On The Hill, CyTech CEO Ben Cotton discusses the opportunity that a new administration brings to how we—as a nation—view, prevent, and respond to cyber threats. Cotton says:
I have no doubt that as OMB Director, Mulvaney will continue to advocate for spending cuts at the federal level. And as Trump puts forth his proposals to invest in the United States’ physical infrastructure, I would urge Mulvaney to look at our cyber infrastructure as an area that would greatly benefit from more – and smarter – spending.
In an increasingly technological world, it is not only our physical borders that are permeable and vulnerable to unwanted intrusion by those wishing to do our nation harm or influence our institutions. The nation is constantly subject to cyber threats, and our cyber defense must rise to meet these advanced challenges. We know that the vulnerabilities we face are very real and the consequences of data breaches and cyberattacks from enemies foreign and domestic are wide ranging.
CNN HLN’s Michaela Pereira interviewed CyTech CEO Ben Cotton about the potential for nefarious actors hacking the 2016 Presidential Election ballots and what could be done to ensure that our election results are safeguarded.
Paul Barrett, in his article entitled “When Spotting a Hack Doesn’t Help You,” discusses the April 2015 data breach at the United States Office of Personnel Management and the role of CyTech Services in the identification, investigation, and remediation of the breach.
Cotton assumed his business would benefit from its role in revealing the breach. Instead, OPM publicly denied he’d helped and implied he’d angled for undeserved praise in the media. That’s a devastating suggestion in the digital security field, where contractors are expected to keep their findings private. Stuck in an entrepreneur’s nightmare, Cotton had to put his faith in a congressional investigation of the breach.
Barrett continued with the background of both Cotton and CyTech Services, which Cotton established after retiring from the US Army Special Forces, and discussed OPM’s failure to pay the small, service-disabled, veteran-owned business for its work.
Last April, CyTech Services was invited to the US Office of Personnel Management for a routine product demonstration of our CyFIR Enterprise software. We had no idea when we entered the building that CyFIR was about to identify malicious code on their live network and that we would assist with the investigation of the largest data breach in the history of the US Government.
This isn’t a problem that only happens at government agencies like OPM. These types of data thefts have become all too common, and every day seems to bring new headlines about hacks or breaches into political committees, corporations, and private citizens. Clearly, something has to be done, and our work with OPM shows how an incident response should take place and, more importantly, the steps that large organizations can take to protect themselves. It’s critical that our nation’s IT systems realize their vulnerabilities and accept that they need innovative technologies to address them.
On September 7, 2016, after a long and thorough investigation, the House Oversight and Government Reform Committee (HOGR) released a comprehensive and well-documented report outlining their findings regarding this data breach. The HOGR report confirms exactly how vulnerable many of our nation’s IT systems are and the critical need for innovative technologies to protect our networks. CyTech Services—and our revolutionary remote enterprise forensics and incident response product, CyFIR—were fortunate to be highlighted in the report for our role in identifying and remediating the OPM breach.
CyTech Services is proud that we were able to transition quickly from a simple product demonstration into a critical incident response mode. When we originally found malcode running on live systems at OPM during our April 21-22, 2015 product demonstration, we saw no indication that they were engaged in an active incident response at the time, nor did we know that they were deploying our demonstration tool into the live network with the intention of assisting with their breach investigation. Unknown to us, Cylance, a premier next-generation antivirus company, was already engaged on scene and was in the midst of deploying their product to the OPM enterprise when CyFIR’s Threat Assessment Module confirmed the existence of malcode running live in the OPM architecture during our demonstration. Immediately thereafter, CyTech incident responders began working with the Cylance team to assist the OPM in remediating the breach, investigating the malicious code, and obtaining key evidence files.
Many of the stories in the news have claimed that CyTech Services asserted that we were the first to discover the OPM breach. However, our own press release of June 15, 2015 states that we “quickly identified a set of unknown processes,” and that “CyTech is unaware if the OPM security staff had previously identified these processes.”
The recently released final report from the House Oversight and Government Reform Committee shows that Cylance found malicious code on a number of servers before CyTech’s arrival, and CyTech’s CyFIR Enterprise tool confirmed those findings during our demonstration. While the report outlines the odd manner in which OPM deployed (and paid for—or more specifically—did not pay for) those tools, I feel safe in saying that both Cylance and CyTech Services clearly understood the ramifications of what our products were rapidly detecting and knew that OPM was in need of immediate expert support.
I may be a bad businessman in that I upgraded their demonstration that day to a fully functional system and flew in one of our incident responders on a verbal request, but at the same time, I knew that waiting for the procurement process might take months. I served in the United States Army for over twenty years, and I refuse to simply “turn off” my love of country for the slowly grinding wheels of bureaucracy. Therefore, with an emergency purchase order promised by OPM management, CyTech Services threw the full weight of its software and expertise into the effort.
