Insider Threat Kill Chain: Detecting Human Indicators of Compromise
Your organization’s greatest assets are also its greatest threat: people. Your greatest risk is the people you trust. Last year, more than a third of data breaches were perpetrated by a malicious insider, such as an employee, contractor or trusted business partner.

Insider attacks are also among the costliest, averaging $412K per incident.

The intentions of these insiders can be sabotage, fraud, intellectual property theft or espionage. In many cases, however, detectable patterns of behavior and network activity emerge that provide indicators of risk, assist in early detection, and speed up the response to an actual incident.

In this webinar we discussed:

- how human resources, legal and IT can work together to help prevent insider threats before they become a problem.

- how to identify risk indicators in employee attitudes and behavior, and how they correlate with patterns of activity on your network.

- how you can use log intelligence and security analytics to automate actions and alerts, and to speed up reporting and forensics.

The recorded webcast for this presentation can be found here:

http://www.tripwire.com/register/insider-threat-kill-chain-detecting-human-indicators-of-compromise/

Published in: Technology, Business
  • Hello, my name is Ken Westin. I am a product marketing manager with Tripwire, and today I will be presenting on the Insider Threat Kill Chain: Detecting Human Indicators of Compromise.
  • Your organization’s greatest asset is also its greatest threat: people. The very people we trust to run our business can also be its biggest risk. This includes employees, contractors and trusted business partners.
  • One of my first experiences with Tripwire actually happened well before I worked here. I was a big fan of Tripwire Open Source and had it running on various web servers I managed for a small company. We hired a consultant to help with some server administration work and he was given access to a server. There was some dispute with the contractor and management regarding over-billing. Then one night at 4:30 AM I was awoken by my phone sending me alerts because the website went down. I logged into the server to fix it, but Apache wouldn’t come back up, so I turned to Tripwire to see what changed and reviewed logs, and it was easy to see what happened. The contractor we had hired logged into the system, renamed the Apache configuration files and stopped the web server, so that when you tried to restart Apache it wouldn’t work. The timeline corresponded to emails where he made veiled threats to management. The system admin received a letter along the lines of our intent to prosecute and we never heard from him again. Although this is a story I personally experienced, it is definitely not rare.
  • Risk assessment models generally define a threat as the product of capability and intent. CERT, which has done extensive research on insider threats, analyzed the underlying intentions of the perpetrators of actual insider cybercrimes in the United States and categorized them into four key groups:
    - IT Sabotage: as in the previous example, a disgruntled employee decides to cause damage to data or infrastructure.
    - Fraud: an insider steals information, such as credit card or payment data, usually for financial gain.
    - Intellectual Property Theft: includes cases where not only business plans or technology are stolen, but also things like source code, where many developers feel they retain ownership rights to the code they developed, or a sales rep who helps himself to customer information before going to work for another company.
    - Espionage: includes state-sponsored espionage as well as corporate espionage. Many nation states target corporations (expand on this more).
  • Many in security are familiar with the Cyber Kill Chain coined by Lockheed Martin to describe the phases of a targeted attack, which can then be mapped to defensive measures: Reconnaissance -> Weaponization -> Delivery -> Exploitation -> Installation -> Command & Control -> Actions on Objectives. The cyber kill chain approach breaks down, however, when we try to apply it to an insider threat: the insider is already on the inside and in many cases is using authorized credentials to simply do unauthorized things, so there is no delivery or exploitation phase to catch, and it is more challenging to detect them as they progress through their various nefarious actions. The FBI modeled a different kill chain when discussing how they deal with the insider threat within the FBI itself, which I believe works very well:
    - Recruitment or Tipping Point: the point where the good employee turns bad, be it an internal event such as being passed over for a promotion, or an outside influencer offering a bribe or other incentive.
    - Search and Reconnaissance: can be a faster process the more knowledgeable the employee and the higher their level of access.
    - Acquisition and Collection: the actual gathering of information, be it copying it to one place on a server or their laptop, or photocopying and printing documents.
    - Exfiltration or damage: the actual egress of data from the organization, or the point at which the employee is able to cause actual damage to the network.
This is not limited to a single event and can be an ongoing process, often escalating in risk on the perpetrator’s side as they become more confident that they will not get caught.

On the defensive side, as this kill chain progresses the methods for mitigating the risk change. Our first line of defense is prevention, which starts with security policies, training of employees, access controls and the principle of least privilege.
As the insider begins to take action we move into the realm of detection: when they log into critical assets, copy files, download tools that may assist in information gathering and scanning, and other activities that can be detected with proper logging and controls in place. The next phase is responding to an actual incident, when we realize data has been compromised or damage has been inflicted on systems affecting business operations. At this phase it is about identifying the scope of the compromise and getting systems back up and running in a trusted state. Having access to logs and system change information is critical at this phase for incident response, forensics and getting things operational again.
All through these phases of the kill chain there are different indicators of risk that can tell us something is wrong, but only if we know what to look for and where. These indicators usually come in two categories: non-technical indicators, usually dealing with behavior that Human Resources or a legal department is aware of, such as an employee who is reprimanded or gives notice, events that may increase risk; and technical indicators, such as an employee attempting to access systems they are not authorized to access, or multiple remote connections at odd hours transferring large files.
  • With regard to the non-technical indicators, which I call “human indicators of compromise”, here are a few examples of potentially increased risk:
    - Consistently first in and last out of the office: can be an indicator of control, not wanting others to see what they are working on.
    - 12+ months of unused vacation: again an issue of control; their work has not been handed over for others to review.
    - Life change, such as a change in marital status: not always an indicator of risk, but statistically it can be.
    - Gives notice.
    - Layoff notification.
    - Passed over for promotion or raise.
    - Disciplinary action.
  • At the prevention phase there is a great deal that can be done to mitigate insider risk. The first is to consider insiders and partners in your risk assessments; many times in information security the focus is only on the outside perimeter. Background checks are important, particularly for those in positions of trust, which can include employees as well as partners. Clearly document and enforce security policies.
  • On the prevention side there are also some technical indicators of risk:
    - An increasing number of logins by a user, varying between local and remote logins.
    - Logging into the network at odd times.
    - Logging in frequently during vacation time, which may not indicate that the user is malicious but that someone else is using their credentials.
  • So when it comes to monitoring insiders in our environments, how can we gather logs and other data and make sense of it to help us identify actual risk indicators and events of interest? With a seemingly endless number of devices and applications and a high volume of user activity on any given day, identifying a potential insider threat seems almost impossible. However, Tripwire Log Center provides the tools to monitor specific users: system access, application usage, physical access, whether they are on our HR watch list, and other activities, either out of the box or easily created. Tripwire Log Center provides actionable intelligence that correlates events of interest to trigger alerts, or to activate actions and scripts to quickly respond to a potential insider threat. In addition, Tripwire Log Center provides easily accessible archives of log data with powerful search capability to go back and look at the actions a particular employee took, or to identify patterns of risky behavior. Tripwire Log Center also provides tight integration with Tripwire Enterprise to identify any changes made by users in your environment, as well as to help get it back into a trusted state if unauthorized changes are made. Tripwire Log Center and Tripwire IP360 work together to identify vulnerabilities in your network that a technically savvy insider may leverage to escalate privileges or gain access to sensitive data.
  • Here are a few examples of correlation rules that can be used to identify events of interest in your environment, many come out of the box with Tripwire Log Center.<read through>
  • When people deploy a log intelligence tool, the first thing they usually ask is: what should I log? At a bare minimum you should be logging events from firewalls, unsuccessful login attempts on systems, intrusion detection system logs, web proxies, antivirus alerts, and change management systems to report on any configuration changes to systems in your environment. Since an insider is typically using valid credentials, successful logons to critical assets are worth collecting alongside the failures.
  • Before an organization deploys a log intelligence or SIEM solution there are some things to take into account. You will want to identify the log volume in events per second (EPS); this is used by most commercial products for pricing and also provides a guideline for the hardware requirements of the servers that handle the load. You will want to establish log management policies and procedures. You may want to work with your legal department on log retention policies to see if there is a certain length of time logs need to be archived. You will also want to decide specifically what you plan to collect and from which devices, as well as identify who will be managing the systems. Some organizations want to federate this management out at the department level and then pass events of interest up to a security operations center, or pass everything to the SOC and let them sort it out. False positives: unfortunately you cannot just deploy the system and leave it; you will need to tune it to reduce false positives and focus on the events that matter. You will also want to establish baselines to identify what is normal behavior in your environment, to better distinguish anomalies from true threats.
  • Let’s walk through a common real-world insider threat example. Assume we have an employee who has been flagged by HR for our watch list; we put a watch on this employee through Active Directory. We want to know if he connects to servers outside of our network after hours, so for this rule we will monitor ports 22 (SSH), 23 (Telnet) and 3389 (Terminal Services, or RDP). Since a majority of malicious insiders used remote access for their attacks, we treat connections to these three ports as suspicious in the development of our signature. You will need to account for other protocols used in your own environment to make sure you are monitoring all possible channels of communication; an insider who knows these ports are watched can move to a non-standard port or tunnel over one that is allowed. This rule is written out here in Common Event Expression (CEE), an open event format proposed by MITRE, which can be imported into Tripwire Log Center and shared with other systems.
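The same rule, implemented as an added example in Python rather than CEE so it can be run over log lines directly (this is editor-added code, not from the webinar or from Tripwire Log Center). The connection-log format, the internal address ranges, the business-hours window and the watch-list user name are all constructed for the example; a real deployment would take the watch list from the Active Directory group and the log format from the firewall or proxy in use.

```python
"""Watch-list remote-access rule over constructed connection logs.

Alert when a watch-listed user connects to a destination outside the
corporate address space on port 22, 23 or 3389 outside business hours.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
import re

# Assumptions for the example: corporate address space and business hours.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
SUSPICIOUS_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp"}
# Watch list as it might be exported from an AD group (constructed name).
HR_WATCH_LIST = {"jdoe"}

# Constructed log format:
# "<iso timestamp> user=<name> src=<ip> dst=<ip> dport=<n> action=<allow|deny>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)

@dataclass(frozen=True)
class Alert:
    ts: datetime
    user: str
    dst: str
    service: str

def parse_line(line):
    """Return a dict of typed fields, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "src": ip_address(m["src"]),
        "dst": ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "action": m["action"],
    }

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def is_after_hours(ts):
    # Weekends count as after hours; on weekdays only the window above is business time.
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)

def evaluate(lines, watch_list=HR_WATCH_LIST):
    """Apply the rule to every line; denied attempts are reported too, since a
    blocked connection attempt by a watched user is still an indicator."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # a real deployment would count unparseable lines
        if ev["user"] not in watch_list:
            continue
        if ev["dport"] not in SUSPICIOUS_PORTS:
            continue
        if is_internal(ev["dst"]):
            continue
        if not is_after_hours(ev["ts"]):
            continue
        alerts.append(Alert(ev["ts"], ev["user"], str(ev["dst"]), SUSPICIOUS_PORTS[ev["dport"]]))
    return alerts

# Constructed sample log (2014-03-18 is a Tuesday, 2014-03-22 a Saturday).
SAMPLE_LOG = [
    "2014-03-18T02:14:07 user=jdoe src=10.1.4.22 dst=203.0.113.9 dport=22 action=allow",     # alert
    "2014-03-18T02:20:31 user=jdoe src=10.1.4.22 dst=10.2.0.15 dport=3389 action=allow",     # internal
    "2014-03-18T10:02:55 user=jdoe src=10.1.4.22 dst=198.51.100.4 dport=3389 action=allow",  # business hours
    "2014-03-18T02:16:40 user=asmith src=10.1.4.30 dst=203.0.113.9 dport=22 action=allow",   # not watched
    "2014-03-18T02:30:00 user=jdoe src=10.1.4.22 dst=203.0.113.9 dport=443 action=allow",    # port not in rule
    "2014-03-22T14:05:12 user=jdoe src=10.1.4.22 dst=203.0.113.77 dport=23 action=allow",    # weekend: alert
    "garbage line",
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOG):
        print(f"{a.ts.isoformat()} {a.user} -> {a.dst} ({a.service}) after hours")
```

Only two of the seven constructed lines fire: the 02:14 SSH session and the Saturday Telnet session. The internal RDP hop, the daytime external RDP and the port-443 connection are suppressed by the destination, time and port checks respectively, which is exactly where the rule's blind spots are once the insider knows it exists.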
  • Although Tripwire Log Center can import CEE, you can also easily create rules through a drag-and-drop interface, as well as create custom reports and dashboards. Here is an example dashboard we have created for what I am calling our HR watch list. It is tied in with Active Directory and provides us with the relevant events occurring in our environment. In the center map we are watching remote SSH to see where users are connecting to outside the company; to the right we have a map of activity during the day. We are monitoring which users are logging into multiple systems, which users are logging into high-value assets, and former employees who have attempted to log into the network. We can also see which systems are making remote SSH connections, as well as which hosts have had large files copied or generated.
  • We can also bring physical security into the mix by pulling log data from key fob systems and correlating it with network events. When dealing with an insider incident it is helpful to be able to physically place a user in the office at a specific terminal, and to know what assets they connected to on your network and what connections they opened to the outside world.
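The physical/logical correlation described here, together with the vacation-time login indicator from the technical indicators slide and a terminated-account check of the kind the case stories describe, as an added example (editor's code, not from the webinar or from any Tripwire product). The HR export, the badge-reader and logon log formats, the account names and the "ws-" naming convention for office desks are all constructed assumptions.

```python
"""Correlating HR status, badge-reader events and logon events.

Added example with constructed data. Three checks drawn from the
webinar's indicator lists:
  1. logon by an account whose HR status is 'terminated'
  2. logon while HR shows the employee on vacation (someone else may be
     using the credentials)
  3. interactive logon at an office workstation on a day with no granted
     badge-in for that user (the person was never physically there)
"""
from datetime import date, datetime
import re

# Constructed HR export: account -> employment status and vacation ranges (inclusive).
HR_RECORDS = {
    "jdoe":   {"status": "active",     "vacation": [(date(2014, 3, 17), date(2014, 3, 21))]},
    "asmith": {"status": "active",     "vacation": []},
    "bold":   {"status": "terminated", "vacation": []},
}

# Constructed badge-reader line: "<iso ts> badge user=<name> door=<id> result=<granted|denied>"
BADGE_RE = re.compile(
    r"^(?P<ts>\S+) badge user=(?P<user>\S+) door=(?P<door>\S+) result=(?P<result>\S+)$"
)
# Constructed logon line: "<iso ts> logon user=<name> host=<name> type=<interactive|remote>"
LOGON_RE = re.compile(
    r"^(?P<ts>\S+) logon user=(?P<user>\S+) host=(?P<host>\S+) type=(?P<type>\S+)$"
)

def is_office_workstation(host):
    # Assumption: desks inside the badge-controlled office are named "ws-NNNN".
    return host.startswith("ws-")

def badge_ins(badge_lines):
    """Return the set of (user, date) pairs with at least one granted badge-in."""
    present = set()
    for line in badge_lines:
        m = BADGE_RE.match(line.strip())
        if m and m["result"] == "granted":
            present.add((m["user"], datetime.fromisoformat(m["ts"]).date()))
    return present

def on_vacation(record, day):
    return any(start <= day <= end for start, end in record["vacation"])

def correlate(logon_lines, badge_lines, hr=HR_RECORDS):
    """Return (timestamp, user, reason) findings for the logon lines."""
    present = badge_ins(badge_lines)
    findings = []
    for line in logon_lines:
        m = LOGON_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        user, host = m["user"], m["host"]
        record = hr.get(user)
        if record is None:
            # Orphaned or service account: needs its own inventory, but flag it here.
            findings.append((ts, user, "no HR record for account"))
            continue
        if record["status"] == "terminated":
            findings.append((ts, user, "logon by terminated account"))
        if on_vacation(record, ts.date()):
            findings.append((ts, user, "logon while HR shows vacation"))
        if (m["type"] == "interactive" and is_office_workstation(host)
                and (user, ts.date()) not in present):
            findings.append((ts, user, f"interactive logon at {host} with no badge-in"))
    return findings

# Constructed sample data.
SAMPLE_BADGES = [
    "2014-03-18T08:02:11 badge user=asmith door=lobby result=granted",
    "2014-03-18T08:45:00 badge user=jdoe door=lobby result=denied",       # denied: not present
]
SAMPLE_LOGONS = [
    "2014-03-18T08:10:30 logon user=asmith host=ws-0412 type=interactive",  # badged in, clean
    "2014-03-18T09:15:02 logon user=jdoe host=ws-0407 type=interactive",    # vacation + no badge-in
    "2014-03-18T11:00:00 logon user=jdoe host=vpn-gw type=remote",          # vacation only
    "2014-03-19T04:02:19 logon user=bold host=fw-core-01 type=remote",      # terminated account
    "2014-03-18T12:00:00 logon user=svc_backup host=db-01 type=remote",     # no HR record
]

if __name__ == "__main__":
    for ts, user, reason in correlate(SAMPLE_LOGONS, SAMPLE_BADGES):
        print(f"{ts.isoformat()} {user}: {reason}")
```

The interesting case is the second logon line: HR says jdoe is on vacation and the badge system never admitted jdoe that morning, yet an interactive session opened at an office desk. Either someone else is at that desk with jdoe's credentials, or the "interactive" logon is not what it appears to be; both are worth a phone call, and neither would surface from the authentication log alone.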
  • Tripwire has caught several malicious insiders, many times when the software is first deployed to a network. A power company deployed Tripwire Log Center and immediately discovered that the account of a terminated system admin was still in use. Not only that, but the account was logging into the network around 4 AM on Wednesdays. They also discovered that logging had been disabled on a key firewall by the same account.
  • In another case, a major tire retailer deployed Tripwire Log Center as part of a proof of concept. A backdoor set up by a terminated employee was discovered, and it was actively being accessed. They were able to quickly block the access and gather enough evidence to prosecute the terminated employee, had management chosen to do so.
  • A recent headline that actually came up yesterday: a former systems administrator on a Navy nuclear aircraft carrier has been charged with conspiring to hack into government systems over the course of several months. Nicholas Paul Knight, 27, who referred to himself as a “nuclear black hat,” was discharged from the Navy after he allegedly attempted to hack into a Naval database while at sea, serving as a systems administrator in the nuclear reactor department aboard the U.S.S. Harry S. Truman. He was allegedly part of a group that hacked into:
    - U.S. National Geospatial-Intelligence Agency
    - Department of Homeland Security’s Transportation Worker Identification system
    - Los Alamos National Lab
    - as well as university and police department systems
This raises another question with regard to insiders: what are employees doing on your network? Auditing what tools and software are on systems, and what outgoing connections they make, can help detect risky behavior that may not cause you to be breached, but could hold you liable to some degree if the employee is illegally hacking other networks.
  • So in summary I would like to go back to the earlier slide that outlines our insider threat kill chain. As we can see what at first seems like an impossible task of dealing with a malicious insider