Written by: Stu Babson, Senior Forensic Examiner, DIGITS LLC – A Division of Avalon
Despite Donald Trump’s best efforts to monopolize the media with his policies and facial expressions, the Democratic party is sparking all sorts of chatter lately. First, Bradley Cooper apparently set off some Republican fans of his by attending the Democratic National Convention and daring to show his face in the crowd. Second, the Democratic National Committee (DNC) suffered a security breach that added to concerns associated with e-mail security.
Although Bradley showed off a pretty serious beard at the convention, most would say the second hot topic is more newsworthy.
WikiLeaks reportedly released almost 20,000 confidential e-mails of seven of the DNC’s staff members. Following this revelation, the DNC hired a private contractor to contain and remediate threats on their environment. According to the DNC, their private contractor “moved as quickly as possible to kick out the intruders and secure our network.”
The attack against the DNC isn’t the first of its kind. Many businesses of all sizes have faced (or will face) similar situations. DIGITS has responded to numerous comparable engagements over the years, providing clients with cutting-edge service and working diligently through the entirety of the engagement, from the initial incident to successful remediation and on to continuous security monitoring of the network for future attempts to gain unauthorized access to sensitive corporate data.
When we are engaged in security breach situations, we attempt to contain, investigate, and ultimately remediate the risks and losses. If the DNC had approached DIGITS with their issue, here are some steps we might’ve taken:
- Firewall Analysis: Investigators can identify anomalous traffic by reviewing firewall log activity for the environment. Signs to look for are suspicious IP addresses or significant spikes in activity.
- Intrusion Detection and Prevention Analysis: IDS/IPS systems can contain a wealth of knowledge and aid investigators in identifying potential attacks. Was an attacker attempting full network reconnaissance? Was one priority machine targeted and probed repeatedly?
- Access Control Analysis: Reviewing account activity could answer valuable questions such as: Was the attacker attempting to gain network persistence? Were there numerous failed password attempts enterprise-wide? Have any suspicious accounts been created? Has there been any unexpected activity on any accounts?
- Network Traffic Monitoring: If there is an ongoing threat, network taps can capture and monitor internal network traffic as it flows in real-time. Signs to look for are suspicious traffic patterns or anomalous congestion on systems.
- Endpoint Analysis to Detect an Advanced Persistent Threat: Review of operating system and third-party application logs can highlight potentially malicious behavior. If an endpoint monitoring solution isn’t being used, then a deployment such as Carbon Black should be considered to identify and track suspicious behavioral activity on every endpoint across the entire enterprise. These activities can also be compared against threat intelligence feeds to highlight potentially malicious behavior.
- Priority System Identification and “Dead Box” Forensics: Focusing efforts on high-priority systems and asking the right questions (e.g., Do any machines hold confidential data such as PII or PHI? Were the externally facing devices the target? Was it a breach of a third-party application?) can help investigators determine the best course of action. If necessary, dead box forensics may be performed on crucial and/or compromised systems.
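As an added example (not code from the original post or from DIGITS), the script below applies two of the steps above, Firewall Analysis and Access Control Analysis, to a handful of constructed log lines. The log formats, the internal address range (10.0.0.0/8), the host names and the thresholds are all assumptions made for the example; the point is the triage logic: per-minute activity spikes against a median baseline, external sources with repeated denies or many probed ports, accounts with clusters of failed logons, and newly created accounts.

```python
"""Triage helpers for firewall-log review and access-control review.
Every log line in this file is constructed sample data for illustration;
the line formats, hosts and thresholds are assumptions, not a real product's output."""
import ipaddress
import re
import statistics
from collections import Counter, defaultdict

# Assumed line formats (hypothetical, not any vendor's actual syntax).
FW_RE = re.compile(r"^(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
AUTH_RE = re.compile(r"^(\S+) (LOGON_OK|LOGON_FAIL|ACCOUNT_CREATED) user=(\S+) host=(\S+)$")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range

# Constructed firewall log: normal internal traffic, then an external
# source probing many ports within one minute.
FIREWALL_LOG = """\
2016-07-20T09:00:05 ALLOW src=10.0.0.12 dst=10.0.1.5 dport=443
2016-07-20T09:00:41 ALLOW src=10.0.0.19 dst=10.0.1.5 dport=443
2016-07-20T09:01:02 DENY src=198.51.100.7 dst=10.0.1.5 dport=22
2016-07-20T09:01:03 DENY src=198.51.100.7 dst=10.0.1.5 dport=23
2016-07-20T09:02:00 DENY src=198.51.100.7 dst=10.0.1.5 dport=21
2016-07-20T09:02:01 DENY src=198.51.100.7 dst=10.0.1.5 dport=25
2016-07-20T09:02:01 DENY src=198.51.100.7 dst=10.0.1.5 dport=80
2016-07-20T09:02:02 DENY src=198.51.100.7 dst=10.0.1.5 dport=110
2016-07-20T09:02:02 DENY src=198.51.100.7 dst=10.0.1.5 dport=135
2016-07-20T09:02:03 DENY src=198.51.100.7 dst=10.0.1.5 dport=139
2016-07-20T09:02:03 DENY src=198.51.100.7 dst=10.0.1.5 dport=445
2016-07-20T09:02:04 DENY src=198.51.100.7 dst=10.0.1.5 dport=3389
2016-07-20T09:02:30 ALLOW src=10.0.0.12 dst=10.0.1.5 dport=443
2016-07-20T09:03:10 ALLOW src=10.0.0.19 dst=10.0.1.5 dport=443
2016-07-20T09:04:12 ALLOW src=203.0.113.9 dst=10.0.1.5 dport=443
"""

# Constructed authentication log: a burst of failures on one account,
# then a new account created and used shortly afterwards.
AUTH_LOG = """\
2016-07-20T09:02:10 LOGON_FAIL user=jdoe host=DC01
2016-07-20T09:02:11 LOGON_FAIL user=jdoe host=DC01
2016-07-20T09:02:12 LOGON_FAIL user=jdoe host=DC01
2016-07-20T09:02:13 LOGON_FAIL user=jdoe host=DC01
2016-07-20T09:02:14 LOGON_FAIL user=jdoe host=DC01
2016-07-20T09:02:20 LOGON_FAIL user=asmith host=DC01
2016-07-20T09:05:00 LOGON_OK user=asmith host=DC01
2016-07-20T09:06:30 ACCOUNT_CREATED user=svc_backup2 host=DC01
2016-07-20T09:06:45 LOGON_OK user=svc_backup2 host=FILE01
"""


def parse_firewall(text):
    """Parse firewall lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = FW_RE.match(line.strip())
        if m:
            ts, action, src, dst, dport = m.groups()
            records.append({"ts": ts, "action": action, "src": src, "dst": dst, "dport": int(dport)})
    return records


def spike_minutes(records, factor=3.0, min_events=5):
    """Minutes whose event count is >= factor x the median minute (and >= min_events)."""
    per_min = Counter(r["ts"][:16] for r in records)  # "YYYY-MM-DDTHH:MM"
    if not per_min:
        return []
    baseline = statistics.median(per_min.values())
    return sorted(m for m, n in per_min.items() if n >= min_events and n >= factor * baseline)


def suspicious_sources(records, min_denies=3, min_ports=3):
    """External sources with repeated denies or many distinct destination ports."""
    denies, ports = Counter(), defaultdict(set)
    for r in records:
        if ipaddress.ip_address(r["src"]) in INTERNAL:
            continue
        ports[r["src"]].add(r["dport"])
        if r["action"] == "DENY":
            denies[r["src"]] += 1
    flagged = {}
    for src, seen_ports in ports.items():
        reasons = []
        if denies[src] >= min_denies:
            reasons.append(f"{denies[src]} denied connections")
        if len(seen_ports) >= min_ports:
            reasons.append(f"probed {len(seen_ports)} distinct ports")
        if reasons:
            flagged[src] = reasons
    return flagged


def parse_auth(text):
    """Parse authentication lines into (timestamp, event, user, host) tuples."""
    return [m.groups() for m in (AUTH_RE.match(l.strip()) for l in text.splitlines()) if m]


def accounts_with_failures(events, min_failures=5):
    """Accounts with at least min_failures failed logons (brute-force / guessing signal)."""
    fails = Counter(user for _, ev, user, _ in events if ev == "LOGON_FAIL")
    return {u: n for u, n in fails.items() if n >= min_failures}


def new_accounts(events):
    """Accounts created during the reviewed window, to be verified against change records."""
    return [user for _, ev, user, _ in events if ev == "ACCOUNT_CREATED"]


if __name__ == "__main__":
    fw = parse_firewall(FIREWALL_LOG)
    print("spike minutes:", spike_minutes(fw))
    print("suspicious sources:", suspicious_sources(fw))
    auth = parse_auth(AUTH_LOG)
    print("accounts with failures:", accounts_with_failures(auth))
    print("new accounts:", new_accounts(auth))
```

On real logs the thresholds would be tuned to the environment's baseline, and a flagged source or account is a lead for the investigator to confirm against firewall rules, change tickets and the account owner, not a finding by itself.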
Security training is an important way for your company to spread awareness and be prepared for security threats. It is essential to educate users and to be socially aware of ever-changing electronic dangers, especially if you’re Bradley Cooper.