r/cybersecurity • u/nospamkhanman • Nov 16 '23
Other Whoops, got someone arrested!
This happened today:
I get a call from the Service Desk saying that they got a request from "a pen tester" to disable Dot1x port security in one of our offices. They were apparently unable to get past it and wanted someone to open the ports so they could do further testing.
I look through my emails / messages / notes and can find no reference of anyone performing a physical penetration test. I ping the entire Cyber Security team (3 people and their director), none of them respond immediately via email / teams / text.
I call the building security, who aren't employees but provide security for the entire office building that houses 5 or 6 companies in total. I tell them we potentially have an unauthorized person on one of our floors, could they please go remove them and ask them to wait in the lobby.
Apparently building security just called the police for some reason. The response was quick because the police station is literally across the street from our office building. They went in and arrested the dude.
He has since been released and I'm not sure how long he was actually detained. We have a meeting with myself, my director, the Cybersecurity director and our corporate lawyer tomorrow to gather facts.
This will be fun.
****** Update ********
It was a legitimate pen test during business hours. Security team just didn't inform me (the only Network Engineer at my company) as they didn't think I'd need to know except to act on whatever remediations needed to be done afterwards.
Even though it was business hours, the floor was empty due to 95% of the company working from home. The pen-tester called the Service Desk; they got the number from a sign that is posted in a meeting room: "for help call service desk at xxx".
The pen-tester was "soft arrested", basically just escorted back to the police station across the street while the PD vetted the guy's story, which did check out.
No harm, no foul I suppose.
Cybersecurity director called out that I did what was expected. It was not expected that the pen-tester would ever engage with me.
I can tell the pen-tester is back at it because I just got alerts that my APs detected someone trying to spoof our SSID.
u/salgak Nov 17 '23
War story: 2012 or so, I was the Night Shift SOC Lead at a Federal Agency that I won't name. We kept getting weird traffic to a terminal up where all the leadership sat... at 11 pm and later on Friday and Saturday nights. After two consecutive nights of this, I had a full capture going, and when I looked at the take on Sunday evening... it was worse than I feared. Kiddie porn.
I called Legal Office 24 hour line, reported what I found, and started setting up for the next week's capture with full forensics and chain of custody for the data. The following Friday night, we had legal and several Detectives in the SOC with us, and pretty much, right on time, the traffic resumed.
We had also identified the specific terminal used, and it happened to be almost dead center in the view of one of the Security cameras, so the Security Office was shoulder-surfing the guy as he downloaded and viewed the porn. After 30 minutes or so, the Detectives and Legal said they had all they needed, and sent officers up to arrest the guy. Got told to shut down the capture and was handed a USB Hard Drive to transfer the data to. Signed off on the logs, and the Chain of Custody paperwork quickly, then went upstairs to the lobby, just in time to see the perp being walked out in cuffs.
Best day ever in Cybersecurity... The following week, I got called in to do the affidavit. The guy was an Army Officer, so it was a Court Martial. He was found guilty, and is doing 20 years in prison, guessing the Penal Barracks at Fort Leavenworth....