exfiltration”
MITRE ATT&CK: T1011 – Exfiltration Over Other Network Medium: Bluetooth
Alert Details:
Detection: Large file transfer over Bluetooth from corporate laptop
Host: RND-WS-045 (Research & Development)
User: alexchen@company.com (Alex Chen, Researcher)
Time: 09:15-09:30 EST
Bluetooth Activity:
Device Paired: “iPhone 14 Pro” (attacker’s device)
Pairing Time: 09:10 EST
File Transfer Start: 09:15 EST
Files Transferred: 47 files
Total Size: 234 MB
File Types: .py, .ipynb, .docx, .pdf, .kdbx
File Transfer Log (CrowdStrike):
09:15:22 – quantum_algorithm.py (2.3 MB) transferred to iPhone
09:16:45 – research_data.ipynb (4.5 MB) transferred
09:18:12 – model_weights.h5 (15.2 MB) transferred
09:20:05 – patent_draft.docx (1.2 MB) transferred
09:22:33 – customer_list.xlsx (3.4 MB) transferred
09:24:18 – source_code_backup.zip (45.6 MB) transferred
09:26:45 – passwords.kdbx (1.8 MB) transferred
… (47 total transfers)
Detection Logic:
Bluetooth file transfer (unusual for this user)
Large volume of data (234 MB)
Files include source code, research data, password database
User has no history of Bluetooth transfers
Pattern matches data exfiltration via Bluetooth
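The detection logic above, re-implemented as an added example (not CrowdStrike's rule or the report's own code) over the transfer-log format quoted earlier. The threshold, file-type categories and score weights are assumptions; the report names the conditions but not their values.

```python
import re
from dataclasses import dataclass
from pathlib import PurePath

# Constructed sample in the shape of the CrowdStrike transfer log quoted above
# (the seven entries the report lists; the other 40 are not on the page).
SAMPLE_LOG = """\
09:15:22 – quantum_algorithm.py (2.3 MB) transferred to iPhone
09:16:45 – research_data.ipynb (4.5 MB) transferred
09:18:12 – model_weights.h5 (15.2 MB) transferred
09:20:05 – patent_draft.docx (1.2 MB) transferred
09:22:33 – customer_list.xlsx (3.4 MB) transferred
09:24:18 – source_code_backup.zip (45.6 MB) transferred
09:26:45 – passwords.kdbx (1.8 MB) transferred
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) [–-] (\S+) \(([\d.]+) (KB|MB|GB)\) transferred")
TO_MB = {"KB": 1 / 1024, "MB": 1.0, "GB": 1024.0}

# Assumed rule parameters: the report states the conditions, not the thresholds or weights.
VOLUME_THRESHOLD_MB = 50.0
SENSITIVE = {"source code": {".py", ".zip", ".h5"}, "research data": {".ipynb", ".csv"},
             "password database": {".kdbx"}}
WEIGHTS = {"no_history": 30, "large_volume": 30, "sensitive_files": 25}  # chosen to sum to 85/100

@dataclass
class Transfer:
    time: str
    name: str
    size_mb: float

def parse_transfer_log(text):
    """Parse 'HH:MM:SS – name (size UNIT) transferred ...' lines; skip anything else (e.g. '…')."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Transfer(m.group(1), m.group(2), float(m.group(3)) * TO_MB[m.group(4)]))
    return out

def evaluate(transfers, user_has_bt_history):
    """Apply the three conditions from the alert's detection logic; return score and reasons."""
    total_mb = sum(t.size_mb for t in transfers)
    hit = {cat for t in transfers for cat, exts in SENSITIVE.items() if PurePath(t.name).suffix.lower() in exts}
    score, reasons = 0, []
    if not user_has_bt_history:
        score += WEIGHTS["no_history"]; reasons.append("user has no Bluetooth transfer history")
    if total_mb >= VOLUME_THRESHOLD_MB:
        score += WEIGHTS["large_volume"]; reasons.append(f"large volume: {total_mb:.1f} MB")
    if hit:
        score += WEIGHTS["sensitive_files"]; reasons.append("sensitive files: " + ", ".join(sorted(hit)))
    return {"total_mb": round(total_mb, 1), "score": score, "reasons": reasons}
```

With the user's empty Bluetooth baseline all three conditions fire on the seven listed transfers (74.0 MB); the same log for a user with prior Bluetooth history scores lower, which is the baseline check that separates this alert from routine phone syncing.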
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed Bluetooth file transfer activity
2. User Interview | Contact alexchen | Teams, Phone | User did NOT transfer files via Bluetooth (account compromised)
3. Physical Security | Check badge access | Security Logs | Unauthorized individual in R&D area at 09:00
4. Immediate Action | Isolate host | CrowdStrike | RND-WS-045 quarantined
5. Account Remediation | Disable alexchen account | Azure AD, AD | Account disabled; password reset
6. Incident Response | Activate breach response | Legal, Management | Data breach declared
Jira Incident Report
Ticket: SOC-2024-156
Summary: T1011 – 234 MB of R&D Data Exfiltrated via Bluetooth
Status: RESOLVED
Resolution: MALICIOUS – Data Breach Confirmed
Priority: P1 – CRITICAL
Labels: T1011, bluetooth-exfiltration, data-breach, crowdstrike, physical-access
Components: Endpoint-Security, Physical-Security, Data-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Bluetooth File Transfer Detected – Potential Data Exfiltration”.
Host: RND-WS-045 (R&D Department, user alexchen).
Method: Bluetooth file transfer to “iPhone 14 Pro”.
Data: 47 files, 234 MB.
Time: 2024-03-02 09:30 EST.
Technique: MITRE ATT&CK T1011 – Exfiltration Over Other Network Medium: Bluetooth.
2. Technical Analysis:
Attack Chain:
08:45 – Unauthorized individual enters R&D area (piggybacked)
08:50 – Individual sits at alexchen’s desk (user at coffee break)
08:55 – Attacker logs into unlocked workstation
09:00 – Attacker pairs iPhone via Bluetooth
09:05 – Attacker navigates to sensitive folders
09:15-09:30 – Attacker transfers 47 files (234 MB)
09:30 – Attacker leaves; CrowdStrike alerts
09:31 – SOC investigates
Files Exfiltrated:
Source Code: quantum_algorithm.py, model_weights.h5, source_code_backup.zip (63 MB)
Research Data: research_data.ipynb, experiment_results.csv (28 MB)
Patents: patent_draft.docx, patent_figures.pdf (12 MB)
Customer Data: customer_list.xlsx, client_contracts.pdf (15 MB)
Passwords: passwords.kdbx (corporate password vault – 1.8 MB)
Other: Various documents, spreadsheets (114 MB)
Physical Security Breach:
Attacker entered via badge tailgating (no badge scan)
Workstation was unlocked (user left for coffee)
No security in R&D area
User Status:
User was on coffee break, unaware
Account not compromised (physical access only)
3. Investigation Findings:
Timeline:
08:45 – Attacker enters building
08:50 – Attacker at workstation
09:00-09:30 – Bluetooth pairing and file transfer
09:30 – CrowdStrike alert
09:31 – SOC investigates
09:32 – Security dispatched
09:35 – Attacker fled (not found)
09:36 – Host isolated
Indicators of Compromise (IoCs):
Physical:
– Unauthorized individual, male, 30s, dark hoodie
– Entered at 08:45 via badge tailgating
Device:
– “iPhone 14 Pro” (attacker’s device)
– Bluetooth pairing at 09:00
Files:
– 47 files, 234 MB exfiltrated (list attached)
4. Containment Actions:
Immediate Actions:
Isolated RND-WS-045 via CrowdStrike.
Disabled Bluetooth on all corporate workstations (policy push).
Reset alexchen password (precaution).
Security increased in R&D area.
Breach Response:
Declared data breach.
Notified legal, PR, management.
Began customer notification process (PII exposure).
Rotated all corporate passwords (password vault compromised).
Host Remediation:
Reimaged host.
5. Root Cause Analysis:
Primary Cause: Physical security breach (tailgating) + unlocked workstation.
Contributing Factors:
No mantraps at entrances.
Workstation left unlocked.
Bluetooth enabled and allowed for file transfers.
No security cameras covering R&D area.
6. Business Impact:
Operational Impact: R&D workstation offline; password reset for all users.
Data Exposure: 234 MB of IP, source code, customer data, passwords exfiltrated.
Regulatory Impact: GDPR/CCPA breach (customer PII).
Financial Impact: Significant (IP theft, incident response, notification, potential fines).
7. Remediation & Prevention:
Completed Actions:
Exfiltration stopped.
Bluetooth disabled.
Passwords rotated.
Breach response initiated.
Technical Controls Enhanced:
Disabled Bluetooth file transfer via GPO.
Enforced screen lock after 5 minutes.
Implemented mantraps at all entrances.
Added security cameras in sensitive areas.
Deployed USB/Bluetooth device control.
8. Conclusion:
An attacker gained physical access to an unlocked R&D workstation and exfiltrated 234 MB of intellectual property, customer data, and corporate passwords via Bluetooth. CrowdStrike detected the Bluetooth file transfer, but exfiltration had already occurred. A full data breach response was initiated, and all corporate passwords were rotated.
Closure Rationale: Data exfiltrated; exfiltration stopped; breach response initiated; all passwords rotated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-02 10:30 EST