
Correlating PII to individual Emails and Customers

4 Posts
2 Users
0 Likes
882 Views
(@lnxslak)
Posts: 2
New Member
Topic starter
 

Long time lurker, finally made an account because I'm running into a question I am getting over and over from customers and lawyers.

How are you guys correlating individual pieces of PII back to individual E-Mails in a BEC scenario?

The request we are getting is that in a BEC, the lawyers need to know exactly what types of PII were compromised from exactly which customers so that they can constrain potential liability in the future. So this is not such a big ask if the number of emails and PII instances is small - but what about when we are talking about 100k++ emails, spanning years? So far I've been managing with a sort of hacky process of importing a PST into Autopsy - using search filters to classify the PII, exporting to CSV, and then some hacky shell scripts to get a better idea - but in the case of the PST this only links me back to the mbox, not the specific email context.

I have looked around these forums of course and I have searched the web (Autopsy will tie a sample to an mbox and you can relate it to the email, but it's all manual) - there are a few tools that seem to sort of do that but not exactly (PII tools for example). I actually have my dev team right now building an in-house solution, but that is a couple of weeks away.

Any help would be greatly appreciated - and wanted to say thanks for all the information I've managed to pull out of this forum so far - it has been a life saver on more than one occasion.

And if I just need to search harder that is fine too - and my apologies 😉

 
Posted : 26/11/2019 6:58 pm
(@dcs1094)
Posts: 146
Estimable Member
 

The worst part of an O365 compromise investigation. Yes, you can look at the log files to see what's been exfiltrated, however as soon as the account credentials are compromised, anything in that mailbox could have been viewed, so it all needs to be reviewed. I normally seize the PST files then process them with Intella. You can then build regular expressions and tailor them to your PII requirements. The issue I've found is different types of PII information can be difficult to identify, i.e. in Australia a matter of opinion could be classed as PII - how do you build a regex for that? So, I'd process the PST file for emails, including their attachments (OCR PDFs etc.) then run regex searches with the caveat that the searches only identify x, y & z. Anything else may need to be reviewed manually, but each job should be treated on a case-by-case basis.

 
Posted : 27/11/2019 1:27 pm
(@lnxslak)
Posts: 2
New Member
Topic starter
 

Glad to hear I'm not the only one that is feeling this pain.

Intella looks promising - does it allow you to tie your regex searches back to the individual emails? Does it have some useful output formats for that data after it has mapped those relationships?

I'm gonna grab the trial and play with it anyways - but thought I would ask as well. Thanks again.

 
Posted : 27/11/2019 3:15 pm
(@dcs1094)
Posts: 146
Estimable Member
 

Intella looks promising - does it allow you to tie your regex searches back to the individual emails?

Yep, you can easily identify the email/attachments where hits were located. I had the issue previously of running searches and not being able to easily identify the emails and/or files which they hit on, but this solved that. Obviously you would encounter false positives depending on how you construct your regex, but that'll always happen regardless of what tool you use and depends on the type of source data you are analyzing.

Does it have some useful output formats for that data after it has mapped those relationships?

I normally export the valid PII data entries back into PST files for legal teams to review, along with a metadata output which depicts general email header information and the specific PII raw data which it hit on. Being able to show the PII data which it hit on, alongside the email/attachment data in one is really neat and useful to legal.

It's pretty much my go-to now if I need to review mailboxes. I tested their software on some much larger mailboxes rather than just their normal sample you can access and was pretty impressed with the processing performance.

 
Posted : 27/11/2019 4:25 pm
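As an added example (not code from either poster, nor from Intella or Autopsy), the following Python script does the core of what the thread asks for on an mbox: every regex hit is recorded against the Message-ID and From header of the email it came from, card-number hits are Luhn-checked to cut the false positives mentioned above, and the hit is masked so the review sheet does not itself become a PII store. The mailbox, the patterns and the message IDs are constructed; a real PST would be converted to mbox first and read with mailbox.mbox(path) instead of sample_messages().

```python
import email
import re
# Constructed two-message mailbox standing in for a PST exported to mbox (not real data).
SAMPLE_MBOX = """From alice@example.com Mon Nov 25 09:00:00 2019
From: alice@example.com
Message-ID: <a1@example.com>

Please charge 4111 1111 1111 1111; order ref 1234 5678 9012 3456.

From bob@example.com Mon Nov 25 10:00:00 2019
From: bob@example.com
Message-ID: <b2@example.com>

SSN 123-45-6789, forms attached.
"""
PII_PATTERNS = {  # illustrative only; each engagement tunes these to the PII types in scope
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}

def luhn_ok(digits):
    """Mod-10 check: rejects digit runs (order refs, phone numbers) that merely look like cards."""
    table = ("0123456789", "0246813579")  # second string maps d -> digit sum of 2*d
    return sum(int(table[i % 2][int(c)]) for i, c in enumerate(reversed(digits))) % 10 == 0

def message_text(msg):
    """Join decoded text/* parts; PDF or image attachments need separate extraction or OCR."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def scan_messages(messages):
    """One row per (message, PII type, hit), keyed by Message-ID so each hit maps to one email."""
    rows = []
    for msg in messages:
        text = message_text(msg)
        for kind, pattern in PII_PATTERNS.items():
            for m in pattern.finditer(text):
                digits = re.sub(r"\D", "", m.group(0))
                if kind == "card_number" and not luhn_ok(digits):
                    continue  # fails Luhn: an order or reference number, not a card
                rows.append({"message_id": msg["Message-ID"], "from": msg["From"], "pii_type": kind,
                             "masked": "*" * (len(digits) - 4) + digits[-4:]})
    return rows

def sample_messages():  # mailbox.mbox(path) yields the same kind of Message objects for a real file
    return [email.message_from_string(c) for c in re.split(r"(?m)^(?=From )", SAMPLE_MBOX) if c]
```

The rows can be written out with csv.DictWriter as the per-email metadata sheet for legal; the unmasked value stays in the evidence, not in the spreadsheet.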