Skip to content

Security Incidents

WEBEX MEETING RECORDING EXFILTRATION

Investigation Summary

Incident: Insider threat actor exfiltrated 47 confidential Webex meeting recordings containing merger & acquisition discussions.

Detection: XDR correlation detected abnormal Webex API activity from compromised admin account.

Impact: 47 M&A meeting recordings downloaded (127 GB), potential insider trading risk.

Outcome: Compromised admin account disabled, recordings moved to legal hold, insider identified and terminated.


Step 1: Detection via XDR

Detection Timestamp: 2026-01-27 16:45:23 UTC

Alert Source: XDR Correlation Engine

XDR Alert: Abnormal Webex API Activity
User: admin-webex@abhavtech.com
Activity: Bulk recording downloads
Recording Count: 47 downloads in 15 minutes
Data Volume: 127 GB
API Endpoint: /v1/recordings/{id}/download
Source IP: 10.252.90.78 (Mumbai office)
Risk Score: 92/100 (Critical)

Initial Response:

CASE_ID="CASE-2026-009-RECORDING-EXFIL"

curl -X PATCH "https://webexapis.com/v1/people/admin-webex@abhavtech.com" \
  -H "Authorization: Bearer $WEBEX_TOKEN" \
  -d '{"status": "inactive"}'

## Create incident
curl -X POST https://abhavtech.service-now.com/api/now/table/incident \
  -d '{
    "short_description": "Data Exfiltration - Webex Recordings",
    "urgency": "1",
    "impact": "1",
    "category": "Security - Insider Threat"
  }'

## INC0012352

Step 2: Export Webex Audit Logs

## Export admin activity logs
curl -X GET "https://webexapis.com/v1/admin/auditEvents?actorEmail=admin-webex@abhavtech.com&from=2026-01-27T16:00:00Z&to=2026-01-27T17:00:00Z" \
  -H "Authorization: Bearer $WEBEX_TOKEN" \
  > /mnt/evidence_vault/EVD-20260127-001-webex-audit.json

## Filter for recording downloads
jq '.items[] | select(.eventDescription | contains("recording"))' \
  /mnt/evidence_vault/EVD-20260127-001-webex-audit.json

## Results show:
## 47 recording downloads
## All recordings belong to "M&A-Strategy" space
## Timeframe: 16:30 to 16:45 (15 minutes)

Step 3: Identify Exfiltrated Recordings

## Get recording details
for REC_ID in $(jq -r '.items[] | select(.eventDescription | contains("recording")) | .targetId' \
  /mnt/evidence_vault/EVD-20260127-001-webex-audit.json); do

  curl -X GET "https://webexapis.com/v1/recordings/$REC_ID" \
    -H "Authorization: Bearer $WEBEX_TOKEN"
done > /mnt/evidence_vault/EVD-20260127-002-stolen-recordings.json

## Analyze recording metadata
jq '.[] | {
  topic: .topic,
  created: .created,
  duration: .durationSeconds,
  size: .sizeBytes,
  hostEmail: .hostEmail
}' /mnt/evidence_vault/EVD-20260127-002-stolen-recordings.json

## Sample output:
{
  "topic": "Q1 2026 Acquisition Strategy - Company X",
  "created": "2026-01-15T14:00:00Z",
  "duration": 3847,  # 64 minutes
  "size": 2847392847,  # 2.7 GB
  "hostEmail": "ceo@abhavtech.com"
}

## All recordings contain confidential M&A discussions

Step 4: Track Data Exfiltration Path

## Check endpoint for downloaded files
curl -k -X POST "https://orbital.amp.cisco.com/v0/jobs" \
  -H "Authorization: Bearer $ORBITAL_TOKEN" \
  -d '{
    "query": "SELECT path, size FROM file WHERE path LIKE \"%recording%\" AND ctime > 1738000000;",
    "connector_guid": "<ADMIN-LAPTOP-GUID>"
  }'

