
InsiderThreat-2016NDITS


  1. Detecting and Preventing the Insider Threat. Mike Saunders, Hardwater Information Security.
  2. About Mike: 18 years in IT; 9 years in security; CISSP, GPEN, GWAPT, GCIH. Speaker: DerbyCon, BSidesMSP, ND IT Symposium, NDSU CyberSecurity Conference.
  3. Defining the threat, mistakes: sensitive data exposed; unintentional data destruction or contamination; outages caused by misconfigurations; malware outbreaks.
  4. Defining the threat, bad actors: theft of IP, sensitive data, $$$; insider trading; intentional data corruption or deletion; denial of service. Example: Terry Childs, 2008.
  5. The insider threat. Verizon 2016 DBIR: ≈18% of all breaches due to insider actions. riskbasedsecurity.com: 32% of all exposed records in 2015 due to an insider mistake (191M in one event); ≈49% of all exposed records due to all insider actions.
  6. 2015 exposed records by threat vector (chart; riskbasedsecurity.com, 2015 statistics).
  7. Insider threat statistics (chart; 2015 Verizon DBIR).
  8. Prevention (section title).
  9. Prevention, web: block outbound web access by default; require all users to go through a web proxy; block access to external email providers; ensure local/regional ISP mail systems are also blocked.
  10. Prevention, web: block access to known file-sharing sites; use proxy vendor classifications; block access to all uncategorized websites; prevent egress from servers.
  11. Prevention, network: deny by default; ensure all egress avenues are blocked, including SSH, telnet, SMB, CIFS, HTTP/HTTPS; grant unrestricted egress by exception only; tie exceptions to user ID, not IP; disable split tunneling on VPN connections.
  12. Prevention, applications: consider whitelisting technologies to prevent unknown executables from running. Significant management overhead initially, but worth it in the long run.
  13. Removable media: deny use of removable media (USB AND CD/DVD-R); permit by authorized exception only; regularly review removable media authorizations; encrypt all removable media.
  14. Prevention, physical: restrict access to sensitive areas (document storage, datacenter and network closets); physical security controls; monitor for abnormal activity.
  15. Data classification: implement a data classification scheme; identify what data is sensitive; separate storage of sensitive and non-sensitive data.
  16. A word about DLP: DLP is not a panacea; useless without a data classification program; you MUST perform HTTPS inspection; what about an encrypted zip in email?
  17. A meme about DLP (image).
  18. Privilege management: restrict access to local AND directory administrator groups; separate accounts for admin and daily use; regularly review access to admin groups; group users by job function; regularly cross-reference group membership to job functions; review privileges whenever employees change roles.
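Added example, not part of the deck: a small review script in Python for the cross-reference on slide 18. It joins an admin-group membership export against an HR job-function list, flags members whose role is not authorized for the group, flags daily-use accounts sitting in admin groups (the slide's separate-accounts rule), and flags admin accounts with no HR record. The exports, the "adm-" naming convention and the allowed-roles map are constructed assumptions for the example.

```python
"""Cross-reference admin-group membership to job functions (added example)."""

# Constructed exports: "group,account" and "person,job function". Not real data.
GROUP_EXPORT = """\
Domain Admins,adm-jsmith
Domain Admins,akhan
Administrators,adm-akhan
Administrators,adm-bwong
Administrators,adm-jsmith
Administrators,adm-cdoe
"""
HR_ROLES = """\
jsmith,Systems Administrator
akhan,Accountant
bwong,Help Desk
"""

# Assumption for the example: which job functions justify membership in which group.
ALLOWED = {
    "Domain Admins": {"Systems Administrator"},
    "Administrators": {"Systems Administrator", "Help Desk"},
}
# Assumption: separate admin accounts are named by prefixing the person's daily account.
ADMIN_PREFIX = "adm-"


def parse_csv_pairs(text):
    """Split 'a,b' lines into (a, b) tuples, skipping blanks."""
    return [tuple(line.split(",", 1)) for line in text.splitlines() if line.strip()]


def review_admin_groups(group_export, hr_roles, allowed, admin_prefix=ADMIN_PREFIX):
    """Return (group, account, reason) findings for the privilege review."""
    roles = dict(parse_csv_pairs(hr_roles))
    findings = []
    for group, account in parse_csv_pairs(group_export):
        if account.startswith(admin_prefix):
            person = account[len(admin_prefix):]
        else:
            # Daily-use account holding admin rights violates the separate-accounts rule.
            findings.append((group, account, "daily-use account in admin group"))
            person = account
        role = roles.get(person)
        if role is None:
            findings.append((group, account, "no HR record (departed or orphaned?)"))
        elif role not in allowed.get(group, set()):
            findings.append((group, account, f"role '{role}' not authorized for group"))
    return findings


if __name__ == "__main__":
    for group, account, reason in review_admin_groups(GROUP_EXPORT, HR_ROLES, ALLOWED):
        print(f"{group:15} {account:12} {reason}")
```

Run it on your own group export (for example from Get-ADGroupMember or net localgroup) and an HR extract in the same two-column shape; the findings list is what gets reviewed at each role change.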
  19. Restrict access: deny access to sensitive data by default; provision access to data by group/role; individual access by exception only.
  20. Monitoring (section title).
  21. Monitoring. Email: develop reporting for outbound email usage by user. Network/web: develop reporting for outbound data usage by user. Compare outbound reports against a baseline; look for spikes in usage and review them.
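Added example, not from the deck: one way to do the per-user comparison against a baseline that slide 21 calls for, in Python over a constructed proxy-log extract of daily outbound bytes per user. The log layout, user names and thresholds are assumptions; a real report would be fed from the proxy or SIEM.

```python
"""Flag users whose outbound volume spikes against their own baseline (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily egress totals per user: "day user bytes_out". Not real data.
SAMPLE_LOG = """\
2016-03-01 jsmith 1200000
2016-03-01 akhan 800000
2016-03-02 jsmith 1500000
2016-03-02 akhan 900000
2016-03-03 jsmith 1100000
2016-03-03 akhan 850000
2016-03-04 jsmith 1300000
2016-03-04 akhan 780000
2016-03-05 jsmith 1250000
2016-03-05 akhan 9500000
"""


def parse_log(text):
    """Return {user: [(day, bytes_out), ...]} keeping file order per user."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, nbytes = line.split()
        per_user[user].append((day, int(nbytes)))
    return per_user


def find_spikes(per_user, baseline_days=4, ratio=3.0, sigmas=3.0):
    """Use each user's first baseline_days entries as their baseline and flag any
    later day that exceeds BOTH ratio x mean and mean + sigmas x stddev.
    Requiring both keeps noisy low-volume users from tripping the ratio alone."""
    findings = []
    for user, rows in per_user.items():
        base = [nbytes for _, nbytes in rows[:baseline_days]]
        if len(base) < 2:
            continue  # not enough history to baseline this user
        mu, sd = mean(base), pstdev(base)
        for day, nbytes in rows[baseline_days:]:
            if nbytes > ratio * mu and nbytes > mu + sigmas * sd:
                findings.append((user, day, nbytes, round(nbytes / mu, 1)))
    return findings


if __name__ == "__main__":
    for user, day, nbytes, factor in find_spikes(parse_log(SAMPLE_LOG)):
        print(f"{day} {user}: {nbytes} bytes out, {factor}x baseline")
```

The baseline window and the two thresholds are the knobs to tune; start wide and tighten as the review queue stays manageable.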
  22. More on monitoring: what about packets bouncing off the firewall? One internal IP reaching an external IP on many ports, or reaching many external IPs, may be a sign of probing. Some attacks exfiltrate over DNS: https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152
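Added example, not from the deck or the SANS paper: the two detections slide 22 sketches, in Python over constructed log lines. The first counts, per internal source, how many distinct external hosts and ports were denied at the firewall (the probing sign). The second looks for the DNS-tunneling shape of many unique, long query names under one domain. Log layouts, addresses, the base-domain shortcut and the thresholds are assumptions.

```python
"""Firewall fan-out and DNS-tunneling heuristics over sample logs (added example)."""
import hashlib
from collections import defaultdict
from statistics import mean

# Constructed firewall deny records "src_ip dst_ip dst_port": one workstation walks
# twelve ports on a single external host, another makes two ordinary HTTPS attempts.
FW_LOG = "\n".join(f"10.1.1.20 203.0.113.5 {port}" for port in range(20, 32))
FW_LOG += "\n10.1.1.30 198.51.100.7 443\n10.1.1.30 198.51.100.8 443\n"

# Constructed DNS query records "client qname": 10.1.1.40 sends 25 queries with
# long unique labels under one domain; 10.1.1.30 looks ordinary.
DNS_LOG = "\n".join(
    f"10.1.1.40 {hashlib.sha256(str(i).encode()).hexdigest()[:40]}.tun.example.net"
    for i in range(25)
)
DNS_LOG += "\n10.1.1.30 www.example.com\n10.1.1.30 mail.example.com\n"


def fanout(text, port_threshold=10, host_threshold=20):
    """Per source IP, count distinct external hosts and ports seen in deny logs.
    Return {src: (hosts, ports)} for sources crossing either threshold."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        hosts[src].add(dst)
        ports[src].add(port)
    return {
        src: (len(hosts[src]), len(ports[src]))
        for src in hosts
        if len(ports[src]) >= port_threshold or len(hosts[src]) >= host_threshold
    }


def dns_tunnel_candidates(text, min_unique=20, min_avg_len=40):
    """Per (client, base domain), flag many unique query names with a long average
    length. Base domain = last two labels: a simplification that mishandles
    ccTLD domains such as example.co.uk."""
    names = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        base = ".".join(qname.lower().rstrip(".").split(".")[-2:])
        names[(client, base)].add(qname)
    return [
        (client, base, len(qnames))
        for (client, base), qnames in names.items()
        if len(qnames) >= min_unique and mean(len(q) for q in qnames) >= min_avg_len
    ]


if __name__ == "__main__":
    print("fan-out:", fanout(FW_LOG))
    print("dns tunnel candidates:", dns_tunnel_candidates(DNS_LOG))
```

Both checks are per-window counts, so run them over a rolling interval (an hour, a day) rather than the whole log; the DNS heuristic also benefits from whitelisting CDN and anti-spam domains that legitimately produce long, unique labels.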
  23. Tuning for monitoring. IDS/IPS: DO NOT enable all the things! Details will be lost in the noise. Test in small batches and only enable useful, actionable alerts. Enable reputational and behavioral blocking on local client firewalls/AV (e.g. Symantec SONAR).
  24. Logging: send all logs to a SIEM; log all authentication attempts, both successful and failed. See NSA, "Spotting the Adversary with Windows Event Log Monitoring".
  25. Logging: log access to sensitive data directories; log firewall activity; process logging; consider file integrity management and a change request system.
  26. Antivirus: may be ineffective against emerging threats but useful after the fact. AV alerts from system boot or scheduled scans should be investigated: something bad is already on the system. Investigations can cross-reference proxy logs to identify the infection vector and subsequent calls to the botnet/threat actor.
  27. Hardening systems: same methods used to protect against external threats; remove "low hanging fruit" for insiders; disable unnecessary services; remove unneeded software; patch quickly, patch often.
  28. Share auditing: routinely scan for file shares as an unprivileged user without special group permissions; identify shares allowing anonymous or "Authenticated Users" access; sample each accessible share for unprotected sensitive data.
  29. Education/resources: SANS Securing the Human; search: site:sans.org intext:"insider threat"; https://www.cert.org/insider-threat/research/controls-and-indicators.cfm
  30. Wrap up: prevention is key; restrict privileges; restrict network egress; block removable media; monitor for abnormal behavior; logging is essential; review shares for unprotected sensitive data; educate, educate, educate.
  31. Contact: @hardwaterhacker; mike@hardwatersecurity.com; http://hardwatersec.blogspot.com; https://github.com/hardwaterhacker/
  32. Resources: https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf. nmap share scanning: https://nmap.org/nsedoc/scripts/smb-enum-shares.html and http://pwndizzle.blogspot.com/2013/02/parsing-nmap-smb-enum-shares-output.html
  33. Resources, nmap share scanning commands (run with an unprivileged account, per slide 28):
      nmap -sS -v -oA myshares --script smb-enum-shares --script-args smbuser=smbuser,smbpass=password -p445 <range>
      nmap -sU -sS -v -oA myShares --script smb-enum-shares.nse --script-args smbuser=smbuser,smbpass=password -p U:137,T:139 <range>
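Added example, not from the deck or the linked blog post: a Python parser for the normal-format output (the .nmap file that -oA writes) of the smb-enum-shares commands on slide 33, producing the list slide 28 asks for: shares readable anonymously or by the unprivileged scan account, which stands in for "Authenticated Users". The excerpt below follows the shape of smb-enum-shares output but its hosts, share names and comments are constructed.

```python
"""Parse nmap smb-enum-shares output and list exposed shares (added example)."""
import re

# Constructed excerpt in the shape of nmap normal output with smb-enum-shares results.
NMAP_OUTPUT = r"""
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: smbuser
|   \\10.0.0.5\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.0.0.5\Finance:
|     Type: STYPE_DISKTREE
|     Comment: Quarterly reports
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\10.0.0.5\Public:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: READ
|_    Current user access: READ/WRITE
"""

# A share header line looks like \\host\name: after the "| " prefix is removed.
SHARE_RE = re.compile(r"^\\\\([^\\]+)\\(.+):$")


def parse_shares(text):
    """Return one dict per share: host, share, anonymous access, current-user access."""
    shares, current = [], None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()  # drop nmap's script-output gutter
        m = SHARE_RE.match(line)
        if m:
            current = {"host": m.group(1), "share": m.group(2), "anonymous": None, "user": None}
            shares.append(current)
        elif current and line.startswith("Anonymous access:"):
            current["anonymous"] = line.split(":", 1)[1].strip()
        elif current and line.startswith("Current user access:"):
            current["user"] = line.split(":", 1)[1].strip()
    return shares


def exposed_shares(shares):
    """Return (host, share, reasons) for shares reachable anonymously or by the
    unprivileged scan account; '<none>' is nmap's marker for no access."""
    findings = []
    for s in shares:
        reasons = []
        if s["anonymous"] and s["anonymous"] != "<none>":
            reasons.append("anonymous:" + s["anonymous"])
        if s["user"] and s["user"] != "<none>":
            reasons.append("authenticated:" + s["user"])
        if reasons:
            findings.append((s["host"], s["share"], reasons))
    return findings


if __name__ == "__main__":
    for host, share, reasons in exposed_shares(parse_shares(NMAP_OUTPUT)):
        print(f"\\\\{host}\\{share}: {', '.join(reasons)}")
```

Feed it the myshares.nmap file from the commands above; the resulting list is the set of shares to sample for unprotected sensitive data, with the anonymous ones first.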
  34. Questions?
