Investigating Large-Scale Data Breach Cases

Introduction
• Data breaches is an incident in which
sensitive, protected, or confidential data has
potentially been viewed, stolen, or used by an
individual unauthorized to do so.
• Data breaches may involve payment card
information (PCI), personal health information
(PHI), personally identifiable information (PII),
trade secrets, or intellectual property
• Yahoo
• Date: 2013-14
Impact: 3 billion user accounts
Details: Yahoo announced in September 2016 that in 2014 it had
been the victim of what would be the 
biggest data breach in history. The attackers, which the company
believed we “state-sponsored actors,” compromised the real
names, email addresses, dates of birth and telephone numbers of
500 million users. Yahoo claimed that most of the compromised
passwords were hashed.
• Then in December 2016, Yahoo disclosed another breach from
2013 by a different attacker that compromised the names, dates of
birth, email addresses and passwords, and security questions and
answers of 1 billion user accounts. Yahoo revised that estimate in
October 2017 to include all of its 3 billion user accounts.
 Investigation Approach

• Set Investigation Control Points

• Manage the Unknown Unknowns
• Information Flow and Data Discovery Exercise
• Network Discovery
• Accurately Scope Evidence and Acquisition
• Leverage Fraud Data
 1.Set Investigation Control Points

• An investigation control point is a high-level policy

decision that serves to focus the investigator on
management goals for the investigation process .
• Different parties involved in an investigation will likely
have different goals for the end product of that
investigation.
• Setting investigative control points up front will remove
any ambiguity around actions taken by anyone involved
 1.Set Investigation Control Points
• Common control points :
• Identification and preservation of evidence
• Determination of scope of data exposure
• Identification of intruders
• Remediation (Solution)
 1.Set Investigation Control Points
• Each of these investigation control points
should represent progressive operational
phases of the investigation, set by priority and
practicality
 1.Set Investigation Control Points
• The goals for an investigation could be
(1) to determine whether a physical or technical breach of the systems
environment occurred, and if so, the extent to which the security
breach resulted in a compromise of sensitive data;
(2) to identify the extent to which sensitive data had been retained on
affected systems and were thus at risk;
(3) to find any further details of evidentiary value relative to a possible
data compromise with specific regard to information derived from
the known fraud pattern analysis;
(4) to transition relevant case evidence to law enforcement ---set the
stage for prosecution;
(5) to identify the technical vulnerabilities that facilitated the breach;
(6) to remediate these vulnerabilities.
2.Manage the Unknown Unknowns

• In most large-scale data breach investigations, the case

investigator will be faced with one or more “unknown
unknowns.”
• Most investigations will lead to the discovery of
previously unknown, overlooked(fail to notice), or
forgotten assets.
• These are referred to as unknown unknowns, because
not only did the victim organization not know they
existed, they did not even know there was a possibility
for them to exist
2.Manage the Unknown Unknowns
 2.Manage the Unknown Unknowns

• In conducting interviews with key personnel during the

course of an investigation, there is a statistical likelihood
that the individual will leave out key information – not
because he or she is hiding information, but simply
because the person does not know better .
• An investigator should always validate information
gleaned(gathered) from interviews and existing
documentation; this can be accomplished with an
Information Flow and Data Discovery Exercise
 3 Information Flow and Data
Discovery Exercise
• This assessment includes a review of the at-risk data flow at
the organization from the initial entry point into that
organization.
• The investigator should identify any and all systems that the
data in question touches, why it touches that system, and
whether it is retained on that system.
 3 Information Flow and Data
Discovery Exercise
• The objective is to identify the individual systems
and network devices where the sensitive data may
have been at risk of compromise.
• Interviews with key personnel at the victim
organization should be compared against a physical
examination of the network environment.
• This examination should give investigators
a clear understanding of the information flow and
the security measures in place around the data that
was compromised
 3 Information Flow and Data
Discovery Exercise
• A data discovery exercise may need to
be conducted whereby all integral systems
and servers that process, store, or transmit
sensitive data should be reviewed
periodically for old content and data
structures
 3 Information Flow and Data
Discovery Exercise
• During many investigations, investigators are able
to discover that plain-text sensitive
information was accessed by intruders that the
victim organization was unaware even existed .
• In conducting data discovery, many investigators
heavily rely on the use of the regular expression
parsing utility named GREP(for searching plain
text data)
 3 Information Flow and Data
Discovery Exercise

• The analysis of these types of “unknown

unknown” data during a data breach
investigation can often be overlooked(fail to
notice) by case investigators who fail to
validate information gleaned from interviews.
 4 Network Discovery
• In conjunction with an Information Flow and
Data Discovery Exercise, the case investigator
should work with the victim to conduct a full-
scale network discovery.
• Investigator should done the victim
organization network mapping .
• The existence of unknown company assets
and/or network devices can often be a lead
that makes or breaks an investigation
 4 Network Discovery
• At the culmination(end point) of the
investigator’s mapping exercise, a comparison
should be made between the investigator’s
documented network topography and the one
the victim organization has documented
 5.Accurately Scope Evidence
and Acquisition
• Given the results of the Information Flow and
Data Discovery exercises, the investigator should
have a fair idea of the systems within the
affected environment that fall in scope for an
investigation.
• Specifically, those systems that store, retain, or
transmit the data that were compromised should
fall directly into scope for the investigation
 5.Accurately Scope Evidence
and Acquisition
• Any systems that maintain direct access to
systems storing the affected data should fall into
scope as well
• Investigator should defer to law enforcement to
determine the operational scope of the
investigation.
• The investigator should be ready for law
enforcement to deem(consider) all systems
within a given environment into scope for
analysis
 6 Detect and Manage
Misinformation
• In the midst of a large-scale data breach scenario, many
organizations move into informational lockdown.
• This move can be to limit media exposure of
the event, to reduce liability based on the information that
was compromised, or simply the result of multiple internal
personnel working to remain gainfully employed.
• Unfortunately, this reluctance to share
accurate information or to deliberately share misinformation
can often adversely affect investigative efforts.
 6 Detect and Manage
Misinformation
• The strongest tool an investigator has to manage
and mitigate(lessen) misinformation is his or her
ability to validate claims made by on-site
personnel.
• To consistently negotiate misinformation, an
investigator should always work to
validate statements made during the interview
process, through both physical and technical
examination
 7.Leverage Fraud Data
• Organizations became aware of a potential
problem by an overwhelming(large) amount of
fraud occurring against data tied to their systems,
investigators can often leverage(use max) that
fraud data in conducting the investigation
• The fraud data, given the time frame that it was
known or suspected to have passed through the
victim’s systems, might provide a basic timeline to
give some insight as to when a breach may have
taken place
 Leverage Fraud Data
• By parsing(resolve into components) known fraud
data against data
discovered during the information flow mapping
and data discovery exercise, an investigator can
determine a relative hit ratio of fraud data versus
data retained on affected systems.
• Higher ratios, and ratios that are close to 100%,
might signify that the investigator has
discovered the exact data that was
exfiltrate(removed) from victim systems