I’ve said it before, and I’ll say it again. I’m proud of what our team was able to do for the Office of Personnel Management in helping to mitigate the largest breach the Federal Government has suffered. Simply put, Government and industry need more innovative cybersecurity tools to protect the networks that store the confidential or proprietary information of Americans across the country. During his remarks at the event where he introduced the report, Chairman Chaffetz expressed an extreme concern that several government entities remain at risk. We must ensure that these government systems are being protected.
WASHINGTON (September 7, 2016) — Majority members of the House Oversight and Government Reform Committee today released a comprehensive and documented report outlining their findings regarding the April 2015 Office of Personnel Management (OPM) data breach, which includes a confirmation that CyTech Services played a key role in identifying and responding to the intrusion that compromised 21 million sensitive government records.
As the report indicates, at OPM’s invitation, CyTech demonstrated their CyFIR Enterprise digital forensics and incident response platform at OPM on April 21-22, 2015. Using CyTech’s innovative endpoint vulnerability assessment methodology, CyFIR identified, within 12 minutes, a set of unknown processes running on a limited set of endpoints. This information was immediately provided to OPM security staff upon detection and was ultimately revealed to be zero day malware that had been in place on the OPM network for more than a year.
Specifically, the report stated, “During CyTech’s April 21, 2015 demonstration, CyTech identified or ‘discovered’ malware on the live OPM IT environment related to the incident. There is no evidence showing CyTech was aware [of the incident] at the time of the April 21 demonstration…Beginning on April 22, 2015, CyTech offered and began providing significant incident response and forensic support to OPM related to the 2015 incident. The documents and testimony show OPM and Cylance recognized CyFIR’s ability to quickly obtain forensic images. CyTech provided an expert to manage the CyFIR tool and continue to provide onsite support through May 1, 2015.” [Chapter 5: The CyTech Story; Page 125]
CyTech CEO Ben Cotton, a 21-year veteran of the U.S. Army Special Forces, lauded the findings outlined in the report, stating, “We are pleased that the report officially confirms what we have known to be true since the day we deployed the software on OPM’s network – by leveraging CyFIR’s total dynamic visibility (TDV) on the endpoint, the CyFIR platform detected the malware in OPM’s network within 12 minutes of installation, and CyFIR was able to provide OPM the technical capabilities to forensically investigate, respond to the breach, and perform these activities with an unprecedented speed to resolution (S2R). CyFIR worked exactly as it was supposed to in identifying and locating the cyber threat existent in OPM’s production systems.”
John Irvine, Chief Technology Officer of CyTech Services, added, “This validates the efficacy and efficiency of the CyFIR platform, demonstrating its value to the federal government and any organization where network security is a priority. All government entities should be secure and protected with the most comprehensive data security tools available, especially when our national security is at risk. Our concern now is that the large number of government departments and agencies that are connected to the OPM network may have also been compromised and should now be evaluated.”
CyFIR’s rapid threat assessment module was designed and built specifically for this type of analysis at the speed and breadth necessary to identify and contain the problem quickly. The technology can rapidly scan all running processes on individual computers and at the enterprise level, dramatically shortening the time it takes to discover, investigate, and remediate a breach through its unique distributed architecture. CyTech remains committed to providing one of the most comprehensive forensic investigation and incident response tools on the market and protecting the privacy and security of trusted information.
ABOUT CYTECH SERVICES, INC.
CyTech Services, Inc. specializes in enterprise-level digital forensic tool development and specialized digital incident response services. CyTech’s forensic staff has an extensive history of serving top Federal Law Enforcement and Intelligence agencies and corporate clients. CyTech is the creator and developer of the CyFIR enterprise suite. CyTech Services is a Service Disabled Veteran Owned Small Business (SDVOSB) led by Ben Cotton, a 21-year veteran of the U.S. Army Special Forces. CyTech Services is headquartered in Manassas, VA.
Ironically, the tool that discovered the ongoing breach, CyFIR from CyTech Services, was never actually purchased by OPM. Though Seymour told Congress OPM had purchased licenses after a trial in a segregated test network, the tool was actually demonstrated on OPM’s live network, and no licenses were ever purchased. OPM officials returned the trial software after deleting images from OPM’s own incident response—images that included “more than 11,000 files and directories” of forensic data, the report noted.
“Documents and testimony show CyTech provided a service to OPM and OPM did not pay,” the report found, noting that this violated federal law against accepting voluntary services.