A supply chain compromise that persisted for 214 days inside a Fortune 500 insurance carrier — dissected lateral movement by lateral movement, until the one misconfigured service account that opened every door.
FIG. 1.1 — Attacker leveraged a trusted vendor VPN tunnel to reach the CI/CD build server. The svc_build_01 service account held write access to 23 production repositories it had no legitimate reason to touch.
VPN cert issued to third-party auditor 18 months prior — never revoked after engagement closed.
First lateral move: build server to artifact repository. No EDR coverage on build nodes.
svc_build_01 makes first anomalous API call outside its declared service boundary.
Malicious package injected into internal npm mirror. Hash verification disabled.
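The timeline above ends on a disabled hash check. What that check does, as an added example written for this page (not the carrier's code and not npm's own implementation), run over constructed tarball bytes and a constructed package-lock.json fragment; the package names, versions and mirror URL are hypothetical:

```python
"""Lockfile integrity verification, stand-alone.

npm pins each dependency in package-lock.json with a Subresource Integrity
string ("sha512-<base64 digest>", optionally several space-separated) and
checks the fetched tarball against it before unpacking. With that check off,
a mirror that swaps the tarball behind a pinned version is trusted blindly:
the version string still matches, only the bytes differ.
"""
import base64
import hashlib
import hmac

# Algorithms SRI allows, ranked so the strongest one pinned decides.
SRI_ALGORITHMS = {"sha256": 1, "sha384": 2, "sha512": 3}


def parse_integrity(integrity: str) -> dict[str, bytes]:
    """Parse an SRI string into {algorithm: raw digest}; unknown algorithms
    (md5, sha1, typos) are dropped, as the SRI spec requires."""
    digests: dict[str, bytes] = {}
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo in SRI_ALGORITHMS:
            digests[algo] = base64.b64decode(b64, validate=True)
    return digests


def verify_tarball(data: bytes, integrity: str) -> bool:
    """True only if `data` matches the strongest digest pinned in `integrity`.
    No usable pin means reject: 'no hash' must not degrade to 'trust the mirror'."""
    digests = parse_integrity(integrity)
    if not digests:
        return False
    algo = max(digests, key=SRI_ALGORITHMS.__getitem__)
    return hmac.compare_digest(hashlib.new(algo, data).digest(), digests[algo])


def make_integrity(data: bytes, algo: str = "sha512") -> str:
    """What `npm install` writes into the lockfile for a tarball it trusted."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"


def check_lockfile(lock: dict, fetched: dict[str, bytes]) -> list[str]:
    """Walk a v2/v3 lockfile's 'packages' map and return every package path
    whose fetched tarball must be rejected: wrong bytes or no integrity pin."""
    rejected = []
    for path, meta in lock["packages"].items():
        if not path:                      # "" is the root project entry
            continue
        integrity = meta.get("integrity", "")
        if not verify_tarball(fetched.get(path, b""), integrity):
            rejected.append(path)
    return rejected


# Constructed stand-ins: tarball bytes as they left the upstream registry, and
# the same tarball with a payload appended by whoever controls the mirror.
GENUINE = b"\x1f\x8b\x08\x00internal-utils-2.4.1 (constructed tarball bytes)"
TAMPERED = GENUINE + b"\n# postinstall hook added on the mirror"

# Constructed lockfile fragment: names, versions and URLs are hypothetical.
LOCKFILE = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "policy-portal", "version": "1.0.0"},
        "node_modules/internal-utils": {
            "version": "2.4.1",
            "resolved": "https://npm-mirror.internal.example/internal-utils/-/internal-utils-2.4.1.tgz",
            "integrity": make_integrity(GENUINE),
        },
        "node_modules/unpinned-dep": {    # lockfile entry with no integrity field
            "version": "0.1.0",
            "resolved": "https://npm-mirror.internal.example/unpinned-dep/-/unpinned-dep-0.1.0.tgz",
        },
    },
}

if __name__ == "__main__":
    clean = {"node_modules/internal-utils": GENUINE, "node_modules/unpinned-dep": b"whatever"}
    swapped = {**clean, "node_modules/internal-utils": TAMPERED}
    print("mirror honest:  ", check_lockfile(LOCKFILE, clean))
    print("mirror swapped: ", check_lockfile(LOCKFILE, swapped))
```

Two design points matter here. An entry with no `integrity` field is rejected rather than skipped, because a lockfile that silently accepts unpinned packages is the same failure as a mirror with verification off. And the comparison is constant-time even though the digests are public; it costs nothing and removes one thing a reviewer has to think about.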
"The build server was invisible to the SOC. It had no agent, no log forwarding, and a service account with domain admin equivalent."
— INCIDENT RESPONDER, WEEK 1 DEBRIEF
Between 03:17 and 03:31 UTC, the attacker moved from a build server service account to full domain compromise. The SIEM fired one low-severity alert. No analyst triaged it until 11 days later.
"DCSync from a non-DC host is textbook. The detection rule existed. The threshold was set to suppress low-volume alerts."
— THREAT INTEL ANALYST NOTE
* LOG EXCERPT — SANITIZED FOR PUBLICATION. TIMESTAMPS UTC. HOSTNAMES ANONYMIZED.
The attacker operated patiently — moving in bursts, then going dormant for weeks. The exfiltration was timed to coincide with legitimate high-volume backup windows.
"DNS-over-HTTPS rendered their exfiltration invisible to every network sensor they had deployed."
— FORENSIC REPORT, SECTION 4.3
WMI remote execution to PROD-DC-01. Domain admin achieved in 14 minutes.
14.3 GB transferred over 6 hours. DNS-over-HTTPS tunneling to C2 infrastructure.
28.7 GB — policyholder PII, actuarial models, M&A documents.
DLP alert on anomalous DNS query volume. Incident response team engaged.
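The analyst note above says the DCSync rule existed but its threshold suppressed low-volume alerts. As an added example (not the carrier's rule and not taken from the page's log excerpt), here is that detection run over constructed Windows Security event 4662 records, with the volume-threshold variant that stays silent next to the per-event variant that fires. The two replication extended-right GUIDs are the real values from the Active Directory schema; the DC names, the allowlist and the sample records are assumptions built to match the anonymized hostnames on this page:

```python
"""DCSync detection from event 4662, stand-alone.

Event 4662 is written on the domain controller that served the request. A
replication pull appears as a Control Access operation (AccessMask 0x100)
whose Properties field lists one or both replication extended rights. Only
domain controllers (and explicitly approved sync accounts) should ever hold
them, so the rule reduces to: replication rights exercised by anyone else.
"""
import re
from collections import defaultdict

# Extended-rights GUIDs from the Active Directory schema.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
CONTROL_ACCESS = "0x100"

# Assumption: the anonymized environment has two DCs; their machine accounts
# are the only principals expected to replicate.
ALLOWED_REPLICATORS = {"PROD-DC-01$", "PROD-DC-02$"}

GUID_RE = re.compile(r"\{([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}", re.I)


def extract_guids(properties_field: str) -> set[str]:
    """Pull every GUID out of the free-text Properties field of a 4662 event."""
    return {g.lower() for g in GUID_RE.findall(properties_field)}


def is_replication_request(event: dict) -> bool:
    """Control Access on the directory using a replication extended right."""
    return (event["event_id"] == 4662
            and event["access_mask"] == CONTROL_ACCESS
            and bool(extract_guids(event["properties"]) & REPLICATION_RIGHTS))


def volume_threshold_rule(events: list[dict], threshold: int = 5) -> list[dict]:
    """The misconfigured shape: treat the batch as one evaluation window and
    only alert when a non-DC account issues at least `threshold` replication
    requests. One DCSync pull is one request, so it never reaches the bar."""
    counts: dict[str, int] = defaultdict(int)
    for ev in events:
        if is_replication_request(ev) and ev["subject"] not in ALLOWED_REPLICATORS:
            counts[ev["subject"]] += 1
    return [{"severity": "low", "account": acct, "count": n}
            for acct, n in counts.items() if n >= threshold]


def per_event_rule(events: list[dict]) -> list[dict]:
    """The corrected shape: every replication request from a non-DC account is
    its own high-severity alert. Volume is irrelevant; a single request is
    enough to pull every credential hash in the domain."""
    return [{"severity": "high", "account": ev["subject"], "time": ev["time"],
             "dc": ev["computer"]}
            for ev in events
            if is_replication_request(ev) and ev["subject"] not in ALLOWED_REPLICATORS]


def _ev(time, subject, computer, guids, access_mask=CONTROL_ACCESS):
    """Build a constructed 4662 record in the shape the rules expect."""
    props = "Control Access\n\t" + "\n\t".join(f"{{{g}}}" for g in guids)
    return {"event_id": 4662, "time": time, "subject": subject,
            "computer": computer, "access_mask": access_mask, "properties": props}


# Constructed sample window: routine DC-to-DC replication, one unrelated
# property read by a user, and a single replication request from the build
# service account. Only the last one should ever reach an analyst.
REPL = [DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL]
SAMPLE_EVENTS = [
    _ev("03:17:02", "PROD-DC-02$", "PROD-DC-01", REPL),
    _ev("03:18:02", "PROD-DC-01$", "PROD-DC-02", REPL),
    _ev("03:19:02", "PROD-DC-02$", "PROD-DC-01", REPL),
    _ev("03:20:02", "PROD-DC-01$", "PROD-DC-02", REPL),
    _ev("03:21:02", "PROD-DC-02$", "PROD-DC-01", REPL),
    _ev("03:20:15", "jdoe", "PROD-DC-01",
        ["bf967a86-0de6-11d0-a285-00aa003049e2"], access_mask="0x10"),  # read, not replication
    _ev("03:29:41", "svc_build_01", "PROD-DC-01", REPL),
]

if __name__ == "__main__":
    print("threshold rule (>=5):", volume_threshold_rule(SAMPLE_EVENTS))
    print("per-event rule:      ", per_event_rule(SAMPLE_EVENTS))
```

The constructed records carry only the fields the rules read; a real 4662 also has SubjectDomainName, ObjectName and the logon ID you would join to a 4624 to recover the source host. In production the allowlist is derived from the Domain Controllers OU plus any documented sync account, not hand-typed, and the failure mode the page describes is exactly the first rule: a count-based threshold tuned for noise reduction applied to an event class where the first occurrence is already the incident.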
A water treatment facility in the Mid-Atlantic region. The OT network was assumed air-gapped. It was not. The historian note: the jump host had been installed "temporarily" in 2019.
A regional bank's core banking system encrypted on a Tuesday morning. The ransomware had been dormant for 61 days after initial deployment, waiting for fiscal quarter end.
AVAILABLE TO SUBSCRIBERS
An insurance carrier's provider portal allowed unauthenticated IDOR traversal. 2.1M patient records extracted over 8 months through what appeared to be normal API traffic.
47 issues in the archive. Every one traces a breach from first packet to final post-mortem.
One incident, dissected to the packet level — every issue.
Written for practitioners who've already sat through the vendor pitch.
Lateral movement, dwell time, and the human error that opened the door.
Forensic diagrams, annotated log excerpts, and real timeline data.
"I forwarded the September issue to my entire threat intel team. It answered questions about the Copper Thread campaign that the vendor reports never touched."
Monthly. Free. No vendor content. No sponsored sections. Unsubscribe with one click.
YOUR EMAIL IS NOT SOLD. NOT SHARED. NOT USED TO PITCH YOU SOFTWARE.