TRANSCRIPT
Top 9 Insider Threats and How to Spot Them
Michael Lebeau
Senior Systems Engineer
The threats are real.
Insider threat detection challenges
quest.com | confidential
• 44% of alerts are left uninvestigated
• 50% of alerts are false positives
• 1/3 of orgs spend 500 hours/month responding to alerts
9 Common Insider Threats
• Brute-force attack
• Data exfiltration
• Snooping user
• Abnormal AD activity
• Malware
• Scripted account use
• Privilege elevation
• Lateral movement
• Abnormal system access
Brute-force attack
Use Case
• Attackers repeatedly try to guess a user’s password
• Worms or other malware designed to identify user accounts and attempt to crack their passwords using password dictionaries
Indicators
• Abnormal failed authentication attempts
By correlating failed logons with other user actions, you can alert on true brute-force attacks without drowning in false positives.
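The correlation described above, as an added example that is not part of the original deck: a burst of failed logons for one (source, account) pair raises an alert, and a success from the same source shortly after the burst escalates it, while a user mistyping a password a couple of times never fires. The authentication events, thresholds and five-minute window are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs): ts, source, target account, outcome.
EVENTS = [
    ("2024-01-10 08:00:00", "10.0.0.5", "alice", "fail"),
    ("2024-01-10 08:00:02", "10.0.0.5", "alice", "success"),   # typo, then correct password
    *[(f"2024-01-10 09:00:{i:02d}", "10.0.0.9", "bob", "fail") for i in range(40)],
    ("2024-01-10 09:00:45", "10.0.0.9", "bob", "success"),      # burst followed by success
    *[(f"2024-01-10 10:00:{i:02d}", "10.0.0.7", "carol", "fail") for i in range(12)],
]

def parse(ev):
    ts, src, user, outcome = ev
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, user, outcome

def detect_brute_force(events, min_failures=10, window=timedelta(minutes=5)):
    """Return alerts for (source, account) pairs with a burst of failures.

    A burst alone is an 'attempt'; a burst followed by a success from the same
    source within the window is escalated to 'compromised'. That correlation is
    what separates a real attack from a user mistyping a password."""
    by_pair = defaultdict(list)
    for ts, src, user, outcome in sorted(map(parse, events)):
        by_pair[(src, user)].append((ts, outcome))
    alerts = []
    for (src, user), seq in by_pair.items():
        fails = [ts for ts, o in seq if o == "fail"]
        if len(fails) < min_failures:
            continue          # a handful of failures is normal user behaviour
        first, last = fails[0], fails[-1]
        if last - first > window:
            continue          # slow trickle over a long period: not a burst
        success_after = any(o == "success" and first <= ts <= last + window
                            for ts, o in seq)
        alerts.append({"source": src, "account": user, "failures": len(fails),
                       "severity": "compromised" if success_after else "attempt"})
    return alerts
```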
Data exfiltration or destruction
Use Case
• Unauthorized copying or transfer of data from a computer using any of multiple techniques
• User is attempting the malicious destruction of data
Indicators
• An excessive number of file access or file move events
• An excessive number of file delete events
Stealing or destroying valuable corporate data could be perpetrated by cybercriminals or rogue employees.
Snooping user
Use Case
• A user accessing resources and files that aren’t appropriate for their role, even though permissions aren’t necessarily locked down
• Could be a user that is not actively malicious but inappropriately curious
Indicators
• A high number of file access attempts in a short period of time
• A high number of failed file access events
• Attempts to access file servers and folders the user has never, or rarely, accessed in the past
An internal user who is inappropriately curious might attempt to browse servers and folders that they shouldn’t be accessing, such as salary information or reorg plans.
Abnormal AD activity
Use Case
• Attempting to exploit compromised credentials
• Compromised account is being used to corrupt or destroy critical directory data
• Interactive privileged account being used to run scripts
Indicators
• Spike in the volume of changes to AD
• User performing actions that are not part of their standard routine
• Users making membership changes to privileged AD groups
• Abnormal number of failed AD changes
Example: a first-level helpdesk representative is normally only responsible for unlocking disabled user accounts and resetting their passwords, but has suddenly begun creating new user accounts in AD.
Malware
Use Case
• Ransomware and other forms of malware look to establish a beachhead on a computer within your network
• Malware will attempt to compromise user accounts in order to gain access to corporate resources
Indicators
• Excessive number of logon attempts to multiple user accounts, servers, DCs and domains – all from a single computer or IP address
• Excessive number of file renames across multiple folders and servers, all from a single user account
Malware is installed on a computer through a successful phishing attempt. Once in the network it will try to get access to user accounts and sensitive file data.
Abnormal system access
Use Case
• User account accesses your network from an atypical geographical location or an abnormal workstation
• Most of the time, it’s not an attack, so raising an alarm on all abnormal access would quickly drown you in a sea of dead-end alerts
Indicators
• Authenticated users accessing servers they rarely or never accessed before
• Users accessing an excessive number of servers within the environment
This could be a sign that an external attacker has compromised an internal user account.
Scripted use of privileged account
Use Case
• Program or script operating under a user’s credentials in order to make mass destructive changes to AD or valuable file data
Indicators
Excessive number of:
• User or group changes made to AD
• File access, move or delete events
• Authentication attempts against different user accounts
• Failed or successful attempts to access different computers and servers
If the volume of activity by a given account is so high that it clearly could not be performed interactively by a user, it is likely that malware or scripts are being run under the account's context for nefarious purposes.
Privilege elevation
Use Case
• Attacker compromises a regular user account, then elevates the privileges of that account in order to get access to the data or systems they’re interested in
• Rogue insiders often attempt to elevate their own privileges or create new accounts and add them to nested privileged groups in order to gain more access rights
Indicators
• User being added to a critical built-in privileged group, either directly or via nested group membership
Once a hacker compromises a regular user account, their next move is to elevate their rights by granting the account additional privileges through group memberships and file permissions.
Lateral movement
Use Case
• Horizontal movement across AD to gain more widespread access
Indicators
• Multiple logon attempts to different target servers
• Multiple successful authentications to different target servers
• Access to servers in the environment that the user has never accessed previously
• Logon using different user accounts from a single computer or IP address
Attackers will continue to expand their reach across the network until they’ve secured access to the sensitive information they were looking for, or planted malware to allow for their prolonged access to the environment.
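Two of the lateral-movement indicators above, logons to servers an account has never reached before and several accounts used from one computer, scored per source host; this is an added example, not code from the deck or from Quest. The per-account baseline of previously seen servers, the logon events and the thresholds are constructed.

```python
from collections import defaultdict

# Constructed baseline: servers each account has logged on to historically (not real data).
BASELINE = {
    "dave": {"FS01", "PRINT01"},
    "erin": {"FS01"},
}

# Constructed logon events: (source host, account, target server).
EVENTS = [
    ("WS-DAVE", "dave", "FS01"), ("WS-DAVE", "dave", "PRINT01"),   # routine for dave
    ("WS-ERIN", "erin", "FS01"), ("WS-ERIN", "erin", "SQL01"),     # one new server: low signal
    *[("WS-TEMP", "dave", s) for s in ("SQL01", "SQL02", "DC01", "HR01", "FIN01")],
    ("WS-TEMP", "svc_backup", "DC01"), ("WS-TEMP", "erin", "DC01"),
]

def lateral_movement_findings(events, baseline, new_server_threshold=3, account_threshold=3):
    """Return {source host: [finding, ...]} for hosts that trip either indicator:
    an account reaching many servers absent from its baseline, or many distinct
    accounts authenticating from the same host."""
    servers_by_src_user = defaultdict(set)
    accounts_by_src = defaultdict(set)
    for src, user, server in events:
        servers_by_src_user[(src, user)].add(server)
        accounts_by_src[src].add(user)
    findings = {}
    for (src, user), servers in servers_by_src_user.items():
        new = servers - baseline.get(user, set())   # servers never seen for this account
        if len(new) >= new_server_threshold:
            findings.setdefault(src, []).append(
                f"{user} reached {len(new)} servers never seen before: {sorted(new)}")
    for src, accounts in accounts_by_src.items():
        if len(accounts) >= account_threshold:
            findings.setdefault(src, []).append(
                f"{len(accounts)} different accounts used from one host: {sorted(accounts)}")
    return findings
```

A single new server (erin on SQL01) stays below threshold, which is the kind of benign deviation that would otherwise flood the queue.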
AD attacks
The anatomy of an Active Directory attack
What’s the solution
User threat alerts – making sense out of noise
Figure (funnel, 80,000 users over 60 days): 387 million raw events → 1,153 threat indicators → 304 SMART alerts → 180 risky users.
• Tens of thousands of indicators below the threshold were discarded
• 5 alerts a day on avg., scored and prioritized by importance
• Example alert types shown: Suspicious AD activity, Snooping user, Brute-force attack
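The scoring step the funnel describes, as an added example that is not Quest's code: each indicator is scored by how far it deviates from the account's own baseline, weighted by how strongly that indicator type suggests a real threat, summed per account, and anything below the threshold is discarded so only a ranked shortlist of risky users remains. The indicator stream, weights and threshold are constructed.

```python
from collections import defaultdict

# Assumed weights: how strongly each indicator type suggests a real threat.
WEIGHTS = {"failed_logons": 1.0, "new_servers": 2.0, "priv_group_add": 5.0, "file_deletes": 1.5}

# Constructed indicator stream: (account, indicator type, observed count, account's baseline).
INDICATORS = [
    ("frank", "failed_logons", 3, 2),        # barely above normal: noise
    ("frank", "file_deletes", 30, 25),
    ("grace", "new_servers", 6, 1),
    ("grace", "priv_group_add", 1, 0),        # a privileged group add is never routine
    ("grace", "failed_logons", 40, 2),
    ("heidi", "file_deletes", 2000, 50),      # mass deletion: possible destruction
]

def indicator_score(kind, observed, baseline):
    """Relative deviation above the account's baseline, weighted by indicator kind."""
    deviation = (observed - baseline) / max(baseline, 1)
    return max(deviation, 0.0) * WEIGHTS[kind]

def risky_users(indicators, threshold=5.0):
    """Aggregate weighted indicator scores per account, drop accounts below the
    threshold, and return (score, account, contributing indicators) ranked
    highest-risk first."""
    scores, reasons = defaultdict(float), defaultdict(list)
    for user, kind, observed, baseline in indicators:
        s = indicator_score(kind, observed, baseline)
        if s > 0:
            scores[user] += s
            reasons[user].append(kind)
    return sorted(((round(s, 1), u, reasons[u]) for u, s in scores.items() if s >= threshold),
                  reverse=True)
```

Frank's two mildly elevated counts sum to well under the threshold and are discarded; the analyst sees only heidi and grace, in that order.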
Come see Quest in the vendor area
Questions?