Special “privileged” abuse.
“The more power you have, the more dangerous is the abuse.” –Edmund Burke
Validation and detection
The RISK team was called in to investigate an insider-related data breach. An organization was in the midst of a buyout, and was using retention contracts to prevent employee attrition. An anonymous tip by an employee led to suspicion that John, a middle manager, had access to the email account of the CEO and was using it.
Response and investigation
We met with the Director of IT late one evening, after the employees had left the building. The Director of IT had no knowledge of the incident, nor any apparent “need” to know about it, but was available to give us access to the data and systems. We worked all night to complete forensic acquisitions of the CEO’s system, the suspect’s system, and other evidence sources. At just past midnight, our IT contact left for home to search for more zzzs.
We had to quickly determine whether the claim that the middle manager was reading the CEO’s emails was true. It was possible that the CEO’s email archives were being shared across the network. Was the suspect able to access the CEO’s email through Microsoft Exchange? Did the suspect have access to the CEO’s email via Microsoft Outlook Web Access (OWA)? All of these questions were answered with a definitive “no.” There are many ways to view someone’s email, but our quick review of the system images, as well as the associated logs, revealed that there was only one way.
Nothing. As the day went on, our brains were fried from the lack of a smoking gun, not to mention sleep. We refocused our approach and stopped hitting the vending machines. We went back to basics, began brainstorming, and sharpened Occam’s razor by asking the simplest questions: How does email get into an organization? It is usually sent from the internet through a spam filter before reaching the mail server. Is there a spam filter on site at this organization? Yes: a quick look at a network diagram showed that the organization had a standard spam filter. However, we couldn’t forensically acquire any information from the appliance. We logged in using the credentials provided by our IT contact and discovered that the filter was set to log all incoming email, including the CEO’s. This was a little odd, but not unusual. We quickly discovered that the access logs for this appliance had recently been deleted. We felt like we were on to something.
We needed to find out who had access to the spam filter. Evidently, only a few IT administrators had access to it, and none of them was John. We had casual conversations with the IT director and inquired about John’s personal relationships with that short list of employees. Bingo! It just so happened that John was good friends with one of the IT administrators (hereafter referred to as “Kevin”).
With this knowledge, we took a forensic image of Kevin’s system. Like John’s system, Kevin’s had zero web-browsing history. Thanks to the insight gained from the spam filter, we knew exactly which text “strings” to look for. A keyword search of the unallocated clusters (currently unused space potentially containing artifacts of previous activity) on both systems revealed strings associated with logging into the spam filter and looking at the CEO’s incoming email through good ole Kevin’s administrator account. Kevin had given John his credentials to log in to the appliance and read any incoming email for any employee. John’s system also showed signs that Kevin’s credentials had been used to access sensitive files and perform other unauthorized actions.
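The keyword search described above, run over unallocated space for strings tied to the appliance login, as an added example that is not the RISK team’s tooling: it scans a raw image in chunks with an overlap so that a string straddling a chunk boundary is neither missed nor counted twice, and it searches each keyword in both ASCII and UTF-16LE, since Windows browser and shell artifacts often survive only in the latter. The keywords, the planted log fragments and the sample image are constructed placeholders, not strings from the real appliance.

```python
"""Keyword search over a raw disk image or an unallocated-space dump.

Added example for this write-up, not the RISK team's own tooling.  The
keywords, file layout and sample image below are constructed placeholders."""
import os
import re
import tempfile

# Strings an examiner would lift from the appliance's own login page and
# URLs.  These three are placeholders, not real product strings.
KEYWORDS = ["login=kevin", "spamfilter-admin", "ceo@example-corp.test"]
CHUNK = 1 << 20  # 1 MiB per read when scanning a real image


def encoded_variants(keyword):
    """ASCII and UTF-16LE forms of a keyword.  Browser and shell artifacts on
    Windows often survive in UTF-16LE, so an ASCII-only search misses them."""
    return [("ascii", keyword.encode("ascii")),
            ("utf-16le", keyword.encode("utf-16-le"))]


def search_bytes(data, keywords, base=0):
    """Return (absolute_offset, keyword, encoding) for every hit in data."""
    hits = []
    for kw in keywords:
        for label, needle in encoded_variants(kw):
            # Case-insensitive: URLs and credentials are cased inconsistently.
            for m in re.finditer(re.escape(needle), data, re.IGNORECASE):
                hits.append((base + m.start(), kw, label))
    return hits


def search_image(path, keywords, chunk=CHUNK):
    """Scan a file in chunks, carrying an overlap so a hit that straddles a
    chunk boundary is still found, and de-duplicating hits seen twice."""
    overlap = max(len(n) for kw in keywords for _, n in encoded_variants(kw)) - 1
    seen = set()
    carry, buf_start = b"", 0  # buf_start: absolute offset of data[0]
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            data = carry + block
            seen.update(search_bytes(data, keywords, base=buf_start))
            carry = data[-overlap:] if overlap else b""
            buf_start += len(data) - len(carry)
    return sorted(seen)


def build_sample_image(path, chunk):
    """Write a constructed image: a byte permutation as filler, with three
    artifacts planted at known offsets.  One straddles a chunk boundary and
    one is UTF-16LE.  Returns the planted offsets so results can be checked."""
    slab = bytes((i * 31 + 7) & 0xFF for i in range(256)) * (chunk // 256)
    planted = {
        1000: b"login=KEVIN HTTP/1.1",                      # mixed case
        chunk - 5: b"spamfilter-admin",                     # crosses boundary
        2 * chunk + 512: "ceo@example-corp.test".encode("utf-16-le"),
    }
    with open(path, "wb") as f:
        for _ in range(3):
            f.write(slab)
    with open(path, "r+b") as f:
        for off, blob in planted.items():
            f.seek(off)
            f.write(blob)
    return planted


def demo(chunk=4096):
    """Build the sample image in a temp file, search it, and return the hits."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        build_sample_image(path, chunk)
        return search_image(path, KEYWORDS, chunk=chunk)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for off, kw, enc in demo():
        print(f"0x{off:08x}  {enc:8s}  {kw}")
```

Against a real case you would point `search_image` at the unallocated blocks exported by your forensic suite (or the whole image) and then examine each reported offset in context; the offsets, not the strings alone, are what let you tie a fragment back to a file system location and a timeline.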
“Ask for the data”
A look at the incident data that feeds into the DBIR reveals that the majority (63%) of data breaches in the past three years involving “insider or privilege misuse” were not financially motivated. Misuse by employees with access to Personally Identifiable Information (PII), or by bank employees with access to banking information, is more common than misuse by system administrators with privileged access. A pessimist would argue that this is because misuse leading to identity theft or fraudulent transactions is only identified as a result of the post-compromise fraud.
Recovery and remediation
We immediately reported our findings to the CEO, who informed the legal and human resources (HR) departments. Shortly thereafter, it was decided to interview the two employees before we proceeded. Both employees denied any association with the spam filter and the CEO’s email. Our investigation revealed the truth. After working on a few insider cases you will discover that most people, no matter how hard they try or how comfortable they feel, don’t lie very well.
After the interviews were completed, the employees in question were given personal escorts out of the building. Needless to say, the firm redesigned its spam filter policy after this incident to log only flagged messages.
“Bob, force multiplier”
One of the most memorable insider cases we have ever seen involved a US-based company asking for our help in understanding some anomalous activity that it was witnessing in its Virtual Private Network (VPN) logs. This organization had been slowly moving toward a more telecommuting-oriented workforce, and had therefore started to allow developers to work from home on certain days. It had already set up a fairly standard VPN concentrator two years before this event.
IT security decided to monitor logs generated by the VPN concentrator. It began to monitor daily VPN connections in its environment and was eventually able to be