Harsh Behl is the Director of Product Management at Exterro, an e-discovery and information governance software provider. Based in London, Harsh has over a decade long experience in the cybersecurity realm and has spearheaded initiatives at his organization with hands-on experience in Data Analysis, Penetration Testing and Vulnerability Assessment, Encryption and Steganography software among others.
In an exclusive interaction with The Cyber Express, Harsh Behl discusses insider threats, roadblocks in internal investigations and how digital forensic solutions can help in-house investigations.
Here is an excerpt from the interview.
TCE: Why are insider threats both intentional and unintentional growing?
With new work models such as work from anywhere and bring your own device, organizations are challenged with gaining visibility into users and the level of access they have to critical business assets. Home networks are now the corporate network, which translates to more data generated and, subsequently more risk.
Gaining visibility into employee personal devices is again a challenge, and any compromise in the device poses a threat to work product or intellectual property. More remote endpoints have created more security vulnerabilities, and organizations have lesser access to data and collaboration between teams for investigations. Adding to these is the slow implementation of policies, procedures, and employee training initiatives in using digital forensic solutions for investigations. These factors have left businesses with the issue of not being able to identify and mitigate intentional and unintentional insider threats.
Most often, unintentional threats occur due to phishing or social engineering attacks. Threat actors are able to access information across the board, including that of contractors and third parties working for the business. Unintentional attacks could also occur when malicious code is deployed into the system of a remote employee with access to critical data.
Intentional attacks could occur due to an employee exiting the company or through a disgruntled one. It could also be employees who are incentivized to steal data, like in the case of the ransomware group Lapsus$. The group identifies malicious insiders to install malware before demanding a ransom. These are some of the most pressing concerns associated with insider threats.
TCE: Roadblocks to internal investigations that currently exist among organizations.
In-house investigations are becoming more collaborative irrespective of the industry or sector the business caters to. Staff who are not legal professionals are being drawn into investigations. For example, HR, finance, compliance, and legal departments now play a critical role in preserving and analysing data for investigations. When data is scattered across departments, home networks, the cloud and more, the investigation process becomes complicated and time-consuming. This is doubly difficult when organizations have to collaborate with outside counsel, contracted law firms or legal service providers.
With disparate sets of data scattered across various functionalities, managing data silos is challenging. In addition, gathering data individually from remote endpoints can become extremely time-consuming and expensive, posing massive hurdles to investigations. This is where digital forensics solutions come in. Software that can reduce the amount of time spent in gathering and analyzing data is reduced drastically, making it a more efficient and cost-effective choice.
TCE: What Anomalies Do You Typically Look for When a System Becomes Compromised?
Anomalies encompass a wide range of events. Exterro can identify several anomalies. For instance, we can look at any/all USB events specifying the USB devices connected to the system. We can also highlight any remote desktop connections, find out if a threat actor gained access over the system, and identify privilege escalation, i.e., if a user (without admin access) procured admin access.
We can detect such events and bring them to the attention of the users, helping them build upon their investigations.
Additionally, if the fraud in question is a malware, virus etc., We can identify the point of entry or the point of intrusion. We also look for the movement of the malware, its persistence, affected end points, giving us the ability to identify the process for remediation. Our remediation process analyzes the system data (such as registries), the memory and the volatile data running on the device.
In case of intellectual property theft or data exfiltration, we try to analyze human behavior in conjunction with the system data to correlate and corroborate the points that could lead to proving malicious intent of the users. For instance, we can identify if the user had leaked documents or any intellectual property of the company. While anomalies vary case by case, our process can answer who did what and when post breach.
TCE: How digital forensic solutions can help in-house investigations?
Over the last few years, cyberattacks and insider threats from current and past employees have increased. Globally, four in ten business leaders say existing employees pose a threat to data theft. This isn’t unfounded as 63% of employees exiting a company admitted to taking data from their respective workplaces. At a time when cyberattacks are on the rise, probing the incident is also often a challenging task. With these traits on the rise, organizations need a holistic investigation mechanism to identify and manage threats.
But a massive hurdle is legacy forensic technologies. These are hard to scale and create data silos. With investigations spanning innumerable endpoints, collating and analyzing data is a time consuming task. Existing forensic tools and technologies can’t perpetually deliver the efficiency required to complete the investigative workload. This is why businesses need integrated digital forensic solutions that foster collaboration, reducing data movement, longer timeframes and higher costs.
TCE: Why can digital forensics enable organizations in reducing risk brought on by insider threats?
Insider threats are an expensive affair. Globally, insider threats have increased by 40% over the last 2-3 years costing companies an average of $13 million. If not monitored properly, insider threats may go unnoticed for weeks and sometimes months. Businesses need the capacity to react quickly and efficiently to insider threats, requiring data to be collected from numerous endpoints across the network and remote locations quickly. And it must be done without detection. This data needs to be analyzed to gather actionable insights on how to remediate the situation.
Digital forensic solutions can help businesses perform all of these tasks. They enable organizations to become more proactive in detecting and avoiding insider threats. When integrated with SIEM tools to create a Security Orchestration Automation Response, digital forensic solutions can act as a guidebook for preventive measures before a breach can even occur. Data gathered from digital forensic solutions can aid SIEM tools to trigger workflows automatically and also reduce the risk of data breaches.
In the digital age, where businesses are generating petabytes of data, legacy investigation strategies become ineffective and costly. With powerful and flexible digital forensic solutions, organizations can tackle big, diverse data loads, work faster and scale bigger.
TCE: How can these solutions reduce the risk brought on by outsourcing investigations?
Any successful investigation requires untainted facts, which means forensically sound preservation, collection, analysis and review of data. When investigations are outsourced, they become expensive, time consuming due to multiple factors. Businesses would have to identify the right third-party vendor with expertise in digital forensics, while also relying on the third-party to conduct a forensically sound investigation. In addition, the third party must be given access to the company’s IT infrastructure and the devices that require data collection and analysis, opening up the attack surface further.
Interviewing relevant people for the investigation and verifying the information they provide with the data, contextualizing and analyzing mandates no margin of error. The outsourcing companies will also have to upload sensitive company data onto their own data centers to carry out the investigation. These factors add external contingencies to an investigation, posing greater risk of data theft. Integrated digital forensic solutions that are easy to use enable in-house teams to get to the facts of the case faster, quicker in a cost-effective manner. The evidence generated is forensically sound and businesses can avoid the risk of data movement and the use of non-defensible approaches of investigation that could render evidence inadmissible.
TCE: How Would You Monitor and Log Cyber Security Events?
While Exterro is a post-breach analysis company and does not partake in monitoring, we provide scanning options. Scanning could allow the users to look for indicators of compromise across the entire network.
Exterro runs these scans with the support of our automation capabilities, and if we find any anomalies/compromises, we can automate further investigation. We integrate with technologies such as SIEM (Security Information and Event Management) (SIEM) and SOAR (Security Orchestration, Automation and Response) from Palo Alto’s Splunk, which helps us add to the cyber infrastructure of an organization.