  1. Detecting and Preventing the Insider Threat
     Mike Saunders, Hardwater Information Security
  2. About Mike
     • 17 years in IT, 9 years in security
     • CISSP, GPEN, GWAPT, GCIH
     • Speaker: DerbyCon, BSidesMSP, ND IT Symposium, NDSU CyberSecurity Conference
  3. Defining the threat: mistakes
     • Sensitive data exposed
     • Unintentional data destruction or contamination
     • Outages caused by misconfigurations
     • Malware outbreaks
  4. Defining the threat: bad actors
     • Theft of IP, sensitive data, $$$
     • Insider trading
     • Intentional data corruption or deletion
     • Denial of service
     • Terry Childs, 2008
  5. The Insider Threat
     • Verizon 2015 DBIR: ~20% of all breaches due to insider actions
     • 39% of all loss-of-data incidents due to insider actions
  6. Insider Threat Statistics
  7. Insider Threat Statistics (2015 Verizon DBIR)
  8. Prevention
  9. Prevention: web
     • Web exfiltration
     • Block outbound web access by default
     • Require all users to go through a web proxy
     • Block access to external email providers; ensure local ISP mail systems are also blocked
     • Block access to known file sharing sites, using the proxy vendor's classifications
  10. Prevention: web
     • Block access to all uncategorized websites
     • Prevent egress from servers
  11. Prevention: deny by default
     • Ensure all egress avenues are blocked, including SSH, telnet, SMB, CIFS, HTTP/HTTPS
     • Grant unrestricted egress by exception only
     • Tie rules to user ID, not IP
     • Disable split tunneling on VPN connections
  12. Prevention: applications
     • Consider whitelisting technologies to prevent unknown executables from running
     • Significant management overhead initially; worth it in the long run
  13. Removable media
     • Deny access to removable media, both USB and CD/DVD-R
     • Permit by authorized exception only
     • Regularly review removable media authorizations
  14. Prevention: physical (h/t Jeremy Strozer)
     • Restrict access to sensitive areas: document storage, datacenter and network closets
     • Physical security controls
     • Monitor for abnormal activity
  15. Data classification
     • Implement a data classification scheme
     • Identify what data is sensitive
     • Separate storage of sensitive and non-sensitive data
  16. A word about DLP
     • DLP is not a panacea
     • Useless without a data classification program
     • You MUST perform HTTPS inspection
     • What about an encrypted zip in email?
  17. A meme about DLP
  18. Privilege management
     • Restrict access to local AND directory administrator groups
     • Separate accounts for admin and daily use
     • Regularly review access to admin groups
     • Group users by job function; regularly cross-reference group membership to job functions
     • Privilege review whenever employees change roles
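Cross-referencing group membership against job functions, and catching admin rights sitting on daily-use accounts, is straightforward to automate once HR's role list and a directory group export are in hand. The following is an added example, not from the deck or from Hardwater; the role matrix, group names, accounts and the "adm-" prefix convention for separate admin accounts are all constructed assumptions.

```python
"""Cross-reference directory group membership with job functions.

Added example, not from the slide deck. The role matrix, group names,
accounts and the 'adm-' naming convention for separate admin accounts are
all constructed; in practice the HR feed and the group export come from
the HR system and a directory (e.g. AD) group dump."""
from collections import defaultdict

ADMIN_PREFIX = "adm-"   # constructed convention: admin accounts are adm-<user>

# Constructed role matrix: groups each job function is entitled to.
ROLE_GROUPS = {
    "helpdesk": {"Helpdesk", "Workstation Admins"},
    "developer": {"Developers", "Git Users"},
    "finance": {"Finance", "Payroll Read"},
    "sysadmin": {"Server Admins", "Domain Admins"},
}

# Groups that confer administrative rights and deserve extra scrutiny.
ADMIN_GROUPS = {"Domain Admins", "Server Admins", "Workstation Admins"}

# Constructed HR feed: account -> current job function (None = departed).
HR = {
    "alice": "developer",
    "bob": "finance",
    "carol": "sysadmin",
    "adm-carol": "sysadmin",
    "dave": "helpdesk",
    "erin": None,            # left the company; account still exists
}

# Constructed directory export: group -> members.
GROUPS = {
    "Developers": {"alice", "bob"},
    "Git Users": {"alice"},
    "Finance": {"bob"},
    "Payroll Read": {"bob", "dave"},
    "Helpdesk": {"dave"},
    "Workstation Admins": {"dave", "alice"},
    "Server Admins": {"adm-carol"},
    "Domain Admins": {"adm-carol", "erin"},
}


def memberships(groups):
    """Invert group -> members into user -> set of groups."""
    by_user = defaultdict(set)
    for group, members in groups.items():
        for user in members:
            by_user[user].add(group)
    return by_user


def review(hr, groups, role_groups, admin_groups, admin_prefix=ADMIN_PREFIX):
    """Return (user, group, reason) findings for memberships that do not
    follow from the user's job function, plus admin rights on daily-use
    accounts and accounts with no active job function at all."""
    findings = []
    for user, user_groups in sorted(memberships(groups).items()):
        role = hr.get(user)
        if role is None:
            findings += [(user, g, "no active job function") for g in sorted(user_groups)]
            continue
        allowed = role_groups.get(role, set())
        for g in sorted(user_groups):
            if g not in allowed:
                kind = "admin group outside role" if g in admin_groups else "group outside role"
                findings.append((user, g, kind))
            elif g in admin_groups and not user.startswith(admin_prefix):
                findings.append((user, g, "admin group on daily-use account"))
    return findings


if __name__ == "__main__":
    for user, group, reason in review(HR, GROUPS, ROLE_GROUPS, ADMIN_GROUPS):
        print(f"{user:10} {group:20} {reason}")
```

Run on the constructed data it reports alice's stray Workstation Admins membership, bob in Developers, dave in Payroll Read and holding admin rights on his daily account, and the departed erin still in Domain Admins; adm-carol, whose memberships match her role and naming convention, produces nothing. The same report run after every role change covers the last bullet of the slide.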
  19. Restrict access
     • Deny access to sensitive data by default
     • Provision access to data by group / role
     • Individual access by exception only
  20. Monitoring
  21. Monitoring
     • Email: develop reporting for outbound email usage by user
     • Network / web: develop reporting for outbound data usage by user
     • Compare outbound reports against a baseline
     • Look for spikes in usage and review them
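A per-user baseline of outbound volume is the core of the "compare against baseline, look for spikes" step. The following is an added example, not from the deck: the log format (date, user, bytes out, destination) is a constructed simplification of a proxy access log, and the median/MAD threshold is one reasonable choice of baseline rather than anything the deck prescribes.

```python
"""Per-user outbound volume baselining over (simplified) proxy logs.

Added example, not from the slide deck. Each constructed log line is
'date user bytes_out destination'; a real feed would be squid or a proxy
vendor's access log, aggregated the same way."""
from collections import defaultdict
from statistics import median

# Constructed sample: five baseline days, then one review day (2015-06-08).
LOG_LINES = """
2015-06-01 alice 10000000 mail.internal
2015-06-02 alice 12000000 intranet
2015-06-03 alice 11000000 intranet
2015-06-04 alice 9000000 intranet
2015-06-05 alice 10000000 intranet
2015-06-01 bob 50000000 crm.internal
2015-06-02 bob 55000000 crm.internal
2015-06-03 bob 48000000 crm.internal
2015-06-04 bob 52000000 crm.internal
2015-06-05 bob 50000000 crm.internal
2015-06-08 alice 250000000 files.example.net
2015-06-08 bob 60000000 crm.internal
2015-06-08 carol 5000000 intranet
""".strip().splitlines()

MIN_BYTES = 1_000_000  # totals below this are never worth a review ticket
RATIO = 3.0            # flag when the review day exceeds 3x the user's median...
K_MAD = 3.0            # ...or median + 3 * median absolute deviation


def daily_totals(lines):
    """Return {user: {date: bytes_out}} summed from log lines."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        date, user, nbytes, _dest = line.split()
        totals[user][date] += int(nbytes)
    return totals


def baseline(values):
    """Median and median absolute deviation of historical daily totals;
    both are robust to a single earlier outlier day."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def find_spikes(lines, review_date):
    """Return {user: (review_day_bytes, reason)} for users to review."""
    flagged = {}
    for user, by_date in daily_totals(lines).items():
        today = by_date.get(review_date, 0)
        if today < MIN_BYTES:
            continue
        history = [b for d, b in by_date.items() if d < review_date]
        if not history:
            flagged[user] = (today, "no baseline for user")
            continue
        med, mad = baseline(history)
        threshold = max(RATIO * med, med + K_MAD * mad)
        if today > threshold:
            flagged[user] = (today, f"{today / med:.1f}x median ({int(med)} bytes/day)")
    return flagged


if __name__ == "__main__":
    for user, (nbytes, why) in find_spikes(LOG_LINES, "2015-06-08").items():
        print(f"{user}: {nbytes} bytes out, {why}")
```

On the constructed data alice is flagged at 25x her median, bob's 20% uptick stays under the threshold, and carol is flagged only because she has no history at all, which is the right outcome for a new or newly active account. The same aggregation applies to outbound email (bytes or attachment counts per sender) with no change to the baseline logic.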
  22. More on monitoring
     • What about packets bouncing off the firewall? One internal IP to an external IP on many ports, or to many IPs, may be a sign of probing
     • Newer attack methods exfiltrate over DNS
     • dns/detecting-dns-tunneling-34152
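Both signals on this slide can be pulled out of logs the firewall and the resolver already produce. The following is an added example, not from the deck: the key=value log format, the addresses (RFC 5737 documentation ranges) and the thresholds are constructed assumptions, and the DNS heuristic (many unique, long, high-entropy subdomain labels under one parent domain from one client) is a common tunnelling indicator rather than something the deck spells out.

```python
"""Two log heuristics: an internal host whose dropped packets fan out over
many external ports or hosts, and DNS queries shaped like a tunnel.

Added example, not from the slide deck. Log line format, addresses and
thresholds are constructed assumptions."""
import hashlib
import math
from collections import Counter, defaultdict

# Constructed firewall deny log: 10.1.2.3 sweeps 20 ports on one host,
# 10.1.2.4 retries one blocked port (normal noise), 10.1.2.5 hits 15 hosts.
FW_DENY_LINES = (
    [f"src=10.1.2.3 dst=203.0.113.5 dport={p} action=DROP" for p in range(20, 40)]
    + ["src=10.1.2.4 dst=203.0.113.9 dport=443 action=DROP"] * 5
    + [f"src=10.1.2.5 dst=198.51.100.{h} dport=445 action=DROP" for h in range(1, 16)]
)

# Constructed DNS query log: 10.1.2.6 does ordinary lookups; 10.1.2.7 sends
# 40 unique, long, high-entropy labels under one parent (the labels are just
# SHA-256 prefixes standing in for encoded data).
DNS_LINES = (
    ["src=10.1.2.6 qname=www.example.net", "src=10.1.2.6 qname=mail.example.net"]
    + [f"src=10.1.2.7 qname={hashlib.sha256(str(i).encode()).hexdigest()[:40]}.t.example.net"
       for i in range(40)]
)


def kv(line):
    """Parse 'key=value key=value' log lines into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def probing_sources(lines, port_threshold=10, host_threshold=10):
    """Return {src: reason} for sources whose dropped packets fan out widely."""
    seen = defaultdict(lambda: defaultdict(set))  # src -> dst -> {dport}
    for line in lines:
        f = kv(line)
        if f.get("action") != "DROP":
            continue
        seen[f["src"]][f["dst"]].add(f["dport"])
    findings = {}
    for src, by_dst in seen.items():
        widest = max(len(ports) for ports in by_dst.values())
        if widest >= port_threshold:
            findings[src] = f"{widest} distinct ports on one external host"
        elif len(by_dst) >= host_threshold:
            findings[src] = f"{len(by_dst)} distinct external hosts"
    return findings


def shannon_entropy(s):
    """Bits per character: random hex sits near 4, ordinary hostnames well below."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dns_tunnel_suspects(lines, min_unique=20, min_len=30, min_entropy=3.5):
    """Return {(src, parent_domain): (unique_subdomains, avg_len, avg_entropy)}
    for client/domain pairs whose subdomain labels look machine-generated."""
    subs = defaultdict(set)  # (src, parent) -> {subdomain part}
    for line in lines:
        f = kv(line)
        labels = f["qname"].lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # bare second-level lookups carry no subdomain payload
        parent = ".".join(labels[-2:])
        subs[(f["src"], parent)].add(".".join(labels[:-2]))
    findings = {}
    for key, names in subs.items():
        if len(names) < min_unique:
            continue
        avg_len = sum(len(n) for n in names) / len(names)
        avg_ent = sum(shannon_entropy(n) for n in names) / len(names)
        if avg_len >= min_len and avg_ent >= min_entropy:
            findings[key] = (len(names), round(avg_len, 1), round(avg_ent, 2))
    return findings


if __name__ == "__main__":
    for src, why in probing_sources(FW_DENY_LINES).items():
        print(f"possible probing from {src}: {why}")
    for (src, dom), stats in dns_tunnel_suspects(DNS_LINES).items():
        print(f"possible DNS tunnel from {src} via {dom}: {stats}")
```

The DNS thresholds need tuning per environment (CDNs and some security products also generate long unique labels), which is why the function reports the measured counts rather than a yes/no; allow-listing known parent domains is the usual next step.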
  23. Tuning for monitoring
     • IDS/IPS: DO NOT enable all the things! Details will be lost in the noise
     • Test in small batches; only enable useful / actionable alerts
     • Enable reputational and behavioral blocking on local client firewalls / AV, e.g. Symantec SONAR
  24. Antivirus
     • May be ineffective against emerging threats, but useful after the fact
     • AV alerts from system boot or scheduled scans should be investigated: something bad is already on the system
     • Investigations can cross-reference proxy logs to identify the infection vector and subsequent calls to the botnet / threat actor
  25. Hardening systems
     • Same methods used to protect against external threats
     • Remove "low hanging fruit" for insiders
     • Disable unnecessary services
     • Remove unneeded software
     • Patch quickly, patch often
  26. Share auditing
     • Routinely scan for file shares:
       nmap -sS -v -oA myshares --script smb-enum-shares --script-args smbuser=smbuser,smbpass=password -p445 <range>
       nmap -sU -sS -v -oA myShares --script smb-enum-shares.nse --script-args smbuser=smbuser,smbpass=password -p U:137,T:139 <range>
     • Scan as an unprivileged user without special group permissions
     • Identify shares allowing anonymous or "Authenticated Users" access
     • Sample each accessible share for unprotected sensitive data
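Reading the smb-enum-shares results by hand across a /16 does not scale, so the normal output (the .nmap file from -oA) is worth parsing. The following is an added example, not from the deck or from the nmap project: the scan output is constructed to mimic the script's normal output for two hosts in the 192.0.2.0/24 documentation range with invented share names, and the interpretation that "Current user access" for an unprivileged scan account approximates what any Authenticated Users member can reach is the slide's premise, applied in code.

```python
"""Parse nmap smb-enum-shares normal output and list shares reachable by an
anonymous or ordinary authenticated user.

Added example, not from the deck or from nmap. SAMPLE_NMAP_OUTPUT is
constructed to mimic the script's output; hosts and shares are invented."""
import re

SAMPLE_NMAP_OUTPUT = r"""
Nmap scan report for 192.0.2.10
Host is up (0.0010s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: auditor
|   \\192.0.2.10\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\192.0.2.10\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: READ
|     Current user access: READ/WRITE
|   \\192.0.2.10\Public:
|     Type: STYPE_DISKTREE
|     Comment: Everyone drop box
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.0.2.10\Finance:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|_    Current user access: READ

Nmap scan report for 192.0.2.11
Host is up (0.0012s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: auditor
|   \\192.0.2.11\HR:
|     Type: STYPE_DISKTREE
|     Comment: HR records
|     Anonymous access: <none>
|_    Current user access: <none>
"""

SHARE_RE = re.compile(r"^\\\\[^\\]+\\(.+):$")   # matches "\\host\share:"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")


def parse_smb_enum_shares(text):
    """Return a list of {host, share, anonymous, user} dicts, one per share."""
    shares, host, current = [], None, None
    for raw in text.splitlines():
        m = HOST_RE.match(raw)
        if m:
            host, current = m.group(1), None
            continue
        if not raw.startswith("|"):
            continue
        line = raw.lstrip("|_ ").rstrip()      # drop the script-output gutter
        m = SHARE_RE.match(line)
        if m:
            current = {"host": host, "share": m.group(1),
                       "anonymous": "<none>", "user": "<none>"}
            shares.append(current)
            continue
        if current is None:
            continue
        key, _, value = line.partition(":")
        if key == "Anonymous access":
            current["anonymous"] = value.strip()
        elif key == "Current user access":
            current["user"] = value.strip()
    return shares


def open_shares(shares, ignore=("IPC$",)):
    """Shares readable anonymously, or by the unprivileged scanning account
    (a stand-in for any 'Authenticated Users' member). IPC$ is skipped by
    default: it holds no files, so access to it is not a data-exposure finding."""
    findings = []
    for s in shares:
        if s["share"] in ignore:
            continue
        if s["anonymous"] != "<none>":
            findings.append((s["host"], s["share"], "anonymous: " + s["anonymous"]))
        elif s["user"] != "<none>":
            findings.append((s["host"], s["share"], "any authenticated user: " + s["user"]))
    return findings


if __name__ == "__main__":
    for host, share, why in open_shares(parse_smb_enum_shares(SAMPLE_NMAP_OUTPUT)):
        print(f"\\\\{host}\\{share}  {why}  -> sample for sensitive data")
```

The output is the worklist for the last bullet: each listed share gets sampled for unprotected sensitive data, and the run is repeated on a schedule so new shares show up as a diff against the previous list.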
  27. Logging
     • Send all logs to a SIEM
     • Log all authentication attempts, both successful and failed (see NSA, "Spotting the Adversary with Windows Event Log Monitoring")
     • Log access to sensitive data directories
     • Log firewall activity
     • Process logging
     • Consider file integrity management and a change request system
  28. Education / Resources
     • SANS: Securing the Human
     • intext:"insider threat"
     • and-indicators.cfm
  29. Wrap up
     • Prevention is key
     • Restrict privileges
     • Restrict network egress
     • Block removable media
     • Monitor for abnormal behavior
     • Review shares for unprotected sensitive data
     • Logging is essential
     • Educate, educate, educate
  30. Contact: @harwaterhacker
  31. Resources
     • spotting_the_adversary_with_windows_event_log_monitoring.pdf
     • nmap share scanning: shares.html, nmap-smb-enum-shares-output.html
  32. Questions?