Zscaler Alert Details
Alert ID: ZSCALER-CLOUD-EXFIL-1567-7842
Alert Time: 2024-03-13 09:30:15 EST
Severity: CRITICAL (95/100)
Source: Zscaler Internet Access (ZIA) – Cloud App Control
Rule: “Sensitive Data Upload to Personal Cloud Storage”
MITRE ATT&CK: T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage
Alert Details:
Detection: Large upload of sensitive files to personal Google Drive account
User: kwilson@company.com (Karen Wilson, Finance Manager)
Source IP: 192.168.45.112 (FIN-WS-078)
Destination: https://www.googleapis.com/upload/drive/v3/files
Time: 09:15-09:30 EST
Upload Details:
09:15:22 – Authentication to Google Drive (OAuth) – personal account “finance.manager.kw@gmail.com”
09:16:45 – Upload: “Q1_Financial_Results.xlsx” (8.2 MB)
09:18:12 – Upload: “Q2_Projections.xlsx” (7.5 MB)
09:19:33 – Upload: “Customer_Payment_History.csv” (12.3 MB)
09:21:05 – Upload: “Merger_Agreement_Draft.pdf” (4.2 MB)
09:22:28 – Upload: “Executive_Bonus_Plan.xlsx” (3.1 MB)
09:23:50 – Upload: “VPN_Configs.zip” (2.8 MB)
09:25:15 – Upload: “passwords.kdbx” (1.8 MB)
Total: 7 files, 39.9 MB
Detection Logic:
Multiple sensitive files uploaded to personal Google Drive
User kwilson has corporate OneDrive, no business need for personal Google Drive
Files contain financial data, PII, confidential documents
Destination is personal account (not corporate)
Pattern matches data exfiltration to cloud storage
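As an added example (not part of the original alert or report), the following Python implements the detection logic above over a constructed Zscaler-style web-log excerpt: it keeps only uploads to the Drive upload endpoint whose destination account is outside the corporate domain and whose filename matches a sensitive-content pattern, then raises one alert per user when at least three such files totalling 10 MB or more land inside a 15-minute window. The log column names, the sensitive-name pattern and the thresholds are assumptions, not Zscaler's real schema or rule settings.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed ZIA-style web-log excerpt; column names are assumptions, byte counts approximate the alert's sizes.
SAMPLE_LOG = """\
time,user,url,bytes_out,filename,app_account
2024-03-13 09:16:45,kwilson@company.com,https://www.googleapis.com/upload/drive/v3/files,8598324,Q1_Financial_Results.xlsx,finance.manager.kw@gmail.com
2024-03-13 09:18:12,kwilson@company.com,https://www.googleapis.com/upload/drive/v3/files,7864320,Q2_Projections.xlsx,finance.manager.kw@gmail.com
2024-03-13 09:19:33,kwilson@company.com,https://www.googleapis.com/upload/drive/v3/files,12897484,Customer_Payment_History.csv,finance.manager.kw@gmail.com
2024-03-13 09:25:15,kwilson@company.com,https://www.googleapis.com/upload/drive/v3/files,1887437,passwords.kdbx,finance.manager.kw@gmail.com
2024-03-13 09:20:01,jdoe@company.com,https://www.googleapis.com/upload/drive/v3/files,4194304,team_photo.jpg,jdoe.home@gmail.com
2024-03-13 09:21:00,asmith@company.com,https://company-my.sharepoint.com/personal/asmith/_layouts/15/upload.aspx,9437184,Q1_Financial_Results.xlsx,asmith@company.com
"""
CORPORATE_DOMAINS = {"company.com"}                      # sanctioned destination account domains (assumed)
DRIVE_UPLOAD = re.compile(r"^https://www\.googleapis\.com/upload/drive/")
SENSITIVE_NAME = re.compile(r"financial|projection|payment|merger|bonus|vpn|password|\.kdbx$", re.I)
WINDOW = timedelta(minutes=15)
MIN_FILES, MIN_BYTES = 3, 10 * 1024 * 1024               # rule thresholds (assumed)

def is_personal(account: str) -> bool:
    """True when the Drive account the upload landed in is not a corporate identity."""
    return account.split("@")[-1].lower() not in CORPORATE_DOMAINS

def detect_personal_drive_exfil(log_text: str) -> list[dict]:
    """Return one alert per user whose sensitive uploads to a personal Drive exceed the thresholds."""
    per_user = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if DRIVE_UPLOAD.match(row["url"]) and is_personal(row["app_account"]) \
                and SENSITIVE_NAME.search(row["filename"]):
            per_user[row["user"]].append(
                (datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"), int(row["bytes_out"]),
                 row["filename"], row["app_account"]))
    alerts = []
    for user, events in per_user.items():
        events.sort()
        for i, (t_end, _, _, account) in enumerate(events):  # sliding window ending at each upload
            window = [e for e in events[: i + 1] if t_end - e[0] <= WINDOW]
            total = sum(e[1] for e in window)
            if len(window) >= MIN_FILES and total >= MIN_BYTES:
                alerts.append({"user": user, "account": account, "files": [e[2] for e in window],
                               "total_mb": round(total / 1_000_000, 1)})
                break                                         # one alert per user, at first breach of thresholds
    return alerts

if __name__ == "__main__":
    for alert in detect_personal_drive_exfil(SAMPLE_LOG):
        print(alert)
```

Only kwilson trips the rule: jdoe's single non-sensitive file to a personal account and asmith's sensitive file to the corporate OneDrive tenant both stay quiet, which is the distinction the rule's "personal account" and "no business need" conditions encode.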
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Zscaler alert | Zscaler Admin Console | Confirmed upload to personal Google Drive
2. User Interview | Contact kwilson | Teams, Phone | User did NOT upload files (account compromised)
3. Google Drive Investigation | Check file access | Google Workspace Admin | Files uploaded to attacker’s personal account (finance.manager.kw@gmail.com)
4. Immediate Action | Isolate host | CrowdStrike | FIN-WS-078 quarantined
5. Account Remediation | Disable kwilson account | Azure AD, AD | Account disabled; password reset
6. Legal Action | Contact Google for takedown | Legal Team | DMCA takedown request submitted
Jira Incident Report
Ticket: SOC-2024-211
Summary: T1567.002 – 39.9 MB of Sensitive Data Exfiltrated to Personal Google Drive
Status: RESOLVED
Resolution: MALICIOUS – Data Breach Confirmed
Priority: P1 – CRITICAL
Labels: T1567, cloud-exfiltration, google-drive, zscaler, data-breach
Components: Data-Security, Incident-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Zscaler Internet Access (Cloud App Control).
Alert: “Sensitive Data Upload to Personal Cloud Storage”.
User: kwilson@company.com (Finance Manager).
Destination: Personal Google Drive (finance.manager.kw@gmail.com).
Data: 39.9 MB (7 files) uploaded.
Time: 2024-03-13 09:30 EST.
Technique: MITRE ATT&CK T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage.
2. Technical Analysis:
Attack Chain:
08:30 – kwilson account compromised via phishing
08:45 – Attacker logs into FIN-WS-078 via RDP
08:50 – Attacker collects sensitive files from local and network shares
09:00 – Attacker accesses personal Google Drive via Chrome
09:15-09:30 – Upload of 7 files (39.9 MB)
09:30 – Zscaler detects
Files Exfiltrated:
Q1_Financial_Results.xlsx (8.2 MB) – detailed revenue, expenses
Q2_Projections.xlsx (7.5 MB) – forecast, budget
Customer_Payment_History.csv (12.3 MB) – customer names, payment details (PII)
Merger_Agreement_Draft.pdf (4.2 MB) – confidential acquisition details
Executive_Bonus_Plan.xlsx (3.1 MB) – sensitive HR data
VPN_Configs.zip (2.8 MB) – network access details
passwords.kdbx (1.8 MB) – corporate password vault
Google Drive Account:
Email: finance.manager.kw@gmail.com
IP: 185.143.221[.]89 (attacker)
Status: Files uploaded and accessible
User Status:
Account compromised; user unaware
3. Investigation Findings:
Timeline:
08:30 – Account compromised
08:45 – Attacker logs in
08:50-09:00 – Data collection
09:15-09:30 – Upload to Google Drive
09:30 – Zscaler alert
09:32 – SOC investigates
09:33 – Host isolated
09:34 – Account disabled
Indicators of Compromise (IoCs):
Network:
– Destination: Google Drive API
– Attacker IP: 185.143.221[.]89
Files:
– 7 files, 39.9 MB exfiltrated (list attached)
Account:
– kwilson (compromised)
– finance.manager.kw@gmail.com (receiving account)
4. Containment Actions:
Immediate Actions:
Isolated FIN-WS-078 via CrowdStrike.
Blocked Google Drive uploads for compromised account.
Disabled kwilson account.
Reset password.
Breach Response:
Declared data breach.
Notified legal, PR, management.
Began customer notification process (PII exposure).
Submitted DMCA takedown request to Google.
Rotated all corporate passwords (password vault compromised).
Host Remediation:
Reimaged host.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to data theft.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
Cloud storage allowed (not restricted).
6. Business Impact:
Operational Impact: Finance host offline; password reset for all users.
Data Exposure: 39.9 MB of financial data, PII, strategic documents, passwords exfiltrated.
Regulatory Impact: GDPR/CCPA breach (customer PII).
Financial Impact: Significant (IP theft, incident response, notification, potential fines).
7. Remediation & Prevention:
Completed Actions:
Exfiltration stopped.
Host isolated.
Account secured.
Takedown request submitted.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Restricted cloud storage to corporate accounts only.
Enhanced DLP for cloud uploads.
8. Conclusion:
An attacker compromised a finance manager’s account and exfiltrated 39.9 MB of sensitive data to a personal Google Drive account. Zscaler detected the large uploads, but exfiltration had already occurred. A full data breach response was initiated, and all corporate passwords were rotated.
Closure Rationale: Data exfiltrated; exfiltration stopped; breach response initiated; all passwords rotated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-13 10:30 EST