Digital forensics is the use of analytical and investigative techniques to identify, collect, examine and report on digital evidence or information. Digital evidence can provide valuable insights during investigations of theft of intellectual property involving multi-party collusion and the misappropriation of organizational assets and resources.
During this session participants will learn various methods of mitigating the “insider threats” to an organization’s digital data and methods of investigating digital evidence contained on computer and mobile systems during internal investigations.
Main points covered:
• Learn how to mitigate and investigate the theft of Intellectual Property from your company by adding digital forensic components into your Risk Management and Compliance programs.
• Learn and understand how Digital Forensics can augment your internal investigations.
• Learn where you and your organization fit into the Digital Forensic workflow, and when to call for help.
Presenter:
Our presenter for this webinar, Ryan Duquette is a seasoned digital forensic examiner with many years of experience in law enforcement and the private sector. He took his zest for “focusing on the facts” from his days in Law Enforcement and founded Hexigent Consulting, a firm focusing on digital investigations, cyber security consulting services and litigation support.
Ryan works closely with clients involved in workplace investigations and civil litigation matters including intellectual property theft, HR investigation and data breaches. During his days in Law Enforcement, he conducted digital investigations on a variety of criminal cases including homicide, child pornography, fraud, missing persons, and sexual assault cases.
He is a Sessional Lecturer at the University of Toronto teaching digital forensics, holds a Master of Science degree in Digital Forensics Management, and several digital forensics and fraud certifications.
Ryan is a Director for the Toronto chapter of the Association of Certified Fraud Examiners, has been qualified as an “expert witness” on numerous occasions, and is a frequent presenter at fraud, digital forensics, cybersecurity and investigative conferences worldwide.
Link of recorded webinar:
19. Your IP / information
• Customer information
• Staff information
• Business plans
• Trade secrets
• Operational information
• Proprietary Software
Common Internal Theft Vectors
• Email
• Webmail
• Portable media
• Instant messaging
• Cloud storage
• Secure web sites
What needs protecting, and how is it at risk…
20. How does internal theft factor into the current business landscape?
Numbers of incidents are rising for companies year on year…
[Chart: share of businesses that had a significant incident in 2017; share that had more than 50 incidents; share of ALL incidents related to intellectual property theft]
23. The Cause of IP Theft
Accidental
• Rarely part of an investigation
• Should be addressed via organizational control(s)
Intentional
• Financial motivation
• Disgruntled
• Coercion
26. Example #1
C-Suite employee suspected of wrongdoing
Employee terminated
Employee hands in devices 2 days after termination
Forensic analysis
Hard drive forensically wiped
27. Example #2
Employee (IT) suspected of wrongdoing
Employee terminated
Forensic analysis going back 3 years, across many devices – no “smoking gun”
Deleted important information, removed devices (USBs)
28. Government initiatives to protect IP
• https://www.fbi.gov/news/stories/2015/july/economic-espionage/economic-espionage
29. Example #2 – FBI Behavioral Indicators
• Without authorization, takes proprietary information home via thumb drives or e-mail.
• Inappropriately seeks or obtains proprietary or classified information on subjects not related to their work duties.
• Interest in matters outside the scope of their duties, particularly those of interest to business competitors.
• Remotely accesses the computer network while on vacation, sick leave, or at other odd times.
• Disregards company computer policies on installing personal software or hardware, accessing restricted websites, conducting unauthorized searches, or downloading confidential information.
• Works odd hours without authorization; notable enthusiasm for overtime work, weekend work, or unusual schedules when clandestine activities could be more easily conducted.
30. What Can Be Done
Mitigation and Investigation through digital forensic techniques
31. What are the relevant DF techniques
• Identification
• Capturing
• Processing
• Analysis
• Reporting
43. Considerations
Ensure you have authority to proceed
Check corporate policies
Determine compliance requirements
Focus the scope of the investigation
Check privacy laws and legislations
44. What Can Be Done
Start with IT department
Understand the devices and systems that are issued
Learn what technology controls are in place
Understand your retention policies
Try to understand employee behaviours (digital and non-digital)
45. What Can Be Done
Form an “Insider Threat” team which is made up of various people within or outside of your company:
• IT
• Security
• Digital Forensics
• Fraud
• HR
• Legal
54. ISO/IEC 27032
Training Courses
• Computer Forensics Introduction
1 Day Course
• Computer Forensics Foundation
2 Days Course
• Lead Forensics Examiner
5 Days Course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/computer-forensics/lead-forensics-examiner
www.pecb.com/events
I recently had a chat with a friend who is fairly senior in a large, well known software company (they obviously had some very significant Intellectual Property (IP)). Someone in the company was being fired for cause, and my friend and other co-workers suspected that he may take, or already had taken ‘IP’ from the business. Given their line of business, this was a concern. I mentioned that digital forensic companies can take a look at an employee’s computer or mobile phone and try to see if they are in fact walking out the door with company data and said that it was easier to deal with this type of thing before the person leaves, rather than waiting until they are gone. This message was taken to the leadership of the business, and in return an interesting, yet possibly short sighted, message came back, “We trust our employees not to take company data with them when they leave.”
Placing trust in your employees is an important factor in not only attracting, but also retaining talented individuals, and for encouraging a positive and collaborative corporate culture. However… verify what those employees are doing before they potentially walk out the door with your company’s valued property (and I’m not talking about staplers).
President Ronald Reagan, while discussing U.S. relations with the Soviet Union, famously would quote the Russian proverb, “Trust, but verify.” When it comes to retaining valuable intellectual property, organizations would do well to use that proverb as a mantra.
The range of threat actors is diverse, and the ‘control’ and threat mitigation landscape and options are ever growing. Knowing what and who to combat, using what tools and methods, is challenging. There are four main groups of these threat actors.
For the most part, they usually share one common goal – to get to or disrupt your data (your crown jewels). Their motivations are different, but from an external perspective they usually have the same hurdles to overcome before they get to it.
First they have to find a chink in your armor, then get a foothold in your environment, usually elevating their privileges and getting to the ‘good stuff’. They have to fight past your perimeter security features such as firewalls and other systems, before bending around the network security authentication and threat mitigation tools that are in place. Once they find the crown jewels, they have to infiltrate the system itself that those jewels are on and get enough access rights to allow for addition, modification and deletion activity to take place. Basically… if the security folks do their job well, it’s often tough for the bad guys to get in.
Hacker Group
Nation States
Cyber resilience or security is the current evolution of what was IT security. It went from IT security to Information security and now to Cyber security.
The ownership of cyber security has moved from being led and operated by IT, to Board ownership, involvement, direction and support.
The risk has moved from only operational impacts to reputational, compliance and financial losses.
The investment has moved from being technical to more of a protective culture.
And the threats have moved from external to both external and internal.
Basically, things have changed. Organizations take ‘cyber’ seriously, and we applaud that.
One of the most common things we hear is that organizations want to stop ‘hackers’, and while that’s great, we need them to look inside their walls as well.
That all being said though…Breaches have become more frequent and larger.
Many breaches are due to insider human error – but this is NOT the insider threat we are talking about today. That is a whole other presentation.
Remember that earlier slide on external threats? The one where we talked about bad guys having to navigate their way around a variety of security controls. If you’ve got a well-developed security architecture, they need to apply a significant effort to get to those crown jewels. Sometimes, that level of effort is just not worth it and so they move on to the next guy. Which is great!
However, let’s look at this again, from an internal perspective. Unlike those external bad guys who need to demonstrate all sorts of hacking ‘kung fu’ to get what they want, you’ve already equipped insiders with everything they need: a way to bypass firewalls, slide by security solutions and potentially go unnoticed by your threat identification and mitigation tools. Know what it is?
A username and a password.
Yup, you’ve given them the ability to get to those crown jewels and unlike the bad guys, they just have to worry about how to get the data out….
IP of this nature used to be paper based; however, most is now digital. It’s stored electronically and accessed with the many digital devices we use on a daily basis. Since most investigations focus on establishing if, and how, someone did what they are suspected of doing, knowledge of the common methods used to remove sensitive information is vital to today’s investigative professional. Some of the more common methods include:
Email exchange between a work account and a secondary email account;
Use of a personal webmail account, such as Gmail or Yahoo;
Use of portable media, USB drives being the most common;
Instant messaging programs (including social media programs such as Facebook and LinkedIn);
Cloud storage such as Dropbox or iCloud;
Using a secure website;
Accessing a work computer via a remote session;
Taking pictures of IP with a personal camera or phone.
We compiled data from a number of studies that looked at not only internal theft factors, but also at businesses that had various cyber incidents.
In 2015, 80% of businesses surveyed had a significant incident.
32% had more than 50 incidents.
And 49% of ALL incidents related to IP theft (both external and internal threats).
Current employees – Have the most access to information
Former employees – may still have login credentials for things like webmail or friends inside company
Current contractors – often are given access to a wide amount of information and are not usually monitored as much as current employees
Former contractors - may still know how to get in to get info
A friend worked for a large software company that was based in the US and she worked from home for almost 9 years. She often ran out of room on her work issued laptop and asked her manager if he was ok with getting her an external hard drive. He approved and she purchased a large hard drive, and promptly downloaded tons of material from the company server over a weekend. Fast forward almost 2 years and she resigns from the company. Fast forward another year and she found the hard drive in a box. Realizing that she still had company data, she gave me the hard drive and I forensically wiped it.
The company authorized her to take IP, and never even tracked it.
- Intentional (which is what we are here to talk about today)
- Financial motivation: $, role, salary increase, contractor role
- Disgruntled
- Coercion (bribe or threat)
On the last slide I mentioned the 3 main intentional causes of IP theft. The first two (Disgruntled and Financial) have similar timing as to when the theft of IP occurs. Most of the timing revolves around an employee either resigning or being terminated.
Resignation
One month prior to giving notice people will start to gather data,
If they stick around for a while, they might take data after resignation (not as common because people think that after resigning that the controls or monitoring on their systems will increase – often it does not).
After they leave, systems are often left open – Webmail for example
Termination
If they suspect they will be terminated - Might be gathering data prior
And again, after they leave systems are often left open
Theft for reasons of coercion often can happen at any time.
In July 2015, the FBI launched a campaign to educate businesses and industry leaders about protecting trade secrets and intellectual property. It focuses on external threats from foreign threat actors engaged in corporate espionage, but also highlights the need to develop insider threat programs. They also highlight some behaviours to look for when an insider is suspected of stealing company data
Had our client acted upon their suspicions earlier, it would have saved them the time and resources to launch a full investigation and to pursue civil litigation.
Some of these are digital behaviours and therefore you may be able to easily look into them, others are more personal in nature and you may need to work with others to figure out.
Some of the digital forensic techniques that we all use during our digital investigations can also be used to help mitigating the theft of a company’s IP before it even happens.
These standard techniques can be used as a whole, or individually.
Cross-referencing of artifacts allows us to quickly compare IP with other activity which may suggest movement of that IP. For those who do not recognize this, it is the Magnet Forensics timeline view. There are, however, other great tools on the market that allow similar functionality.
Many digital forensic tools allow us to look at a user’s activity during certain times. Two of those behaviour indicators we chatted about earlier mention activity after hours, on weekends or at other “strange times”. Again, this is IEF, but there are others.
Digital forensic methods allow us to compare data over time (using hash lists, etc.). This can be very valuable during an IP theft investigation (we will talk more about this later).
Was there any collusion within your company? Comparing data from various sources might allow you to figure out if people were working together (or if one person “used” someone else unknowingly to steal IP). There are many methods to do this. Hash analysis across systems and adding multiple systems into one case are just a few examples.
As mentioned in that article by the FBI, businesses should develop insider threat programs. These programs can incorporate many aspects, from monitoring activity, to employee training, to full investigations.
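The hash cross-referencing, after-hours flagging and multi-system comparison described above, as an added example that is not part of the webinar or any vendor tool. It assumes a constructed list of protected-IP hashes and constructed file-system artifacts exported from two systems (the drive letters treated as removable media are an assumption for this sample case):

```python
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed sample data: hashes of the files the business has identified as
# protected IP. In a real matter these come from hashing the documents the
# employee is suspected of taking, with the algorithm the forensic tool reports.
PROTECTED_IP = {
    hashlib.sha256(b"Q3 business plan - confidential").hexdigest(): "business_plan_Q3.docx",
    hashlib.sha256(b"customer list export").hexdigest(): "customers.xlsx",
    hashlib.sha256(b"build server credentials").hexdigest(): "deploy_keys.txt",
}

# Constructed file-system artifacts as a timeline tool would export them:
# (system, user, path, sha256, last-access timestamp). Two systems and a
# removable volume are included so that cross-system sharing shows up.
ARTIFACTS = [
    ("LAPTOP-01", "jsmith", r"C:\Users\jsmith\Documents\business_plan_Q3.docx",
     hashlib.sha256(b"Q3 business plan - confidential").hexdigest(), "2017-03-10T14:05:00"),
    ("LAPTOP-01", "jsmith", r"E:\backup\bp.docx",  # E: is a USB volume in this sample
     hashlib.sha256(b"Q3 business plan - confidential").hexdigest(), "2017-03-11T23:40:00"),
    ("LAPTOP-01", "jsmith", r"C:\Users\jsmith\Downloads\setup.exe",
     hashlib.sha256(b"unrelated installer").hexdigest(), "2017-03-09T10:00:00"),
    ("LAPTOP-07", "adoe", r"E:\customers.xlsx",
     hashlib.sha256(b"customer list export").hexdigest(), "2017-03-12T02:15:00"),
    ("LAPTOP-07", "adoe", r"C:\Users\adoe\Desktop\bp_copy.docx",
     hashlib.sha256(b"Q3 business plan - confidential").hexdigest(), "2017-03-12T02:20:00"),
]

# Assumption for this sample: these drive letters were mapped to USB media.
REMOVABLE_DRIVES = {"E:", "F:"}


def is_after_hours(ts, start=8, end=18):
    """True if the timestamp falls on a weekend or outside business hours."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or not (start <= t.hour < end)


def cross_reference(ip_hashes, artifacts):
    """Return every artifact whose hash matches protected IP, tagged with the
    indicators from the FBI list: copied to removable media, touched after hours."""
    findings = []
    for system, user, path, digest, ts in artifacts:
        if digest not in ip_hashes:
            continue
        findings.append({
            "system": system, "user": user, "path": path,
            "ip_name": ip_hashes[digest], "hash": digest, "timestamp": ts,
            "removable_media": path[:2].upper() in REMOVABLE_DRIVES,
            "after_hours": is_after_hours(ts),
        })
    return findings


def shared_across_systems(findings):
    """Map each IP file to the systems it appeared on; the same hash on more
    than one user's system is a lead worth examining for collusion."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["ip_name"]].add(f["system"])
    return {name: systems for name, systems in seen.items() if len(systems) > 1}


if __name__ == "__main__":
    hits = cross_reference(PROTECTED_IP, ARTIFACTS)
    for f in hits:
        flags = [k for k in ("removable_media", "after_hours") if f[k]]
        print(f"{f['system']:10} {f['user']:8} {f['ip_name']:22} {f['timestamp']}  {', '.join(flags)}")
    print("Shared across systems:", shared_across_systems(hits))
```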
However, there are some things to consider before implementing any insider threat program.
Big brother tactics often are not the best methods.
We once again come back to this saying. Companies need to place a certain amount of trust in their employees. Many employees know that their emails and web activity can and may be monitored; however, diving deeper into everything they do on their systems may breed an atmosphere of distrust.
There are also factors to consider when you’ve been asked to review the digital activity of an employee to understand what they’ve been doing with company data, or while using the company network.
Get permission
While the business might suspect foul play, and have asked you to investigate an employee’s digital footprints, it’s important that you fully understand what’s permissible before you do anything. Just because the staff member was using a company asset, that does not always translate to an open invitation to review everything they’ve been doing.
Before you begin your investigation, get a formal request from the business, appropriate sign off from management, make sure HR is involved, and keep all communication relative to the request. You may need to have legal counsel involved from the outset as well, as the matter could end up in court at some point, and you’ll need to prove everything you did, and why.
Check company policies
Familiarise yourself with existing company policies and procedures and focus on those which detail what an employee is allowed to do (and more importantly, not do). Does content exist which deals with activity monitoring or reviews? Are employees, and specifically any which are in scope for your investigation, aware of these policies? Has the employee read the policies, or gone through awareness training, and signed off on their understanding?
We have had a few cases where we have been hired for investigations only to find out half-way through it that the company did not have an acceptable use policy (in other words…the employees were never told what they can and cannot do).
Determine compliance requirements
Depending on what business your company is in, you may find that you’re obligated to comply with something that may either limit your ability to directly review activity, or put your company’s compliance status at risk should you proceed.
Check to make sure that what you’re looking to do is achievable, and that if the role of the employee is one that may permit them privileged access to highly confidential data, your review does not compromise the company’s good standing. If your company deals with federally classified data, check to see what that employee had access to. If it’s above your own clearance level, you may need to call in someone with appropriate clearance to handle the data. While you may not be looking to review any of that data itself, just your having a copy of it, or access to the system that holds it, may cause an issue.
Focus the Scope of the Investigation
Many times we hear clients ask us to find ‘anything of relevance’. That’s not something that should be readily agreed to without first knowing the facts. Network and system logs will show general activity, and an in-depth forensic review of the systems and devices that an employee used could provide a very granular view of what they did. While this is great news for most investigators, there can be some challenges. If you were to start looking at everything that was done, your review could take weeks or months. It could also take you down a path that has nothing at all to do with the original request.
Your investigation should be focussed. There should be a rationale for what you’re doing, and the evidence you seek should be well defined. You ideally want a listing of what data the employee is suspected of removing, during what time period, and what common terms, phrases or language it could contain. Knowing all of this will speed up the investigation and help your legal counsel be comfortable in knowing that you weren’t going on a ‘witch hunt’ (which can be a common argument by the defense in legal proceedings).
Check Privacy Laws and Legislations
Depending on the location of your company, you may have to consider various privacy laws and legislation before starting any employee investigation. Legislation is usually relevant to the location in which the work is being performed. If you’re being asked to review user activity for someone operating from a regional office in, e.g., Germany, the fact you are based at head office in, e.g., Toronto, does not mean that Canadian privacy laws will necessarily apply. In that example, the German Federal Data Protection Act (BDSG) has very strict guidelines as to what can and can’t be done with employee data contained on work systems (including the transferring of any data outside of national borders). It’s always best to check with not only your HR department but also your legal and/or compliance department before conducting any investigation on employee data. Not doing so may jeopardize the validity of your findings.
‘Know thyself’ – that aphorism has been around since Plato’s time. It applies here.
You need to understand how things work and look in the environment you’re investigating. Talk to your technology teams. What’s being used, by whom, for what? Is there BYOD? What controls are there? What can a user (specifically the one you’re investigating) do and not do? What kind of policies are there for retaining information about user activity? Before you start digging, it’s worth understanding these basics as it’ll keep you focused on task.
We often work in our little silos and only get involved with other internal teams when there is a need (breach, IP theft, etc.). Be proactive and form working teams that help to not only mitigate the insider threat against your company IP, but can also act quickly if there is an incident.
“Who” has access to information? Who do you suspect is taking data?
“What” information do they have access to? What avenues do they have access to?
“Why” would someone take company data with them?
“When” do you think this happened?
“How” do you think they took data?
I just read the 2016 Verizon report and they state “Love your employees, bond at the company retreat, bring in bagels on Friday, but monitor the heck out of their authorized daily activity, especially ones with access to data such as financial accounts, PII, payment cards, medical records, etc.”
Might you miss anything by ONLY monitoring employees activities? Why not acquire their devices (either fully or targeted imaging) at random times?
I mentioned earlier about being able to compare data over time. Some of our clients have us periodically (at randomized times) image the systems of those who have access to “the crown jewels”.
We then safeguard (or our client safeguards) the images and if needed use those images for any potential future investigation. I mentioned the example where the C-suite employee wiped their drive. Having images of his system prior to his departure might have dramatically changed the outcome of that matter.
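Comparing a safeguarded periodic image against the device handed back later, as an added example not taken from the webinar or any client engagement. The manifests are constructed for one executive's laptop; build_manifest is included so the same comparison can be run over real images mounted read-only (paths and protected-IP hashes are assumptions):

```python
import hashlib
import os


def build_manifest(root):
    """Walk a read-only mounted image or export and map each relative path to
    its SHA-256. Chunked hashing keeps memory flat on large evidence sets."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return manifest


def diff_manifests(baseline, later):
    """Files added, removed or changed between two snapshots of one system."""
    both = set(baseline) & set(later)
    return {
        "added": sorted(set(later) - set(baseline)),
        "removed": sorted(set(baseline) - set(later)),
        "changed": sorted(p for p in both if baseline[p] != later[p]),
    }


def ip_exposure(baseline, later, ip_hashes):
    """Protected IP that vanished or was altered between the two images.
    A high wipe_ratio together with missing IP is what a wiped drive looks
    like, and the earlier image is then the only surviving copy of the evidence."""
    diff = diff_manifests(baseline, later)
    gone = [p for p in diff["removed"] + diff["changed"] if baseline[p] in ip_hashes]
    wipe_ratio = len(diff["removed"]) / max(len(baseline), 1)
    return {"ip_missing": sorted(gone), "wipe_ratio": round(wipe_ratio, 2)}


def h(content):
    return hashlib.sha256(content).hexdigest()


# Constructed sample data: hashes of two protected-IP documents.
PROTECTED_IP = {h(b"trade secret formula"), h(b"customer list export")}

# Constructed manifests: an image taken at a randomized time in January, and
# the image of the same laptop handed back after the executive's termination.
JANUARY_IMAGE = {
    "Users/exec/Documents/formula.pdf": h(b"trade secret formula"),
    "Users/exec/Documents/customers.xlsx": h(b"customer list export"),
    "Users/exec/Documents/memo.docx": h(b"team memo"),
    "Windows/System32/kernel32.dll": h(b"os binary"),
}
RETURNED_IMAGE = {
    "Users/exec/Documents/memo.docx": h(b"team memo v2"),
    "Windows/System32/kernel32.dll": h(b"os binary"),
    "Users/exec/Documents/readme.txt": h(b"nothing to see"),
}

if __name__ == "__main__":
    print(diff_manifests(JANUARY_IMAGE, RETURNED_IMAGE))
    print(ip_exposure(JANUARY_IMAGE, RETURNED_IMAGE, PROTECTED_IP))
```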
You can use similar techniques within your company.
Exit interviews are a great way to learn about why an employee is leaving, and ways that the company can improve. However they can also be used to help determine if an employee may have taken company IP with them. HR staff can ask questions to learn more about where the employee kept company data, did they take it home, on what devices and when.
While the interview is being conducted, and if warranted, digital forensic practitioners can discreetly do a quick review on the employee’s device(s) to look for any indicators of IP theft.
If needed, you can conduct a deeper dive into the evidence. This obviously will be longer in duration than the quick look.
Where possible, be proactive rather than reactive.
Make programs like this a part of corporate culture and adapt security, acceptable use, or other related policies accordingly.
Be transparent and let employees know that their systems are being monitored, and activity on those systems may be looked into at a deeper level when they are leaving the company.
Typically we ’investigate’ something after that action has taken place. Where possible, if you can pivot from post event to pre event investigations you may be able to stop something potentially from happening, AND there's the opportunity to realize collateral benefits.
The information you work with, and the subsequent findings that are given to your company from your investigation, will be more exact. With better data comes the ability to make more informed decisions. Everyone up and down the organizational chain always wants that.
It makes sense for your company. The cost of post-incident investigation is always sizeable. More effort = more hours = more cost. Those operational costs can spiral. Embedding some of the things we’ve talked about into organizational workflow and culture can limit the potential for a significant IP-related incident to occur. In turn, that can seriously limit the unknown expenditure required to handle insider threats, and let the company invest in the business of doing business.
And finally… this can all reduce risk. The risk of IP getting into the wild. The risk of reputational damage. The risk of competitors being better informed about your business strategy. The risk to the bottom line of the company when confidence is lost.