Objective Disclosure Risk

This article introduces you to :Respond Disclosure Risk and how to acquire Deterministic Risk Insight for managed content.

Introduction

SSProtect not only protects data, but leverages the underlying architecture to deliver management services that facilitate Security Incident Response and Recovery tasks. One such facility is :Respond Disclosure Risk Analysis, which provides Definitive Insight into use of an SSProtect Organization's managed content. This is helpful when investigating a potential data breach.

Prerequisites

This article assumes you have worked through and/ or are familiar with concepts and activities covered in the Common Tasks, Simple Administration, and Sharing/ Managing Data Walkthroughs.

Execution requires that you've Licensed :Respond as directed in this section's Overview.

Finally, STEP guidance uses Profiles created in the Walkthrough, Third Party Trust Sharing. This is a matter of convenience rather than a requirement; execution is straightforward and simple.

Breach Dynamics

For those unfamiliar with Breach Dynamics, here's one typical high-level progression:

1. IT gets a phone call from the FBI with specific information identifying a potential data breach.
2. IT investigates to verify the information, and if there is a problem, assembles a team to respond.
3. IT begins their response by understanding the scope and breadth of the potential breach.
4. Once IT understands the dynamics, they put together and execute a plan to remediate, repair, and cleanse affected resources.

:Respond Disclosure Risk Analysis addresses major aspects of the investigation by providing direct, objective insight into the way your managed content has been used.

Remember that KODiAC Cloud Services operates independent from your host computer and network, and that KODiAC is a critical component in cryptographic offloading. As such, the audit information stored in the cloud provides an accurate and precise record of activities.

:Respond Disclosure Risk Analysis uses this as input to provide a summary Report showing you the resulting Disclosure Risk, of all content, across all affected resources, in a configurable time range.

If you take this report together with the map of affected resources, you can very quickly gather a very good idea of what sensitive content may have been disclosed, and what remained protected.

This facility improves notification accuracy and efficiency, both key components to reducing the impact of a breach, if even only as a result of an elevated reputation for offering very specific details, very quickly.

IMPORTANT: While SSProtect aims to provide Definitive Disclosure Risk Insight, it is limited in scope to the data protected by SSProtect/ KODiAC.  Content not managed by SSProtect cannot be analyzed.

Create Test Data

Let's use one of our Test Accounts to generate some new test data we can use in :Respond Disclosure Risk Reports.

STEP 1: With SSProtect, Log In to your Org1_Admin Test Account.

STEP 2: Create a new text file, C:\TestData\BreachTest-1.txt, and edit the file to include the text, Breach Test Data 1. Save/ Close.

STEP 3: Make a copy of this file in C:\TestData\BreachTest-2.txt, and modify content to reflect, Breach Test Data 2. Save/ Close.

STEP 4: In File Explorer, select both files then right-click and choose, SSProtect Activate.

STEP 5: Right-click the SSProtect notification icon and choose Usage Reports\ File Detail Report to review the progression for both files.

STEP 6: Find the activity associated with the two files we just protected, and make note of both the earliest Report Date line item for either, and also the latest Report Date line item for either. Keep these UTC times since we'll use them in subsequent steps.

Acquire Our First Disclosure Risk Report

Let's pull a :Respond Disclosure Risk Analysis Report for very recent activity, i.e. for the timeframe between the start of this article and now.

STEP 7: Right-click the SSProtect notification icon and choose Disclosure Risk Analysis. Check Suppress PrePeriod and Auto-Report, then click the Distinct radio button in preparation for setting the target timeframe.

STEP 8: Set the Start Time to match the earliest UTC time you saved in STEP 6, though back up one minute just to be certain we capture the time that includes both items in plaintext form (see below). Set your Start Date to the matching date UTC, then adjust your End Date. You may need to add a day to it if you're working close to midnight UTC.

STEP 9: Click Start to execute the Analysis and acquire the resulting Report.

The resulting Disclosure Risk Report should show the two files we created in STEPs 1-4, above:

The results show the two BreachTest*.txt files we created, both with a Risk of 6 - Exposed and Reason equal to Activated Protection.

We purposely included our listing with the additional data access to BreachTest-1.txt that sheds light on the nature of this Report. More specifically, this Report shows the worst-case identified Risk for every instance of every managed data item discovered on any host computer. Because the access attempt creates v2, v2 information is noted to be at Moderate Risk of disclosure: Content was converted to plaintext and utilized by someone using an application (noted in other Report details, likely notepad.exe) and if an attacker were to have access to that same host computer at that same moment, would he/ she have been able to heist the associated plaintext? Depends on many unknowns, some to be discovered with further investigation. Nonetheless, the risk exists and it's very real.

The astute observer will question why the same Managed Access operation doesn't generate a similar line item for the v1 instance. It does, though it's suppressed in the output of this Report only because that same v1 instance is already shown to expose a higher degree of risk due to other dynamics (the fact that it was in plaintext form after the start of the Analysis timeframe, readily available to any attacker).

