Follow

Got an email late last night from a vendor saying a self-hosted service we use had signs of compromise. Hmm, I thought, as the icy fingers of panic started gripping me...it's on an RFC1918 network so if that's true we have bigger problems. So after kicking off a full IR procedure with absolutely no results, we get mailed 3 hours later saying they made a mistake. Fuckers.

· · Web · 5 · 0 · 4

Now I have to remove the network isolation and get it all working again so we can actually use it.

To be fair our CISO was skeptical from the off, but enjoyed the exercise. I did not.

One thing this did encourage me to do is find out exactly what $VENDOR can fetch off the server. If it can't talk to their infrastructure it nags about it, but I now want to know what they're collecting that led them to even make a determination what's happening on the file system of an internal server.

@sullybiker happened to me once where a massive industry critical vendor insisted we were compromised and sending them large amounts of traffic. After a solid day of research and finding zero evidence of a breach, the vendor discovered they were accidentally running an automated test on themselves in the wrong environment.

Sign in to participate in the conversation
Mastodon

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!