In the summer of 2019, I attended DEFCON for the first time and spent my days lingering around the Blue Team Village. Two weeks after I returned, our largest client was breached. A malicious actor remotely installed keyloggers on over a hundred computers. After a marathon of logs and OSINT, I traced the bad guy to his house. I offered a dossier with everything I'd found to the local Cyber Crime unit, leading to a full confession and finally, the release of the suspect for circumstances I'm not authorized to know.

This talk discusses an internal breach of a non-profit organization. A delicate mix of politics, technical challenge and pressure, this event fundamentally shifted my career. A strange log file triggered a closer look at some servers. Within minutes, we had realized a massive breach had taken place. We found a keylogger installed on over a hundred computers. After a little digging, we found an unknown username referenced in a handful of Teamviewer connection logs. Teamviewer was uninterested in helping us without an international warrant of some kind. Through a day of parsing log files (no, we don't have SIEM, IDS or IPS at this client), OSINT and the confidence I'd gained from finding a tribe at the BTV, I was able to identify the person responsible and gain insight into a real-world breach. A search warrant was executed, devices were nabbed for forensics and the detective secured a full confession. I was told there was 'No Question', this was the person responsible, a client from the very organization that had been hit. Some time later, after some political meetings between the parties involved, it was determined that a charge would not be levied against the malicious actor for reasons I have yet to be told. The organization is still actively under attack via weekly spear-phishing and whaling.
After six weeks, the organization allowed the confirmed suspect back into the fold, accessing programs within the umbrella of the agency and within reach of the very systems he used to gain his foothold. This is a vital topic to Blue Teamers. The real-world implications of a breach aren’t clear or fair and it’s all up to you.