Our specialists can quickly assess the situation and formulate an incident response plan. We can rapidly deploy state-of-the-art incident response software and hardware to determine whether an intrusion did in fact occur. If there is a likelihood that the network has been penetrated, we deploy detection tools to determine what took place and how.
We utilize a proven incident response playbook to determine which systems are affected, how the attackers gained entry, and where their command and control facilities are. Once enough information is obtained, the next step is a total containment action wherein we cut the communication channels to the command and control servers and contain the incident. Next is the total remediation and eradication of the malware on the affected systems, followed by a period of monitoring to ensure that the threat is totally eliminated. We have responded to time-sensitive cases regarding network infiltrations ranging from those based on employee negligence to highly-orchestrated government sponsored attacks.
As we depend more and more on digital communications such as email and text messaging for the exchange of ideas, the landscape of Signals Intelligence (SigInt) is changing rapidly. Now, rather than going through the trouble of gaining physical access to the target premises to install audio bugs, threat actors prefer to install monitoring software on computers and mobile devices to intercept email and text communications, as well as listen to room conversations when needed. When a simple commercial spyware program is installed on a mobile phone, it allows the attacker to intercept all the data and voice communications of the device, in addition to turning the device into an audio bug for eavesdropping on ambient conversations. Simple, commercial-grade spyware installed on a computer can effectively serve the same purpose. Furthermore, an attacker can install such software from across the ocean.
Unfortunately, detection of such threats takes quite a bit of technical knowhow and technology. Delta Strategic Solutions can perform a “sweep” of a network, computer, or mobile phone where we can detect unauthorized intrusions and identify malware. This can be in the form of a comprehensive sweep of the client’s network and individual components, targeting surreptitious monitoring software and hardware, or a simple sweep of a mobile phone. The sweep is conducted utilizing state-of-the-art detection equipment, forensic software and hardware, and methodologies that are built upon a solid foundation of cybercrime investigative experience.
With the use of certain spy software (‘spyware’), a mobile device may be transformed from an indispensable piece of daily life to a weapon actively working against the owner. A compromised cell phone can be tracked, used to eavesdrop on phone calls as well as physical surroundings, and enable a perpetrator to view all text messages, chats, emails, pictures, videos, and social media activities, among other data. Similarly, a commercial-grade malware installed on a desktop or a laptop computer will allow the attacker to monitor all of the user’s activities ranging from emails and chats to personal documents. In addition, spyware are often able to activate the computer’s camera and microphone to record surroundings of the computer surreptitiously. Our investigators have worked with mobile phones manufactured by every major brand and know what to look for on these devices.
Perhaps the most serious threat to an organization’s crown jewels originates from within. We separate internal threats into two categories: a) professional spies, and b) employees who became rogue at some point. Investigation of authorized users’ unauthorized activity requires special tools and techniques. We have successfully investigated all forms of insider threats regardless of the sophistication of the adversary. When people in the industry speak about APTs, they neglect to mention the possibility of APTs infiltrating organizations not via cyber-attacks, but by placing professional spies as employees. This is an ever-present danger and, on several occasions, our investigations have revealed that we were not simply dealing with employee misconduct, but with a calculated set of actions taken by an extremely skilled perpetrator.
We have successfully caught professional spies, as well as exonerated wrongfully accused employees. We have uncovered an employee working at a research and development section of a company launching attacks from his workstation on other researchers’ workstations to gain access to their programs and models. We have witnessed an employee installing ‘key loggers’ on other employees’ workstations. This broad range of situations has made us experienced, skilled, and well-equipped to deal with any form of internal threat regardless of the sophistication of the adversary.
The typical internal threat, however, is the employee’s desire to gain a competitive advantage on the marketplace or to attain more favorable employment. The theft of intellectual property is a mission that can easily be completed, often by copying someone else’s idea or product, or by stealing a company’s crown jewels. Organizations are generally ill-equipped to detect unauthorized activity by an authorized user. The vast majority of internal misconduct simply goes undetected. Those cases that are detected are generally identified either accidentally, or when it is too late. An employee may have a planned course of action to steal data over a long period of time or, more commonly, to begin copying sensitive data near their date of departure from the firm. Theft of intellectual property can reap terrible consequences for an organization, especially if the data reaches a competitor. Our investigators have consistently uncovered evidence of theft of intellectual property and trade secrets where the perpetrator(s) used advanced tools to conceal their actions.
Organizations face high-technology threats on a daily basis. There are common attack vectors used in these types of attacks from external threats: phishing attacks involve cloned websites designed [by data thieves] to extract confidential information from employees, social engineering tactics are designed to manipulate employees into disclosing private data, and employee smart phones, used as doors to your network, can be utilized to compromise critical systems. Oftentimes, firms may be faced with a rather formidable adversary carrying out these attacks. These threats can range from “script kiddies” to organized criminal groups and Advanced Persistent Threats (APTs).
We at Delta Strategic Solutions were combatting APTs far before the term ‘APT’ was created. At the time, we called them “sophisticated adversaries” and our founder Mr. Demirkaya has lectured and published on the subject as early as 2001, warning industry professionals on the growing trend of organized and government-backed adversaries. We have responded to many intrusions wherein we were able to quickly identify that an APT was behind the attack. The intention of an APT attack is to steal sensitive data rather than cause damage to the network or organization. Usually, APT attacks target organizations with a high volume of sensitive data, such as those in the national defense, manufacturing and financial industries. These attacks are carried out not by lone individuals, but by government entities, criminal organizations, and even terrorist groups; these groups have powerful incentives to infiltrate key business networks.
The Delta Strategic Solutions incident response team is quick to deploy our tools and vast knowledgebase to provide an overwhelming reaction to combat these threats. What makes APTs formidable is not necessarily the sophistication of their attack tactics but rather their persistence. If they are discovered and thrown out of the network, they will not give up. They will come back. Unlike other incident response firms, we do not simply disengage after the threat is eradicated. Once we uncover what happened and how it happened, we will deploy countermeasures to ensure that it will not happen again. We have the knowledge and technical knowhow to make a computer practically impenetrable. Such drastic measures are often not needed; however, if necessary, we can secure a network to such an extent that no APT will be able to successfully gain access to it.