## Results show recordings saved to:
## D:\Downloads\Webex-Recordings\*.mp4
## Total: 127 GB (47 files)

## Check for external upload activity
curl -X GET "https://securex.abhavtech.com/api/investigate/observables/user/admin-webex@abhavtech.com/sightings" \
  -H "Authorization: Bearer $XDR_TOKEN"

## XDR shows:
## - 127 GB uploaded to personal Dropbox account
## - Upload timestamp: 16:50-17:15 UTC (25 minutes)
## Data exfiltrated to external cloud storage

Step 5: Insider Identification

## Correlate admin account with actual user
curl -k -X GET \
  "https://ise.abhavtech.com/ers/config/endpoint?filter=ip.EQ.10.252.90.78" \
  -H "Accept: application/json" \
  -u "forensics-api:$ISE_PASSWORD" \
  | jq '.SearchResult.resources[0] | .description'

## Output: "insider-employee-rahul-sharma"

## Query HR database
curl -X GET "https://workday.abhavtech.com/api/v1/employees?email=rahul.sharma@abhavtech.com" \
  -H "Authorization: Bearer $WORKDAY_TOKEN"

## Employee details:
## Name: Rahul Sharma
## Title: Senior Financial Analyst
## Department: M&A Strategy
## Manager: CFO
## Access: Has legitimate access to M&A meetings
## Termination Date: 2026-02-15 (resigned 2 weeks prior to exfiltration)

## Insider threat: Employee exfiltrating data before departure

## Move all M&A recordings to legal hold
curl -X POST "https://webexapis.com/v1/recordings/legalHold" \
  -H "Authorization: Bearer $WEBEX_TOKEN" \
  -d '{
    "spaceId": "M&A-Strategy-Space-ID",
    "reason": "Insider threat investigation CASE-2026-009",
    "indefinite": true
  }'

## Notify legal
cat << EOF | mail -s "URGENT: Data Exfiltration - M&A Recordings" legal@abhavtech.com
Insider threat detected. 47 M&A recordings exfiltrated by departing employee.

Employee: Rahul Sharma (Senior Financial Analyst)
Data: 127 GB of confidential M&A meeting recordings
Destination: Personal Dropbox account
Risk: Potential insider trading, competitor intelligence

All recordings placed on legal hold. Recommend immediate legal action.

SOC Team
EOF

Step 7: Forensics Report

report = {
    "case_id": "CASE-2026-009-RECORDING-EXFIL",
    "incident_type": "Insider Threat - Meeting Recording Exfiltration",

    "executive_summary": """
    Departing employee (Senior Financial Analyst) exfiltrated 47 confidential
    Webex meeting recordings (127 GB) containing M&A strategy discussions.
    Employee downloaded recordings using compromised admin credentials and
    uploaded to personal Dropbox account 2 weeks before planned departure.

    Impact: HIGH - M&A confidential information exposed
    Risk: Insider trading, competitor intelligence leak

    Response: Admin account disabled, recordings on legal hold, employee
    escorted from premises, legal action initiated.
    """,

    "recommendations": [
        "Implement recording DLP policies (prevent external upload)",
        "Remove admin access 24 hours before departure",
        "Deploy UEBA for abnormal download patterns",
        "Encrypt recordings at rest and in transit",
        "Implement Webex eDiscovery for legal hold automation"
    ]
}

END OF PART 2C: WEBEX FORENSICS


This completes Part 2C with all 3 scenarios: 1. ✅ Toll Fraud Investigation - $12,000 Loss 2. ✅ SBC/CUBE PSTN Gateway Attack 3. ✅ Webex Meeting Recording Exfiltration

Total Evidence Items: 13 blockchain-registered artifacts Total Steps: 27 across 3 scenarios Word Count: ~18,000 words

Next: Part 2D - FTD Firewall Forensics (2 scenarios)?