SAN FRANCISCO–As cyber espionage has moved from the government sector into the corporate world, enterprise security professionals have found themselves needing to become investigators to deal with the threat. But without real expertise and experience with investigations, even the best security teams can miss serious compromises in their environments.
“Cybersecurity professionals don’t have experience dealing with traditional investigations. These cases are complex because you often don’t have the data you need to tell the story. We need to find a way to help companies characterize what’s going on. It’s a problem we haven’t really thought about for a long time,” Milan Patel, a former FBI cyber investigator and current managing director of cyber investigation and incident response at K2 Intelligence said during a panel discussion on cyber espionage at the RSA Conference here Wednesday.
In one recent case, Patel was called in to a large real estate company to investigate an administrator who had given himself extra network privileges. The admin then got access to the Exchange server and began reading emails sent by the company’s executive team. During the investigation, Patel discovered that several other people had unnecessary elevated privileges, but the firm didn’t have a way to track when the employees had gotten those rights or how. The company also didn’t have any way to do forensics on the employee’s laptop or phone.
“They had no tools or expertise to do it. They couldn’t connect the access log data to physical access logs either,” Patel said.
He told the company’s executives that the pattern of behavior and details of the case closely matched espionage cases he had worked on during his time at the FBI. So Patel’s team seized the employee’s laptop and phone and then interviewed the employee. It turned out the employee wasn’t stealing company secrets but was trying to figure out why he wasn’t getting raises and bonuses he thought he deserved.
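The gap Patel describes, no record of when or how an account was granted elevated rights and no way to tie that grant to what the account did next, is one a security team can close with its own audit data. The script below is an added example, not code from the article or from K2 Intelligence: it reads a constructed, hypothetical audit export (one JSON record per line; the field names and group names are assumptions), builds the grant timeline, flags grants an administrator gave himself or made without a change ticket, and for every mailbox read by someone other than its owner reports the privilege grant that most recently preceded it.

```python
"""Added example: reconstruct a privilege-grant timeline and tie it to
mailbox access. The audit records below are constructed for illustration;
their field names are an assumption, not any product's real schema."""
import json

# Groups whose membership is treated as privileged (assumed for the example).
PRIVILEGED_GROUPS = {"Domain Admins", "Exchange Organization Management"}

# Constructed audit export: group-membership changes and mailbox opens.
AUDIT_LOG = """\
{"ts": "2019-01-14T09:12:00Z", "event": "group_member_added", "actor": "jdoe", "target": "jdoe", "group": "Domain Admins"}
{"ts": "2019-01-14T09:40:00Z", "event": "group_member_added", "actor": "itadmin", "target": "bsmith", "group": "Exchange Organization Management", "ticket": "CHG-1042"}
{"ts": "2019-01-15T10:05:00Z", "event": "mailbox_access", "actor": "jdoe", "mailbox": "ceo@example.com"}
{"ts": "2019-01-15T10:07:00Z", "event": "mailbox_access", "actor": "ceo", "mailbox": "ceo@example.com"}
{"ts": "2019-01-16T11:00:00Z", "event": "group_member_added", "actor": "jdoe", "target": "rlee", "group": "Domain Admins"}
{"ts": "2019-01-16T12:00:00Z", "event": "group_member_added", "actor": "itadmin", "target": "tmoore", "group": "Help Desk", "ticket": "CHG-1050"}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def grant_history(events, account):
    """Every grant of a privileged group to `account`, oldest first."""
    grants = [e for e in events
              if e.get("event") == "group_member_added"
              and e["target"] == account
              and e["group"] in PRIVILEGED_GROUPS]
    return sorted(grants, key=lambda e: e["ts"])  # ISO-8601 sorts lexically


def flag_grants(events):
    """Privileged grants that need a second look: self-grants and grants
    with no change-ticket reference. Returns them in log order."""
    findings = []
    for e in events:
        if e.get("event") != "group_member_added" or e["group"] not in PRIVILEGED_GROUPS:
            continue
        reasons = []
        if e["actor"] == e["target"]:
            reasons.append("self-grant")
        if not e.get("ticket"):
            reasons.append("no change ticket")
        if reasons:
            findings.append({"ts": e["ts"], "actor": e["actor"], "target": e["target"],
                             "group": e["group"], "reasons": reasons})
    return findings


def non_owner_mailbox_access(events, owners):
    """Mailbox opens by someone other than the owner, each paired with the
    most recent privileged grant to that actor before the access (or None),
    which is the lead an investigator wants before the interview."""
    hits = []
    for e in events:
        if e.get("event") != "mailbox_access" or owners.get(e["mailbox"]) == e["actor"]:
            continue
        prior = [g for g in grant_history(events, e["actor"]) if g["ts"] <= e["ts"]]
        hits.append({"ts": e["ts"], "actor": e["actor"], "mailbox": e["mailbox"],
                     "enabled_by": prior[-1] if prior else None})
    return hits


if __name__ == "__main__":
    events = parse_events(AUDIT_LOG)
    for f in flag_grants(events):
        print(f"{f['ts']} {f['actor']} -> {f['target']} ({f['group']}): {', '.join(f['reasons'])}")
    for h in non_owner_mailbox_access(events, {"ceo@example.com": "ceo"}):
        g = h["enabled_by"]
        via = f"granted {g['group']} by {g['actor']} at {g['ts']}" if g else "no prior grant on record"
        print(f"{h['ts']} {h['actor']} opened {h['mailbox']}; {via}")
```

The two checks deliberately stay separate: a self-grant without a ticket is worth a question on its own, and a mailbox read by a non-owner is worth one too, but it is the join between them (who granted the right, when, and what it was used for next) that turns two log lines into a story the executives can act on.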
“The last thing you want is an employee being coerced by a foreign power to steal information,” Patel said.
In another case, a law firm brought Patel’s team in to look at an associate who was leaving the firm to go to a competitor. The lawyer had been sending sensitive documents to his personal email account as well as stealing physical documents. Most of the information was related to mergers and acquisitions deals the firm was involved with, and Patel discovered that the lawyer was sharing the information with a former employee who was working for the competing firm.
“This was all very proprietary information, but no one was tracking how often he was emailing himself from his work account or anything like that,” Patel said. “We had to dump his entire email database and stream search it.”
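Dumping an entire mailbox and searching it after the fact is expensive; the pattern Patel describes, a work account repeatedly mailing documents to a consumer webmail address, is visible in routine message-tracking data long before anyone resigns. The script below is an added example, not the firm's or K2's code: it reads a constructed message-tracking export (the CSV columns, domain names and thresholds are assumptions), totals what each corporate sender pushed to personal webmail domains, and flags senders whose volume or size crosses a threshold, noting how much of it went out outside working hours.

```python
"""Added example: spot a work account mailing documents to a personal
address from a message-tracking export. The log, column names, domains and
thresholds are constructed for illustration, not any real mail server's format."""
import csv
import io
from collections import defaultdict

CORP_DOMAIN = "example-law.com"                                   # assumed
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed message-tracking export (sizes in bytes, timestamps in UTC).
MESSAGE_LOG = """\
timestamp,sender,recipient,subject,attachments,size_bytes
2019-02-04T18:02:11Z,associate@example-law.com,assoc.personal@gmail.com,Project Falcon term sheet,1,482931
2019-02-04T18:05:40Z,associate@example-law.com,assoc.personal@gmail.com,Falcon diligence list,2,1250000
2019-02-05T07:55:03Z,associate@example-law.com,client@bigco.example,Re: meeting,0,4021
2019-02-05T22:14:19Z,associate@example-law.com,assoc.personal@gmail.com,Merger model v7,1,3300000
2019-02-06T10:00:00Z,partner@example-law.com,partner.home@outlook.com,Dinner reservation,0,1800
2019-02-06T10:30:00Z,paralegal@example-law.com,vendor@printing.example,Invoice,1,90000
2019-02-06T23:48:02Z,associate@example-law.com,assoc.personal@gmail.com,Board deck,1,2100000
"""


def domain(address):
    return address.rsplit("@", 1)[-1].lower()


def is_off_hours(ts):
    """Outside an assumed 07:00-20:00 working window (UTC, for the example)."""
    hour = int(ts[11:13])
    return hour < 7 or hour >= 20


def parse_log(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["attachments"] = int(r["attachments"])
        r["size_bytes"] = int(r["size_bytes"])
    return rows


def summarize_personal_sends(rows):
    """Per corporate sender: messages, attachments, bytes and off-hours sends
    to consumer webmail domains, plus the distinct personal addresses used."""
    stats = defaultdict(lambda: {"messages": 0, "attachments": 0, "bytes": 0,
                                 "off_hours": 0, "recipients": set()})
    for r in rows:
        if domain(r["sender"]) != CORP_DOMAIN or domain(r["recipient"]) not in PERSONAL_DOMAINS:
            continue
        s = stats[r["sender"]]
        s["messages"] += 1
        s["attachments"] += r["attachments"]
        s["bytes"] += r["size_bytes"]
        s["off_hours"] += 1 if is_off_hours(r["timestamp"]) else 0
        s["recipients"].add(r["recipient"])
    return dict(stats)


def flag_senders(stats, max_messages=3, max_bytes=5_000_000):
    """Senders over either threshold, with the reasons; off-hours volume is
    reported as context rather than used as a trigger on its own."""
    findings = {}
    for sender, s in stats.items():
        reasons = []
        if s["messages"] > max_messages:
            reasons.append(f"{s['messages']} messages to personal webmail")
        if s["bytes"] > max_bytes:
            reasons.append(f"{s['bytes']} bytes sent to personal webmail")
        if reasons and s["off_hours"]:
            reasons.append(f"{s['off_hours']} of them outside working hours")
        if reasons:
            findings[sender] = reasons
    return findings


if __name__ == "__main__":
    stats = summarize_personal_sends(parse_log(MESSAGE_LOG))
    for sender, reasons in flag_senders(stats).items():
        print(f"{sender}: {'; '.join(reasons)} -> {sorted(stats[sender]['recipients'])}")
```

The thresholds are deliberately coarse: the partner who mails himself a dinner reservation is counted but not flagged, and it is the combination of count, size and timing for one sender, not any single message, that would have put the associate on a watch list weeks before the firm had to pull and search his whole mailbox.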
After a long interview, the target of the investigation told Patel that he and his former colleague were planning to develop a piece of software to use in the M&A industry and the documents he had taken were for research on that project.
“He was relieved of his duties,” Patel said.
Putting all of those pieces together can be difficult even for experienced investigators, and without the right tools and knowledge, enterprise security teams are in a difficult position when these incidents occur.
“What does an insider attack look like, versus someone who is just trying to stream a baseball game on a work computer? We try not to restrict that creativity that’s there but we put enough controls around it to distinguish malicious from non-malicious behavior,” Luis Guzman, manager of security response at Uber, said during the discussion.