Log analysis can reveal a lot of security mistakes and failures, and quite a few security sins, too.
Take, for example, the incident recently shared by Verizon’s Risk Team: called in by a critical infrastructure company to investigate what seemed to be a breach of its networks at the hands of China-based hackers, the team ended up uncovering a complex scam perpetrated by one of the company’s most respected employees.
“We received a request from a US-based company asking for our help in understanding some anomalous activity that they were witnessing in their VPN logs. This organization had been slowly moving toward a more telecommuting oriented workforce, and they had therefore started to allow their developers to work from home on certain days. In order to accomplish this, they’d set up a fairly standard VPN concentrator approximately two years prior to our receiving their call,” explains Verizon’s Andrew Valentine.
The company had started monitoring the logs generated by the VPN concentrator and discovered an open and active VPN connection from Shenyang, China, to one of its employees’ workstations. What’s more, the logs showed the same VPN connection being established almost every day for months before.
Fearing that some unknown malware was being used to route traffic from a trusted internal connection to China and back – the only way they could explain the fact that the VPN connection from China was successfully authenticated – they called in Verizon’s team to investigate.
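As an added illustration, not part of Verizon’s write-up or of this article, here is the kind of check that surfaces exactly what the company saw in its VPN logs: a pass over concentrator authentication records that flags successful logins from outside the countries an employee is expected to work from, and only when they recur across several days. The log line format, the prefix-to-country table and the thresholds are assumptions; a real deployment would read the concentrator’s actual syslog format and a GeoIP database.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of VPN concentrator auth log lines (invented format, not a real product's).
SAMPLE_LOG = """\
2012-11-05T08:58:12Z vpn-gw1 AUTH user=bob src=203.0.113.77 result=success
2012-11-05T09:01:40Z vpn-gw1 AUTH user=alice src=198.51.100.14 result=success
2012-11-06T08:57:03Z vpn-gw1 AUTH user=bob src=203.0.113.77 result=success
2012-11-07T09:02:55Z vpn-gw1 AUTH user=bob src=203.0.113.80 result=success
2012-11-07T23:14:09Z vpn-gw1 AUTH user=carol src=203.0.113.5 result=failure
2012-11-08T08:59:31Z vpn-gw1 AUTH user=bob src=203.0.113.77 result=success
"""

# Constructed prefix-to-country table standing in for a real GeoIP database.
GEO_TABLE = [(ip_network("198.51.100.0/24"), "US"), (ip_network("203.0.113.0/24"), "CN")]

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ AUTH user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")


def country_for(ip):
    """Map a source address to a country code via the constructed table ('??' if unknown)."""
    addr = ip_address(ip)
    return next((cc for net, cc in GEO_TABLE if addr in net), "??")


def find_recurring_foreign_logins(log_text, allowed_countries=("US",), min_days=3):
    """Return {user: {country: [dates]}} for successful VPN authentications that
    originate outside allowed_countries and recur on at least min_days distinct days.
    Failed attempts are ignored on purpose: the signal is a *working* credential
    used from an unexpected place, day after day, as in the Verizon case."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "success":
            continue
        cc = country_for(m["src"])
        if cc in allowed_countries:
            continue
        day = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").date()
        seen[m["user"]][cc].add(day)
    findings = {}
    for user, per_cc in seen.items():
        hits = {cc: sorted(d.isoformat() for d in days)
                for cc, days in per_cc.items() if len(days) >= min_days}
        if hits:
            findings[user] = hits
    return findings
```

On the sample above only "bob" is reported, with four consecutive working days of successful authentication from the CN prefix; the single failed attempt by "carol" from the same range is noise and is not flagged.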
“Central to the investigation was the employee himself, the person whose credentials had been used to initiate and maintain a VPN connection from China,” shares Valentine.
He was a software developer in his mid-40s, versed in a number of programming languages, a family man, and a long-time employee of the firm. He was “inoffensive and quiet”, “someone you wouldn’t look at twice in an elevator.”
But, as it turned out, he wasn’t as inoffensive as they believed at first glance.
After analyzing a forensic image of the employee’s desktop workstation and finding on it hundreds of .pdf invoices from a third-party contractor/developer in Shenyang, they came to a shocking conclusion: the employee – whom they dubbed “Bob” – had only been pretending to work. In reality, he had outsourced his job.
“Bob spent less than one fifth of his six-figure salary for a Chinese firm to do his job for him. Authentication was no problem, he physically FedExed his RSA token to China so that the third-party contractor could log in under his credentials during the workday. It would appear that he was working an average 9 to 5 work day,” Valentine writes.
If you were wondering what “Bob” did with all his free time, the answer is: surf the Internet. He spent hours upon hours browsing Reddit and eBay, watching cat videos on YouTube, and updating Facebook and LinkedIn. He stopped only for lunch, and took his time to fire off an update e-mail to management at the end of his “working” day.
“Evidence even suggested he had the same scam going across multiple companies in the area. All told, it looked like he earned several hundred thousand dollars a year, and only had to pay the Chinese consulting firm about fifty grand annually,” Valentine revealed.
But the most interesting thing to note is that no one spotted the deception earlier. The company’s Human Resources department consistently gave him glowing performance reviews because he apparently wrote clean code and submitted it on time.
“We have yet to see what impact this incident will have, but providing programming code used to run critical national infrastructure providers’ systems to off-shore firms seems dangerous at best,” Nick Cavalancia, VP at SpectorSoft, commented on the revelation for Help Net Security. “What many organizations fail to understand is that with proactive monitoring that can alert IT security teams when unacceptable online behaviors occur, this type of activity can be thwarted before it becomes an incident.”