New Forensics Method May Nab Insider Thieves

Black Hat presentation features a new methodology that has already produced real-world results

One of the biggest challenges of forensics investigations into insider theft is that the markers computer forensics investigators use to detect most attacks are typically not present in insider cases where an employee or other authorized user has legitimate access to sensitive data. Next month at Black Hat USA in Las Vegas, a presenter will bring forward a new methodology that compares normal file access patterns against patterns present when files are copied to detect when insiders have copied data inappropriately.

Typically, says presenter Jonathan Grier, most forensics investigations today depend upon what are called artifacts, which are basically the markers left on a machine that leave an evidence trail. For example, if you plug in a USB drive, there will be an artifact showing the USB drive serial number. Unfortunately, when insiders copy large amounts of data, there are very few usable artifacts available to an investigator, he says. Insider data exfiltration is tricky to detect after the fact because of this and because it is very difficult to show whether the user accessed data during the normal course of business, he says.

"Most people who look at the issue just stop there and say 'There are no artifacts, there's not much we can do now,'" says Grier, who runs his own consultancy, Grier Forensics. "But necessity is the mother of invention."

A forensic examiner with over a decade of experience, Grier saw the necessity to get creative when a client of his begged him to take a case. The client had heard rumors through the grapevine that a former employee who was fired under unpleasant circumstances had stolen some very valuable company assets on his way out the door. Of course, the big problem was that this was months after the theft would have occurred and the former employee had been authorized to access the data in question in order to get his job done.

Nevertheless, the client very badly needed to know whether or not this was true and told Grier to find out no matter what it took. That's exactly what he did, and in the process he came up with a patent-pending insider forensics detection methodology that he believes will change the way forensics investigators approach these cases.

At its root, the idea behind his method is to compare the relatively random and chaotic time-of-access file usage statistics of a typical user's machine with the orderly time-of-access pattern a machine produces when a user makes a wholesale copy of many files at once. He calls it stochastic forensics, in homage to the statistical approach used in physics, where the random, unpredictable motion of individual molecules is used to predict the behavior of a gas as a whole.

"If you look at how computers are used, files are not used uniformly. There is what is called a heavy tail distribution, which means that certain files are popular and used every day, every hour, every minute and then there are a large number of files that no one bothers to use," Grier says. "There will be a number of files that have their timestamps overwritten because they were well-used and many files that were never opened. Whereas when you're copying something, that's not true. You open and copy everything inside the folder, not just what's of interest. The question was, could we use this to figure things out?"

To answer the question, Grier built a computer simulation of a user's activity within file structures over the course of a year. He then reworked the simulation so that the user had normal activity but also made a large copy of files on the machine. After crunching the numbers and performing some statistical cleanup of the data, he created a histogram of the timestamp activity attached to the files and saw that a huge spike occurred at the copying instance.

"You could graphically note exactly where the data was copied," he says.
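As an added illustration (not code from Grier or the Black Hat presentation), the following Python sketch simulates the heavy-tailed access pattern described above, overwrites one folder's access times with a ten-minute wholesale copy, and then looks for the histogram spike. The folder names, file counts, hourly bins and the 50% spike threshold are constructed assumptions, not values from the article.

```python
import random
from collections import Counter

HOUR, DAY = 3600, 24 * 3600
YEAR = 365 * DAY

def simulate_folder(rng, n_files, copied_at=None):
    """Constructed last-access times (seconds into the year) for one folder.
    Normal use is heavy-tailed: file i is reopened with probability ~1/(i+1),
    so a few files get fresh atimes and most keep their creation time. A bulk
    copy at copied_at reads every existing file within ten minutes."""
    atimes = []
    for i in range(n_files):
        created = rng.uniform(0, YEAR)
        atime = rng.uniform(created, YEAR) if rng.random() < 1 / (i + 1) else created
        if copied_at is not None and created < copied_at:
            # the copy touches the file; a later genuine open keeps the newer time
            atime = max(atime, copied_at + rng.uniform(0, 600))
        atimes.append(atime)
    return atimes

def spike_score(atimes, bin_seconds=HOUR):
    """Share of the folder's files whose atime falls in the busiest histogram
    bin: small under scattered normal use, close to 1 after a wholesale copy."""
    if not atimes:
        return 0.0, None
    bins = Counter(int(t // bin_seconds) for t in atimes)
    hour, count = bins.most_common(1)[0]
    return count / len(atimes), hour

def flag_copied_folders(folders, threshold=0.5):
    """Map each folder to (score, busiest hour) and list those over threshold."""
    scores = {name: spike_score(a) for name, a in folders.items()}
    flagged = sorted(n for n, (s, _) in scores.items() if s >= threshold)
    return scores, flagged

def demo(seed=7):
    """Two normally used folders and one copied wholesale on day 300 (constructed)."""
    rng = random.Random(seed)
    folders = {
        "projects": simulate_folder(rng, 400),
        "reports": simulate_folder(rng, 250),
        "designs": simulate_folder(rng, 300, copied_at=300 * DAY),
    }
    return flag_copied_folders(folders)
```

The busiest-hour value returned for a flagged folder is the narrow window in which the copy is inferred to have happened, which is the kind of finding the article describes Grier bringing to his client.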

Real-World Reality Check

Using the method he had developed in his lab, Grier applied it to the real-world data on the former employee's machine. On most folders, his histogram showed the normal usage pattern that indicates typical behavior. But for two folders he found something else.

"I got this huge spike that looked like the data was copied," he says. "When I saw that I almost fell out of my chair because one of those folders was very innocuous, but one of them was the exact folder that the rumors were about," he says. "Of course, I had to investigate the first folder and that was pretty to find out (through old-fashioned investigative work) that it was copied but for legitimate reasons. That made me even more confident that something unusual happened with the other folder."

In the end, the stochastic forensics method Grier came up with was able to inform his client with a great degree of certainty that a copy was made within a small window of time. That knowledge helped them approach the former employee and convince him that they knew of his misdeeds, backed by the threat of legal retribution should the data ever appear anywhere inappropriate.

"They didn't say it in so many words, but they made it very clear that they would be coming after him with everything they had," he says.

Now that he's shown what stochastic forensics can do, Grier hopes to turn it into more than a one-off service he can provide his client. With more research and potentially a financial backer, he'd like to turn it into a product that could have mass appeal to the forensics community.

"I'd really like to make it a product that any trained operator could use," he says. "That's going to take about two years of additional research and funding."
