CyFIR News

Personal Statement from CyTech Services CEO, Ben Cotton, on the OPM Breach Response

Last April, CyTech Services was invited to the US Office of Personnel Management for a routine product demonstration of our CyFIR Enterprise software. We had no idea when we entered the building that CyFIR was about to identify malicious code on their live network and that we would assist with the investigation of the largest data breach in the history of the US Government.

This isn’t a problem that only happens at government agencies like OPM. These types of data thefts have become all too common, and every day seems to bring new headlines about hacks or breaches into political committees, corporations, and private citizens. Clearly, something has to be done, and our work with OPM shows how an incident response should take place and, more importantly, the steps that large organizations can take to protect themselves. It’s critical that our nation’s IT systems realize their vulnerabilities and accept that they need innovative technologies to address them.

On September 7, 2016, after a long and thorough investigation, the House Oversight and Government Reform Committee (HOGR) released a comprehensive and well-documented report outlining their findings regarding this data breach. The HOGR report confirms exactly how vulnerable many of our nation’s IT systems are and the critical need for innovative technologies to protect our networks. CyTech Services—and our revolutionary remote enterprise forensics and incident response product, CyFIR—were fortunate to be highlighted in the report for our role in identifying and remediating the OPM breach.

CyTech Services is proud that we were able to transition quickly from a simple product demonstration into a critical incident response mode. When we originally found malcode running on live systems at OPM during our April 21-22, 2015 product demonstration, we saw no indication that they were engaged in an active incident response at the time, nor did we know that they were deploying our demonstration tool into the live network with the intention of assisting with their breach investigation. Unknown to us, Cylance, a premier next-generation antivirus company, was already engaged on scene and was in the midst of deploying their product to the OPM enterprise when CyFIR’s Threat Assessment Module confirmed the existence of malcode running live in the OPM architecture during our demonstration. Immediately thereafter, CyTech incident responders began working with the Cylance team to assist the OPM in remediating the breach, investigating the malicious code, and obtaining key evidence files.

Many of the stories in the news have claimed that CyTech Services asserted that we were the first to discover the OPM breach. However, our own press release of June 15, 2015 states that we “quickly identified a set of unknown processes,” and that “CyTech is unaware if the OPM security staff had previously identified these processes.”

The recently released final report from the House Oversight and Government Reform Committee shows that Cylance found malicious code on a number of servers before CyTech’s arrival, and CyTech’s CyFIR Enterprise tool confirmed those findings during our demonstration. While the report outlines the odd manner in which OPM deployed (and paid for—or more specifically—did not pay for) those tools, I feel safe in saying that both Cylance and CyTech Services clearly understood the ramifications of what our products were rapidly detecting and knew that OPM was in need of immediate expert support.

I may be a bad businessman in that I upgraded their demonstration that day to a fully functional system and flew in one of our incident responders on a verbal request, but at the same time, I knew that waiting for the procurement process might take months. I served in the United States Army for over twenty years, and I refuse to simply “turn off” my love of country for the slowly-grinding wheels of bureaucracy. Therefore, with an emergency purchase order promised by OPM management, CyTech Services threw the full weight of its software and expertise into the effort.

I’ve said it before, and I’ll say it again. I’m proud of what our team was able to do for the Office of Personnel Management in helping to mitigate the largest breach the Federal Government has suffered. Simply put, Government and industry need more innovative cybersecurity tools to protect the networks that store the confidential or proprietary information of Americans across the country. During his remarks at the event where he introduced the report, Chairman Chaffetz expressed an extreme concern that several government entities remain at risk. We must ensure that these government systems are being protected.