Investigating a data breach needs to be handled with discretion, especially if a malicious employee is suspected.

Data Loss Prevention (DLP) and Security Information and Event Management (SIEM) systems can provide evidence for the investigation and rule out avenues of inquiry, but only if they are appropriately configured, which in many organisations they are not.
Some avenues of inquiry will be within your control, such as internal email, gateways and logs that can be examined; others may not be, for example if data is exfiltrated through a tethered mobile connection or from an internet café.
“It is very hard to conduct a fully assured audit,” said Scott Mann, veteran forensics professional and founder of Inves-te-gate. “Electronic avenues of inquiry exist though, like gateways and proxy logs, though staff may be using personal webmail accounts.”
Most investigations begin with some initial piece of evidence, which forms the basis of the inquiry.
Innocuous logs can contain troves of information. For example, Microsoft Exchange server logs (the message tracking logs) can be used to match sender and recipient addresses against the initial evidence of the breach.
“If you don’t have DLP, there are logs around for troubleshooting that can contain some really useful monitoring information,” Mann said.
“Exchange logs, set correctly, contain all incoming and outgoing messages so if you’re concerned about intellectual property loss, you can search these for email addresses that relate to competitors and the like.”
In this case you should also set up monitoring and alerts on keywords of concern. The keyword list needs careful thought: it is easy to overlook important high-risk terms, or to generate noise by weighting irrelevant ones too heavily.
Proxy logs may record suspect usernames, such as personal webmail accounts, used from inside the network, although staff can bypass the proxy.
NetFlow logs can be an overlooked gem, Mann said. “A 20Gb database doesn’t up and go. It should show up on NetFlow logs.”
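The two log-mining steps described above, searching Exchange tracking logs for competitor domains and watch-list keywords, and summing outbound NetFlow volume per host to catch a bulk transfer, as an added example that is not part of the original article or of any product mentioned in it. The log rows, the mail domain `example.com`, the competitor list, the keyword list and the internal address ranges are all constructed for the example; real Exchange tracking logs carry many more columns than shown here.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data: a simplified Exchange message-tracking excerpt and a
# handful of NetFlow-style records. The Exchange column names follow the real
# tracking-log headers, but every row below is invented for this example.
EXCHANGE_LOG = """\
date-time,event-id,sender-address,recipient-address,total-bytes,message-subject
2024-03-04T09:12:01Z,SEND,alice@example.com,bob@example.com,2048,Lunch?
2024-03-04T09:40:13Z,SEND,carol@example.com,rival@competitor.example,5243000,Q3 roadmap draft
2024-03-04T10:05:44Z,RECEIVE,news@vendor.example,alice@example.com,12000,Newsletter
2024-03-04T11:17:30Z,SEND,carol@example.com,carol.personal@webmail.example,8912000,FW: design files
"""

NETFLOW_LOG = """\
start,src_ip,dst_ip,dst_port,bytes
2024-03-04T02:10:00Z,10.1.5.23,203.0.113.8,443,10737418240
2024-03-04T02:40:00Z,10.1.5.23,203.0.113.8,443,10737418240
2024-03-04T09:00:00Z,10.1.5.23,10.1.0.5,445,1048576
2024-03-04T09:30:00Z,10.1.7.9,198.51.100.4,443,524288
"""

INTERNAL_DOMAIN = "example.com"               # assumed: the organisation's own mail domain
COMPETITOR_DOMAINS = {"competitor.example"}   # assumed watch-list of competitor domains
WATCH_KEYWORDS = ("roadmap", "design", "source code")  # assumed: terms agreed with the business
INTERNAL_NETS = [ip_network("10.0.0.0/8"),    # assumed: the organisation's address ranges
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def flag_exchange_messages(log_text):
    """Return (row, reasons) for outbound messages that deserve a second look.

    Matching is on the recipient's domain and on subject keywords only:
    tracking logs record envelope data and subjects, not message bodies.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event-id"] != "SEND":
            continue  # only mail leaving the organisation can carry data out
        recipient_domain = row["recipient-address"].rsplit("@", 1)[-1].lower()
        if recipient_domain == INTERNAL_DOMAIN:
            continue  # internal-to-internal traffic is not exfiltration by itself
        reasons = []
        if recipient_domain in COMPETITOR_DOMAINS:
            reasons.append("recipient at competitor domain")
        subject = row["message-subject"].lower()
        for keyword in WATCH_KEYWORDS:
            if keyword in subject:
                reasons.append(f"subject keyword '{keyword}'")
        if reasons:
            hits.append((row, reasons))
    return hits


def is_internal(ip_text):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETS)


def flag_large_outbound(log_text, threshold_bytes):
    """Sum bytes per (src, dst) pair for flows leaving the internal ranges and
    return the pairs whose total exceeds threshold_bytes, largest first.

    Summing across flows matters: a large transfer is usually split over many
    connections, none of which looks alarming on its own.
    """
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        if is_internal(row["src_ip"]) and not is_internal(row["dst_ip"]):
            totals[(row["src_ip"], row["dst_ip"])] += int(row["bytes"])
    return sorted(
        ((pair, total) for pair, total in totals.items() if total > threshold_bytes),
        key=lambda item: item[1],
        reverse=True,
    )


if __name__ == "__main__":
    for row, reasons in flag_exchange_messages(EXCHANGE_LOG):
        print(row["date-time"], row["sender-address"], "->",
              row["recipient-address"], "|", "; ".join(reasons))
    for (src, dst), total in flag_large_outbound(NETFLOW_LOG, threshold_bytes=5 * 1024**3):
        print(f"{src} -> {dst}: {total / 1024**3:.1f} GiB outbound")
```

The keyword match is deliberately crude (substring on the subject line), which is exactly why the list needs review: "design" will also catch "web design agency" and generate noise, while a term the business never thought to add will be missed. The NetFlow threshold is set per investigation; the point is that the per-pair total, not any single flow, is what gives a bulk copy away.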
But staff can be crafty, and the lax security practices in place at many organisations can make an investigation difficult.
Research and development networks are often air-gapped from the internet, so staff will install a rogue access point or simply tether a personal device. This commonly happens under the nose of the IT department.
Mann has drawn up a brief map of the possible avenues of data leakage that may lie outside the investigator's control.
“If intellectual property is leaked, you’ll need to outline your own avenues of inquiry. Consider non-authorised WiFi points, tethered internet access for networks you thought airgapped, use of internet cafés at lunch breaks.”
The human element
Interviewing staff can be tricky business. Once news of the breach breaks in the office, furphies told around the water cooler become indistinguishable from the truth.
“The biggest danger is individuals misremembering,” said Dr Helen Paterson of the University of Sydney’s School of Psychology. “They can be at risk of contaminated memories.”
A series of experiments run regularly at the school illustrates the point. Two people are separately shown footage of a crime on a computer.
They are each told that both have seen the same footage, when in fact there are subtle differences; the perpetrator may wear a differently coloured hat, for instance.
They talk about what they witnessed, and are separated for questioning.
“Even if you warn them that they have had discussions that may have influenced their recollection, and to only report what they really remember, they still can’t distinguish truth from hearsay.”
The best techniques, Paterson says, are the tried and tested methods employed by police: separate employees for questioning and do your best to keep news of the breach quiet.
When you’ve got an employee in a room, ask open-ended questions. “Don’t give leading ideas. Keep them quite generic, like ‘what do you remember’ and so on.”
And if you are inclined to accuse an employee of the leak, make sure you have your ducks in a row. Mann, a former police detective, said witnesses tend to say “no comment” down under, so it is vital that evidence is clear.
“I used to go into most interviews in possession of enough information, expecting a ‘no comment’. You need to have enough evidence to treat the interview as a formality.”
Every effort should be made to try to disprove your own evidence before relying on it, so that what remains will stand up should the matter go to court.