InfoSec Beat Podcast: Anatomy of an Investigation Pt 1

JASON LEWKOWICZ: We can usually find enough artifacts on the computer that are going to give us the information that we need.

KRIS BURKHARDT: Alright, it sounds like CSI Accenture?

JASON LEWKOWICZ: It is.

KRIS BURKHARDT: Hi everyone. Welcome to another edition of the InfoSec Beat Podcast. I’m your host, Kris Burkhardt. We’re broadcasting from the Nick Price Memorial Underground Subterranean Faraday Cage in a top secret location. And my guest today is Jason Lewkowicz. Jason leads our Incident Response Team here at Accenture and we are going to talk about investigations. So, Jason, welcome to the program.

JASON LEWKOWICZ: Thanks, Kris.

KRIS BURKHARDT: So, let’s just start at the top. Tell us a little bit about what you do at Accenture and kind of maybe a short version of a day in the life of Jason?

JASON LEWKOWICZ: Sure. So I have responsibility for our Cyber Response Program. I’m a Managing Director. I report into our Chief Information Security Officer. I have oversight of any of our cyber response activities, which sounds kind of generic, so I’ll kind of just go into it. So data loss prevention, forensic investigations of our endpoint or our network, working with our SOC to make sure that we have the right rules and controls at our perimeter, red team and hunt team. So if you think about bad guys trying to get in, I have a team of individuals who are actively always trying to breach and break into Accenture. And then upon doing that, to see if our defense mechanisms work. So does the SOC detect it? Do our SIEM instances start alerting? Do my forensic team, do they pick it up? And then I also have a hunt team. So as we gain intelligence based on known threat actors, they will horizontally and vertically scan our environment to see if there are any historic things that we may want to investigate further. And then the last piece, this function called the A SOC. It’s kind of a 911 where people can call into and let us know that there’s been some type of security event that needs further investigation. So it could be something as simple as I’ve lost a phone to, hey, I think my account has been breached and that somebody is actively on my system. So that’s my role. A day in the life. Most of my day is spent on phone calls either interacting with clients, talking about our security program, the things that we have going on.

KRIS BURKHARDT: That doesn’t sound nearly as sexy as what you just described.

JASON LEWKOWICZ: It’s not as exciting, lots of phones from early in the morning to late at night and then the rest is really working with the team, making sure they have the right tools, tech, etc.

KRIS BURKHARDT: Well, that’s great. I mean it sounds like you’ve got your hands full with all sorts of interesting cyber activities. Let’s zoom in a little bit on investigations.

JASON LEWKOWICZ: Sure.

KRIS BURKHARDT: I’ll start at the start. So how does an investigation actually begin? So when does an investigation become an investigation?

JASON LEWKOWICZ: Sure. So any of the number of systems that we have that monitor and manage Accenture’s health in our environment could trigger. So we may see something that comes from our antivirus console. It could be a firewall or it could be anything, or any one of our individuals can call something in. So anything that comes in as an alert, we start investigating it to really understand what it is that has transpired, and if we see that there has been unauthorized access or somebody doing something that they shouldn’t be, maybe password sharing, perhaps a fraud situation, we would then start investigating and going through the formal process of kicking off an investigation.

KRIS BURKHARDT: I see. So it sounds like there’s many triggers. And once one starts, you are the Computer Incident Response Team, so presumably computers are involved. So how do you go about investigating one of these incidents?

JASON LEWKOWICZ: Sure. So, I’ll give two examples. In the event it’s a situation where we believe an individual is acting on their own and has done something wrong, they’re obviously leveraging some component of technology. Let’s just say it’s their provided or provisioned workstation. We will go through the process of getting approvals through our corporate investigations team, which is a division of our legal group, as well as Human Resources. And from there we have numerous tech that we could use. They all look at different things, some look at memory, some look at the disk itself. And we will build a hypothesis around the allegations that have been made and we’ll start investigating. So one of the things that’s always cool that I get asked, not to feed myself a question.

KRIS BURKHARDT: Please do.

JASON LEWKOWICZ: What kind of stuff can you get off of a computer? What kind of stuff is available? And the reality is if it’s digital media, we can pretty much get anything off. There are ways to go about making it so it’s more difficult to get, but we can usually find enough artifacts on the computer that are going to give us the information that we need.

KRIS BURKHARDT: Alright, it sounds like CSI Accenture.

JASON LEWKOWICZ: It is. It’s very CSI. We’ve got the matrix writing on the wall. It’s cool.

KRIS BURKHARDT: So if I understood correctly, it’s really policy approval first to start an investigation. You don’t just go look first and ask questions later, and then once you get approval, then you can look at all these forensic details?

JASON LEWKOWICZ: It’s even more defined than that. So there’s a whole approval process. So in the event it’s a person that sits in a privacy country, we have to go and get data privacy approval. We have to submit almost like a search warrant, like here’s what the allegation is, here are the steps that we’re going to take to investigate it and here are the things that we’re looking for. And we have to stay in the bounds of whatever is requested. So if we find something or we want to make a right turn and go deeper in an area, we have to go back and ask for permission to do those – to carry those pieces out.

