Concentric Defense Analysis Framework

Case Study: Contractor Phishing Incident

How CDAF revealed a 4.2:1 security asymmetry in contractor access controls—uncovering 13 critical gaps that traditional security assessments completely missed.

Organization: Financial Services
User Population: 150 Contractors
Attack Vector: MFA Phishing
Asymmetry Ratio: 4.2:1
Critical Gaps: 13 (score 0-1)
Risk Reduction: 70%+

Executive Summary

A mid-sized financial services organization experienced a phishing attack that compromised a remote contractor's credentials and MFA approval. The organization's access architecture (Okta MFA in front of Zscaler Browser Isolation, with no VPN) confined the attacker to two web applications, but the incident revealed a critical blind spot: once the attacker held an authenticated session, the organization had virtually no visibility into what that session could do with data.

Using the Concentric Defense Analysis Framework (CDAF), the security team conducted a comprehensive bidirectional assessment of the contractor attack path. The analysis revealed a stark 4.2:1 asymmetry ratio—the organization was more than four times better at preventing intrusion than detecting data exfiltration.

Avg Inbound Score: 2.5
Avg Outbound Score: 0.6
Critical Gaps (score 0-1): 13
Emails at Risk: 225K

🎯 Key Finding

The organization invested heavily in authentication controls but had almost zero capability to detect or prevent data exfiltration by authenticated users. This security asymmetry created a critical vulnerability that traditional security assessments had completely missed.

Background & Context

The Organization

The organization maintained a workforce of 150 remote 1099 contractors who required access to sensitive financial data and customer information. These contractors worked from personal devices and home networks, presenting unique security challenges.

Security Architecture

The contractor access environment was architected with several security controls:

  • Okta MFA: Multi-factor authentication for all contractor access
  • Zscaler Browser Isolation (ZBI): Remote browser isolation for secure web access
  • Outlook OWA: Email-only access via web interface
  • Business Portal: Web-based portal for accessing company documents and resources
  • Personal Devices: Contractors used their own laptops and home networks (not managed by the organization)

💡 Initial Security Posture

Prior to the incident, the organization considered their contractor access environment "secure" based on traditional security metrics:

  • ✓ 100% MFA coverage
  • ✓ Zero-trust browser isolation deployed
  • ✓ No direct VPN access to internal networks
  • ✓ Regular security awareness training
  • ✓ Passed recent compliance audits (SOC 2, PCI DSS)

The Incident

Attack Timeline

Day 1, 9:23 AM — Phishing Email Received

Contractor receives sophisticated phishing email with subject line: "URGENT: Your password expires in 24 hours - Action Required"

The email appeared to come from IT Support and included the organization's branding and logo.

Day 1, 9:31 AM — Credential Compromise

Contractor clicked the phishing link and entered credentials on a fake Okta login page that closely mimicked the organization's SSO portal.

Day 1, 9:32 AM — MFA Bypass

The attacker used the captured credentials to sign in to the real Okta tenant, which sent the contractor a push notification; the contractor approved it. Okta number matching was not enabled, so the prompt showed no code to compare against the attacker's login screen. The attacker now held a valid authenticated session.

Day 1, 9:35 AM – 3:47 PM — Unauthorized Access Period

Over a 6-hour period, the attacker:

  • Accessed Outlook OWA from an IP address in Eastern Europe
  • Opened 78 emails containing customer financial data
  • Accessed the Business Portal and viewed 23 documents
  • Session remained active until automatic timeout

Day 1, 4:15 PM — Detection

SIEM alerted on unusual geographic login location. Security team began investigation.

Day 1, 4:30 PM — Response

Contractor account disabled. Password reset forced. Incident response team activated.

Critical Questions Security Could NOT Answer

✓ What We Knew

  • WHO: Contractor username that was compromised
  • WHEN: Exact login time (9:32 AM)
  • WHERE: IP address (Eastern Europe)
  • DURATION: 6 hours of active session
  • SCOPE: 78 emails accessed, 23 documents viewed

✗ What We Didn't Know

  • WHAT data was actually read or comprehended
  • WHAT was copied using copy/paste (not logged)
  • WHAT was printed (no print logging)
  • WHETHER data was exfiltrated to external systems
  • HOW MUCH data left the organization
  • WHICH specific customer records were compromised
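The two questions the security team could not answer, whether mail was forwarded out and whether the foreign session did anything beyond reading, are exactly what outbound telemetry would have answered. As an added example (not the organization's tooling or any vendor's product), the following Python runs the two detections over constructed sample events: a successful sign-in from a country outside the user's baseline, and an inbox rule that forwards or redirects mail outside the organization, with the two correlated when the same account does both inside one window. The field names are flattened approximations of Okta System Log and Microsoft 365 Unified Audit Log records, not real schemas; ORG_DOMAIN, the user names, addresses, countries and the 8-hour window are assumptions.

```python
"""Detections the case study's environment lacked, run over constructed events.

Illustrative code added to this case study; not the organization's tooling or
any vendor's product. Records are constructed, and their field names are
flattened approximations of Okta System Log sign-in events and Microsoft 365
Unified Audit Log inbox-rule records, not real log schemas.

A foreign sign-in followed by an external forward from the same account inside
one window is escalated: that pairing is the exfiltration path the incident
left unanswered.
"""
from datetime import datetime, timedelta

ORG_DOMAIN = "example.com"               # assumption: the organization's mail domain
CORRELATION_WINDOW = timedelta(hours=8)  # assumption: covers the 6-hour session seen

# Constructed baseline: countries seen in each user's recent successful sign-ins.
BASELINE = {"jdoe@example.com": {"US"}, "bwong@example.com": {"US"}}

# Constructed Okta-style sign-in events (documentation IPs; real events nest these fields).
SIGNIN_EVENTS = [
    {"eventType": "user.session.start", "outcome": "SUCCESS", "actor": "jdoe@example.com",
     "country": "US", "clientIp": "198.51.100.7", "published": "2024-05-01T08:05:00"},
    {"eventType": "user.session.start", "outcome": "FAILURE", "actor": "jdoe@example.com",
     "country": "RO", "clientIp": "203.0.113.44", "published": "2024-05-01T09:30:00"},
    {"eventType": "user.session.start", "outcome": "SUCCESS", "actor": "jdoe@example.com",
     "country": "RO", "clientIp": "203.0.113.44", "published": "2024-05-01T09:32:00"},
]

# Constructed Exchange-style audit records for inbox-rule changes (.test is a reserved TLD).
RULE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "jdoe@example.com", "CreationTime": "2024-05-01T10:14:00",
     "Parameters": [{"Name": "ForwardTo", "Value": "archive@mail-drop.test"}]},
    {"Operation": "Set-InboxRule", "UserId": "asmith@example.com", "CreationTime": "2024-05-01T11:00:00",
     "Parameters": [{"Name": "RedirectTo", "Value": "asmith.alt@example.com"}]},
    {"Operation": "New-InboxRule", "UserId": "bwong@example.com", "CreationTime": "2024-05-01T12:00:00",
     "Parameters": [{"Name": "ForwardAsAttachmentTo", "Value": "bwong@personal.test"}]},
]


def anomalous_signins(events, baseline):
    """Successful session starts from a country absent from the user's baseline."""
    hits = []
    for e in events:
        if e.get("eventType") != "user.session.start" or e.get("outcome") != "SUCCESS":
            continue
        if e["country"] not in baseline.get(e["actor"], set()):
            hits.append({"user": e["actor"], "time": datetime.fromisoformat(e["published"]),
                         "country": e["country"], "ip": e["clientIp"]})
    return hits


def external_forward_rules(events):
    """Inbox rules whose forward/redirect target lies outside ORG_DOMAIN.

    Targets are compared as bare SMTP addresses; real audit records can carry
    display names or recipient lists and need a proper address parser.
    """
    hits = []
    for e in events:
        if e.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in e.get("Parameters", [])}
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            target = params.get(key)
            if target and not target.lower().endswith("@" + ORG_DOMAIN):
                hits.append({"user": e["UserId"], "param": key, "target": target,
                             "time": datetime.fromisoformat(e["CreationTime"])})
    return hits


def correlate(signins, rules, window=CORRELATION_WINDOW):
    """Return (severity, user, detail) tuples.

    high:   external forward preceded by an anomalous sign-in within the window
    medium: external forward with no anomalous sign-in
    low:    anomalous sign-in not (yet) followed by a forward rule
    """
    alerts, explained = [], set()
    for r in rules:
        prior = [s for s in signins
                 if s["user"] == r["user"] and timedelta(0) <= r["time"] - s["time"] <= window]
        alerts.append(("high" if prior else "medium", r["user"], f"{r['param']} -> {r['target']}"))
        explained.update(id(s) for s in prior)
    for s in signins:
        if id(s) not in explained:
            alerts.append(("low", s["user"], f"sign-in from {s['country']} ({s['ip']})"))
    return alerts


def run(signin_events, rule_events, baseline):
    return correlate(anomalous_signins(signin_events, baseline), external_forward_rules(rule_events))


if __name__ == "__main__":
    for severity, user, detail in run(SIGNIN_EVENTS, RULE_EVENTS, BASELINE):
        print(f"[{severity:<6}] {user}: {detail}")
```

Run stand-alone, the sample produces one high alert (jdoe: foreign sign-in at 09:32, external ForwardTo rule at 10:14) and one medium alert (bwong: external forward with no anomalous sign-in); the internal redirect for asmith is ignored. The point of the correlation is triage order: in the incident above, the geographic alert alone waited until 4:15 PM, whereas a forward rule created minutes after a foreign sign-in would justify an immediate session revocation.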

⚠️ The Critical Gap

The organization's access architecture confined the attacker to two web applications behind browser isolation, with no VPN or network foothold, which kept the incident from being worse. Once the attacker held a valid session, however, the organization had virtually no visibility into what that session was doing with data: copy/paste and printing were not logged, external forwarding was allowed, and no DLP existed to answer the questions above.

This is the classic "Out Beats In" problem that CDAF was designed to identify.

CDAF Methodology Applied

Assessment Approach

Following the incident, the security team conducted a comprehensive CDAF assessment of the contractor attack path. The assessment followed these steps:

  1. Station Mapping: Identified all security boundaries from internet to crown jewels
  2. Bidirectional Scoring: Evaluated each station for both INBOUND (intrusion prevention) and OUTBOUND (data loss prevention) controls
  3. Gap Identification: Applied 0-5 scoring system to quantify security gaps
  4. Asymmetry Analysis: Calculated asymmetry ratios to identify imbalances
  5. Risk Quantification: Determined blast radius and potential impact

Station-by-Station Analysis

Station  Name              IN  OUT  Asymmetry (IN:OUT)  Key Finding
0        Internet           0    0  n/a                 Threat origin: attacker with stolen credentials
1        Home Network       0    0  n/a                 No visibility; unknown security posture
2        Personal Device    1    0  n/a (OUT = 0)       Not managed; unknown AV status, encryption, patch level
3        Internet Transit   3    3  1:1                 TLS 1.2+ encryption in transit (symmetric protection)
4        Okta MFA           3    1  3:1                 MFA push approved after phishing; no number matching
5        Zscaler ZBI        5    1  5:1                 CRITICAL: copy/paste enabled and not monitored, print not logged
6        Outlook OWA        4    0  n/a (OUT = 0)       CRITICAL: no DLP, no monitoring, external forwarding allowed
7        Business Portal    4    1  4:1                 CRITICAL: no watermarking, copy/paste allowed

The ratio is undefined where OUT is 0. When prioritizing, treat those stations as the worst case on the path rather than as balanced; a station scoring 4 inbound and 0 outbound is a stronger door with no one watching what leaves through it.

📊 CDAF Scoring System (0-5)

  • 0-1 (Critical): No control exists, or it is misconfigured badly enough to provide no practical protection
  • 2 (Significant Gap): Control exists but has significant weaknesses
  • 3 (Moderate): Control exists and is configured correctly, but is not monitored
  • 4 (Adequate): Well configured and monitored
  • 5 (Strong): Optimally configured, actively monitored, with automated response

Each station receives a separate IN score and OUT score; the asymmetry ratio is IN divided by OUT.
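As an added example, not the CDAF Excel template or any code from the framework's authors, the following Python encodes the station table above and computes what a CDAF worksheet reports: average IN and OUT scores, per-station and overall asymmetry (undefined where OUT is 0), and the ordered list of Zeros. Station names and scores are transcribed from the table; the remediation ordering inside zeros() is this example's own heuristic. One check worth doing before trusting a headline ratio: the eight-row table as printed averages to IN 2.5 and OUT 0.75 (3.3:1) with 10 scores of 0-1, not the 0.6, 4.2:1 and 13 quoted in the summary, so the summary figures presumably come from a more detailed worksheet than this abbreviated table shows. When reproducing an assessment, recompute from the full station list rather than from a summary table.

```python
"""CDAF station scoring helper.

Illustrative code added to this case study; it is not the CDAF Excel template.
It encodes the eight-station contractor path from the table above and computes
average IN and OUT scores, per-station and overall asymmetry, and the ordered
list of "Zeros" (stations scoring 0-1 in either direction).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CRITICAL_MAX = 1  # CDAF treats scores of 0 or 1 as critical gaps ("Zeros")


@dataclass(frozen=True)
class Station:
    index: int     # position on the path: 0 = internet, highest = crown jewels
    name: str
    inbound: int   # 0-5: intrusion-prevention controls at this boundary
    outbound: int  # 0-5: data-loss prevention / detection at this boundary
    finding: str

    def __post_init__(self) -> None:
        for score in (self.inbound, self.outbound):
            if not 0 <= score <= 5:
                raise ValueError(f"{self.name}: score {score} outside 0-5")

    def asymmetry(self) -> Optional[float]:
        """IN:OUT ratio; None when OUT is 0, since the ratio is undefined there."""
        return None if self.outbound == 0 else self.inbound / self.outbound


# Scores transcribed from the case study's station table.
CONTRACTOR_PATH: List[Station] = [
    Station(0, "Internet",         0, 0, "Threat origin"),
    Station(1, "Home Network",     0, 0, "No visibility"),
    Station(2, "Personal Device",  1, 0, "Unmanaged device"),
    Station(3, "Internet Transit", 3, 3, "TLS 1.2+ in transit"),
    Station(4, "Okta MFA",         3, 1, "No number matching"),
    Station(5, "Zscaler ZBI",      5, 1, "Copy/paste and print unmonitored"),
    Station(6, "Outlook OWA",      4, 0, "No DLP, external forwarding allowed"),
    Station(7, "Business Portal",  4, 1, "No watermarking, copy/paste allowed"),
]


def average_scores(stations: List[Station]) -> Tuple[float, float]:
    """(average IN, average OUT) across every station on the path."""
    n = len(stations)
    return (sum(s.inbound for s in stations) / n,
            sum(s.outbound for s in stations) / n)


def overall_asymmetry(stations: List[Station]) -> Optional[float]:
    """Average IN divided by average OUT; None if nothing on the path scores OUT > 0."""
    avg_in, avg_out = average_scores(stations)
    return None if avg_out == 0 else avg_in / avg_out


def zeros(stations: List[Station]) -> List[Tuple[Station, str]]:
    """Every (station, direction) pair scoring 0-1, in remediation order.

    The ordering is this example's heuristic, not a CDAF rule: OUT gaps before
    IN gaps ("Out Beats In"), true zeros before ones, and deeper stations
    first, because the boundary nearest the data is the last place an
    exfiltration can still be caught.
    """
    gaps = [(s, "OUT", s.outbound) for s in stations if s.outbound <= CRITICAL_MAX]
    gaps += [(s, "IN", s.inbound) for s in stations if s.inbound <= CRITICAL_MAX]
    gaps.sort(key=lambda g: (g[1] != "OUT", g[2], -g[0].index))
    return [(s, direction) for s, direction, _ in gaps]


def report(stations: List[Station]) -> str:
    """Human-readable summary in the same shape as the case study's table."""
    lines = [f"{'#':>2} {'Station':<17} {'IN':>2} {'OUT':>3} {'IN:OUT':>7}  Finding"]
    for s in stations:
        ratio = s.asymmetry()
        ratio_txt = "n/a" if ratio is None else f"{ratio:.1f}:1"
        lines.append(f"{s.index:>2} {s.name:<17} {s.inbound:>2} {s.outbound:>3} "
                     f"{ratio_txt:>7}  {s.finding}")
    avg_in, avg_out = average_scores(stations)
    overall = overall_asymmetry(stations)
    overall_txt = "n/a" if overall is None else f"{overall:.1f}:1"
    lines.append(f"avg IN {avg_in:.2f}, avg OUT {avg_out:.2f}, "
                 f"asymmetry {overall_txt}, zeros {len(zeros(stations))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CONTRACTOR_PATH))
```

Scores are validated on construction, so a worksheet typo such as a 6 fails loudly instead of inflating an average. The remediation order puts Outlook OWA's outbound zero first, which matches the P1 plan below (DLP for email) even though the headline counts differ from the abbreviated table.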

Key Findings

Overall Security Asymmetry

Average Inbound Score: 2.5 (moderate protection against unauthorized access)
Average Outbound Score: 0.6 (critical lack of data loss prevention)
Asymmetry Ratio: 4.2:1 (roughly four times better at preventing entry than at detecting data loss)

"F the Z's First" – Critical Gaps Identified (Score 0-1)

CDAF identified 13 critical security gaps requiring immediate remediation. These "Zeros" are stations where a control either does not exist or is misconfigured badly enough to provide no practical protection.

💥 Blast Radius Calculation

150 contractors × 1,500 average emails per contractor = 225,000 emails at risk

Given the absence of outbound controls, an attacker holding any contractor's credentials could forward or copy out that account's entire mailbox without triggering an alert; the only detection that fired in this incident keyed on login geography, not on what the session did with mail.

Prioritized Remediation Plan

🔥 P1 — Immediate Remediation (0-30 Days)

Focus on closing the most critical "Zero" gaps that enable undetected data exfiltration.

  1. Implement Okta MFA Number Matching — Cost: $0 (feature flag) | Timeline: 1 week
  2. Enable ZBI Copy/Paste Logging & Alerting — Cost: Included in license | Timeline: 2 weeks
  3. Deploy Microsoft 365 DLP Policies for Email — Cost: $8/user/month | Timeline: 3 weeks
  4. Implement Behavioral Analytics — Cost: Included in Okta | Timeline: 2 weeks
  5. Enable Document Watermarking — Cost: $50K one-time | Timeline: 4 weeks

P1 Total Investment: ~$100K-$150K | Timeline: 30 days | Risk Reduction: 50-60%

Results & Impact

After completing P1 and P2 remediation efforts (90 days), the organization conducted a follow-up CDAF assessment. The results demonstrated significant improvement in security posture and asymmetry reduction.

Avg Inbound Score: 2.5 → 4.0 (+60%)
Avg Outbound Score: 0.6 → 3.3 (+450%)
Asymmetry Ratio: 4.2:1 → 1.2:1 (71% reduction)
Critical Gaps: 13 → 2 (85% fewer "Zeros")

✅ CDAF Value Demonstrated

The CDAF methodology revealed critical gaps that traditional security assessments had completely missed. Despite passing SOC 2 and PCI DSS audits, the organization had a 4.2:1 security asymmetry that left them highly vulnerable to data exfiltration by authenticated attackers.

By quantifying the asymmetry and prioritizing remediation based on "F the Z's First," the organization achieved a 71% reduction in asymmetry and 85% reduction in critical gaps within 90 days.

CDAF Mantras in Action

This case study exemplifies all six core CDAF mantras:

  • 🔥 F the Z's First
  • 📤 Out Beats In
  • ↔️ Both Ways or No Way
  • ⚠️ Mind the Gap
  • ⚡ Asymmetry Kills
  • 🚫 No Free Rides

Conclusion

This case study demonstrates the power of CDAF's bidirectional, journey-based approach to security assessment. While the organization had invested heavily in traditional security controls and passed multiple compliance audits, they remained highly vulnerable to data exfiltration by authenticated attackers.

The Bottom Line

Traditional security assessments ask: "Can an attacker get in?"

CDAF also asks: "If someone gets in (or already has access), can we detect what they do with our data?"

This second question—largely ignored by traditional security programs—is often the difference between a contained incident and a catastrophic breach.

Ready to Apply CDAF to Your Organization?

Download the CDAF Excel template and start your first assessment today. Identify your critical attack paths, quantify your security gaps, and discover your hidden asymmetries.

Request the Template