Zscaler Alert Details
Alert ID: ZSCALER-WEB-EXFIL-1567-7842
Alert Time: 2024-03-02 11:30:22 EST
Severity: HIGH (85/100)
Source: Zscaler Internet Access (ZIA)
Rule: “Large Upload to Cloud Storage – Potential Data Exfiltration”
MITRE ATT&CK: T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage
Alert Details:
Detection: Large file upload to Google Drive from internal user
User: kwilson@company.com (Karen Wilson, Finance)
Source IP: 192.168.45.112 (FIN-WS-078)
Destination: https://www.googleapis.com/upload/drive/v3/files
Time: 11:15-11:30 EST
Upload Details:
File: “Q4_Financial_Projections.xlsx” (12.3 MB)
File: “Customer_PII_Export.csv” (8.7 MB)
File: “Board_Meeting_Minutes.docx” (2.4 MB)
File: “Merger_Agreement_Draft.pdf” (5.6 MB)
File: “password.kdbx” (1.8 MB)
Total: 30.8 MB uploaded
Upload Pattern:
11:15:22 – Authentication to Google Drive (OAuth)
11:16:45 – Upload of Q4_Financial_Projections.xlsx
11:20:12 – Upload of Customer_PII_Export.csv
11:23:38 – Upload of Board_Meeting_Minutes.docx
11:26:55 – Upload of Merger_Agreement_Draft.pdf
11:29:15 – Upload of password.kdbx
Detection Logic:
Multiple sensitive files uploaded to personal Google Drive
User kwilson has no business need for Google Drive
Files contain financial data, PII, confidential documents
Destination is personal account (not corporate Google Workspace)
Pattern matches data exfiltration to cloud storage
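As an added illustration (not part of the Zscaler rule or this report), the detection logic above can be approximated over proxy logs: sum upload bytes per user to known cloud-storage upload endpoints inside a sliding window, alert past a byte threshold, and flag file names that look sensitive. The CSV log format, the 10 MB / 15-minute thresholds and the extension list are assumptions; the sample lines are constructed to mirror the upload pattern in the alert.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (assumed CSV layout, not Zscaler's schema):
# time,user,dst_host,url_path,bytes_out,filename
SAMPLE_LOG = """\
2024-03-02T11:16:45,kwilson@company.com,www.googleapis.com,/upload/drive/v3/files,12300000,Q4_Financial_Projections.xlsx
2024-03-02T11:20:12,kwilson@company.com,www.googleapis.com,/upload/drive/v3/files,8700000,Customer_PII_Export.csv
2024-03-02T11:23:38,kwilson@company.com,www.googleapis.com,/upload/drive/v3/files,2400000,Board_Meeting_Minutes.docx
2024-03-02T11:26:55,kwilson@company.com,www.googleapis.com,/upload/drive/v3/files,5600000,Merger_Agreement_Draft.pdf
2024-03-02T11:29:15,kwilson@company.com,www.googleapis.com,/upload/drive/v3/files,1800000,password.kdbx
2024-03-02T11:25:00,jdoe@company.com,www.googleapis.com,/upload/drive/v3/files,300000,notes.txt
2024-03-02T11:26:00,jdoe@company.com,example.com,/index.html,500,-
"""

# Cloud-storage upload endpoints the rule watches (the Drive endpoint is the one in the alert)
CLOUD_UPLOAD_PATHS = {("www.googleapis.com", "/upload/drive/v3/files")}
# Assumed thresholds: 10 MB of uploads per user within a 15-minute sliding window
WINDOW = timedelta(minutes=15)
THRESHOLD_BYTES = 10 * 1024 * 1024
# Assumed file-type hints for the "sensitive files" part of the rule; tune per environment
SENSITIVE_EXTENSIONS = (".kdbx", ".csv", ".xlsx")

def parse(line):
    ts, user, host, path, out_bytes, fname = line.split(",")
    return datetime.fromisoformat(ts), user, host, path, int(out_bytes), fname

def detect(log_text, window=WINDOW, threshold=THRESHOLD_BYTES):
    """Return {user: (total_bytes, filenames)} for users whose cloud-storage
    uploads inside one sliding window reach the byte threshold."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, host, path, out_bytes, fname = parse(line)
        if (host, path) in CLOUD_UPLOAD_PATHS:   # ignore ordinary browsing
            events[user].append((ts, out_bytes, fname))
    alerts = {}
    for user, evs in events.items():
        evs.sort()   # chronological order for the sliding window
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window start forward
                start += 1
            total = sum(b for _, b, _ in evs[start:end + 1])
            if total >= threshold and total > alerts.get(user, (0,))[0]:
                alerts[user] = (total, [f for _, _, f in evs[start:end + 1]])
    return alerts

def sensitive_files(filenames):
    """Subset of uploaded names whose extension suggests vaults, exports or spreadsheets."""
    return [f for f in filenames if f.lower().endswith(SENSITIVE_EXTENSIONS)]
```

Whether the destination is a personal rather than a corporate Google account is not visible in these fields; that part of the rule needs a CASB or tenant-restriction header check rather than proxy volume alone.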
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Zscaler alert | Zscaler Admin Console | Confirmed upload to personal Google Drive
2. User Interview | Contact kwilson | Teams, Phone | User did NOT upload files (account compromised)
3. Google Drive Investigation | Check file access | Google Workspace Admin | Files uploaded to attacker’s personal account
4. Immediate Action | Isolate host | CrowdStrike | FIN-WS-078 quarantined
5. Account Remediation | Disable kwilson account | Azure AD, AD | Account disabled; password reset
6. Legal Action | Contact Google for takedown | Legal Team | DMCA takedown request submitted
Jira Incident Report
Ticket: SOC-2024-158
Summary: T1567 – 30.8 MB of Sensitive Data Exfiltrated to Personal Google Drive
Status: RESOLVED
Resolution: MALICIOUS – Data Breach Confirmed
Priority: P1 – CRITICAL
Labels: T1567, web-service-exfiltration, google-drive, zscaler, data-breach
Components: Network-Security, Data-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Zscaler Internet Access.
Alert: “Large Upload to Cloud Storage – Potential Data Exfiltration”.
User: kwilson@company.com (Finance Department).
Destination: Google Drive (personal account).
Data: 30.8 MB uploaded.
Time: 2024-03-02 11:30 EST.
Technique: MITRE ATT&CK T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage.
2. Technical Analysis:
Attack Chain:
10:30 – kwilson account compromised via phishing
10:45 – Attacker logs into FIN-WS-078 via RDP
10:50 – Attacker collects sensitive files
11:00 – Attacker accesses personal Google Drive
11:15-11:30 – Upload of 5 files (30.8 MB)
11:30 – Zscaler detects
Files Exfiltrated:
Q4_Financial_Projections.xlsx (12.3 MB) – confidential financial data
Customer_PII_Export.csv (8.7 MB) – names, addresses, SSNs (PII)
Board_Meeting_Minutes.docx (2.4 MB) – strategic discussions
Merger_Agreement_Draft.pdf (5.6 MB) – legal documents
password.kdbx (1.8 MB) – corporate password vault
Google Drive Account:
Email: attacker@gmail.com (personal account)
IP: 185.143.221[.]89 (Bulgaria)
Status: Files uploaded and accessible
User Status:
Account compromised; user unaware
3. Investigation Findings:
Timeline:
10:30 – Account compromised
10:45 – Attacker logs in
10:50-11:00 – Data collection
11:15-11:30 – Upload to Google Drive
11:30 – Zscaler alert
11:32 – SOC investigates
11:33 – Host isolated
11:34 – Account disabled
Indicators of Compromise (IoCs):
Network:
– Destination: Google Drive API
– Attacker IP: 185.143.221[.]89
Files:
– 5 files, 30.8 MB exfiltrated (list attached)
Account:
– kwilson (compromised)
– attacker@gmail.com (receiving account)
4. Containment Actions:
Immediate Actions:
Isolated FIN-WS-078 via CrowdStrike.
Blocked Google Drive uploads for compromised account.
Disabled kwilson account.
Reset password.
Breach Response:
Declared data breach.
Notified legal, PR, management.
Began customer notification process (PII exposure).
Submitted DMCA takedown request to Google.
Rotated all corporate passwords (password vault compromised).
Host Remediation:
Reimaged host.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to data theft.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
Cloud storage allowed (not restricted).
6. Business Impact:
Operational Impact: Finance host offline; password reset for all users.
Data Exposure: 30.8 MB of financial data, PII, strategic documents, passwords exfiltrated.
Regulatory Impact: GDPR/CCPA breach (customer PII).
Financial Impact: Significant (IP theft, incident response, notification, potential fines).
7. Remediation & Prevention:
Completed Actions:
Exfiltration stopped.
Host isolated.
Account secured.
Takedown request submitted.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Restricted cloud storage to corporate accounts only.
Enhanced DLP for cloud uploads.
8. Conclusion:
An attacker compromised a finance user’s account and exfiltrated 30.8 MB of sensitive data to a personal Google Drive account. Zscaler detected the large uploads, but exfiltration had already occurred. A full data breach response was initiated, and all corporate passwords were rotated.
Closure Rationale: Data exfiltrated; exfiltration stopped; breach response initiated; all passwords rotated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-02 12:30 EST