Incident Response Reminders from a Mouse
On Sunday morning, I was faced with a situation all of us in this industry fear the most; a confirmed breach. Unlike many breaches, I was not made aware of this one thanks to a call from Brian Krebs. Instead, I became acutely aware of my predicament when preparing some cereal on behalf of my son. A mouse jumped from the box, and ran along my arm, before finally making an escape to parts unknown.
That's right. I was compromised by a mouse. A mouse that was subsequently about the house.
What followed was as you’d expect. Panic, confusion, shame, concern and a hungry toddler. How had this happened? How had a mouse gotten deep into the core of my home, into our pantry where it was happily exfiltrating Panda Puffs? After the initial shock had subsided I decided to approach the situation as I would any incident in the digital realm, and the parallels between both approaches were staggering.
Initial identification of the incident had occurred rather rapidly at the moment the rodent emerged from the cereal box. There was no question about that. My challenge now was to identify the scope of the incident. Was this a single mouse in the house, or was this indicative of a larger incident? Obviously, mice are everywhere outside. Indeed, I’d known that mice had been an issue in my basement previously, but had built perimeter controls to keep them outside of the firewall. I treated the basement as a DMZ. There were controls, but I assumed I had enough of a buffer between it and the internal parts of my home.
Forensic evidence in the form of mouse droppings lead me to believe that in this case, only one mouse had breached. There weren’t very many droppings in the pantry. In fact, I was forensically able to trace the path taken by the mouse to the Panda Puffs. The droppings were my log files. These log files lead me to discover that prior to the compromise of the Panda Puffs, a box of Elmo crackers had been totally compromised.
I would have to update my stakeholders, and they wouldn’t be happy.
Satisfied that only one mouse had entered the house to this point, I needed to make sure the situation was contained, and couldn’t get worse. Worse would’ve included more mice of course but would’ve also included my family getting extremely sick because of all those aforementioned log files in the pantry.
Tackling the log files in the pantry was a case of airing the area out, removing all the food, throwing 80% of it away (only sealed food was kept if it was free of log files), and bleaching the vicinity. Essentially a re-imaging of an infected host. I then wanted to find out where the mouse had entered, so that another couldn’t follow suit. I conducted a perimeter scan, a scan deeper than any I’d performed before and identified a couple of weak points.
The first was an electrical box that was exposed at the back of a cupboard. Never noticed that one before. A patch (in the form of a blanking plate) was promptly applied. The second potential vulnerability was a gap at the back of the kitchen sink.
As it happened, the prior day I’d been performing some maintenance on said sink in order to repair a leak. While the area was drying out, the under sink doors were open. A direct path into the innards of my home. I’d punched a hole in my firewall, only briefly, and the mouse had taken advantage. I’d have more patching to do to ensure containment.
At this point, it was worth noting that there was still a mouse somewhere in the house, and it needed to not be there. I had to eradicate the source of the incident. The mouse had a foothold in my environment and was able to move laterally, and blend in since I had very little internal segregation between rooms.
One by one I cleared the rooms like a swat team member, shutting doors behind me as I declared the rooms ‘clear’. I couldn’t find the mouse. I had some humane traps in the basement, so collected them, and filled them with delicious peanut butter. One was placed near the suspected entry point, the other at the source of the breach, the pantry.
Fast forward a few hours, and the attacker (mouse) was lured into the honeypot (trap). The picture atop this post is the actual mouse in the actual trap. Attribution at its finest.
The mouse was later released, unharmed, several miles away in a wooded area, where it would be better suited.
In order to return my house to a state of normal business operations, work needed to be done. The food had to be replaced, and those impacted by the incident needed to be informed. My wife who had been upstairs to this point was briefed.
“Here at the Sheward house, we take mouse security incredibly seriously, which is why we are saddened to inform you that we recently learned of a compromise involving a mouse. Some of your personal food supply was accessed, and therefore you should take steps to protect yourself. We’re working with an incident response company on the next steps.”
I then happened to float the idea that the mouse used similar TTP’s to a North Korean mouse I’d heard about. It couldn’t hurt.
Finally, I needed to perform a review of the incident with all those involved. A few lessons were discussed.
Our primary detection and containment tools had failed. In this case, it was our two dogs, who’d simply stared uselessly at the mouse once it jumped out of the box. The dogs are absolutely wonderful at generating false-positive barks when a neighbor several houses away starts up a leaf blower, but an actual threat, they just derped out. I needed to re-evaluate their role and how much faith I placed in them.
My threat model needs updating. My controls and efforts to this point had been focused on tackling what I’d consider the single biggest threat to my environment, a break-in by another human being. I still consider that to be a risk of course, but it’s worth adjusting my scope to include other types of threats such as mice. Often times we're guilty of focusing on one risk. I have several preventative controls for human entry, but mouse entry was altogether a different issue.
Some controls can be reused for both situations of course. The 5 D Cell Maglite I keep close by would likely have the same effect on a mouse as it would a person's head should it come to that.
Process improvements. We’ve already purchased more sealed cereal containers for the pantry, and you can rest assured that I’ll be keeping a closer eye on things during future maintenance events. Also, we’re getting another dog. A dog that grew up on a farm.