Manning. Snowden. Whose name is next to be added to the notorious list of government leakers?
The CIA is trying to answer that question right now.
A day after WikiLeaks released what it alleged to be the “entire hacking capacity of the CIA,” the focus Wednesday began shifting to just who gave the stunning surveillance information to the anti-secrecy website.
“There is heavy s— coming down,” said a veteran cyber contractor for the intelligence community who previously worked in the breached unit, the CIA’s Center for Cyber Intelligence.
The contractor told Fox News that CCI has long maintained an internal database of information — accessible to anyone with proper credentials or security clearance — that seemed to be dumped in total to WikiLeaks. In its news release on the disclosure, WikiLeaks said CCI had more than 5,000 registered users, a number alternatively referred to as “absurd” and “a bit high” by security experts who spoke to Fox News. The CIA declined comment to Fox News.
The FBI opened a federal criminal investigation into the WikiLeaks disclosure on Wednesday, Fox News confirmed. As the probe gets underway, experts said there’s a typical incident response playbook they would use to narrow down the massive pool of suspects.
“They’re going to try to do some forensic work because those documents probably have been changed [over time], so that enables them to narrow down the period to when they were taken,” said Alex Yampolskiy, the CEO of SecurityScorecard. “Once you say ‘this seems like it was a snapshot from this particular time,’ then they can look at audit logs of who had access to the document during that time frame.”
Yampolskiy said analysts would likely target the most sensitive documents that were revealed during their forensic work, as only those with a higher security clearance would have had access to them – again, shrinking the group of suspects.
Once a core group is established, investigators would institute behavioral profiling.
“They’ll run certain types of analytics – what websites did they access? What are the emails? How many people are still working there?” Yampolskiy said.
Regardless of the results of the inquiry, Brian Vecci, a technological evangelist for cybersecurity company Varonis, said the secret trove revealed by WikiLeaks illustrates the pervasive issue of another “major data breach of a major government organization tasked with security.”
“What’s clear to me — and this is true of pretty much every big data breach — the preventive controls were broken, or the detective controls were broken,” Vecci said. “Meaning, either too many people had access to the information, or the people that had access weren’t being recorded and analyzed. Or both.”
Last year SecurityScorecard ranked 18 industries by their cybersecurity performance. Information services, construction and food ranked 1, 2 and 3, respectively. Government was dead last.
But there was a twist, Yampolskiy said.
“The CIA was specifically one of the top performers in the government,” he said. “An ‘A’ letter grade.”