
A Look into the OPM Breach Discovery

posted Sep 16, 2016, 12:40 AM by Michael Lenart   [ updated Sep 16, 2016, 12:40 AM ]

By Ben Cotton

Last April, my team of cybersecurity professionals showed up at the U.S. Office of Personnel Management (OPM) for a routine product demonstration of our CyFIR software. Little did we realize that we were about to uncover one of the largest data breaches in the history of the U.S. Government.

This isn’t a problem that was localized to OPM. Since last April, we’ve seen several high profile data thefts in the headlines that have affected America’s political entities, major corporations, and private individuals. We know that there is a major threat to information stored on private and public sector networks, and something has to be done. The OPM breach provides us with an illustrative case study that might give some direction on incident response: what to do, and perhaps more importantly, what not to do.


On September 7, after a long and thorough investigation, the House of Representatives Oversight and Government Reform Committee (HOGR) released a comprehensive and well-documented report outlining their findings regarding this data breach. The HOGR report confirms exactly how vulnerable many of our nation’s IT systems are and the critical need for innovative technologies to protect our networks.

Importantly, the report confirmed that the information held on OPM’s network had been breached more than a year prior to its discovery and highlighted the key role that the CyFIR platform played in identifying and responding to the intrusion that compromised 21 million sensitive government records.

Specifically, the report stated, “During CyTech’s April 21, 2015 demonstration, CyTech identified or ‘discovered’ malware on the live OPM IT environment related to the incident. There is no evidence showing CyTech was aware [of the incident] at the time of the April 21 demonstration… Beginning on April 22, 2015, CyTech offered and began providing significant incident response and forensic support to OPM related to the 2015 incident. The documents and testimony show OPM and Cylance recognized CyFIR’s ability to quickly obtain forensic images. CyTech provided an expert to manage the CyFIR tool and continue to provide onsite support through May 1, 2015.” [1]

The findings outlined in the Committee’s exhaustive investigative report, and echoed by Committee Chairman Jason Chaffetz (R-Utah) at a recent event, highlight an extreme gap in our government security systems that must be addressed immediately and thoroughly if we are to prevent this type of incident in the future.

Simply put, we need more innovative cybersecurity tools to protect the networks that store the confidential information of Americans across the country, so that outdated security systems do not continue to fail. We cannot overstate the need to streamline the processes that get these innovative technologies into systems quickly. We need to fast-track the acquisition process for products that can swiftly detect, investigate, isolate, and remediate zero-day malware similar to that found on OPM’s network.

During his remarks, Chairman Chaffetz expressed an extreme concern that several government entities, citing the Department of Education as an example, remain at risk of being hacked unless we begin installing the tools needed to offset these threats. The inadequate measures taken by OPM are paralleled in other agencies, and we must ensure that these government systems are being protected.

So, then, how did my team achieve this important goal of reducing risk, identifying threats, and addressing them?


Using its innovative endpoint vulnerability assessment technology, CyFIR identified, within 12 minutes, a set of unknown processes running on a limited set of endpoints. This information was immediately provided to OPM security staff and was ultimately revealed to be zero-day malware that had been in place on the OPM network for more than a year.

CyFIR takes a “Zero Trust” approach that leverages our distributed architecture – shortening discovery time to minutes – which allows for remote live forensic analysis and remediation, thus diminishing the need for time-consuming and expensive deployment of personnel. CyTech’s executive staff are all long-time forensic examiners with experience performing computer forensic casework for the highest levels of the Federal Government and Fortune 500 companies. As such, we build into our platform what we want to use ourselves.

A common concern now is that almost every federal department and agency is connected in some way to the OPM network, and that could mean that these agencies are also at risk from the same type of penetration discovered at OPM. Responsible officials at each federal entity should be working tirelessly to ascertain if such penetrations have occurred and implement added protection to ensure this doesn’t happen in the future.


Technologies must be able to rapidly and simultaneously scan all running processes on individual computers and at the enterprise level, in order to dramatically shorten the time it takes to discover, investigate, and remediate a breach. All government entities should be secure and protected with the most comprehensive data security tools available.
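The two observations above (unknown processes, seen only on a limited set of endpoints, and the need to scan running processes across the whole enterprise at once) describe a detection pattern that can be shown concretely. The following is an added example written for this page; it is not CyFIR's or CyTech's code and does not claim to reproduce how CyFIR works. It assumes each endpoint reports its running processes as (name, image path, SHA-256 of the image) and that a known-good baseline of image hashes exists. Every hash, host name and path in it is constructed; the `fake_sha256` helper, `BASELINE`, `FLEET` and `triage` are illustrative names. It generalizes the page's scenario slightly by also flagging a binary whose name collides with a baseline binary but whose hash does not match, and a fleet-wide prevalence count so that the rarest images are triaged first.

```python
"""
Enterprise-wide triage of running-process inventories (added example).

Each endpoint reports the processes it is running.  Images whose hash is not
in the known-good baseline are collected across the fleet, their prevalence
is computed, and the rarest ones are returned first for forensic follow-up.
All hashes, hosts and paths are constructed for this example.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

Proc = Tuple[str, str, str]  # (process name, image path, sha256 of the image)


def fake_sha256(label: str) -> str:
    """Constructed stand-in for a real image hash: SHA-256 of a label string."""
    return hashlib.sha256(label.encode()).hexdigest()


# Known-good baseline (constructed): image hash -> (expected name, expected path).
BASELINE: Dict[str, Tuple[str, str]] = {
    fake_sha256("svchost-build-a"): ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    fake_sha256("explorer-build-a"): ("explorer.exe", r"C:\Windows\explorer.exe"),
    fake_sha256("agent-3.1"): ("mgmtagent.exe", r"C:\Program Files\Mgmt\mgmtagent.exe"),
}

# The process set a clean host is expected to show.
_GOOD: List[Proc] = [(name, path, h) for h, (name, path) in BASELINE.items()]

# Constructed fleet inventory: host -> processes observed running on it.
# ws04 runs an unknown image masquerading as svchost.exe from a user-writable
# directory; srv01 and srv02 share an unknown image in a temp directory.
FLEET: Dict[str, List[Proc]] = {
    "ws01": _GOOD,
    "ws02": _GOOD,
    "ws03": _GOOD,
    "ws04": _GOOD + [("svchost.exe", r"C:\Users\Public\svchost.exe", fake_sha256("blob-a"))],
    "ws05": _GOOD,
    "srv01": _GOOD + [("mcutil.exe", r"C:\Windows\Temp\mcutil.exe", fake_sha256("blob-b"))],
    "srv02": _GOOD + [("mcutil.exe", r"C:\Windows\Temp\mcutil.exe", fake_sha256("blob-b"))],
    "srv03": _GOOD,
}


def hosts_by_hash(fleet: Dict[str, List[Proc]]) -> Dict[str, set]:
    """Fleet-wide prevalence: image hash -> set of hosts observed running it."""
    seen: Dict[str, set] = defaultdict(set)
    for host, procs in fleet.items():
        for _, _, h in procs:
            seen[h].add(host)
    return seen


def triage(fleet: Dict[str, List[Proc]],
           baseline: Dict[str, Tuple[str, str]],
           rare_fraction: float = 0.5) -> List[dict]:
    """Return one finding per image hash absent from the baseline, rarest first.

    A finding carries the hash, every name and path it was seen under, the
    sorted list of hosts, and the reasons it was flagged.  An image is "rare"
    when it runs on no more than rare_fraction of the fleet.
    """
    prevalence = hosts_by_hash(fleet)
    total = len(fleet)
    baseline_names = {name for name, _ in baseline.values()}
    details: Dict[str, dict] = defaultdict(lambda: {"names": set(), "paths": set()})
    for procs in fleet.values():
        for name, path, h in procs:
            if h in baseline:
                continue  # known-good image; nothing to do
            details[h]["names"].add(name)
            details[h]["paths"].add(path)

    findings = []
    for h, d in details.items():
        hosts = sorted(prevalence[h])
        reasons = ["image hash not in known-good baseline"]
        if d["names"] & baseline_names:
            reasons.append("name matches a baseline binary but hash differs")
        if len(hosts) / total <= rare_fraction:
            reasons.append(f"rare: running on {len(hosts)} of {total} hosts")
        findings.append({"sha256": h, "names": sorted(d["names"]),
                         "paths": sorted(d["paths"]), "hosts": hosts,
                         "reasons": reasons})
    # Rarest images first; hash as a stable tie-breaker.
    findings.sort(key=lambda f: (len(f["hosts"]), f["sha256"]))
    return findings


if __name__ == "__main__":
    for f in triage(FLEET, BASELINE):
        print(f["sha256"][:12], f["names"], f["hosts"])
        for r in f["reasons"]:
            print("   -", r)
```

The prevalence step is what makes the enterprise-level view matter: a hash seen on one or two hosts out of many is a far stronger lead than the same hash seen everywhere, and sorting by prevalence puts the analyst's first forensic image (memory, disk, logs) on the most anomalous endpoint. In a real deployment the baseline would come from signed or vendor-published hashes and the inventory from an agent rather than from the constructed lists here.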

The CyFIR system provides forensic evidence including memory images, hard drive images, event logs, and registry entries that existing government software cannot. We are able to quickly identify, isolate, remediate, and remove hostile threats to these large scale networks.

With capabilities like these, cybersecurity personnel can take action much faster. What’s evident here is that our government’s networks need to be protected to ensure another breach of this magnitude is prevented and our personal information remains secure.


We could not have known on that typical April day that we would unearth this set of malware that had been siphoning data from the OPM’s systems for more than a year, but we built our CyFIR technology to do just that. As hackers and data thieves become more sophisticated, and as our networks become more complex, having a system to catch processes before they take root in the shadows is more important than ever. The question now is whether government entities and businesses will take preventative action or wait instead until it’s too late.


About the Author

Ben Cotton is the CEO of CyTech Services Inc., providing clients with security assessments of information systems, computer forensics and electronic discovery. Ben uses the skills he gained from his extensive military service experience in special operations to meet the needs of government and commercial clients. He leads incident response and litigation support engagements. Ben founded CyTech as he was preparing to retire following a 21-year career in the United States Army Special Forces. As part of his military service, Ben developed the digital sensitive site exploitation, computer network attack (CNA), computer network defense (CND) and computer network operations (CNO) capabilities for the United States Special Operations Command (USSOCOM). The Special Forces approach to dealing with these kinds of challenges in a military setting is also applied as the CyTech team deals with the current cyber challenges facing its clients.

End Note

[1] Chapter 5: The CyTech Story; Page 125