It's worth noting (twice as this is also mentioned below) that the moniker chosen for the resulting Risk Rating is in fact subjective, though applied to objective reality: The results aren't derived by extrapolation, guesswork, heuristics, or other forms of interpretation, they are as direct and objective as possible.

* We've hidden the following columns in an attempt to render information that's legible:

• Column B - HostUUID
• Column D - Local IP
• Column E - Public IP
• Column H - File Org (gmail-definisec_t1)
• Column I - File Owner (definisec+test1@gmail.com)
• Column N - File ID

Looking Deeper: Our First Disclosure Risk Report

Let's take a hypothetical situation where we'd been informed of a potential data breach and, in the course of our investigation, determined that an attacker had compromised our host at 9:00 PM (for our test purposes), 16 minutes prior to the creation and protection of BreachTest-1.txt and BreachTest-2.txt. Also remember that we have another dozen or so files we've previously worked with, managed by the same SSProtect Profile on the same host.

This report tells us that the two files, BreachTest-1.txt and BreachTest-2.txt, are Exposed in plaintext form, simply because they were protected after the start of our Analysis. This means any host-resident attacker would have had a clear opportunity to offload plaintext content.

It also tells us that the other files on the host - the other dozen or so - were not Exposed, in this case simply because they weren't accessed.

Recall that our patented cryptographic offloading was specifically designed to ensure that decryption keys aren't generated or stored on the host computer - some of the keys are, but others are generated and stored in KODiAC Cloud Services.

Because of this approach, the attacker would have been able to steal the ciphertext content for managed files, but unless he/ she were able to breach KODiAC Cloud Services, there isn't a way for him/ her to recover plaintext content - unless of course our crypto implementation is flawed or we suffer other issues they are able to exploit.

Let's expand on this idea to look at more common scenarios.

Generate Common Use Data

STEP 10: Dismiss the Risk and Remediation dialog we've been using then double-click BreachTest-1.txt in File Explorer. This will securely open plaintext content in Notepad. Add the line, Breach Test Line 2, then Save/ Close. SSProtect will re-encrypt the file.

STEP 11: Delete BreachTest-2.txt then navigate to the Hostlist from the notification icon's context menu by choosing Managed Files/ Restore. Find BreachTest-2.txt in the list, which should show, (Deleted), then click Restore.

STEP 12: Dismiss the dialog then Refresh Login. Choose the Profile Org1_User1, enter its' Password and Log In.

STEP 13: Double-click BreachTest-1.txt to securely open in Notepad, add the line, Breach Test User 1, then Save/ Close.

STEP 14: Refresh Login and choose the Profile Org1_Admin, enter its' Password, Log In.

STEP 15: From the notification icon's context menu, return to the Risk and Remediation dialog with the Disclosure Risk Analysis menu item.

Acquire and Review Common Use Data

STEP 16: Adjust your Start Time to reflect the most recent time you saved from STEP 6, and add a single minute to it. For us, this is the same time, 9:16 PM or 21:16 UTC. Click Start to execute another Analysis.

This report shows the recent activity, which you'll note displays a Risk rating of 2/ 3. Risk ratings are in fact subjective values attached to objective information, as a guide. They are more fully discussed in :Respond documentation.

Note however that we see a 3 - Moderate rating for BreachTest-1.txt, though two entries instead of one. Risk Reporting shows the, "worst risk" specific to a given managed item, for each Environment. Because the target file was used by two different users, as shown in the Username column, you'll see independent entries. This helps correlate investigation with reality, if for example you find that a particular User's credentials have been compromised.

We also see that Org1_User1 risks Version 1 and Version 2 (because you open Version 1 and create Version 2 when you Save) while Org1_Admin only risks Version 1. Because these are Managed Access operations, an attacker would have had to compromise the managing application to gather plaintext, and/ or find residual plaintext data left by the managing application. These realities can and will be identified when reviewing related File Detail report entries.

Finally, we see the Restore operation specific to BreachTest-2.txt. This isn't a high-risk operation since SSProtect acquires and saves ciphertext data. It does however represent an operation that could have been monitored and/ or intercepted by an attacker, and though plaintext content isn't directly exposed, there is some non-zero value of risk associated with moving protected content that must be depicted - as is the case here, using the lowest Risk Rating available).

Summary

:Respond Disclosure Risk Analysis provides the most significant, objective Disclosure Risk reality associated with end-user operations on managed ciphertext/ plaintext content. Because of the underlying system design, we can offer theoretical claims for ongoing security if items are not accessed and KODiAC Cloud Services isn't breached. This allows us to provide a summary report, for all managed data, to support Incident Response and Recovery operations.

Refer to the :Respond documentation for more insight, such as operations that provide Reports for Third Party Trust content affected by activities in the target Analysis timeframe. You can, as it turns out, review and, "Release" these Reports directly to Privileged Users in their respective Organizations to address notification requirements found in many of today's legal agreements.

Additional Resources

You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to support@definisec.com, and our staff will respond to your needs as soon as possible.

In the meantime, don't forget to check out our primary website and Insights columns for information on current trends, security topics, and how our technologies relate.