Chances are Someone is Trying to Steal Your Organization’s Information
Randy Franklin Smith - March 29th, 2012
Chances are someone is trying to steal your organization’s information. Instead of expending all your effort in defensive posture controls, there are ways to actively seek out and disrupt attempts to steal your organization’s information. This is called counter intelligence and the exploits of the good old cold warrior, George Smiley, should be your hero. Seriously, John le Carré novels are a good place to start if you want to understand the concept.
Wikipedia describes counter-intelligence as “measures taken to detect enemy espionage or physical attacks against friendly intelligence services, prevent damage and information loss, and, where possible, to turn the attempt back against its originator. Counterespionage goes beyond being reactive, and actively tries to subvert hostile intelligence services”.
Employing counter-intelligence techniques is recognized as an important technique in defending against economic espionage. (Googling economic espionage and corporate counter-intelligence will provide loads of information on these important concepts.) For instance check out the FBI site’s section on economic espionage which states that “The Cold War is not over, it has merely moved into a new arena: the global marketplace. The FBI estimates that every year billions of U.S. dollars are lost to foreign and domestic competitors who deliberately target economic intelligence in flourishing U.S. industries and technologies.”
How can you implement counter-intelligence? It depends upon your role and scope within the organization. Is your mandate limited to cyber threats or information security in general? Either way, the first place to start is training employees. Wide scope training would include helping people understand elicitation techniques (aka social engineering). The bad guys know how to exploit someone’s desire to be polite, desire to be important or even someone’s tendency to correct others. The FBI even provides a brochure on elicitation techniques, how to detect and deflect them. Cyber scope training should help end-users be more information security aware with how they respond to email, phone calls and social networking contacts. Start by showing employees how they can be profiled by criminals who are a member of your organization through who to establish a “beach-head”. As the RSA advanced persistent threat of last year proves, the initial target doesn’t need to be someone with direct access to the desired information. So both management and the rank and file need to understand that everyone is a target. Provide your people with an easy way to report suspicious contact attempts whether from the cyber or “real” worlds.
But how can you take counter-intelligence to the next level? Here are 2 within the scope of cyber security. The first is an adaptation of the old honeypot server concept of the nineties used to research web server attacks. Take the same concept but apply it to the internal network and change the purpose to detection. There’s no need to set up a separate server – in fact it may be better not to. Instead, plant honeypot resources throughout your production systems.
For instance, on file servers, create special folders intermingled with real production file folders. In these honeypot folders put a collection of file formats such as MS Office documents, PDFs or other files specific to your industry – AutoCAD files for instance. You can create similar lists and document libraries in SharePoint or tables on database servers. Open up access permissions so that anyone can access them. (If possible allow access to list the contents without giving access to the actual content of the data. In Windows, this is the difference between List and Read access on a folder. This way it will be more difficult for attackers to recognize the data as being fake.) Then enable auditing on those honeypot resources and start monitoring attempts to access this data.
Remember that our goal is to catch outsiders whether in the form of an active human intruder or any type of malware designed to collect desirable information and send it back to the attacker. This particular operation is not designed to catch the dishonest insider. To prevent the audit system from being over whelmed with false positives caused by innocent employees they need to be trained recognize these honeypot resources for what they are and to stay out of them. Perhaps you include specific but bogus abbreviation in the name of all such resources like “ACT”. Employees that see “Transmogrifier Plans ACT” will know to avoid that folder even if there really is a Transmogrifier project at your organization. (If there is, please let me know because I would love to have one).
Here’s a more strategic counter-intelligence operation taken from the pages of The Spy Who Came in from the Cold. In this famous le Carré novel, British intelligence officer Alex Leamas is recalled to headquarters after his East Berlin spy network is rolled up by East German counter-intelligence officer Hans-Dieter Mundt. But instead of being assigned a desk job he is offered an opportunity to get revenge. In a brilliantly conceived plot he takes on the role of an embittered has-been, forced into retirement and betrayed by his own government – a tempting target for Mundt.
You can hang out tempting targets for your attackers too. In consulting projects we created fake corporate personas complete with email addresses, phone extensions, corporate directory entries and social networking presences. Given them key jobs in important departments. Too look real, these take some work and need regular updating. Monitor their voice mail and email and social network presence for messages. When you get activity from people inside or outside the organization, it’s like a fisherman getting a nibble on his line. It will take time to determine if it’s the species you are fishing for or just a passing nibble from someone innocent.
Chances are that your people are going to be targeted. Take advantage of that by putting your own Alec Leamas out there to distract and trap them. Chances are someone is going to penetrate your preventive controls. If you can detect them in your network before they get too far you are still ahead of the game. Maybe you can even waste their resources and time by feeding them misleading information and even eroding their credibility with their masters. Wouldn’t that be fun?