Your investigation team has been called by McNorton-Dunham, a defense contractor working on the next generation of predator drones for the U.S. Department of Defense. On Friday, April 3, 2015, the whistle-blowing web site, Wikileaks, published several classified documents detailing communication between McNorton-Dunham and officials at the Pentagon regarding the X11-a5, the newest generation of predator drones that McNorton-Dunham is currently testing. Following the release of the documents, McNorton-Dunham’s computer network came under a DDOS attack that is still continuing today. Messages on Twitter and videos on Youtube have been found showing the hacktivist group, Anonymous, taking credit for the continuing attack. Because of the threat to national security posed by the release of confidential communications, McNorton-Dunham and officials at the Pentagon wants all parties involved prosecuted to the furthest extent possible.
Officials at McNorton-Dunham believe that the leaked documents were the work of an insider. All of the employees who had legitimate access to the leaked documents have been polygraphed and have been found to have no knowledge of the leak. General policy for the company is that all employees must swipe a key card to gain entrance to McNorton-Dunham. All personal items; purses, lunch bags, backpacks and briefcases; are inspected by security personnel upon entrance and exit from the company. All employees use an RSA token and password to be authenticated on the McNorton-Dunham computer network. The company maintains a number of closed-circuit surveillance cameras throughout the physical plant including all of the points of entrance/exit as well as at entrances to classified areas.
While McNorton-Dunham has only one physically computer-based network, access to data is strictly controlled using a RBAC system. All of the computers at McNorton-Dunham contain no drives that would allow an employee to use any type of removable storage device (USB) or optical disc (CD, DVD). Wi-Fi is not used at McNorton-Dunham. The network administrators have firewalls at several locations throughout the companies network and employ the use of an intrusion detection system. The IDS logs prior to Friday do not indicate any type of intrusion prior to the current DDoS attack. All incoming traffic passes through an application gateway proxy firewall and outgoing traffic is logged via a circuit-level proxy firewall.
The human resources department at McNorton-Dunham is responsible for all background checks done for all employees at the company. They have developed a short list of employees who have either filed grievances in the past year, or who have had other events occur that could indicate a possible security problem. They have identified the following employees as the potential leaker. None of the employees had direct access to the communications that were leaked.
• Linda Blair – 38-year-old administrative assistant, employed by McNorton-Dunham for the past 15 years. Linda was reprimanded for the use of an intoxicant while on the job. She attended a 15-day rehab program and has been back at work for the past 5 weeks with no indication of further intoxicant use on the job.
• Marty Feldman – 45-year-old flight specialist, employed by McNorton-Dunham for the past 20 years. Marty has a long record of insubordination to female supervisors. The most recent incident occurred three months prior to document leak when criticism from a female superior led to Marty using derogatory language toward the woman. He was suspended without pay for three days and was demoted one pay level.
• Katherine Hutton – 26-year-old accounts payable clerk, employed by McNorton-Dunham for the past year. Katherine has a spotty attendance record and has received several verbal warnings due to her poor attendance. Human Resources reports that several of Katherine’s co-workers have heard her discussing trips to the local gambling casino prior to many of her absences. Katherine is also rumored to be involved with her immediate supervisor, James Douglass.
• James Douglass – 32-year-old accountant, employed by McNorton-Dunham for the past eight years. While Douglass’s employment record is spotless, Human Resources has added Mr. Douglass to the list because of his reported involvement with Ms. Hutton. At this time, Mr. Douglass is married and father to two small children. Several coworkers reported that Mr. Douglass and Ms. Hutton have been spotted leaving the parking lot together in the same vehicle at lunchtime and the two have been spotted together at a local bar after work.
Your investigated team must try to determine several things for McNorton-Dunham:
1) Can charges be brought against Wikileaks? (Look at past history of the web site)
2) Can the current DDoS attack against Anonymous be proven? How would you gather the evidence? If so, can charges be brought? (Has Anonymous been charged in the past? If so, what has been the outcome?)
3) What information do you need to determine which on of the insiders should be questioned about the leak? (Log files, surveillance videos, building entrance logs, etc.) Requested log files will be made available following next week’s class.
4) How could the information have been exfiltrated from the company?
5) If the leak can be traced to one McNorton-Dunham’s employees, what charges could they face?