It never ceases to amaze me that, despite the security articles published daily about external attacks and insider threats, there are still companies that aren't doing their due diligence when it comes to leavers. A leavers policy should be agreed upon by IT and HR (among other departments), but, more importantly, it should be actioned: access revoked, credentials rotated, and privileged accounts reviewed the moment someone leaves.
Unsurprisingly, had basic threat detection rules been pre-configured with alarm notifications, together with UEBA (user and entity behaviour analytics), the internal SOC (assuming the Canadian Pacific Railway has one) would have been alerted at the first sign of malicious activity, as opposed to the two days it took them to notice something had gone wrong. Auto-remediation via SAO (security automation and orchestration) would also have made life smoother for all.
A former IT administrator at the Canadian Pacific Railway has been jailed for 366 days for sabotaging the organization's computer network. Christopher Victor Grupe removed administrator-level accounts, deleted certain key files, and changed the passwords for other accounts on the networking hardware, a US district court jury in Minnesota heard.
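To make the "basic threat detection rules" concrete, here is an added example (not code from the original post or from any vendor product) of two such rules run over constructed audit lines in an assumed key=value accounting-log format: one flags any activity by an account the HR leaver feed says should already be gone, the other flags a burst of privileged-account deletions and password changes by a single actor. The log lines, the `LEAVERS` feed and the account names are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines, not taken from any real device or from the case
# discussed above; the format is an assumed "timestamp key=value ..." accounting style.
SAMPLE_LOG = """\
2015-12-17T22:01:10 user=ex_admin action=login device=core-sw-01
2015-12-17T22:02:41 user=ex_admin action=delete_account target=netadmin2 device=core-sw-01
2015-12-17T22:03:05 user=ex_admin action=delete_account target=netadmin3 device=core-sw-01
2015-12-17T22:03:30 user=ex_admin action=change_password target=backupadmin device=core-sw-01
2015-12-17T22:04:02 user=ex_admin action=delete_file target=/flash/startup.bak device=core-sw-01
2015-12-18T08:15:00 user=alice action=change_password target=alice device=core-sw-02
"""

# Assumed HR offboarding feed: account -> termination date (constructed values).
LEAVERS = {"ex_admin": datetime(2015, 12, 15)}

PRIV_ACTIONS = {"delete_account", "change_password"}
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict (None if malformed)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    event["ts"] = datetime.fromisoformat(m.group("ts"))
    return event

def detect(log_text, leavers, threshold=3, window=timedelta(minutes=10)):
    """Return (rule, user, detail) alerts: any action by a leaver whose termination
    date has passed, and bursts of privileged changes by one actor inside a window."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of recent privileged actions
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        user, action, ts = ev.get("user"), ev.get("action"), ev["ts"]
        # Rule 1: any activity at all by an account HR says should already be disabled.
        if user in leavers and ts >= leavers[user]:
            alerts.append(("LEAVER_ACTIVITY", user, f"{action} at {ts.isoformat()}"))
        # Rule 2: account deletions / password changes reaching the threshold in the window.
        if action in PRIV_ACTIONS:
            recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
            if len(recent[user]) == threshold:
                alerts.append(("PRIV_ACCOUNT_TAMPERING", user,
                               f"{threshold} privileged changes within {window}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, LEAVERS):
        print(*alert)
```

In a real deployment the `LEAVERS` mapping would come from the HR system feed agreed in the leavers policy, and each alert would be the trigger for an automated disable-and-notify playbook rather than a print.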