The Network: A financial firm headquartered in the Midwest U.S. with several hundred servers and workstations.
The Expectation: Workstations are less critical; most critical data is on their servers.
The Catch: EventTracker Intrusion Detection, inspecting all north/south traffic, detects browser traffic from a workstation indicating a phishing attack: the page title reads “Dropbox Login Page,” but the page is served over plain HTTP, not HTTPS. The absence of monitoring at the workstation level limits visibility into what happened on the host itself.
The Find: The workstation user was potentially a victim of an attempt to harvest credentials for Dropbox via a bogus login page.
The Fix: Quarantine the workstation and run a deep scan. For maximum safety, re-image the hard drive. Check the local DNS cache for possible poisoning of dropbox.com. If this user has a Dropbox account, they should change their credentials.
The Lesson: Workstations are often the weakest link and should be monitored. Attackers establish a beachhead on the least well-defended machine in the network and spread laterally from there.
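The detection in The Catch comes down to two signals: a page whose title claims to be a brand's login page, and that page being served over plain HTTP or from a host outside the brand's real domain. The following is an added example (not EventTracker's code, and not from this case) showing that logic run over a handful of constructed proxy/IDS records of the form (client IP, URL, HTML title); the record format, the BRAND_DOMAINS list and the sample values are all assumptions for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample of web-proxy/IDS records: (client, url, html_title).
# Invented for illustration; not traffic from the incident described above.
SAMPLE_RECORDS = [
    ("10.20.5.17", "https://www.dropbox.com/login", "Login - Dropbox"),
    ("10.20.5.23", "http://dropbox-secure-login.example/account", "Dropbox Login Page"),
    ("10.20.5.23", "https://dropbox.com.verify-account.example/", "Dropbox Login Page"),
    ("10.20.5.31", "http://intranet.corp.example/wiki", "Wiki - Home"),
]

# Brands whose login pages are only expected on their own domains (assumed list;
# extend with whatever services the organisation actually uses).
BRAND_DOMAINS = {
    "dropbox": {"dropbox.com"},
}

# Words in an HTML title that mark a page as a credential prompt.
LOGIN_TITLE = re.compile(r"\b(login|sign\s*in)\b", re.IGNORECASE)


@dataclass
class Finding:
    client: str
    url: str
    reasons: list


def host_matches(host, domains):
    """True if host is one of the given registrable domains or a subdomain of one.
    Suffix matching with a leading dot prevents 'dropbox.com.evil.example' from passing."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def inspect(client, url, title):
    """Return a Finding when a brand login page is served unencrypted or off-brand, else None."""
    parts = urlsplit(url)
    title_l = title.lower()
    reasons = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand in title_l and LOGIN_TITLE.search(title):
            if parts.scheme != "https":
                reasons.append("login page served over plain HTTP")
            if not host_matches(parts.hostname or "", domains):
                reasons.append(f"host {parts.hostname!r} is not a {brand} domain")
    return Finding(client, url, reasons) if reasons else None


def scan(records):
    """Run inspect() over every record and keep only the hits."""
    return [f for f in (inspect(*r) for r in records) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(f"{finding.client} -> {finding.url}: " + "; ".join(finding.reasons))
```

The legitimate login (HTTPS, on dropbox.com) produces no finding, while the two look-alike hosts are flagged, one of them twice because it is both unencrypted and off-domain. The host check deliberately matches on a dot-prefixed suffix rather than a substring, which is the difference between catching and missing the "dropbox.com.verify-account.example" style of lure.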