Insider threat v3

  1. Insider Threat
     Tom Cross, Director of Security Research
     tcross@lancope.com, (770) 225-6557
  2. Overview
     • How big of a problem is the Insider Threat?
     • Who commits insider computer crimes and why do they do it?
     • The Toolsets & Tradeoffs: What are the sources of internal visibility?
     • What to look for: Specific guidance on detecting insiders and APT
  3. Mythology & Fear
  4. ... and Cynicism
  5. Why Insider Threats? The Verizon Breach Report
     • Verizon 2012 Data Breach Investigations Report
     • 2012
       – 98% stemmed from external agents
       – 4% implicated internal employees
     • 2011
       – 92% stemmed from external agents
       – 17% implicated insiders
     • 2010
       – 70% stemmed from external agents
       – 48% were caused by insiders
     • Hacking in 2012
       – 3% involved SQL Injection
       – 55% involved default credentials
       – 40% involved stolen credentials
       – 29% involved brute force or dictionary attacks
  6. Ponemon & Solera Networks: The Post Breach Boom
  7. Insider Threats
     • 12 years of history
     • Over 700 insider threat cases
     • IT Sabotage
       – Average: $1.7 million
       – Median: $50,000
     • IP Theft
       – Average: $13.5 million
       – Median: $337,000
  8. Different stats teach different lessons
     • Insider attacks do not occur frequently relative to external attacks.
       – ~4% of incidents (VDBIR)
     • However, many organizations face them.
       – More than half the number that experienced successful outsider attacks (Ponemon)
     • Usually they are not very costly, but in some cases they can be very expensive.
  9. The APT
     • Mandiant 2012 M-Trends Report:
       – In 100% of cases the bad guys used valid credentials
       – Malware was only installed on 54% of compromised systems
       – Median number of days before attackers were discovered: 416
  10. Three kinds of Insider Threats
     • Negligent Insiders: Employees who accidentally expose data.
     • Malicious Insiders: Employees who intentionally expose data.
     • Compromised Insiders: Employees whose access credentials or personal computers have been compromised by an outside attacker.
  11. An Observation
     • Imperfect controls can be useful if they reduce incidents in practice
       – Common Assumption: If we can evade a security control, that control is worthless.
         • Evasions of technical controls can be automated and globally distributed.
         • Deterrence doesn't work on the Internet because attribution doesn't work on the Internet.
       – We don't apply this assumption in the world of physical security.
     • How?
       – Reduction of negligent incidents
       – Keeping honest people honest
       – Deterrence: People have a tendency to be impulsive
         • Knowledge that events are being logged and the logs are archived and monitored creates a risk for insiders unless they can modify the logs.
         • The use of fully automated analysis creates thresholds that insiders can evade.
         • A hybrid approach where automated tools help human analysts avoids creating a scenario where an attacker can know that activity won't be discovered.
  12. Three kinds of Insider Threats
     • Negligent Insiders
       – Prevention
         • Access controls
         • Encryption of data at rest
         • DRM?
         • Education
     • Malicious Insiders
       – Prevention
         • Access Controls
         • Checks and Balances
       – Detection
         • Management Training
         • Monitoring
     • Compromised Insiders
       – Detection
  13. Who commits insider attacks?
     Source: Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination (CERT)
  14. CERT: Common Sense Guide to Prevention and Detection of Insider Threats
                                   | IT Sabotage | Financial Gain                 | Business Advantage
     % of cases:                   | 45%         | 44%                            | 14%
     Employment:                   | Former      | Current                        | Current
     Position:                     | Technical   | Data Entry & Customer Services | Technical or Sales
     Authorized Access?            | Rarely      | 75%                            | 88%
     Used their own credentials?   | 30%         | 85%                            | Almost always
     Compromised an account?       | 43%         | 10%                            | Rarely
     Attack was non-technical:     | 65%         | 84%                            | Almost always
     When:                         | After hours | Normal hours                   | Normal hours
     Where:                        | Remote      | Local                          | Local
     IDed due to:                  | Logs        | Logs                           | Logs
  15. Sources of visibility
     • Firewall logs
       – Are you logging everything or just denies?
     • Internal & Host IPS systems
       – HIPS potentially has a lot of breadth
       – Can be expensive to deploy
       – Signature based
     • Log Management Solutions/SIEM
       – Are you collecting everything?
       – You can only see what gets logged
     • Netflow
       – Lots of breadth, less depth
       – Lower disk space requirements
     • Full Packet Capture
       – Deep but not broad
       – Expensive
       – High disk space requirements
     Tradeoffs:
     • Record everything vs only bad things
     • Breadth vs Depth
     • Time vs Depth
     • Privacy
  16. Tradeoffs
     (Network diagram: DMZ, VPN, Internal Network, Internet, 3G Internet)
  17. Tradeoffs
     (Chart: Richness on the vertical axis vs. Disk Space Required on the horizontal axis, plotting NetFlow against Full Packet Capture)
  18. Privacy
  19. Internal Visibility Through NetFlow
     (Network diagram: DMZ, VPN, Internal Network, Internet, 3G Internet; NetFlow exported from each segment to a NetFlow Collector)
     NetFlow record fields:
     • src and dst ip
     • src and dst port
     • start time
     • end time
     • mac address
     • byte count
     • more
  20. Lancope Identity 1000
  21. Cisco Identity Services Engine (ISE)
     • Cisco ISE is a context aware, policy based 802.1x authentication solution
     • Detect
       – Device type, operating system and patch level
       – Time and location from which user attempting to gain access
     User Name | MAC Address                                     | Device Type
     Bob.Smith | 8c:77:12:a5:64:05 (Samsung Electronics Co.,Ltd) | Android
     John.Doe  | 10:9a:dd:27:cb:70 (Apple Inc)                   | Apple-iPhone
  22. Following the User
     Sometimes investigations start with user intelligence
  23. User Reports
  24. User Reports
  25. User Reports
  26. Monitoring tasks need to be narrowed down
  27. CERT: Common Sense Guide to Prevention and Detection of Insider Threats
                                   | IT Sabotage | Financial Gain                 | Business Advantage
     % of cases:                   | 45%         | 44%                            | 14%
     Employment:                   | Former      | Current                        | Current
     Position:                     | Technical   | Data Entry & Customer Services | Technical or Sales
     Authorized Access?            | Rarely      | 75%                            | 88%
     Used their own credentials?   | 30%         | 85%                            | Almost always
     Compromised an account?       | 43%         | 10%                            | Rarely
     Attack was non-technical:     | 65%         | 84%                            | Almost always
     When:                         | After hours | Normal hours                   | Normal hours
     Where:                        | Remote      | Local                          | Local
     IDed due to:                  | Logs        | Logs                           | Logs
  28. Theft of Intellectual Property
     • Key window: 30 days before and after resignation/termination
     • 54% of CERT's exfiltration cases occurred over the network (most email)
     • Email with large attachments to third party destinations
     • Large amounts of traffic to the printer
     • Data Infiltration and Exfiltration
  29. Automated Data Loss Detection
  30. Suspect Data Hoarding
     Unusually large amount of data inbound from other hosts
  31. Target Data Hoarding
     Unusually large amount of data outbound from a host to multiple hosts
  32. IT Sabotage
     • Targeted monitoring of employees who are "on the HR radar"
     • Access after termination (!) (accounts or open sessions)
     • Unusual Access
       – Times
       – Devices
       – Source Addresses
       – Destination Addresses
       – Mismatches
  33. User Reports
  34. Combating Insider Threat is a multidisciplinary challenge
     (Diagram: IT, HR, Legal)
     • IT cannot address insider threat by itself
       – People have a tendency to think that IT is solely responsible for all computer security issues.
     • Legal: Are policies in place? Are they realistic? Does legal support IT practices?
     • HR: Who is coming and going? Who has workplace issues? Are there soft solutions?
     • IT: Is the privacy of end users adequately protected?
     • What impact on workplace harmony are policies, monitoring, and enforcement having?
     • Are you applying policies consistently?
  35. Do you have a multi-disciplinary insider threat management program?
     http://www.lancope.com/ponemon-incident-response/
  36. Data Theft: Beron's abnormal disclosure
     One of your users has uploaded a large amount of data to the internet.
  37. Data Theft: What did Beron send? Who received it?
  38. Data Theft: Where could Beron have gotten the data?
  39. Data Theft
  40. Data Theft: Why did Beron do it?
  41. Key Takeaways
     • There are three kinds of insider threat
       – Negligent Insiders
       – Malicious Insiders
       – Compromised Insiders
     • Managing the problem involves
       – Logs, Logs, Logs
       – Visibility into the internal network
       – A multidisciplinary team
     • StealthWatch can be a powerful tool for combating insider threat
       – User identity integration with network activity audit trails
       – User reports that save time during investigations
       – Automated detection of data loss and data hoarding
  42. Thank You
     Tom Cross, Director of Security Research
     tcross@lancope.com, (770) 225-6557
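Tying together slides 28, 30 and 32, here is an added example (not from the deck and not StealthWatch code) that runs the described checks over NetFlow-style records: suspect data hoarding, large uploads to external hosts inside the 30-day termination window, and traffic from a terminated user's workstation. The flow records, the HR roster, the 10.0.0.0/8 internal range and the byte/peer thresholds are all constructed assumptions.

```python
# Added example (not from the Lancope deck): NetFlow-style insider checks;
# the flows, roster and thresholds below are constructed for illustration.
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space
# Constructed flows: (src, dst, dst_port, start "YYYY-MM-DD HH:MM", bytes)
FLOWS = [
    ("10.1.1.5", "10.1.2.20", 445, "2013-03-01 10:00", 60_000_000),    # three servers
    ("10.1.1.6", "10.1.2.20", 445, "2013-03-01 10:05", 55_000_000),    # feeding one
    ("10.1.1.7", "10.1.2.20", 445, "2013-03-01 10:10", 70_000_000),    # workstation
    ("10.1.2.20", "203.0.113.9", 443, "2013-03-02 23:30", 150_000_000),  # then an upload
    ("10.1.2.31", "10.1.1.5", 445, "2013-03-01 11:00", 2_000_000),     # ordinary use
    ("10.1.2.40", "10.1.1.5", 445, "2013-03-05 09:00", 5_000_000),     # see roster
]
# Constructed HR roster: workstation -> (user, termination date or None)
ROSTER = {"10.1.2.20": ("beron", "2013-03-10"),
          "10.1.2.31": ("alice", None),
          "10.1.2.40": ("carl", "2013-02-28")}

def when(s):
    """Parse a flow start time or a bare roster date."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M" if " " in s else "%Y-%m-%d")

def hoarding_suspects(flows, min_peers=3, min_bytes=100_000_000):
    """Slide 30: hosts pulling unusually much data from several internal hosts."""
    peers, total = defaultdict(set), defaultdict(int)
    for src, dst, _, _, nbytes in flows:
        if ip_address(src) in INTERNAL and ip_address(dst) in INTERNAL:
            peers[dst].add(src)
            total[dst] += nbytes
    return sorted(h for h in total if len(peers[h]) >= min_peers and total[h] >= min_bytes)

def exfil_suspects(flows, roster, window_days=30, min_bytes=100_000_000):
    """Slide 28: large uploads to external hosts within 30 days of a termination."""
    hits = []
    for src, dst, _, start, nbytes in flows:
        user, term = roster.get(src, (None, None))
        if ip_address(dst) in INTERNAL or nbytes < min_bytes or not term:
            continue
        if abs((when(start) - when(term)).days) <= window_days:
            hits.append((user, dst, nbytes))
    return hits

def access_after_termination(flows, roster):
    """Slide 32: workstations of terminated users still generating traffic."""
    return sorted({roster[src][0] for src, _, _, start, _ in flows
                   if src in roster and roster[src][1] and when(start) > when(roster[src][1])})
```

In the constructed data the same workstation first gathers data from three servers and then uploads it externally eight days before its owner's termination date, while a second workstation belongs to someone already off the roster; each check surfaces exactly one of these.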
