Got an email late last night from a vendor saying a self-hosted service we use had signs of compromise. Hmm, I thought, as the icy fingers of panic started gripping me...it's on an RFC1918 network so if that's true we have bigger problems. So after kicking off a full IR procedure with absolutely no results, we get mailed 3 hours later saying they made a mistake. Fuckers. #infosec
One thing this did encourage me to do is find out exactly what $VENDOR can fetch off the server. If it can't talk to their infrastructure it nags about it, but I now want to know what they're collecting that led them to even make a determination about what's happening on the file system of an internal server.
@sullybiker happened to me once where a massive industry-critical vendor insisted we were compromised and sending them large amounts of traffic. After a solid day of research and finding zero evidence of a breach, the vendor discovered they were accidentally running an automated test on themselves in the wrong environment.
@SecureOwl It is immensely stressful and frustrating.
Now I have to remove the network isolation and get it all working again so we can actually use it.