Special "privileged" abuse.
"The greater the power, the more dangerous the abuse."
—Edmund Burke
Detection and validation
The RISK Team was called in to investigate an insider threat-related data breach. An organization was in the middle of a buyout and was utilizing retention contracts to prevent employee attrition. Based on an anonymous tip from an employee, suspicion was raised that a middle manager, hereafter referred to as "John," had access to, and was abusing, the CEO’s email account.
Response and investigation
Late one evening after the employees had left the building, we arrived to meet with the Director of IT. He had no knowledge—nor the apparent "need to know"—of the incident, but was there to provide us with access to the systems and data. We worked throughout the night to perform forensic acquisitions of the CEO’s system, the suspect’s system, web-based email logs, and sundry other evidence sources. At just past midnight, we finally received the access we needed and were ready to dig-deeper, as our IT contact took off for home in search of some zzzs.
We needed to quickly establish if there was any truth to the claim that the middle manager was reading the CEO’s email. Was it possible that the CEO’s email archive was being shared across the network? Did the suspect have access rights to the CEO’s mailbox through Microsoft Exchange? Was the suspect accessing the CEO’s email through Microsoft Outlook Web Access (OWA)? The answer to all these questions was ultimately "no." While there are many ways to view someone’s email, our cursory review of the system images and associated logs yielded
nothing.As the next day drew on, the lack of a "smoking gun," not to mention sleep, left our brains fried. After hitting the vending machine, we refocused and changed our approach. We swung back to the basics, started brainstorming, and sharpened Occam's razor by asking ourselves the simplest questions: How does email come into an organization? It usually comes from the internet through some spam filter before hitting the mail server. Did this organization have an onsite spam filter? Yes, a quick glance at a crude network diagram showed a standard spam filter setup. The appliance itself wasn't a standardized system that we could acquire forensically. With credentials provided by our IT contact, we logged in and noticed that the filter was set up to log all incoming emails including the CEO’s. This was a bit odd, but not necessarily unusual. A speedy check for the access logs to this appliance revealed that they had been recently deleted. We felt like we were onto something.
At this point, we needed to know who had access to the spam filter. Apparently, a few IT administrators had access, and none of them was John. In casual conversations with the IT director, we inquired about personal relationships between John and the short list of other employees. Bingo! It just so happened that one of the IT administrators, hereafter referred to as "Kevin," was very good friends with John.
Armed with this nugget of knowledge, we took an image of Kevin’s system. Like John’s, Kevin’s system had zero in terms of web-browsing history. Thanks to our insight gained from the spam filter, we knew exactly which text "strings" to look for. A keyword search of the unallocated clusters (currently unused space potentially containing artifacts of previous activity) on both systems revealed strings associated with logging into the spam filer and looking at the CEO’s incoming email through good ole Kevin’s administrator account. It turns out that Kevin had given John his credentials to log into the appliance and read incoming email for potentially any employee. In addition, John’s system showed signs of having used Kevin’s credentials to browse sensitive file shares and conduct other unauthorized actions.
"Ask the data"
A peek into the incident data that feeds into the DBIR shows that unlike this example, the majority (63%) of data breaches over the previous three years involving "insider and privilege misuse" were financially motivated. End-users with access to Personally Identifiable Information (PII) and bank employees with access to banking information are more prevalent than system administrators using privileged access. A pessimist would argue that this is because misuse leading to identity theft or fraudulent transactions is only identified as a result of the post-compromise fraud.
Remediation and recovery
We promptly reported our findings to the CEO, who then informed the legal and human resource (HR) departments. Soon thereafter, the decision was made to interview the two employees before moving forward. During the interviews, both employees denied any association with the spam filter, the CEO’s email and the sensitive file shares. But the facts uncovered by our investigation left no doubt of the facts. After having worked a few insider cases, you begin to learn that most people, no matter how hard they try, or how comfortable they feel, aren't very good liars.
Upon completion of the interviews, the two employees in question received personal escorts out of the building. Needless to say, after this incident, the firm revisited its spam filter policy by reconfiguring it to log only flagged messages.
"Bob, the force-multiplier"
One of the most memorable insider cases we have ever seen involved a US-based company asking for our help in understanding some anomalous activity that it was witnessing in its Virtual Private Network (VPN) logs. This organization had been slowly moving toward a more telecommutingoriented workforce, and had therefore started to allow developers to work from home on certain days. In order to accomplish this, it had set up a fairly standard VPN concentrator approximately two years prior to this event.
The IT security department decided that it should start actively monitoring logs being generated at the VPN concentrator. It began scrutinizing daily VPN connections into its environment, and before long found an open and active VPN connection from Asia! When one considers that this company fell into the designation of US critical infrastructure, it's hard to overstate the possible implications of such an occurrence. The company had implemented two-factor authentication for these VPN connections. The second factor was a rotating token key fob. The developer whose credentials were being used was sitting at his desk in the office. Plainly stated, the VPN logs showed him logged in from China, yet the employee was right there, sitting at his desk, staring into his monitor. The company initially suspected some kind of unknown malware that was able to route traffic from a trusted internal connection to China and then back. What other explanation could there be? As it turns out, Bob had simply outsourced his own job to a foreign consulting firm. Bob spent less than one fifth of his six-figure salary paying a foreign firm to do his job for him. Authentication was no problem. He physically FedEx'd his token to Asia so that the third party contractor could login under his credentials during the workday. It appeared that Bob was working an average 9 to 5 workday. Investigators checked his webbrowsing history, and that told the whole story.
A typical "work day" for Bob looked like this:
9:00 AM—Arrive and surf Reddit for a couple of hours. Watch cat videos.
11:30 AM—Take lunch.
1:00 PM—eBay time.
2:00ish PM—Facebook updates and LinkedIn.
4:30 PM—End of day update email to management.
5:00 PM—Go home.
Evidence even suggested he had the same scam going across multiple companies in the area. All told, it looked like he earned several hundred thousand dollars a year, and only had to pay the foreign consulting firm about $50K annually. The best part? Investigators had the opportunity to read through his performance reviews while working alongside HR. For the past several years in a row, he received excellent remarks. His code was clean, well written, and submitted in a timely fashion. Quarter after quarter,his performance review noted him as the best developer in the building. Nice work, Bob!
