This article can also be found in the Premium Editorial Download "Information Security magazine: How to dig out rootkits."
Tracking an Insider
A former employee left many traces as he hacked his company.
The investigation began like any other, with a phone call. A high-tech company believed an intruder had broken into its network.
"The first step I took was to find out as much as I could. ... That involved asking them for their logs and anything they could provide me that could lead us to what actually happened," says Shelagh Sayers, FBI supervisory special agent.
Like other agents investigating computer intrusion cases, she sat down with company officials, asked a lot of questions and inspected computer logs for anomalies.
In the end, the case didn't require complicated forensics, Sayers says. Roman Meydbray, a former network administrator of Creative Explosions, a Scotts Valley, Calif.-based software company, had broken into the firm's computer system.
According to federal court records, Meydbray gained unauthorized access into the network from his San Jose home within two weeks of being fired in 2003. He deleted an email server domain, accessed the company president's email account, and made configuration changes to the mail servers that caused emails to be rejected.
Court documents cite evidence that proved the case: ISP records linked the intrusion to Meydbray's IP address; his computer, which was seized from his home when officials executed a federal search warrant, indicated his access of the president's email and deletion of the email server domain; and company logs confirmed his IP address was used to access the president's unopened email. He pleaded guilty to one count of unlawful access to stored communications and one count of unauthorized access to a computer and recklessly causing damage.
Sayers says companies need to have a plan in place before an incident occurs, including having logging enabled and policies on revoking employees' access upon termination.
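As an added illustration of the logging and access-revocation advice above (this is not code from the article or from any party it describes), the following Python script checks access-log lines against a termination roster and flags activity by accounts that should already have been disabled, then lists the source IPs involved for correlation with ISP records. The log format, the roster and the sample lines are constructed assumptions.

```python
"""Flag access-log entries made by accounts after their termination date.

The log format assumed here is hypothetical: one entry per line,
"<ISO timestamp> <user> <source IP> <action ...>". Roster and sample
lines are constructed for this example and do not come from any real system.
"""
from datetime import datetime

# Constructed roster: account name -> date access should have been revoked.
TERMINATED = {"radmin": datetime(2003, 1, 10)}

# Constructed sample log. The first line is legitimate (before termination);
# the next two are post-termination activity from a home connection.
SAMPLE_LOG = """\
2003-01-08T09:12:01 radmin 192.0.2.10 login
2003-01-20T23:41:07 radmin 198.51.100.7 read-mailbox president
2003-01-21T00:03:55 radmin 198.51.100.7 delete-domain example.test
2003-01-21T08:15:00 alice 192.0.2.22 login
"""


def parse_line(line):
    """Split one log line into its fields; the action may contain spaces."""
    ts, user, ip, action = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "action": action}


def post_termination_access(log_text, roster):
    """Return entries where a terminated account acted after its cutoff date."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        cutoff = roster.get(entry["user"])
        if cutoff is not None and entry["ts"] > cutoff:
            hits.append(entry)
    return hits


def source_ips(hits):
    """Distinct source IPs behind the flagged entries, for ISP correlation."""
    return sorted({h["ip"] for h in hits})


if __name__ == "__main__":
    flagged = post_termination_access(SAMPLE_LOG, TERMINATED)
    for h in flagged:
        print(f"{h['ts'].isoformat()} {h['user']} from {h['ip']}: {h['action']}")
    print("source IPs to correlate with ISP records:", source_ips(flagged))
```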
Also, a business shouldn't assume the investigator it calls to an incident is going to be an expert on its network, she says. "You're depending on someone knowledgeable to tell you how their network architecture is set up or what particular items in a log might mean."
In the Creative Explosions case, like most other computer intrusion cases, FBI agents didn't shut down the business during their investigation, Sayers says.
"We work extremely hard with the victim company to not further victimize them. We'll take every step to ensure their business is not interrupted," she says.
This was first published in September 2007