SC-113: Compliance Audit Evasion & Policy Bypass
Operation HOLLOW COMPLIANCE
- Actor type: Privileged insider (Compliance Manager)
- Dwell time: 334 days
- Primary impact: Regulatory fraud -- SOC 2 Type II attestation invalidated, HIPAA violations concealed, estimated $8.4M in penalty exposure
- Detection source: External auditor rotation (new Big Four firm)
- Status: Adjudicated -- insider terminated, criminal referral pending
Executive Summary
Between 2025-05-02 and 2026-04-01, a Compliance Manager at acme-health.example.com systematically rewrote audit evidence, suppressed DLP alerts, and forged attestation reports to conceal dozens of PHI handling violations. The insider possessed legitimate access to the GRC platform, SIEM audit workflow, and evidence repository -- every action used authorized credentials.
Detection occurred only when a rotated external auditor compared archived cloud-native logs (which the insider could not reach) against the sanitized GRC evidence bundle and identified a 47-event delta.
Why this scenario matters
Most insider threat programs focus on data exfiltration. HOLLOW COMPLIANCE demonstrates a harder class: insiders who never move data but instead edit the record of reality. Without immutable, out-of-band evidence, detection is effectively impossible.
Environment
| Asset | Value |
|---|---|
| Tenant | acme-health.example.com |
| GRC platform | grc.acme-health.example.com (192.0.2.40) |
| SIEM | siem.acme-health.example.com (192.0.2.41) |
| Evidence repo (S3) | s3://acme-health-soc2-evidence |
| Immutable archive (unknown to insider) | s3://acme-health-security-cold (object lock, compliance mode) |
| Insider workstation | wks-compliance-04.example.com (10.42.14.88) |
| Insider account | testuser-compmgr@acme-health.example.com |
| Password vault record | REDACTED |
ATT&CK Mapping
| Tactic | Technique | ID | Evidence |
|---|---|---|---|
| Defense Evasion | Indicator Removal: Clear Windows Event Logs | T1070.001 | PowerShell Clear-EventLog on GRC server |
| Defense Evasion | Indicator Removal: File Deletion | T1070.004 | DLP quarantine entries deleted via SDK |
| Defense Evasion | Indicator Removal from Host | T1070 | SIEM audit trail rewritten via API |
| Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | DLP policy set to "monitor" then reverted |
| Defense Evasion | Impair Defenses: Disable Windows Event Logging | T1562.002 | Event log service restart with clean slate |
| Impact | Data Manipulation: Stored Data Manipulation | T1565.001 | Evidence PDFs re-rendered with altered timestamps |
| Impact | Data Manipulation: Transmitted Data Manipulation | T1565.002 | Attestation JSON modified in transit to auditor portal |
| Persistence | Valid Accounts | T1078.004 | Legitimate GRC admin role |
Timeline
Phase 1 -- Preparation (2025-05-02 to 2025-05-28)
Reconnaissance of controls
The insider spent 26 days mapping which controls were attested via automated evidence versus manual screenshots. Manual-evidence controls became the primary target because they lacked cryptographic attestation.
- 2025-05-02 09:14 UTC -- Insider exports SOC 2 control catalog from grc.acme-health.example.com.
- 2025-05-07 11:40 UTC -- Insider queries SIEM for DLP alert retention policy. Discovers 90-day hot storage, no cold archive visible to Compliance role.
- 2025-05-14 to 2025-05-28 -- Insider documents evidence workflow for 142 controls, identifies 38 with manual screenshot evidence.
Phase 2 -- First Manipulation (2025-06-09)
- 2025-06-09 02:11 UTC -- DLP alerts fire on unauthorized PHI email from wks-billing-17.example.com to personal@mail.example. 17 alerts generated.
- 2025-06-09 08:44 UTC -- Insider logs into GRC, marks incident as "false positive -- test data." Closes without forensic ticket.
- 2025-06-09 09:02 UTC -- Insider uses DLP admin API to delete the 17 quarantine records.
- 2025-06-09 09:08 UTC -- Insider runs PowerShell on the GRC server: `Clear-EventLog -LogName "DLP-Audit"`.
The critical gap
The 17 events were archived to s3://acme-health-security-cold within 60 seconds of generation via a separate Lambda function created by the DevSecOps team 8 months earlier. The Compliance role had no read access to this bucket. The insider never knew it existed.
Phase 3 -- Pattern of Evasion (2025-07 through 2026-02)
Across 8 months, the insider performed 47 discrete evidence-tampering actions:
| Month | Manipulations | Dollar exposure concealed |
|---|---|---|
| 2025-07 | 5 DLP suppressions | $140K |
| 2025-08 | 4 access review forgeries | $220K |
| 2025-09 | 7 PHI email suppressions | $1.1M |
| 2025-10 | 6 BAA violation concealments | $1.4M |
| 2025-11 | 3 vendor risk rewrites | $400K |
| 2025-12 | 9 change mgmt backdates | $820K |
| 2026-01 | 8 incident closure forgeries | $2.1M |
| 2026-02 | 5 encryption attestation lies | $2.2M |
Phase 4 -- SOC 2 Attestation Fraud (2026-03-15)
- 2026-03-15 13:22 UTC -- Insider generates final SOC 2 Type II evidence bundle.
- 2026-03-15 13:47 UTC -- Insider uses Adobe Acrobat SDK on wks-compliance-04.example.com to re-render 12 evidence PDFs with altered timestamps to match attestation window.
- 2026-03-15 14:02 UTC -- Insider signs bundle with legitimate compliance officer certificate and uploads to auditor portal at auditor.example.com.
Phase 5 -- Detection (2026-04-01)
- 2026-04-01 -- New Big Four auditor begins rotation review. Requests raw cloud-native logs directly from AWS account (bypassing GRC workflow).
- 2026-04-01 16:10 UTC -- Auditor runs delta analysis: cold archive shows 1,847 DLP events for the attestation window; GRC bundle shows 1,800. The 47-event delta is investigated.
- 2026-04-02 -- All 47 missing events are PHI-related. Forensic hold initiated on testuser-compmgr account.
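The auditor's delta analysis from Phase 5, as an added example that is not part of the original scenario write-up: a Python comparison of the immutable cold-archive export against the GRC evidence bundle that reports suppressed, altered and unexplained events. The JSON Lines records, field names and event IDs are constructed for the demonstration and are not the incident's data.

```python
import json
from collections import Counter

# Constructed sample exports (not the incident's real 1,847 / 1,800 records).
# Field names are assumed for the demonstration, not taken from the scenario.
COLD_ARCHIVE_JSONL = """\
{"event_id": "dlp-0001", "ts": "2025-06-09T02:11:04Z", "src_host": "wks-billing-17.example.com", "data_class": "PHI", "action": "quarantine"}
{"event_id": "dlp-0002", "ts": "2025-06-09T02:11:09Z", "src_host": "wks-billing-17.example.com", "data_class": "PHI", "action": "quarantine"}
{"event_id": "dlp-0003", "ts": "2025-06-10T10:02:44Z", "src_host": "wks-hr-03.example.com", "data_class": "PII", "action": "alert"}
{"event_id": "dlp-0004", "ts": "2025-09-14T15:20:31Z", "src_host": "wks-billing-17.example.com", "data_class": "PHI", "action": "quarantine"}
"""
GRC_BUNDLE_JSONL = """\
{"event_id": "dlp-0003", "ts": "2025-06-10T10:02:44Z", "src_host": "wks-hr-03.example.com", "data_class": "PII", "action": "alert"}
{"event_id": "dlp-0004", "ts": "2025-09-14T15:20:31Z", "src_host": "wks-billing-17.example.com", "data_class": "test", "action": "quarantine"}
{"event_id": "dlp-9999", "ts": "2025-09-14T15:21:00Z", "src_host": "wks-test-01.example.com", "data_class": "none", "action": "alert"}
"""


def load_jsonl(text):
    """Index JSON Lines records by event_id; the cold archive is the ground truth."""
    return {rec["event_id"]: rec
            for rec in (json.loads(line) for line in text.splitlines() if line.strip())}


def evidence_delta(cold, grc):
    """Compare the immutable cold archive against the GRC-derived bundle.

    missing     - in the archive, absent from the bundle (suppressed)
    altered     - in both, but a field recorded at capture was changed
    unexplained - only in the bundle (no archive record backs it)
    """
    missing = {eid: cold[eid] for eid in cold.keys() - grc.keys()}
    altered = sorted(eid for eid in cold.keys() & grc.keys()
                     if any(cold[eid][k] != grc[eid].get(k) for k in cold[eid]))
    return {
        "cold_count": len(cold),
        "grc_count": len(grc),
        "missing": sorted(missing),
        "phi_missing": sum(1 for r in missing.values() if r["data_class"] == "PHI"),
        "missing_by_month": dict(Counter(r["ts"][:7] for r in missing.values())),
        "altered": altered,
        "unexplained": sorted(grc.keys() - cold.keys()),
    }


if __name__ == "__main__":
    report = evidence_delta(load_jsonl(COLD_ARCHIVE_JSONL), load_jsonl(GRC_BUNDLE_JSONL))
    print(json.dumps(report, indent=2))
```

Run against a full-tenure export rather than only the attestation window (Appendix C), since every delta row is a candidate tampering action to tag.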
Detection Queries
KQL -- DLP quarantine deletion by admin account
```kql
DLPAuditLog
| where TimeGenerated between (ago(90d) .. now())
| where Operation == "QuarantineRecordDelete"
| where AccountType == "Admin"
| summarize DeletionCount = count(),
            UniqueRecords = dcount(RecordId),
            FirstDeletion = min(TimeGenerated),
            LastDeletion = max(TimeGenerated)
    by Actor, bin(TimeGenerated, 1d)
| where DeletionCount >= 3
| join kind=leftouter (
    IncidentTickets
    | where TimeGenerated between (ago(90d) .. now())
    | project RelatedActor = Creator, TicketTime = TimeGenerated
) on $left.Actor == $right.RelatedActor
// Flag a deletion batch only when NO ticket by that actor falls within an hour
// of it (a per-ticket filter would mis-flag batches that do have a ticket).
| summarize TicketsInWindow = countif(TicketTime between ((FirstDeletion - 1h) .. (LastDeletion + 1h)))
    by Actor, DeletionCount, UniqueRecords, FirstDeletion, LastDeletion
| where TicketsInWindow == 0
| project Actor, DeletionCount, UniqueRecords, FirstDeletion, LastDeletion
| order by DeletionCount desc
```
KQL -- GRC evidence file hash drift
```kql
// Baseline = the hash recorded at the FIRST upload of each file, so a later
// re-upload of an altered copy cannot quietly reset the baseline.
let BaselineHashes = EvidenceRepoAudit
    | where TimeGenerated > ago(30d)
    | where Operation == "Upload"
    | summarize arg_min(TimeGenerated, Sha256) by FileName
    | project FileName, BaselineSha256 = Sha256, UploadTime = TimeGenerated;
EvidenceRepoAudit
| where TimeGenerated > ago(7d)
| where Operation == "Download"
| join kind=inner BaselineHashes on FileName
| where Sha256 != BaselineSha256
| project TimeGenerated, Actor, FileName, BaselineSha256, CurrentSha256 = Sha256, UploadTime
| order by TimeGenerated desc
```
SPL -- Event log clear correlated with prior DLP alert
```spl
index=windows (EventCode=1102 OR EventCode=104)
| rename host as cleared_host, user as cleared_by
| join type=left cleared_host, cleared_by [
    search index=dlp sourcetype=dlp:alert earliest=-2h@h
    | stats count as prior_alerts
            min(_time) as first_alert
            max(_time) as last_alert
        by host user
    | rename host as cleared_host, user as cleared_by
  ]
| where prior_alerts > 0
| eval minutes_since_last_alert = round((_time - last_alert)/60, 1)
| where minutes_since_last_alert < 120
| table _time cleared_host cleared_by prior_alerts minutes_since_last_alert
```
SPL -- PDF re-rendering indicator
```spl
index=endpoint sourcetype=sysmon EventCode=1 host=wks-compliance-*
    (Image="*AcroRd32.exe" OR Image="*Acrobat.exe" OR CommandLine="*pdfrw*" OR CommandLine="*reportlab*")
    ParentImage!="*outlook.exe"
| eval suspicious_window = if(date_hour >= 2 AND date_hour <= 5, 1, 0)
| stats count by user host Image CommandLine suspicious_window
| where count > 2 OR suspicious_window == 1
```
Indicators of Compromise
IOC inventory
All IOCs below are synthetic per Nexus SecOps safety rules.
File hashes (synthetic SHA-256)
e4b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
fcde2b2edba56bf408601fb721fe9b5c338d10ee429ea04fae5511b68fbf8fb9
Synthetic network IOCs
| Indicator | Value | Notes |
|---|---|---|
| Internal staging IP | 10.42.14.88 | Insider workstation |
| GRC API endpoint abused | 192.0.2.40:443 | Legitimate endpoint, abused |
| Forged auditor callback | 198.51.100.77 | Attacker-controlled mail relay |
| DNS anomaly | auditor-portal.example | Typosquat of auditor.example.com |
Behavioral IOCs
- PowerShell `Clear-EventLog` executed outside change windows.
- DLP admin API `DELETE /quarantine/{id}` calls without an incident ticket reference.
- Evidence PDF metadata shows `Producer: Adobe Acrobat 21.007` but the creation timestamp reads 2024.
- Attestation JSON hash mismatch between the GRC-signed version and the cold-archive version.
Containment and Eradication
- Immediate credential revocation. Suspend testuser-compmgr. Rotate GRC admin API keys. Disable SIEM audit-write role for all compliance staff.
- Forensic preservation. Image wks-compliance-04.example.com to encrypted evidence bucket. Pull cold archive for entire attestation window.
- Independent re-attestation. Engage third party to rebuild SOC 2 evidence bundle from cold archive only, no GRC-derived data.
- Regulator notification. Per HHS OCR and SOC 2 guidance, disclose audit invalidation within 60 days.
- Scope expansion. Check all evidence bundles signed by the insider across the prior 3 years.
Lessons Learned
What worked
- Out-of-band immutable archive (s3 object lock compliance mode) survived insider reach.
- Auditor rotation policy forced fresh eyes.
- DevSecOps Lambda archive predated the insider's role elevation.
What failed
- GRC platform was a single source of truth with insider-writable audit logs.
- No cryptographic signing of manual evidence at capture time.
- DLP admin role allowed quarantine deletion without incident ticket prerequisite.
- Compliance officer background check had not been refreshed in 4 years.
Recommendations
- Dual-control evidence deletion. Require two-person integrity on any manual-evidence modification (see Ch13 control GOV-IC-04).
- Immutable evidence capture. Every control attestation must be hash-signed at capture, stored in object-lock storage, inaccessible to compliance role.
- Tamper-evident GRC. Deploy append-only ledger (QLDB or equivalent) underneath GRC platform.
- Insider threat program integration. Compliance role is a critical privileged position -- include in UEBA baselining.
- Quarterly auditor rotation sampling. Not full rotation, but quarterly third-party sample audits.
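An added illustration of the "immutable evidence capture" and "tamper-evident GRC" recommendations, written for this page rather than taken from any product: a hash-chained, HMAC-signed evidence ledger in Python whose verification catches the re-rendered PDFs and backdated timestamps from Phases 3 and 4, and the hash drift the KQL query above looks for. The signing key is assumed to be held by the security team (for instance in a KMS) and never by the compliance role; here it is a constructed in-memory key.

```python
import hashlib
import hmac
import json

# Assumed: the signing key is held by the security team (e.g. in a KMS) and is
# never reachable from the compliance role; this is a constructed demo key.
LEDGER_KEY = b"constructed-demo-key-outside-compliance-role"
SIGNED_FIELDS = ("seq", "control_id", "captured_at", "sha256", "prev_hash")


def _canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def capture_evidence(ledger, control_id, evidence_bytes, captured_at, key=LEDGER_KEY):
    """Append one hash-chained, HMAC-signed entry at capture time and return it."""
    prev = ledger[-1]["entry_hash"] if ledger else "0" * 64
    body = {"seq": len(ledger), "control_id": control_id, "captured_at": captured_at,
            "sha256": hashlib.sha256(evidence_bytes).hexdigest(), "prev_hash": prev}
    entry = dict(body)
    entry["entry_hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    entry["sig"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    ledger.append(entry)
    return entry


def verify_ledger(ledger, key=LEDGER_KEY):
    """Return (index, reason) pairs: 'chain' for a gap/reorder, 'signature' for an edit."""
    problems, prev = [], "0" * 64
    for i, entry in enumerate(ledger):
        body = {k: entry[k] for k in SIGNED_FIELDS}
        if entry["seq"] != i or entry["prev_hash"] != prev:
            problems.append((i, "chain"))
        expected_sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if (entry["entry_hash"] != hashlib.sha256(_canonical(body)).hexdigest()
                or not hmac.compare_digest(entry["sig"], expected_sig)):
            problems.append((i, "signature"))
        prev = entry["entry_hash"]
    return problems


def verify_evidence(ledger, control_id, evidence_bytes):
    """True only if the file presented to the auditor matches a hash captured for that control."""
    digest = hashlib.sha256(evidence_bytes).hexdigest()
    return any(e["control_id"] == control_id and e["sha256"] == digest for e in ledger)
```

Because the ledger entries are signed with a key the compliance role cannot reach, an insider with write access to the ledger can neither backdate `captured_at` nor splice out an entry without `verify_ledger` reporting it.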
Cross-References
- Ch13 -- Security Governance, Privacy, Risk
- Ch26 -- Insider Threats
- Ch27 -- Digital Forensics -- forensic preservation methods
- SC-109 -- Cloud Forensics Tampering
- SC-110 -- Privacy Breach GDPR
Purple Team Exercise Hook
Recommended linked exercise: PT-201 "Compliance Evidence Tampering Drill" -- red team rewrites evidence bundle, blue team must detect via cold archive delta within 72 hours.
Appendix A -- Control Mapping
The insider's 47 manipulations mapped to the following SOC 2 Trust Service Criteria:
| TSC reference | Description | Manipulation type |
|---|---|---|
| CC6.1 | Logical access security | Access review forgery |
| CC6.6 | Encryption in transit/rest | Encryption attestation lies |
| CC7.2 | System monitoring | DLP suppressions |
| CC7.3 | Incident detection | Incident closure forgeries |
| CC8.1 | Change management | Change mgmt backdates |
| CC9.2 | Vendor management | Vendor risk rewrites |
HIPAA touchpoints:
- 164.308(a)(1)(ii)(D) -- Information system activity review
- 164.312(b) -- Audit controls
- 164.312(c)(1) -- Integrity (PHI)
Appendix B -- Cold Archive Architecture (the control that saved the attestation)
```text
[GRC platform]        [SIEM audit]        [DLP]
      |                    |                  |
      | (writable by       | (writable by     | (writable by
      |  compliance role)  |  compliance role)|  compliance role)
      v                    v                  v
+-----------------------------------------------------+
|              Compliance-reachable tier              |
+-----------------------------------------------------+
                          |
               (also)     |  (mirrored via Lambda
                          v   within 60 seconds)
+-----------------------------------------------------+
| s3://acme-health-security-cold                      |
|   - Object lock: COMPLIANCE mode                    |
|   - Retention: 7 years                              |
|   - IAM: no compliance role has any access          |
|   - Access: security, audit, break-glass only       |
+-----------------------------------------------------+
```
The asymmetry is the point: the insider wrote to the same logical stream the cold archive read from, but could not reach the archive afterward. Any "trust the GRC" attacker would be exposed the moment the archive was consulted.
Appendix C -- Forensic Reconstruction Checklist
For organizations that discover a HOLLOW COMPLIANCE pattern, the following reconstruction steps are essential:
- Image all insider-touched workstations and preserve.
- Pull cold archive for the full duration of insider tenure, not just suspected window.
- Correlate every GRC audit entry against cold archive -- tag every delta.
- Re-issue every attestation signed by the insider within disclosure windows.
- Assess downstream harm: what decisions were made based on the falsified reports (acquisitions, insurance renewals, regulatory filings)?
- Legal hold on all communications during insider tenure.
- Update insider-threat UEBA baseline to include compliance role as privileged.
Scenario classification: Adjudicated -- disclosure approved for educational use. All names, IPs, and credentials are synthetic per Nexus SecOps safety rules.