KRIS BURKHARDT: I see. So I think that’s great. I know in this day and age of pervasive security, monitoring is a big concern for many people. So I’m sure it’s a welcome fact that you guys have to go through this process and you can’t just kind of have a look wherever you like. So when you say, coming back to the forensics a little bit, when you say you can see anything on somebody’s laptop, so what does anything really mean? So could you see, for example, their browsing history, the websites they’ve visited, maybe banking details, for example, or what kinds of stuff lives on our hard drives after we think it’s maybe gone?

JASON LEWKOWICZ: Sure. So browser dependent if we’re looking at different web apps that were used. Most often, we can see the pages that were visited, but we can’t necessarily see the content. So unless you chose to make a screenshot or it’s a page where you were perhaps writing like an email, we may see snippets of the email that would be stored in different slack areas of the drive. So in the way that the file system writes, there are certain allocations that are set per sector, depending on the type of drive and depending on the operating system, we may see snippets of that and pull things together. Images. We can see image files that were there. If they’ve been deleted, we may see part of the image. Again, operating system dependent. Most often, what we’ll find though is records that specific things existed. So one of the things that I always really push my team to do when we have an investigation is to understand kind of what transpired. So I want to make sure that it really was that individual sitting at the terminal doing what it was that they said. You know, perhaps they let their son, Joey, use the asset. Joey should never be using a company provisioned asset, but I just want to make sure that we’ve got the right individual sitting at the console at the right time. We can get back most stuff.

KRIS BURKHARDT: Wow, that’s really interesting. It’s interesting to hear that you can piece these things together. I don’t think modern operating systems were designed really with forensics in mind but, yet, here we are. We can see kind of everything that’s been going on. That’s great. So you and I’ve worked together on a couple of investigations over the years. One that comes to mind, I remember there was a client and the client suddenly noticed that their IP was showing up in places it shouldn’t. Can you talk a little bit about that one and how we found out and how you investigated it?

JASON LEWKOWICZ: Sure. So in the situation I think you’re talking about, we were notified by the client that they had noticed download – downloading of IP materials from employees of ours. So I got on the phone with their investigation team and gathered the data that they had, and what I had noticed was that the downloading was taking place from individuals of ours in an alphabetical sequence, which typically would tell me that there is a compromise of a database that has all the users involved.

KRIS BURKHARDT: That sounds like a list?

JASON LEWKOWICZ: It’s a list. So my suggestion to the team at the time was, alright, well, I want you to disable those two accounts and then three following and let’s see what happens. And sure enough, then the sixth started and the seventh and so forth. In situations like that, you try to build a hypothesis and figure out all the different ways that somebody could get to this type of data. And the good news was with this specific client, the data that they were downloading was public marketing materials, so it kind of didn’t matter. But, obviously, the concern was that there was a compromise of credentials that could get farther into the specific account. So we also took steps in parallel to wall off what was going on. From there, we built a hypothesis around what could the culprit be, and our suggestion was that it was the environment that managed this specific, this specific IP and where it lived. And after many, many rounds with the account, because the client was convinced that Accenture had been sharing its credentials and that they had so often sold this, we finally got the client to kind of validate and test out our hypothesis and that actually was the case. They restored work and it actually worked out very well in the long run to build trust between the two organizations, and they felt should something like this happen again in the future, knock wood, thankfully it hasn’t, that they could count on us to come and do the right thing.

KRIS BURKHARDT: That’s a great question. So I’m going to ask you one more question and then we’re going to pause and leave the rest of this for Episode 2. As you described the way you’re testing your hypothesis by disabling a few of the accounts, were you concerned about tipping off the bad guys? Were you concerned that they were going to disappear if you showed your hand too early?

JASON LEWKOWICZ: So we were, absolutely. I mean anytime you can identify that there’s a bad guy in the environment. And we knew that there was somebody in the environment who had credentials. The big worry is always what else do they have access to, and when you shut them out, if there are backdoors, are they just going to come in more silently, more quietly? So in this specific situation, that was a big concern of ours. We did have assurance though that this was a more legacy based system. It only has single factor authentication. It did not have the same complexities that you would typically find in the systems that you would typically see today. So we were less worried about that and it wasn’t part of like an enterprise sign-on. So it was a different credential in its entirety.

KRIS BURKHARDT: Oh, I see. Okay.

JASON LEWKOWICZ: So we were relatively sure that doing this, we would tip their hand, but at the same time, it kind of wouldn’t matter.

KRIS BURKHARDT: I see. Alright, that’s good. It was a bit of a contained space to begin with. Fantastic. Well, look, when we come back and talk next time, I’d love to ask you some questions about ransomware and how to avoid being the subject of one of your investigations?

JASON LEWKOWICZ: Sure. Sounds good. Talk next time.

KRIS BURKHARDT: Alright, well, thanks. That’s all we have time for this week. Thanks everyone for listening in. This is Kris Burkhardt, your host of the InfoSec Beat Podcast. And we’ll speak next time.
