GE trade secret theft case demonstrates need for document behavior monitoring

A former GE engineer and a Chinese national have been formally charged with 14 counts of economic espionage by the U.S. Department of Justice after stealing trade secrets from GE. The indictment describes the calculated theft of sensitive documents related to the proprietary design of GE’s gas and steam turbines.

According to the unsealed indictment, the engineer at GE Power & Water in Schenectady, New York “exploited his access to GE’s files by stealing multiple electronic files, including proprietary files involving design models, engineering drawings, configuration files, and material specifications having to do with various components and testing systems associated with GE gas and steam turbines.” This employee then sent these exfiltrated files via email to a Chinese businessman. The pair allegedly used the stolen GE trade secrets to “advance their own business interests in two Chinese companies.”

This isn’t a new story, but a continuing one. Industrial espionage by state actors like this have a long history. The problem is, it’s far too easy for internal bad actors to carry out these schemes because most organizations are focused primarily on monitoring and responding to external threats to pay much attention to what’s happening on the inside.

However, there are behavioral markers that can serve as early indications of an internal threat: people with legitimate access who behave in ways that put our data, our systems, our organizations, and even our businesses’ viability at risk. This is what the user behavior analysis (UBA) products are supposed to do. It is not clear whether GE deploys a UBA solution, or whether their deployed system failed. In either case, the problem of stolen documents will worsen when cloud storage is involved in storing and sharing corporate secrets.

Masqueraders vs. traitors

In 2009, I was part of a team assembled by the Institute for Information Infrastructure Protection at Dartmouth College (with funds from the US Department of Homeland Security) who conducted a research project exploring ways to understand and address the insider threat. We performed a carefully-designed experiment to see whether malicious insiders have different behaviors from innocent users. Setting aside users who stumbled across sensitive data that wasn’t meant for them – the unintentional or accidental threat – our research separated the bad actors into two core groups:

1. Masqueraders: Users who acquire legitimate credentials from inside users to gain access to internal data (e.g., Snowden).

2. Traitors: Adversaries using their own level of access to steal data.

In the case of masqueraders, we can deduce that an individual user knows their own file system well enough to search in a limited, targeted and unique fashion in order to find information germane to their current task. In other words, a normal individual user performs tasks and accesses files in a predictable and unique fashion. In the case of a masquerader who has stolen another user’s credentials, that person will likely not know the file system and layout of another user’s desktop and certainly not the target user’s behavior.

The behavior presented by a masquerader includes searching more extensively and broadly across file folders and documents based on file or folder names. It’s the digital equivalent of “casing the joint” in search of the desired treasure trove of information. To the well-trained eye of an experienced security analyst, this should sound an alarm of activity that’s very different from the behavior of the user being impersonated. But an automated active authentication system can do the job far easier, faster and more accurately.

A traitor is more difficult to spot, but there are certain markers that can send up a signal of nefarious activity. Behaviors such as suddenly downloading an unusually high number of documents or searching for files that are within that user’s security permissions, but outside the scope of their daily work, are telltale signs.

Research indicates that that the traitor scenario is rarer than the masquerader. Credential theft is the most likely means of a bad actor impersonating a legitimate user, handed the keys to do so without much effort. The ensuing losses and damage all point the finger in one direction: the legitimate, sloppy insider who either chose a bad password that is easy to guess, shared with a colleague, or simply lost due to exposing the credential on a deceptive webpage. In most cases, the real threat is insecure authentication. Two-factor authentication helps substantially, but like any user facing technology, it too will and has failed. That’s why monitoring the way your internal users access, download and share files is so important.

So, now that it is well established that internal theft remains a serious security threat, what can be done about it?

Detection and forensics: Unmasking the internal threat

Attribution of an attacker has long been a challenge for enterprise security teams. Masqueraders are very good at hiding their tracks, making it nearly impossible to reach their actual source location. Making matters even more complex is the dominance of the public cloud as a repository for enterprise files. Yes, the cloud is improving collaboration and productivity in unprecedented ways, but companies are now moving data to the cloud at a faster rate than they can secure it. Public cloud shares open the door for easier exfiltration by simply sending a link to the document stored in the cloud to a remote actor in a (encrypted) text message, for example.

Fortunately, there are emerging methods and technologies that can help reveal these adversaries more accurately, even when documents have been downloaded or shared from the cloud. Advances in telemetry and geofencing technologies offer the potential to track sensitive data at the file level, revealing the location and activity of recipients of stolen documents. These can be employed strategically by placing decoy documents that serve as tripwires in sensitive locations to provide high-value indicators of a bad actor at work.

Additionally, most of today’s public cloud sharing platforms offer activity logs detailing which files have been accessed, downloaded and shared. Cloud logs provide an enormous amount of valuable information from which proper analytics can extract indicators of data theft.

When telemetry, geofencing and cloud log activity features are combined in a well-engineered, analytics-driven system, security teams can continuously score the risks of activities leading to potential data loss alerts by analyzing document access and sharing activities, even after a document has been downloaded by a seemingly legitimate user.

Additional controls on cloud storage platforms such as Microsoft OneDrive and Google Drive can improve the way businesses secure corporate secrets. Leveraging cloud log data flow analysis and applying telemetry and geofencing to high-value documents can make it harder for internal bad actors to exfiltrate their ill-gotten gains, and to stay anonymous.

Don't miss