Restore incident logic and reconstruct a complete timeline
Identify the data accessed by the adversary
Recover deleted files
Recover and analyse exploit payloads
Establish the likelihood of data having left the network, and in which quantity
Identify the employees, customers and/or suppliers that were targeted
Key Achievements
In 2016, Mossé Security was engaged to investigate the compromise of cloud accounts by an insider threat. We discovered that a disgruntled employee had created multiple backdoor administrator accounts across Google Cloud, AWS and G Suite, and used them to sabotage the company after they had been removed from their position. The person was a senior IT director who had significant internal system knowledge and knew exactly which systems to target, and how and when to do so for maximum effect. Our team performed forensics in the cloud to remove all of his access, produced a report for the client’s legal team and then acted as expert witnesses to support legal action.
In 2018, Mossé Security was engaged by a top Australian organisation to investigate defamatory emails sent from an anonymous email service to multiple board members and the press. Our team performed digital forensics across Active Directory records, Microsoft Exchange records, email records, and access logs on file shares. We assisted the client in identifying the disgruntled employee, whom they then confirmed with the help of a private investigator. In the end, the client’s legal team used our findings to resolve the matter out of court.
In 2020, an ASX200 organisation engaged our team to investigate mission-critical systems that had alerted its internal Security Operations Centre to malicious activity. Their Level 3 analysts performed digital forensics on the systems but failed to identify the adversary’s persistence mechanisms. Our team performed out-of-band forensics and discovered that the attacker was employing Windows kernel drivers to hide its presence on the systems, defeat the SOC’s enterprise forensics product and prevent the acquisition of memory dumps. We were able to devise a safe way to remove the implants from the compromised machines, as well as to develop network detection capabilities to identify further systems affected by this large-scale cyber breach.
Our Certifications
Our team undertakes 2,000+ hours of pre-deployment training per year. Here are some of the certifications we hold and maintain: