By Mike Wood, Engineer at CounterTack
CounterTack’s goal is to provide Endpoint Security Teams the ability to quickly identify and understand the state of an endpoint. Security Teams are more often than not tasked with trying to identify whether a user's action is truly "insider threat" malicious or whether they just have poor security habits. Last month the press reported that IBM banned the use of USB storage devices throughout their organization. Their statement called out devices such as flash drives and SD cards: IBM’s Chief Information Security Officers (CSIO) Shamla Naidoo stated that these devices are too large of a risk to intellectual property (IP). In IBM's case they are attempting to mitigate the risk of their employee’s copying IPs to storage devices and either losing it in a coffee shop, airport, or (worst case scenario) selling that IP to a competitor.
If users become part of an investigation due to their activities, companies have to spend countless hours investigating and forensically reviewing computers and logs to document the users’ actions to build a case. CounterTack’s Endpoint Protection Platform (EPP) has the ability to aid Security Teams to identify what has transpired on their endpoints in real time. EPP gives Security Teams the ability to track removable devices and data that has been copied from these devices. Insider Threat teams can leverage this information to understand intent of a user. The behavior for “File Created on Remote Drive” enables Insider Threat Teams to quickly find users who are using removable drives in their environment (Figure 1.0).
Figure 1.0 showing behavior “File Created on Removable Drive”
Investigators can quickly see what was copied onto the drive (Figure 1.1).
Figure 1.1 Shows expanded view of the Behavior with additional details.
We see in the expanded view that a word document named “CounterTack_Contract_V1.3.docx” was created on this drive. The device information “M-Syst5” product name “Dell Memory Key” is captured and presented. At this point the analyst can click on the file, “Show Card”, and gain more details on the file (Figure 1.2).
Figure 1.2 Shows File Path, Endpoint information, Created by, Device Information, and Intelligence. It also shows a drop-down of the actions that can be performed: Extract File, Delete File, and Search for the File.
Analysts can “Extract File” to analyse the file to determine risk of the user who copied the file to the drive. If this key IP document is determined to be risky, analysts can take actions and “Delete File”. Analysts can also search for the file across the environment to help determine the risk and how many other users and endpoints have this document. We can also gather the scope of how many other endpoints this removable drive have be used on by clicking on “vendor”, “Product”, or “Serial Number”. It will search the database to see if the device has been used elsewhere in the environment (Figure 1.3).
Figure 1.3 Shows the search for “events.device_name= “My-sysT5”.
In the above Figure 1.3 we have seen the device on another system and a timeline of the activity. In this case it appears that when we examined the events from 2018-06-07 the user copied a word document “CounterTack_Contract.v1.docx” (Figure 1.4).
Figure 1.4 Shows an expanded view from search results on a different endpoint, same drive.
As we pivot back to original endpoint Lab3 we can drill into the events. We see that the user copied the “CounterTack_Contract.v1.docx.” from the device, made some edits, and renamed it “CounterTack_ConTract.V1.3.docx.” on the desktop, then moved it to the device (Figure 1.5).
Figure 1.5 Shows tracking of the file create, read and delete of files and file paths and names.
EPP empowers Security Teams and Insider Threat Teams to understand the events that are happening on an endpoint and provide full context of users and endpoint behaviors. This insight gives them the ability to make educated decisions on next steps in their investigation playbooks.