When the Swedish Transport Agency (STA) outsourced its IT operations to a third-party IT supplier back in 2015, the fallout was catastrophic. As it turns out, this seemingly low-profile governmental office was managing a huge amount of classified information, including data on military vehicles, protected identities and Sweden's register of drivers' licences. Although the Swedish Security Service highlighted that this represented a threat, the STA still went ahead and allowed its data to be accessed by third-party system administrators at IBM, without the necessary security clearances and processes in place.

The breach occurred during the privatisation of the STA's IT system. The outsourcing process at the STA meant many of the records relating to both military vehicles and people with protected identities were openly available to IT workers in eastern Europe. Details on security planning are also thought to have been made available. The incident shows a fundamental misunderstanding of the significance of information, and that anyone, including privileged users (whether they are third-party contractors or internal employees), is a potential risk.

According to the Verizon 2017 Data Breach Investigations Report, privilege misuse is the third most prevalent cause of data breaches. The moments directly after the discovery of a breach are crucial, and what you choose to do will determine both how your organisation recovers its reputation and how well it establishes what happened. So, what should you do in the immediate aftermath of discovering a third-party data breach to mitigate the fallout and avoid becoming the next STA?

Investigation phase one: proving the allegation

Immediately after receiving a police request relating to the breach, the security team must begin a comprehensive investigation looking for digital evidence of suspicious activity in the affected systems.

This involves first reviewing the logs of the compromised file server around the specified date and time. The logs should confirm that the admin suspected of compromising the organisation was logged into the server in question. However, if the logs don't show the detailed activity flow of the admin on the server, the analyst will need to continue the investigation for more reliable evidence, which can be carried out with Privileged Access Management (PAM) tools. These tools can help the analyst find the session recordings (replayable audit trails) of the suspected admin. The analyst can also find out whether or not the admin used typical file-moving applications within the Windows session (these include “explorer”, “total commander”, “winSCP”, “cmd.exe” and so on).

This first phase of investigation should be relatively rapid, as PAM tools can aid the aggregation and investigation of logs that would usually take days or even weeks. The searchable, video-like audit trails not only clearly show the malicious insider's activity, but the tamper-proof nature of network-based PAM technology means that the authorities are able to accept the audit trail as an authentic and reliable evidence source.

Phase two: adding analytics to look for other suspicious activity

The next two questions that need to be addressed are whether or not the privileged user's credentials have been stolen, and whether the theft of documents and other sensitive data was the only malicious activity that took place. To get the answers needed, the organisation can run historical data through an analytics tool.

For example, all of the session recordings concerning the suspicious insider can be analysed by the privileged account analytics engine. The analytics can then build a baseline of the privileged user's activities over a longer period of time. If the session being investigated shows no deviation from that baseline (the user logged in at the same time, from a familiar device, via the usual connection) except for opening a file-moving program, the analyst can draw the conclusion that, whilst carrying out regular maintenance work, the admin illegally transferred a classified document. Another clue is behavioural biometric identifiers, including keystroke dynamics and mouse-movement characteristics; any deviation here can be detected and analysed.
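The two investigation phases above can be expressed as a small triage script. The following is an added example written for this article, not Balabit's or any PAM product's code: it runs over constructed session-index records (the record shape, the executable names used as file-transfer indicators, the user, server and timestamps are all assumptions) and shows phase one, locating the suspect admin's session on the file server around the reported time and listing file-moving tools launched in it, followed by phase two, building a baseline from the admin's historical sessions and reporting which attributes of a session under review deviate from it, including a crude keystroke-dynamics check.

```python
"""Triage of privileged-session audit records (constructed sample data)."""
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Hypothetical executable names standing in for the file-moving applications
# the article lists (explorer, total commander, winSCP, cmd.exe).
FILE_TRANSFER_TOOLS = {"explorer.exe", "totalcmd.exe", "winscp.exe", "cmd.exe"}

# Constructed records in the shape a PAM session index might export.
# "key_latency_ms" is a constructed stand-in for a keystroke-dynamics feature
# (mean inter-key delay) that a real analytics engine would derive from the recording.
HISTORY = [
    {"id": "s01", "user": "admin7", "server": "fs01", "start": "2017-01-30T21:58:00",
     "device": "WS-ADM-07", "src_ip": "10.20.1.7", "processes": ["mmc.exe"], "key_latency_ms": 160},
    {"id": "s02", "user": "admin7", "server": "fs01", "start": "2017-01-31T22:05:00",
     "device": "WS-ADM-07", "src_ip": "10.20.1.7", "processes": ["mmc.exe", "explorer.exe"], "key_latency_ms": 158},
    {"id": "s03", "user": "admin7", "server": "fs01", "start": "2017-02-01T21:50:00",
     "device": "WS-ADM-07", "src_ip": "10.20.1.7", "processes": ["services.msc"], "key_latency_ms": 165},
    {"id": "s04", "user": "admin7", "server": "fs01", "start": "2017-02-02T22:10:00",
     "device": "WS-ADM-07", "src_ip": "10.20.1.7", "processes": ["mmc.exe"], "key_latency_ms": 162},
    {"id": "s05", "user": "admin7", "server": "fs01", "start": "2017-02-03T21:55:00",
     "device": "WS-ADM-07", "src_ip": "10.20.1.7", "processes": ["eventvwr.exe"], "key_latency_ms": 159},
]
# Session the police request points at: normal time, device and connection,
# but a file-transfer client was launched.
SUSPECT_SESSION = {"id": "s06", "user": "admin7", "server": "fs01", "start": "2017-02-06T22:03:00",
                   "device": "WS-ADM-07", "src_ip": "10.20.1.7",
                   "processes": ["mmc.exe", "explorer.exe", "winscp.exe"], "key_latency_ms": 161}
# A second session that looks like someone else using the admin's credentials.
STOLEN_CRED_SESSION = {"id": "s07", "user": "admin7", "server": "fs01", "start": "2017-02-09T03:14:00",
                       "device": "LAPTOP-X1", "src_ip": "192.0.2.44",
                       "processes": ["cmd.exe", "winscp.exe"], "key_latency_ms": 95}
ALL_SESSIONS = HISTORY + [SUSPECT_SESSION, STOLEN_CRED_SESSION]


def parse_ts(value):
    return datetime.fromisoformat(value)


def sessions_in_window(sessions, user, server, reported, tolerance=timedelta(hours=2)):
    """Phase one: sessions of `user` on `server` that started within `tolerance` of the reported time."""
    return [s for s in sessions
            if s["user"] == user and s["server"] == server
            and abs(parse_ts(s["start"]) - reported) <= tolerance]


def file_transfer_tools_used(session):
    """Phase one: file-moving applications launched inside the recorded session."""
    return sorted(p for p in session["processes"] if p.lower() in FILE_TRANSFER_TOOLS)


def build_baseline(history):
    """Phase two: summarise the user's usual login hours, devices, connections, tools and typing rhythm."""
    latencies = [s["key_latency_ms"] for s in history]
    return {
        "hours": {parse_ts(s["start"]).hour for s in history},
        "devices": {s["device"] for s in history},
        "src_ips": {s["src_ip"] for s in history},
        "tools": {t for s in history for t in file_transfer_tools_used(s)},
        "latency_mean": mean(latencies),
        "latency_sd": pstdev(latencies) or 1.0,  # avoid division by zero on a flat baseline
    }


def deviations(session, baseline, z_threshold=3.0):
    """Phase two: attributes of `session` that do not match the baseline."""
    found = []
    if parse_ts(session["start"]).hour not in baseline["hours"]:
        found.append("login_hour")
    if session["device"] not in baseline["devices"]:
        found.append("device")
    if session["src_ip"] not in baseline["src_ips"]:
        found.append("src_ip")
    new_tools = set(file_transfer_tools_used(session)) - baseline["tools"]
    if new_tools:
        found.append("file_transfer_tool:" + ",".join(sorted(new_tools)))
    z = abs(session["key_latency_ms"] - baseline["latency_mean"]) / baseline["latency_sd"]
    if z > z_threshold:
        found.append("keystroke_dynamics")
    return found


if __name__ == "__main__":
    reported = datetime(2017, 2, 6, 22, 0)
    for s in sessions_in_window(ALL_SESSIONS, "admin7", "fs01", reported):
        print("phase one:", s["id"], "file-moving tools:", file_transfer_tools_used(s))
    baseline = build_baseline(HISTORY)
    for s in (SUSPECT_SESSION, STOLEN_CRED_SESSION):
        print("phase two:", s["id"], "deviations:", deviations(s, baseline))
```

The suspect session comes back with a single deviation, the launch of a file-transfer client, which is exactly the pattern the article describes for an insider moving data during otherwise routine maintenance; the second constructed session trips the login-hour, device, connection and keystroke-rhythm checks at once, the pattern that points towards stolen credentials rather than the account's legitimate owner.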

Third-party system administrators are typically unknown to an organisation, yet they are trusted with very high or even unrestricted access to IT systems and applications. Government organisations that are responsible for large amounts of highly sensitive information must ensure that, if they are trusting a third-party IT supplier, they have a comprehensive privileged access management strategy in place, including technology that enables rapid incident response in the event of a third-party breach.

Contributed by Csaba Krasznay, security evangelist, Balabit

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.