Use Case

Manufacturing Supply Chain – Multi-Site Precision Manufacturer

Multi-Site Precision Manufacturer — Three Facilities, Sensitive Intellectual Property

The Environment

A precision components manufacturer operates across three geographically distributed sites: a headquarters and engineering office, a machining facility, and a quality assurance lab, each connected by a private WAN. The engineering office hosts high-value intellectual property — proprietary component designs representing years of R&D investment. The machining floor uses CNC controllers running embedded Windows. The firm’s supply chain involves frequent file exchanges with tier-1 customers through a managed file transfer (MFT) portal shared with several partner organizations. There is no internal security team; IT is managed by a small department reporting to operations leadership.

Frostbow Deployment

Frostbow was deployed across all three sites simultaneously with site-specific ontologies per location. A single Windows-based collector service at each site ingested events from all local endpoints via Windows Event Forwarding — eliminating the need for per-endpoint agents. The MFT portal was integrated directly via API, providing visibility into all file transfer activity with external partners. Total managed endpoints: approximately 190 across three sites.

The Scenario: Intellectual Property Exfiltration via Trusted Partner Credential

A senior engineer’s credentials were compromised through a phishing attack targeting a supply chain partner with shared portal access. The attacker used the valid credential to authenticate to the MFT portal from an overseas IP, downloaded a significant volume of CAD files over a 40-minute session, then connected to the corporate VPN using the same credential and began navigating engineering file shares.

How Frostbow Responded

The MFT portal authentication from an unfamiliar overseas IP was the first signal. The engineer’s account had exclusively authenticated from two known IP ranges over the preceding three months. Frostbow scored the geographic anomaly as medium-confidence in isolation — access from new locations is common enough to warrant caution rather than immediate action.

Within eight minutes, the same account appeared on the corporate VPN, and the file share navigation — moving directly to folders the account had not accessed in over six weeks — elevated the composite confidence to high. Frostbow had built a concept it called CredentialReplayAfterExternalAccess, recognizing that external portal authentication followed rapidly by internal network access from the same account is a strong indicator of credential misuse. The concept carried a confidence score of 0.83, reinforced by similar patterns across the deployment network.

Frostbow revoked the active VPN session, locked the account, and generated a detailed incident report citing the MFT download session, the files accessed, the VPN authentication, and the file share navigation pattern — all within 30 seconds of the composite threshold being reached. The attacker had already exfiltrated files through the MFT portal before detection; the subsequent VPN intrusion was stopped before any additional intellectual property was accessed. The incident report provided forensic detail sufficient to meet the firm’s cyber insurance notification requirements.
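The correlation described above, as an added illustration that is not Frostbow’s own code: a small Python replay of constructed MFT, VPN and file-share events that raises a composite score through the three signals (unfamiliar external login, internal login from the same account shortly after, navigation to folders untouched for over six weeks) and gates containment on a threshold; the baseline data, the 15-minute replay window and the 0.8 action threshold are assumptions, while the 0.83 score is the page’s.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed baseline (hypothetical): ranges each account normally logs in from,
# and when it last touched each engineering share folder.
KNOWN_RANGES = {"jdoe": [ip_network("203.0.113.0/24"), ip_network("10.20.0.0/16")]}
LAST_FOLDER_ACCESS = {("jdoe", "/eng-fs/designs/turbine"): datetime(2024, 3, 1)}
REPLAY_WINDOW = timedelta(minutes=15)  # external -> internal auth gap (assumed value)
STALE_FOLDER = timedelta(weeks=6)      # page: folders untouched for over six weeks
ACTION_THRESHOLD = 0.8                 # composite score that triggers containment (assumed)

def ip_is_known(account, ip):
    return any(ip_address(ip) in net for net in KNOWN_RANGES.get(account, []))

def correlate(events):
    """events: dicts with ts, kind (mft_auth|vpn_auth|share_access), account, src_ip/path.
    Returns {account: {"score": float, "evidence": [str]}} after replaying events in order."""
    findings, external = {}, {}  # external: account -> time of unfamiliar MFT login
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = ev["account"]
        f = findings.setdefault(acct, {"score": 0.0, "evidence": []})
        if ev["kind"] == "mft_auth" and not ip_is_known(acct, ev["src_ip"]):
            external[acct] = ev["ts"]                 # signal 1: medium confidence alone
            f["score"] = max(f["score"], 0.5)
            f["evidence"].append(f"MFT auth from unfamiliar IP {ev['src_ip']}")
        elif (ev["kind"] == "vpn_auth" and acct in external
              and ev["ts"] - external[acct] <= REPLAY_WINDOW):
            f["score"] = max(f["score"], 0.7)         # signal 2: credential replayed internally
            f["evidence"].append("VPN auth shortly after external MFT auth")
        elif ev["kind"] == "share_access" and f["score"] >= 0.7:
            last = LAST_FOLDER_ACCESS.get((acct, ev["path"]))
            if last is None or ev["ts"] - last > STALE_FOLDER:
                f["score"] = max(f["score"], 0.83)    # signal 3: navigation to stale folders
                f["evidence"].append(f"access to stale folder {ev['path']}")
    return findings

def response_actions(finding):  # containment the page describes, taken only above threshold
    if finding["score"] < ACTION_THRESHOLD:
        return []
    return ["revoke_vpn_session", "lock_account", "generate_incident_report"]

SAMPLE_EVENTS = [  # constructed, mirroring the page's timeline (deliberately out of order)
    {"ts": datetime(2024, 4, 15, 9, 8), "kind": "vpn_auth", "account": "jdoe", "src_ip": "198.51.100.7"},
    {"ts": datetime(2024, 4, 15, 9, 0), "kind": "mft_auth", "account": "jdoe", "src_ip": "198.51.100.7"},
    {"ts": datetime(2024, 4, 15, 9, 9), "kind": "share_access", "account": "jdoe", "path": "/eng-fs/designs/turbine"},
    {"ts": datetime(2024, 4, 15, 9, 2), "kind": "mft_auth", "account": "asmith", "src_ip": "198.51.100.9"},
]
```

Running `correlate(SAMPLE_EVENTS)` escalates jdoe to 0.83 with three evidence lines, while asmith stays at the medium score with no containment.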

Key Deployment Characteristics

  • Single collector per site; no per-endpoint agent installation
  • MFT portal API integration for supply chain boundary visibility
  • Multi-site deployment with independently maintained site ontologies
  • Incident report generated in format suitable for insurance and regulatory notification