This is a guest post by Rapid7 customer, Tom Brown. Faced with a possible data breach after customers reported malicious spam appearing to come from his company, Liberty Wines, he called in the experts.


The cyber incident came when I was on a trip to eastern Europe. Staff back at the office said our email had gone into meltdown. They claimed we were under attack – that customers were calling in to report that they were receiving emails from us with an unusual attachment, which turned out to be malicious. In just a short space of time we'd also been bombarded by a backscatter of hundreds of thousands of non-delivery receipts related to the original offending email. We had to be sure an internal breach wasn't to blame. That's when I called in the experts at Rapid7.

A bit of background: Liberty Wines is a multi-award winning UK based Wine Importer and Wholesaler headquartered in London. The Desktop Support Engineer and I have around 130 endpoints to look after – a mix of desktops, smartphones and laptops – as well as hosted email and a mix of around 30 on premise and hosted servers. With globetrotting Sales and Buying teams logging-on to the network from locations all round the world, and a heterogeneous IT estate, there's plenty to keep us busy.

I had used Rapid7 software in the past and knew of them as a leader in the security space. When I heard that they had released UserInsight [now InsightUBA] I was intrigued. I soon arranged a live demo and was so impressed with it I allocated budget to get it installed the next (this) financial year.

We had previously identified a need for something to help us track user behaviour and logins but couldn't find anything suitable. Until UserInsight [now InsightUBA] was launched there really wasn't anything on the market that could easily scale from an SME like us right up to a large Enterprise deployment. The architecture of the InsightIDR system allows it to fit any size organisation while remaining at a realistic “per endpoint” cost for smaller setups like us.

Anyway, the incident had brought matters forward somewhat and we rapidly purchased and installed InsightIDR to give us the visibility and tools we needed to deal with the crisis at hand. InsightIDR is an expanded version of InsightUBA, it is an integrated detection and investigation solution that leverages user behaviour and endpoint analytics to spot and contain a compromise quickly and effectively, just what we needed.

Down to business

With time of the essence, the Rapid7 team worked closely with me, across three different time zones, to resolve the issue. After using Rapid7's Quick Start service to get set-up, the product began collecting and analysing data almost straightaway to provide us with the real-time intelligence it needed to spot if Liberty Wines had been breached or not. It scoured our systems looking for traversal, privilege escalation, unusual service account usage, logins from unexpected locations or devices, and so on. We also set Rapid7's vulnerability management product Nexpose to work identifying any potential security weaknesses in our systems which may have needed urgent attention.

Fortunately, InsightIDR found no suspicious user login or process activity on the network. From analysis of the spoofed email and email logs we worked out that the breach had actually come from a customer. The hackers had cloned a genuine email sent from Liberty Wines to a customer and then mass emailed it out to millions of internet users – some of whom were our customers – with the addition of a malicious JavaScript attachment.

Still, the Rapid7 team reverse engineered and analysed the malware in question to double check it had not penetrated the network. It was a couple weeks before we could say we had collected enough data to be absolutely sure that there was no suspicious activity going on internally. I have to say that without InsightIDR there is no way that we would have been able to confidently assert that our network was, and continues to be, clean.

With the real-time visibility provided by Rapid7, I was also able to draw up a clear and detailed graphical timeline of events for the Liberty Wines board, and inform customers what had happened.

A lasting confidence

Rapid7 pulled out all the stops to help when the call first came through from us, and together we managed to get InsightIDR set-up in a matter of hours.

It's a great system. It gives you that warm feeling inside by catching any suspicious behaviour on the network months before you'd otherwise discover it. Most IT managers accept that something will get through – that there will be a hole somewhere. So it's about finding out where it is quickly and being able to take action and that's what InsightIDR gives you.

Although there was no sign of a breach, the new user and process visibility it gave us did highlight a few areas where we needed to tighten up – particularly on user account security, which was quickly actioned. It allows me to see if a user is trying to access work emails on an unsanctioned mobile device, for example, or if they're logging on from a foreign country.

We also used Rapid7 Nexpose, which highlighted a number of areas where our patching was falling short. We found plug-ins in unused browsers that were not being updated and it also resulted in us shutting down some legacy systems we had kept running for reference purposes. The risk they posed internally was greater than the need for quick access to old data. Nexpose allowed us to demonstrate this to the business.

Going forward, we're embarking on a big website rebuild. We are going to make sure it's bomb-proof before going live. That's why I've already put Rapid7 pen testing into the budget for next year.