insider threat v3
Overview
• How big of a problem is the Insider Threat?
• Who commits insider computer crimes and why do they do it?
• The Toolsets & Tradeoffs – What are the sources of internal visibility?
• What to look for – Specific guidance on detecting insiders and APT
Mythology & Fear
and Cynicism…
Why Insider Threats? – The Verizon Breach Report
• Verizon 2012 Data Breach Investigations Report
• 2012
  – 98% stemmed from external agents
  – 4% implicated internal employees
• 2011
  – 92% stemmed from external agents
  – 17% implicated insiders
• 2010
  – 70% stemmed from external agents
  – 48% were caused by insiders
• Hacking in 2012
  – 3% involved SQL Injection
  – 55% involved default credentials
  – 40% involved stolen credentials
  – 29% involved brute force or dictionary attacks
Ponemon & Solera Networks: The Post Breach Boom
Insider Threats
• 12 years of history
• Over 700 insider threat cases
• IT Sabotage
  – Average: $1.7 million
  – Median: $50,000
• IP Theft
  – Average: $13.5 million
  – Median: $337,000
Different stats teach different lessons
• Insider attacks do not occur frequently relative to external attacks.
  – ~4% of incidents - VDBIR
• However, many organizations face them.
  – More than half the number that experienced successful outsider attacks - Ponemon
• Usually, they are not very costly, but in some cases, they can be very expensive.
The APT
• Mandiant 2012 M-Trends Report:
– In 100% of cases the bad guys used valid credentials
– Malware was only installed on 54% of compromised systems
– Median number of days before attackers were discovered: 416
Three kinds of Insider Threats
• Negligent Insiders – Employees who accidentally expose data.
• Malicious Insiders – Employees who intentionally expose data.
• Compromised Insiders – Employees whose access credentials or personal computers have been compromised by an outside attacker.
An Observation
• Imperfect controls can be useful if they reduce incidents in practice
  – Common Assumption: If we can evade a security control, that control is worthless.
    • Evasions of technical controls can be automated and globally distributed.
    • Deterrence doesn’t work on the Internet because attribution doesn’t work on the Internet.
  – We don’t apply this assumption in the world of physical security.
• How?
  – Reduction of negligent incidents
  – Keeping honest people honest
  – Deterrence – People have a tendency to be impulsive
    • Knowledge that events are being logged and the logs are archived and monitored creates a risk for insiders unless they can modify the logs.
    • The use of fully automated analysis creates thresholds that insiders can evade.
    • A hybrid approach where automated tools help human analysts avoids creating a scenario where an attacker can know that activity won’t be discovered.
Three kinds of Insider Threats
• Negligent Insiders
  – Prevention
    • Access controls
    • Encryption of data at rest
    • DRM?
    • Education
• Malicious Insiders
  – Prevention
    • Access Controls
    • Checks and Balances
  – Detection
    • Management Training
    • Monitoring
• Compromised Insiders
  – Detection
Who commits insider attacks?
Source: Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination - CERT
CERT: Common Sense Guide to Prevention and Detection of Insider Threats
|                             | IT Sabotage | Financial Gain                | Business Advantage |
|-----------------------------|-------------|-------------------------------|--------------------|
| % of cases                  | 45%         | 44%                           | 14%                |
| Employment                  | Former      | Current                       | Current            |
| Position                    | Technical   | Data Entry & Customer Services | Technical or Sales |
| Authorized access?          | Rarely      | 75%                           | 88%                |
| Used their own credentials? | 30%         | 85%                           | Almost always      |
| Compromised an account?     | 43%         | 10%                           | Rarely             |
| Attack was non-technical    | 65%         | 84%                           | Almost always      |
| When                        | After hours | Normal hours                  | Normal hours       |
| Where                       | Remote      | Local                         | Local              |
| IDed due to                 | Logs        | Logs                          | Logs               |
Sources of visibility
• Firewall logs
  – Are you logging everything or just denies?
• Internal & Host IPS systems
  – HIPS potentially has a lot of breadth
  – Can be expensive to deploy
  – Signature based
• Log Management Solutions/SIEM
  – Are you collecting everything?
  – You can only see what gets logged
• Netflow
  – Lots of breadth, less depth
  – Lower disk space requirements
• Full Packet Capture
  – Deep but not broad
  – Expensive
  – High disk space requirements
Tradeoffs:
• Record everything vs only bad things
• Breadth vs Depth
• Time vs Depth
• Privacy
Tradeoffs
(network diagram: Internet, DMZ, VPN, Internal Network and 3G Internet segments)
Tradeoffs
(chart: richness plotted against disk space required, from NetFlow at the low end to Full Packet Capture at the high end)
Privacy
Internal Visibility Through NetFlow
(network diagram: NetFlow exported from the Internet edge, DMZ, VPN, 3G Internet and Internal Network segments to a NetFlow Collector)
NetFlow packets carry, per flow:
• src and dst ip
• src and dst port
• start time
• end time
• mac address
• byte count
• more
Lancope Identity 1000
Cisco Identity Services Engine (ISE)
• Cisco ISE is a context aware, policy based 802.1x authentication solution
• Detect
  – Device type, operating system and patch level
  – Time and location from which the user is attempting to gain access

| User Name | MAC Address                                      | Device Type  |
|-----------|--------------------------------------------------|--------------|
| Bob.Smith | 8c:77:12:a5:64:05 (Samsung Electronics Co., Ltd) | Android      |
| John.Doe  | 10:9a:dd:27:cb:70 (Apple Inc)                    | Apple-iPhone |
Following the User
Sometimes investigations start with user intelligence
User Reports
Monitoring tasks need to be narrowed down
CERT: Common Sense Guide to Prevention and Detection of Insider Threats
Theft of Intellectual Property
• Key window – 30 days before and after resignation/termination
• 54% of CERT’s exfiltration cases occurred over the network (most email)
• Email with large attachments to third party destinations
• Large amounts of traffic to the printer
• Data Infiltration and Exfiltration
Automated Data Loss Detection
Suspect Data Hoarding – unusually large amount of data inbound from other hosts
Target Data Hoarding – unusually large amount of data outbound from a host to multiple hosts
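The three volume-based detections the deck describes (suspect data hoarding, target data hoarding, and the abnormal disclosure behind the Beron case later on) can all be computed from the NetFlow fields listed earlier. The following is an added example, not code from the slides or from Lancope: it assumes flow records carrying src/dst IP, src/dst port, start/end time and byte count, an internal address range of 10.0.0.0/8, and a per-host baseline of normal daily volume that a collector would have to learn over time. The flows and baseline figures are constructed for illustration.

```python
"""Hoarding and abnormal-disclosure heuristics over NetFlow-style records.

Added example, not code from the slides or from Lancope. It assumes flow
records carrying the fields the deck lists for NetFlow (src/dst IP, src/dst
port, start/end time, byte count), an internal address range, and a per-host
baseline of normal daily volume that a collector would have to supply. All
flows and baseline figures below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address space
DEFAULT_BASELINE = 100_000_000        # assumed daily bytes for hosts with no history


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    start: str
    end: str
    byte_count: int


def parse_flows(text):
    """Parse constructed 'src,dst,sport,dport,start,end,bytes' lines into Flow objects."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, sport, dport, start, end, nbytes = (f.strip() for f in line.split(","))
        flows.append(Flow(src, dst, int(sport), int(dport), start, end, int(nbytes)))
    return flows


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def _aggregate(flows, pair_of):
    """Sum bytes per host and collect distinct peers; pair_of(flow) -> (host, peer) or None."""
    total, peers = defaultdict(int), defaultdict(set)
    for f in flows:
        pair = pair_of(f)
        if pair:
            host, peer = pair
            total[host] += f.byte_count
            peers[host].add(peer)
    return total, peers


def _over_baseline(total, peers, baseline, factor, min_peers):
    """Hosts whose volume exceeds factor x their baseline and that touched enough distinct peers."""
    return sorted(h for h, b in total.items()
                  if b > factor * baseline.get(h, DEFAULT_BASELINE) and len(peers[h]) >= min_peers)


def _internal_pair(f):
    return is_internal(f.src) and is_internal(f.dst) and f.src != f.dst


def suspect_data_hoarding(flows, baseline, factor=5, min_sources=3):
    """Internal hosts pulling far more than usual from several other internal hosts."""
    total, peers = _aggregate(flows, lambda f: (f.dst, f.src) if _internal_pair(f) else None)
    return _over_baseline(total, peers, baseline, factor, min_sources)


def target_data_hoarding(flows, baseline, factor=5, min_targets=3):
    """Internal hosts pushing far more than usual to several other internal hosts."""
    total, peers = _aggregate(flows, lambda f: (f.src, f.dst) if _internal_pair(f) else None)
    return _over_baseline(total, peers, baseline, factor, min_targets)


def abnormal_disclosure(flows, baseline, factor=5):
    """Internal hosts uploading far more than usual to addresses outside the internal range."""
    total, peers = _aggregate(
        flows, lambda f: (f.src, f.dst) if is_internal(f.src) and not is_internal(f.dst) else None)
    return _over_baseline(total, peers, baseline, factor, min_peers=1)


# Constructed baseline: typical daily bytes per host, as a collector would learn over time.
BASELINE = {"10.0.1.20": 50_000_000, "10.0.5.5": 2_000_000_000}

# Constructed flow records for one day; 10.0.1.20 is a workstation, 10.0.5.x are file servers.
SAMPLE_FLOWS = """
10.0.5.5,     10.0.1.20,    445,   51001, 2013-03-12T09:00:00, 2013-03-12T09:20:00, 200000000
10.0.5.6,     10.0.1.20,    445,   51002, 2013-03-12T09:21:00, 2013-03-12T09:40:00, 200000000
10.0.5.7,     10.0.1.20,    445,   51003, 2013-03-12T09:41:00, 2013-03-12T10:00:00, 200000000
10.0.1.20,    203.0.113.9,  51004, 443,   2013-03-12T12:05:00, 2013-03-12T12:50:00, 400000000
10.0.7.7,     10.0.1.30,    22,    51010, 2013-03-12T14:00:00, 2013-03-12T14:10:00, 300000000
10.0.7.7,     10.0.1.31,    22,    51011, 2013-03-12T14:11:00, 2013-03-12T14:20:00, 300000000
10.0.7.7,     10.0.1.32,    22,    51012, 2013-03-12T14:21:00, 2013-03-12T14:30:00, 300000000
10.0.5.5,     10.0.1.21,    445,   51020, 2013-03-12T10:00:00, 2013-03-12T10:01:00, 5000000
10.0.1.21,    198.51.100.4, 51021, 443,   2013-03-12T10:30:00, 2013-03-12T10:31:00, 2000000
198.51.100.4, 10.0.1.21,    443,   51022, 2013-03-12T10:30:00, 2013-03-12T10:31:00, 30000000
"""
FLOWS = parse_flows(SAMPLE_FLOWS)

if __name__ == "__main__":
    print("suspect data hoarding:", suspect_data_hoarding(FLOWS, BASELINE))
    print("target data hoarding: ", target_data_hoarding(FLOWS, BASELINE))
    print("abnormal disclosure:  ", abnormal_disclosure(FLOWS, BASELINE))
```

On the sample data the workstation 10.0.1.20 is flagged twice: it pulls 600 MB from three servers (suspect data hoarding) and then pushes 400 MB to an external address (abnormal disclosure), while 10.0.7.7 is flagged for target data hoarding after sending 300 MB to each of three internal hosts. The `factor` and `min_peers` knobs are exactly the kind of fixed threshold the "An Observation" slide warns can be evaded by staying just under them; treat the output as candidates for an analyst to review against baselines that are re-learned over time, not as a verdict.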
IT Sabotage
• Targeted monitoring of employees who are “on the HR radar”
• Access after termination (!) (accounts or open sessions)
• Unusual Access
  – Times
  – Devices
  – Source Addresses
  – Destination Addresses
  – Mismatches
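The "Theft of Intellectual Property" slide's 30-day key window and the IT Sabotage checks above (access after termination, unusual times and source addresses) both reduce to joining an access log against HR data. The following is an added example, not code from the slides or from CERT or Lancope: it assumes an HR roster giving each user's termination or resignation date and known source addresses, and an authentication log with timestamp, user, service, source address and result. The roster, business-hours assumption and log lines are constructed for illustration.

```python
"""Access-after-termination, key-window and unusual-access checks.

Added example, not code from the slides or from CERT/Lancope. It assumes two
inputs the deck implies but does not show: an HR roster (termination date and
known source addresses per user) and an authentication log. The roster, the
business-hours assumption and the log lines below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

KEY_WINDOW = timedelta(days=30)   # the deck's window around resignation/termination
BUSINESS_HOURS = (8, 18)          # assumed local business hours, 08:00-18:00 on weekdays


@dataclass
class Person:
    user: str
    termination: Optional[datetime]   # None means still employed
    known_sources: frozenset          # source addresses previously seen for this user


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    service: str
    src: str
    result: str


def parse_events(text):
    """Parse constructed 'timestamp user service src result' lines."""
    events = []
    for line in text.strip().splitlines():
        ts, user, service, src, result = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, service, src, result))
    return events


def access_after_termination(events, roster):
    """Any attempt (successful or not) by an account whose owner was already terminated."""
    return [e for e in events
            if e.user in roster and roster[e.user].termination is not None
            and e.ts > roster[e.user].termination]


def key_window_events(events, roster, window=KEY_WINDOW):
    """Activity within +/- window of the user's resignation/termination date."""
    out = []
    for e in events:
        p = roster.get(e.user)
        if p and p.termination is not None and abs(e.ts - p.termination) <= window:
            out.append(e)
    return out


def unusual_access(events, roster):
    """Events outside business hours or from a source not previously seen for the user."""
    flagged = []
    start, end = BUSINESS_HOURS
    for e in events:
        reasons = []
        if e.ts.weekday() >= 5 or not (start <= e.ts.hour < end):
            reasons.append("after-hours")
        p = roster.get(e.user)
        if p and e.src not in p.known_sources:
            reasons.append("unknown-source")
        if reasons:
            flagged.append((e, reasons))
    return flagged


# Constructed HR roster: jdoe was terminated, rlee has resigned effective 28 March, bsmith is active.
ROSTER = {
    "jdoe": Person("jdoe", datetime(2013, 3, 10), frozenset({"10.0.1.20"})),
    "rlee": Person("rlee", datetime(2013, 3, 28), frozenset({"10.0.1.30", "10.0.1.31"})),
    "bsmith": Person("bsmith", None, frozenset({"10.0.1.40"})),
}

# Constructed authentication log, in chronological order.
SAMPLE_LOG = """
2013-02-20T08:30:00 rlee   email      10.0.1.31    success
2013-03-05T09:10:00 rlee   fileserver 10.0.1.30    success
2013-03-12T02:10:00 jdoe   vpn        203.0.113.45 failure
2013-03-12T02:14:05 jdoe   vpn        203.0.113.45 success
2013-03-20T10:00:00 bsmith vpn        10.0.1.40    success
2013-03-20T23:45:00 rlee   fileserver 10.0.1.30    success
2013-03-21T11:00:00 bsmith vpn        198.51.100.7 success
"""
EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    for e in access_after_termination(EVENTS, ROSTER):
        print("after termination:", e.ts, e.user, e.service, e.src, e.result)
    for e in key_window_events(EVENTS, ROSTER):
        print("in key window:    ", e.ts, e.user, e.service)
    for e, reasons in unusual_access(EVENTS, ROSTER):
        print("unusual:          ", e.ts, e.user, ", ".join(reasons))
```

The terminated user's two VPN attempts are caught by all three checks, the resigning user's late-night file server session lands in both the key window and the after-hours list, and the active user's login from an address never seen before is surfaced on its own. The roster is the piece only HR can supply, which is the concrete form of the "multidisciplinary" point made later in the deck: without timely termination and resignation dates the first two checks cannot run at all.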
User Reports
Combating Insider Threat is a multidisciplinary challenge
• IT cannot address insider threat by itself
  – People have a tendency to think that IT is solely responsible for all computer security issues.
• Legal: Are policies in place? Are they realistic? Does legal support IT practices?
• HR: Who is coming and going? Who has workplace issues? Are there soft solutions?
• IT: Is the privacy of end users adequately protected?
• What impact on workplace harmony are policies, monitoring, and enforcement having?
• Are you applying policies consistently?
(diagram: overlapping circles for IT, HR and Legal)
Do you have a multi disciplinary insider threat management program?
http://www.lancope.com/ponemon-incident-response/
Data Theft
Beron’s abnormal disclosure: one of your users has uploaded a large amount of data to the internet.
Data Theft – What did Beron send? Who received it?
Data Theft – Where could Beron have gotten the data?
Data Theft – Why did Beron do it?
Key Take Aways
• There are three kinds of insider threat
  – Negligent Insiders
  – Malicious Insiders
  – Compromised Insiders
• Managing the problem involves
  – Logs, Logs, Logs
  – Visibility into the internal network
  – A multidisciplinary team
• StealthWatch can be a powerful tool for combating insider threat
  – User identity integration with network activity audit trails
  – User reports that save time during investigations
  – Automated detection of data loss and data hoarding