Lessons learned in the aftermath of a breach

In this first part, a veteran in the cyber security industry shares experiences in the field


For those who have children, you probably know that you try to share life lessons from your experiences with them so that they can avoid some of the pitfalls you've encountered on your own path.

Jim Jaeger, chief cyber services strategist with Fidelis Cybersecurity (recently part of General Dynamics), has been on the ground with a number of major enterprises that have suffered a high-profile breach.

Over the course of his career, he has led cyber forensics investigations into some of the largest network breaches in history, and was also the Assistant Deputy Director of Operations with the NSA and Commander of the Air Force Technical Applications Center. Previously, he was a Brigadier General in the United States Air Force and his military service includes stints as the Director of Intelligence (J2) for the U.S. Atlantic Command.

Jaeger shared stories of his experiences in hopes that professionals who are new to the information and cyber security industry can take away something helpful from these lessons learned.

“For much of the last 10 years, I’ve been leading large scale incident response operations into breaches. We are brought in by outside counsel, perhaps law firms representing the victim of the breach. Our objective is to try to contain the breach, stop it, determine how the hackers got in, what they are taking, how they are packaging it and getting it out of the network,” Jaeger said.


Jaeger, like many veterans of the industry, believes that it is extremely important to capture lessons learned and push them back out to the network security community so that they can better defend themselves. “Because we do some of the bigger breaches, we see the greatest opportunity to learn lessons in that environment,” he said.

The irony is, few network security engineers, CIOs, or CISOs would be surprised by any of the lessons Jaeger learned. “What’s really powerful is the damage that can be done if you don’t do the things that you should be doing, like patching. A major credit card company had been breached with SQL injection. In our investigation, we found two vulnerabilities based on software defects that were known. There were patches to fix them, but they hadn’t been applied.”

Another valuable warning for those who are new to the security industry, said Jaeger, is this: “This is one of the few crimes where you actually punish the victim.”

Two breaches that Jaeger and his team were called in to investigate happened more than six years apart. Though technology had changed quite a bit in that time, the breaches are still very similar, especially in terms of lessons learned.

"In both cases," said Jaeger, "the breach went on for more than a year. One of the biggest lessons is that we need to do good network security monitoring. There is no network that is so secure that a determined hacker cannot and will not get in sooner or later."

Criminals never get into the network exactly where they want to be, but once they find a way in, they use tools and systems already present to help them navigate. "Often they use the same tools," Jaeger said. "They are not bringing in new software or malware. They use the actual tools you are using."

If they can’t find the tools that have the functionality they need, they may use their own tools, but they prefer not to, Jaeger explained. "When they bring them in, they have to put them somewhere, so they will name them something very similar so that they don’t immediately look suspicious."
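As an added example (not from the article, Jaeger or Fidelis), here is the kind of baseline check a defender can run over a file inventory to surface the two patterns described above: legitimate admin tools copied elsewhere under a different name, and unknown binaries named to resemble them. The tool names, file contents and paths are constructed stand-ins for a real golden-image baseline.

```python
import hashlib
from difflib import SequenceMatcher

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed baseline: admin tools the operations team legitimately deploys,
# keyed by filename, with the SHA-256 of the approved build. The byte strings
# stand in for real binaries so the example runs offline.
APPROVED_BUILDS = {
    "psexec.exe": b"approved psexec build",
    "netcat.exe": b"approved netcat build",
}
BASELINE = {name: sha256(blob) for name, blob in APPROVED_BUILDS.items()}

def basename(path: str) -> str:
    # Handle Windows and POSIX separators regardless of the host OS.
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def name_similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def classify(path: str, content: bytes, baseline=BASELINE, threshold=0.8) -> str:
    """Classify one on-disk file against the approved-tool baseline."""
    name, digest = basename(path), sha256(content)
    if name in baseline:
        # Expected name: either the approved build or a replaced/tampered one.
        return "known_good" if baseline[name] == digest else "modified_known_name"
    if digest in baseline.values():
        # Your own tool, copied somewhere under a different name.
        return "renamed_legit_tool"
    if any(name_similarity(name, known) >= threshold for known in baseline):
        # Not your tool, but named to blend in with one that is.
        return "lookalike_name"
    return "unknown"

def scan(inventory, baseline=BASELINE):
    """Return {path: verdict} for every (path, content) pair that is not known-good."""
    verdicts = {path: classify(path, blob, baseline) for path, blob in inventory}
    return {p: v for p, v in verdicts.items() if v != "known_good"}

if __name__ == "__main__":
    # Constructed inventory of files found during a sweep.
    inventory = [
        ("C:\\Tools\\psexec.exe", APPROVED_BUILDS["psexec.exe"]),
        ("C:\\Windows\\Temp\\psexex.exe", b"attacker tool"),
        ("C:\\Temp\\update.exe", APPROVED_BUILDS["psexec.exe"]),
        ("C:\\Users\\a\\report.doc", b"quarterly numbers"),
    ]
    for path, verdict in scan(inventory).items():
        print(f"{verdict:20} {path}")
```

Hash-based baselining catches the copied tool regardless of what it is renamed to, while the name check catches the look-alike whose hash you have never seen; neither check alone covers both cases.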

The nearly decade-old breach of TJX Corporation was one of the two investigations Jaeger spoke about from experience. There is a lot of public information on the breach, but when it happened TJX processed all of their credit card transactions in their Framingham, Mass., data center. The data wasn't encrypted as it traveled from the POS to the data center, and the incident response team noticed a fraud pattern.

"In the early stages of the breach, they brought in a remedial cyber firm that worked for six weeks, and they came back and said we don’t see a problem," Jaeger said. "When my team was called in, we arrived at the data center, and found the breach in two hours."


Fast forward six years, and Jaeger's team is responding to a very similar problem. Check back on Monday for more on Jaeger's lessons from the field.
