“Privilege Misuse is the third most prevalent cause of data breaches.” – Verizon 2017 Data Breach Investigations Report.
This post details a post-mortem investigation scenario in which a third-party administrator was accused of data theft, and shows how an advanced Privileged Access Management (PAM) solution helped security analysts conduct the forensic investigation.
The victim is a government contractor with a national security profile, so it monitors and records all third-party access to its internal systems. Unexpectedly, it received an urgent warning that one of its third-party administrators was suspected of having stolen a classified document a week earlier. Law enforcement was investigating the incident and required evidence stored in the contractor's IT systems. The investigation occurred in two phases.
Figure 1. Replay of a Windows (RDP) session in a PAM tool
The first phase of the investigation took just 30 minutes. Without the PAM tool's fast search and readily accessible evidence, aggregating and investigating logs would likely have taken days or weeks. The video-like audit trails clearly showed the administrator's malicious activity. Because the network-based PAM technology produces tamper-proof recordings, the authorities accepted the audit trail as an authentic source of evidence.
The investigators still had two important questions to answer: were the system administrator's credentials stolen, and was the document theft the only malicious activity? To answer them, the company could run its historical session data through a behaviour-analytics tool.
The second phase of the forensics answered these two remaining questions. First, the system administrator's credentials were not stolen, so he was at fault. Second, this incident was the only session showing abnormal behaviour (in the form of a file transfer), so the scope of the investigation did not need to be expanded.
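The second phase above is, in essence, a behaviour-analytics pass over the privileged-session audit history. The following is an added example (not code from the original post or from any PAM vendor's product) of how that pass can be expressed: it builds a baseline of the administrator's past sessions (source IPs, login hours, protocols), checks whether the incident session deviates from that baseline (a deviation would suggest stolen credentials), and then lists every session that contains a file transfer so the analyst can decide whether the scope must widen. The `Session` record layout, the sample audit history, the `min_share` threshold and the one-hour tolerance on login time are all assumptions constructed for this example; a real PAM tool exposes its own audit schema and search API.

```python
"""
Added example: behaviour analytics over privileged-session audit metadata.
Session records, field names and thresholds are constructed assumptions,
not the schema of any particular PAM product.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class Session:
    session_id: str
    user: str
    source_ip: str
    protocol: str          # e.g. "rdp", "ssh"
    start: datetime
    file_transfer: bool    # did the recording contain a file-transfer channel?


# Constructed sample audit history for one third-party administrator.
# s-007 is the incident session from the investigation scenario.
SAMPLE_SESSIONS: List[Session] = [
    Session("s-001", "ext.admin", "203.0.113.10", "rdp", datetime(2017, 11, 6, 9, 12), False),
    Session("s-002", "ext.admin", "203.0.113.10", "rdp", datetime(2017, 11, 7, 10, 3), False),
    Session("s-003", "ext.admin", "203.0.113.11", "rdp", datetime(2017, 11, 8, 9, 47), False),
    Session("s-004", "ext.admin", "203.0.113.10", "ssh", datetime(2017, 11, 9, 14, 20), False),
    Session("s-005", "ext.admin", "203.0.113.10", "rdp", datetime(2017, 11, 10, 11, 5), False),
    Session("s-006", "ext.admin", "203.0.113.10", "rdp", datetime(2017, 11, 13, 10, 30), False),
    Session("s-007", "ext.admin", "203.0.113.11", "rdp", datetime(2017, 11, 14, 9, 58), True),
    Session("s-008", "ext.admin", "203.0.113.10", "rdp", datetime(2017, 11, 15, 10, 15), False),
]

# A constructed session that does NOT fit the baseline (foreign network, 03:00),
# used to show what a stolen-credential signal would look like.
FOREIGN_SESSION = Session("s-099", "ext.admin", "198.51.100.7", "rdp",
                          datetime(2017, 11, 16, 3, 12), False)


@dataclass
class Baseline:
    source_ips: Counter
    hours: Counter
    protocols: Counter
    total: int


def build_baseline(sessions: List[Session], user: str,
                   exclude: Optional[str] = None) -> Baseline:
    """Summarise a user's history, leaving out the session under investigation."""
    hist = [s for s in sessions if s.user == user and s.session_id != exclude]
    return Baseline(Counter(s.source_ip for s in hist),
                    Counter(s.start.hour for s in hist),
                    Counter(s.protocol for s in hist),
                    len(hist))


def credential_theft_indicators(session: Session, baseline: Baseline,
                                min_share: float = 0.1) -> List[str]:
    """Return the attributes of `session` that fall outside the baseline.
    An empty list means the session looks like the user's own behaviour."""
    if baseline.total == 0:
        return ["no history for this user"]
    indicators = []
    if baseline.source_ips[session.source_ip] / baseline.total < min_share:
        indicators.append(f"unfamiliar source ip {session.source_ip}")
    # Accept any login hour within one hour of a previously seen hour.
    if not any(abs(session.start.hour - h) <= 1 for h in baseline.hours):
        indicators.append(f"unusual login hour {session.start.hour:02d}:00")
    if baseline.protocols[session.protocol] == 0:
        indicators.append(f"protocol {session.protocol} never used before")
    return indicators


def sessions_with_file_transfer(sessions: List[Session], user: str) -> List[str]:
    """Every recorded session of `user` whose audit trail shows a file transfer."""
    return [s.session_id for s in sessions if s.user == user and s.file_transfer]


def investigate(sessions: List[Session], user: str, incident_id: str) -> dict:
    """Answer the two second-phase questions for one incident session."""
    incident = next(s for s in sessions if s.session_id == incident_id)
    baseline = build_baseline(sessions, user, exclude=incident_id)
    theft = credential_theft_indicators(incident, baseline)
    transfers = sessions_with_file_transfer(sessions, user)
    return {
        "credential_theft_suspected": bool(theft),
        "credential_theft_indicators": theft,
        "file_transfer_sessions": transfers,
        # Other sessions with transfers would mean the scope must widen.
        "scope_expansion_needed": [t for t in transfers if t != incident_id],
    }


if __name__ == "__main__":
    print(investigate(SAMPLE_SESSIONS, "ext.admin", "s-007"))
    base = build_baseline(SAMPLE_SESSIONS, "ext.admin", exclude="s-007")
    print(credential_theft_indicators(FOREIGN_SESSION, base))
```

On the sample history the incident session s-007 comes from a source address and at an hour the administrator has used before, so no credential-theft indicators fire, and it is the only session with a file transfer, matching the conclusions of the text. The constructed `FOREIGN_SESSION` shows the opposite outcome: an unfamiliar network and a 03:00 login both fire, which is the pattern an analyst would expect if someone else were using the account.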
Using Privileged Access Management, the security team was able to quickly verify the third party administrator’s malicious activity with tamper-proof audit trails. Moreover, they were able to confirm that the administrator’s credentials had not been compromised, nor had there been any other suspicious activity.
“The [Balabit] solution’s strongest points are the privileged session management, recording and search, and applying policy filters to apps and commands typed by administrators on monitored sessions.”
– The Forrester Wave, Privileged Identity Management, Q3 2016, by Andras Cser