In our recent blog post, we discussed a hypothetical situation where the General Counsel of “Alpha Chemicals” approached you and requested a whole bunch of information about “Allen Carey,” including documents he accessed and email messages he read related to the company’s blockbuster product, “Transparent Aluminum”, and a list of permissions that “Allen” had to various IT resources. Well, in parallel to his request for this information, the General Counsel also questioned the HR department and discovered that though “Allen Carey” had performed malicious activities, according to the HR department, “Allen Carey” didn’t exist!!
While not directly relevant to IT Security (but directly relevant to this scenario), in 1973 one of the most popular shows on television was M*A*S*H. In one episode the lead character, Hawkeye Pierce, created a fictitious character, “Captain Tuttle.” During the episode, Captain Tuttle’s persona morphed from imagination to legend within the hospital, as “Captain Tuttle” was credited with a number of very heroic actions, yet no one ever saw him. The episode ends with “Captain Tuttle” dying in a tragic accident, the only proof of his existence being the dog tags found near the accident site. That was the extent of the forensics performed in this very funny comedy.
While our hypothetical situation may seem like it was created for a Hollywood comedy, what would you do if it were determined that a fictitious person named “Allen Carey” performed malicious activities that resulted in the loss of your company’s trade secrets? What type of information would you require to perform an investigation? At a minimum, you would need to be able to answer the following questions:
- Who created Allen Carey’s user account, and when?
- Was Allen Carey’s user account added to or removed from any group or Access Control List, and by whom?
- Can you provide a record of any mailboxes on which Allen Carey had send-as or send-on-behalf-of privileges, when he got those permissions, and who granted them?
- Which, if any, other user accounts accessed files from the workstation that Allen Carey used?
In order to provide the General Counsel with the answers to the above questions, you would need to be auditing administrative access to Active Directory and Exchange: account creation, group and ACL membership changes, and mailbox permission grants. You would also need to correlate access activity on a specific workstation with the user accounts that logged on to that workstation. Most importantly, you would need historical reporting with the ability to correlate all of the relevant variables, and you would need to produce the answers quickly. Two practical caveats: these records only exist if auditing was switched on before the account was created, and the native Security log on a busy domain controller is overwritten quickly unless the events are forwarded and retained somewhere else. Of course, the General Counsel also still requires the information he requested previously, as he needs to know about the documents that Allen Carey accessed, the email messages that he read, and the permissions that he had to various IT resources.
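The queries behind those four questions, as an added example rather than code from the original post. It pulls the relevant records from the Windows Security log on the domain controllers and the workstation and from on-premises Exchange. It assumes things the post does not state: that account-management, security-group-management and logon auditing were enabled before the account was created and the logs have not rolled over, that the RSAT ActiveDirectory module and the Exchange Management Shell (with admin audit logging on) are loaded, and that the event IDs are the Windows Server 2008 and later ones. The account name, domain controller names and workstation name are hypothetical placeholders.

```powershell
# Added example, not code from the original post: collects the records behind the four
# questions above from the Windows Security log and from on-premises Exchange.
# Assumptions the post does not make: auditing of account management, security group
# management and logon events was enabled on the domain controllers and the workstation
# before the account was created, and those logs have not yet rolled over; the RSAT
# ActiveDirectory module and the Exchange Management Shell are loaded, with Exchange admin
# audit logging on; event IDs are the Windows Server 2008+ ones. The account, DC and
# workstation names are hypothetical placeholders.

$SamAccountName    = 'acarey'         # hypothetical suspect account
$DomainControllers = 'DC01', 'DC02'   # hypothetical; each DC logs only the changes it processed, so ask all of them
$Workstation       = 'WS-ACAREY'      # hypothetical workstation the account used
$Since             = (Get-Date).AddDays(-365)

# Flatten an event's <EventData> into an object keyed by field name, so the filters
# below match on names such as TargetUserName rather than positional Properties[] indexes.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{ TimeCreated = $Event.TimeCreated; LoggedOn = $Event.MachineName; Id = $Event.Id }
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return [pscustomobject]$fields
}

# Run one Security-log query against every domain controller and merge the results.
function Get-DcEvents {
    param([int[]]$Ids)
    foreach ($dc in $DomainControllers) {
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = $Ids; StartTime = $Since } |
            ForEach-Object { Get-EventData $_ }
    }
}

$user = Get-ADUser -Identity $SamAccountName
$sid  = $user.SID.Value
$dn   = $user.DistinguishedName

# Q1: who created the account, and when?  4720 = a user account was created.
$created = Get-DcEvents 4720 |
    Where-Object { $_.TargetUserName -eq $SamAccountName } |
    Select-Object TimeCreated, LoggedOn, @{ n = 'CreatedBy'; e = { $_.SubjectUserName } }

# Q2: group membership changes.  4728/4732/4756 = member added to a global/local/universal
# security group, 4729/4733/4757 = member removed.  MemberSid identifies the account.
$groupChanges = Get-DcEvents 4728, 4729, 4732, 4733, 4756, 4757 |
    Where-Object { $_.MemberSid -eq $sid } |
    Select-Object TimeCreated,
        @{ n = 'Action'; e = { if ($_.Id -in 4728, 4732, 4756) { 'Added' } else { 'Removed' } } },
        @{ n = 'Group';  e = { $_.TargetUserName } },
        @{ n = 'By';     e = { $_.SubjectUserName } }

# Q3: mailboxes where the account holds Send-As (an AD extended right on the mailbox
# object) or Send-On-Behalf-Of (the GrantSendOnBehalfTo attribute of the mailbox).
$sendAs = Get-Mailbox -ResultSize Unlimited | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like 'Send-As' -and -not $_.IsInherited -and
                   $_.User -like "*\$SamAccountName" } |
    Select-Object Identity, User
$sendOnBehalf = Get-Mailbox -ResultSize Unlimited |
    Where-Object { @($_.GrantSendOnBehalfTo | ForEach-Object { $_.DistinguishedName }) -contains $dn } |
    Select-Object Identity, GrantSendOnBehalfTo

# Who granted them, and when: the Exchange admin audit log records the cmdlet, the
# administrator who ran it, the mailbox it changed and the time.  The logged parameter
# value is whatever the administrator typed, so widen the match (display name, UPN)
# if the account was granted rights under a different identity string.
$grants = Search-AdminAuditLog -StartDate $Since -EndDate (Get-Date) `
    -Cmdlets Add-ADPermission, Set-Mailbox -Parameters ExtendedRights, GrantSendOnBehalfTo |
    Where-Object { ($_.CmdletParameters | ForEach-Object { $_.Value }) -match $SamAccountName } |
    Select-Object RunDate, Caller, ObjectModified, CmdletName

# Q4: every account that logged on to the workstation (4624, interactive/unlock/RDP/cached
# logon types), so file-access records from that machine can be tied to whoever was at the
# keyboard.  Machine accounts (names ending in $) are dropped.
$workstationUsers = Get-WinEvent -ComputerName $Workstation -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } |
    ForEach-Object { Get-EventData $_ } |
    Where-Object { $_.LogonType -in 2, 7, 10, 11 -and $_.TargetUserName -notlike '*$' } |
    Group-Object TargetUserName |
    Select-Object @{ n = 'User'; e = { $_.Name } }, Count,
        @{ n = 'FirstLogon'; e = { ($_.Group.TimeCreated | Measure-Object -Minimum).Minimum } },
        @{ n = 'LastLogon';  e = { ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum } }

# Hand the results over as CSVs the legal team can read.
$created          | Export-Csv -NoTypeInformation "$SamAccountName-created.csv"
$groupChanges     | Export-Csv -NoTypeInformation "$SamAccountName-group-changes.csv"
$sendAs           | Export-Csv -NoTypeInformation "$SamAccountName-send-as.csv"
$sendOnBehalf     | Export-Csv -NoTypeInformation "$SamAccountName-send-on-behalf.csv"
$grants           | Export-Csv -NoTypeInformation "$SamAccountName-permission-grants.csv"
$workstationUsers | Export-Csv -NoTypeInformation "$Workstation-logons.csv"
```

Run it from an elevated Exchange Management Shell on a machine that can read the Security logs remotely. The design choice worth noting is matching on the account's SID and distinguished name rather than its display name: a fictitious user can be renamed or re-created, but the SID recorded in the group-membership events is the one that was actually added to the group at the time.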
In the next blog, we will dissect the forensics process in detail.