It’s been a banner year for hackers. Besides Special Counsel Robert Mueller’s investigation of possible Russian hacking, several other high-profile hacks made the headlines this year. Certainly not least among them was the Equifax hack, affecting an estimated 143 million Americans. And who can forget the massive Yahoo breach? A few months after Yahoo was acquired by Verizon, the public was informed that every single Yahoo account in existence in 2013 was compromised, some 3 billion accounts in all, possibly including security questions and answers.
It turns out that discovering that a cyber-intrusion occurred is a lot easier than finding out who did it. As I explain to students taking my digital forensics class at the University of Utah, there are a variety of reasons that tracing the activity to a specific malefactor can be extremely difficult and sometimes impossible. For one thing, there are a lot of potential culprits out there, from sophisticated state-sponsored actors to equally talented hacktivists like Anonymous. Experienced hackers have powerful tools at their disposal, for example the NSA’s cyber hacking tools that were published earlier this year by Shadow Brokers. They also know how to cover their tracks and might even leave a trail of misdirection in an attempt to frame other parties.
These widely publicized hacks and data breaches remind us of other ways, much closer to home, that important company data can be lost. I have recently worked on a series of cases related to misappropriation of intellectual property, which in the digital forensics business we call “data exfiltration.” From a security standpoint, these are considered insider threats, and they account for a significant share of security incidents.
Studies suggest several motivations for taking company data, from factors as innocuous as pride of authorship, to more nefarious designs, chief among them financial gain. We work in an information economy, and whether out of spite or greed, a company’s proprietary intellectual property (IP) can cause significant competitive damage if it falls into the wrong hands. Typical company IP includes customer, supplier, and employee lists; budgets, forecasts, and other business planning documents; and operational data such as formulations, processes and designs.
Often, when I am called in on a case, the client wants to know “Was any data copied, and if so, what?” The answer is usually “It depends.” In digital forensics, there is no silver bullet, no “flight recorder” we can extract that will tell us exactly what happened. Rather, we reconstruct user activity by interpreting available electronic artifacts, and the key is knowing what to look for.
Common Methods of Copying Company Data
- Thumbdrives and other portable external drives.
- Smartphones, whether connected to the computer, or simply by taking photos.
- Cloud services such as OneDrive, Google Drive, or Dropbox.
- Public webmail accounts such as Gmail or Yahoo.
Digital forensics relies on Locard’s transference principle, that “every contact leaves a trace,” and any of the activities above can leave behind trace evidence. Based on that trace evidence, it is often possible to determine the USB devices used (manufacturer, model, and serial number), files and folders that were recently opened, websites visited, internet searches completed, and so on. So long as the data has been preserved, digital artifacts can paint a picture of what the user was doing; it may not be comprehensive, but it’s often sufficient.
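As an added illustration of the USB trace evidence mentioned above (this is example code, not the author’s casework tooling), the script below parses the subkey names Windows records under `HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR` into vendor, product, revision and serial number. The key names are constructed sample values; on a real examination they would be read from the live registry or an exported SYSTEM hive, and an instance ID whose second character is `&` means the device reported no hardware serial and Windows generated the ID, so it cannot uniquely identify a physical device.

```python
"""Parse Windows USBSTOR device key names into structured device records."""
import re
from dataclasses import dataclass

# Constructed sample: subkey paths as found under ...\Enum\USBSTOR (hypothetical values).
SAMPLE_USBSTOR_KEYS = [
    r"Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230412101234&0",
    r"Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\6&2a1b3c4d&0&000000&0",
    r"CdRom&Ven_Generic&Prod_DVD-ROM&Rev_1.00\0123456789ABCDEF&0",
]

# <type>&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance id>
_DEVICE_RE = re.compile(
    r"^(?P<dtype>[^&\\]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^\\]*)"
    r"\\(?P<instance>.+)$"
)


@dataclass
class UsbDevice:
    device_type: str
    vendor: str
    product: str
    revision: str
    serial: str
    serial_is_generated: bool  # True when Windows synthesised the ID (no hardware serial)


def parse_usbstor_key(key: str) -> UsbDevice:
    """Split one USBSTOR subkey path into its components."""
    m = _DEVICE_RE.match(key)
    if not m:
        raise ValueError(f"not a USBSTOR device key: {key!r}")
    instance = m.group("instance")
    # Windows-generated instance IDs carry '&' as their second character.
    generated = len(instance) > 1 and instance[1] == "&"
    # A real serial is followed by a "&<port>" suffix that is not part of the serial.
    serial = instance if generated else instance.rsplit("&", 1)[0]
    # Windows stores spaces in vendor/product strings as underscores.
    return UsbDevice(m.group("dtype"), m.group("vendor").replace("_", " "),
                     m.group("product").replace("_", " "), m.group("rev"), serial, generated)


def parse_usbstor_keys(keys):
    return [parse_usbstor_key(k) for k in keys]


def removable_disks(devices):
    """Only 'Disk' class devices (thumbdrives, external drives), not optical drives."""
    return [d for d in devices if d.device_type == "Disk"]


if __name__ == "__main__":
    for d in removable_disks(parse_usbstor_keys(SAMPLE_USBSTOR_KEYS)):
        print(f"{d.vendor} {d.product} rev {d.revision} serial {d.serial}"
              f"{' (generated, not unique)' if d.serial_is_generated else ''}")
```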
Companies can reduce the risk of data exfiltration by being aware of clues that someone is likely to copy company IP.
Employee Behaviors Companies Should Watch Out For
- Copying company data to external devices without authorization.
- Seeking proprietary information on topics outside the scope of their responsibilities.
- Working odd hours, when they can more easily conduct covert activities.
- Remotely accessing company computers while out sick, on vacation, or at other unusual times.
If an employee exhibits these behaviors, it may be a red flag. Another red flag may be an employee who resigns and goes to work for a competitor. If they had access to sensitive company information, a review of their computer activity may be called for. Some companies cover the handling of company information during exit interviews, which can be a good time to inquire about external devices or other possible repositories of proprietary information that should be returned or wiped.
Finally, many firms quickly recycle a former employee’s computer by handing it down to a lower-level employee or assigning it to the replacement. While efficiency is admirable, this practice could cause problems later, should a question arise as to the departing employee’s handling of company IP, because important trace evidence can be overwritten by subsequent computer activity. The best approach to take when a key employee leaves is to preserve possible evidence, and the cheapest way to do that is often to simply remove and safeguard the hard drive and replace it with a new one.
In information security, as with life, an ounce of prevention is worth a pound of cure. Risks can be mitigated by instilling a culture of IP awareness and respect. However, should an incident arise, remember to preserve the evidence!

H. Scott Tucker