Enemy at the Water Cooler by Brian T Contos
Chapter 7
Collaborative Threat—A Telecommunications Company in the U.S.

“Everything which the enemy least expects will succeed the best.”
—Frederick the Great
Every once in a while you get to a point in your career where you think you’ve seen and heard it all. Then out of nowhere comes an event that at first seems somewhat bizarre, but the more you think about it, the more sense it makes.

A telecommunications company in the U.S. had an interesting situation. They discovered that certain operators were giving out confidential customer data to ethically flexible private investigators who were researching divorce cases. It appeared that during an investigation, a private investigator would work with one of the company’s operators to glean the calling records of the persons they were investigating: Who did the person call? Who did those people call, and so on? This was explicitly against company policy, and all operators had been trained to never give information out without properly authenticating the caller to ensure that the data they requested belonged to them.

But the success of these inquiries only required that the private investigators find an operator sympathetic to their cause. In this particular case, the operator was looking for a little extra cash, and perhaps didn’t feel that what she was doing was all that bad, or she may even have viewed herself as a vigilante of sorts. Whatever the case, the investigator now had an insider who could help carry out the scheme.

While the phone company knew this was happening, it was hard to figure out which operator was giving out the restricted information. Most of the employees were temporaries—college students—so the turnover rate was relatively high. Also, the sheer volume of calls, number of operators, and number of customer files made investigation a daunting task. However, as with most systems I’ve discussed, the operator’s phone system and file access activity created logs. Further, the telephone system and database files were actually one integrated system. Every time an operator received a call, the information was logged, and files that the operator accessed during that call were also logged, based on the time slice for the duration of each call.

The program that the operators used had been in place for several years, but logs were very rarely—if ever—actually analyzed for anything except statistics on the number of calls per operator, call duration, and other customer service measurements.
www.syngress.com
Since the ESM system they had deployed for analysis in other areas of their network had proved to be useful, they decided to feed the phone system events into it as well. This was a very telecommunication-specific application with an extremely high level of customization. The logs were a bit cryptic, but after about a day, the ESM event connectors were able to read the phone system events, normalize, categorize, and correlate them just as if the events were generated by a more traditional application such as a commercial CRM.

Being able to read the information in real time was valuable, but the phone company had already been tipped off to the fact that this malicious activity had been going on for some time. Their primary concern was to find out who was doing it, how long the operator had been doing it, and who else might be involved. To do this, information from the backup tapes would have to be retrieved, then interpreted by the ESM connector and analyzed by the ESM manager. This case is a prime example of why forensic analysis based on holistic, normalized information is so important. If only a few of the event fields from each log were normalized, or even collected in the first place, the level of analysis would be limited.

Once the data had been passed through the ESM manager, it was subjected to a number of filters, visualization tools, and analysis features. The ESM analysts were looking for any relationships between operators and callers, linked with operators and file access events. Facing almost a terabyte of data, they decided to analyze trends based on individual operators—since those trends were a common link between the private investigator calls and the files being accessed. Further, the analysts narrowed the per-operator view to specific operators during a specific shift. Looking at each operator’s actions during a shift and comparing them to the actions of others was the best way to determine anomalous behavior and identify outliers—data that didn’t fit.
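The connector and analysis steps described above (normalizing two raw log formats into one event schema, attaching each file access to the call whose time slice contains it, and comparing every operator against peers on the same shift) can be sketched in code. The following is an added example, not code from the book or from any ESM product; the log layouts, field names, sample records and the flagging thresholds are all constructed for illustration.

```python
"""Correlate operator call records with customer-file accesses and flag
per-shift outliers. Added example: log layouts, field names, sample values
and thresholds are constructed, not taken from the book or any ESM product."""
from collections import defaultdict
from statistics import median

# Constructed "cryptic" phone-system records. Assumed layout:
# CALL|<operator>|<caller_number>|<start HH:MM>|<end HH:MM>|<shift>
CALL_LOG = """\
CALL|op01|555-0101|09:02|09:06|day
CALL|op01|555-0102|09:10|09:13|day
CALL|op02|555-0103|09:01|09:04|day
CALL|op02|555-0104|09:15|09:18|day
CALL|op03|555-0200|09:03|09:11|day
CALL|op03|555-0200|09:20|09:31|day
CALL|op03|555-0200|10:05|10:19|day
CALL|op04|555-0105|09:00|09:05|day
CALL|op04|555-0106|09:30|09:36|day
"""

# Constructed records from the integrated customer database. Assumed layout:
# FILE|<operator>|<customer_account>|<time HH:MM>
FILE_LOG = """\
FILE|op01|A100|09:03
FILE|op01|A101|09:11
FILE|op02|A102|09:02
FILE|op02|A103|09:16
FILE|op02|A199|09:30
FILE|op03|A300|09:04
FILE|op03|A301|09:06
FILE|op03|A302|09:09
FILE|op03|A303|09:22
FILE|op03|A304|09:25
FILE|op03|A305|09:29
FILE|op03|A306|10:07
FILE|op03|A307|10:12
FILE|op03|A308|10:17
FILE|op04|A104|09:01
FILE|op04|A105|09:03
FILE|op04|A106|09:33
"""


def _minutes(hhmm):
    """'09:05' -> 545. The sample logs carry wall-clock time only (assumption)."""
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def normalize(call_text, file_text):
    """Connector step: turn both raw formats into one common event schema."""
    events = []
    for line in call_text.splitlines():
        _, op, caller, start, end, shift = line.split("|")
        events.append({"type": "call", "operator": op, "caller": caller,
                       "start": _minutes(start), "end": _minutes(end),
                       "shift": shift, "files": []})
    for line in file_text.splitlines():
        _, op, account, at = line.split("|")
        events.append({"type": "file", "operator": op,
                       "account": account, "at": _minutes(at)})
    return events


def correlate(events):
    """Attach each file access to the same operator's call whose time slice
    contains it. Accesses that fall outside every call are kept separately:
    a customer file opened with no caller on the line deserves its own look."""
    calls = [e for e in events if e["type"] == "call"]
    orphans = []
    for f in (e for e in events if e["type"] == "file"):
        match = next((c for c in calls if c["operator"] == f["operator"]
                      and c["start"] <= f["at"] <= c["end"]), None)
        if match is None:
            orphans.append(f)
        else:
            match["files"].append(f)
    return calls, orphans


def summarize(calls):
    """Per (operator, shift): calls handled, files touched, files per call,
    and how many times each outside number reached that operator."""
    stats = defaultdict(lambda: {"calls": 0, "files": 0,
                                 "callers": defaultdict(int)})
    for c in calls:
        s = stats[(c["operator"], c["shift"])]
        s["calls"] += 1
        s["files"] += len(c["files"])
        s["callers"][c["caller"]] += 1
    for s in stats.values():
        s["files_per_call"] = s["files"] / s["calls"]
    return stats


def flag_outliers(stats, factor=2.0, min_calls=2):
    """Compare each operator with peers on the same shift and flag anyone
    touching more than `factor` x the shift median of files per call."""
    by_shift = defaultdict(list)
    for (op, shift), s in stats.items():
        by_shift[shift].append((op, s))
    flagged = []
    for shift, rows in by_shift.items():
        med = median(s["files_per_call"] for _, s in rows)
        for op, s in rows:
            if s["calls"] >= min_calls and s["files_per_call"] > factor * med:
                flagged.append((op, shift, s["files_per_call"], med))
    return flagged


def flag_repeat_callers(stats, min_calls=3):
    """The same outside number reaching the same operator repeatedly in one
    shift: the operator-caller relationship the analysts were looking for."""
    return [(op, shift, caller, n)
            for (op, shift), s in stats.items()
            for caller, n in s["callers"].items() if n >= min_calls]


def run(call_text=CALL_LOG, file_text=FILE_LOG):
    calls, orphans = correlate(normalize(call_text, file_text))
    stats = summarize(calls)
    return {"outliers": flag_outliers(stats),
            "repeat_callers": flag_repeat_callers(stats),
            "off_call_access": [(f["operator"], f["account"]) for f in orphans]}


if __name__ == "__main__":
    for name, rows in run().items():
        print(name, rows)
```

On the constructed sample, the shift median is 1.25 files per call; `op03` touches 3.0 per call and is reached three times by the same number, so both detectors point at the same operator, while `op02`'s file access at 09:30 falls outside any call and is reported separately. A median-based comparison is used rather than a z-score because, with a handful of operators per shift, one heavy outlier inflates the standard deviation enough to hide itself.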