
NTXISSACSC5 Purple 5: Insider Threat (Andy Thompson)



  1. NTXISSA Cyber Security Conference – November 10-11, 2017 @NTXISSA #NTXISSACSC5
     Addressing Insider Threat. Andy Thompson, CISSP, GPEN, Regional Manager, CyberArk Software. November 10, 2017.
  2. Story Time
  3.–7. (Image-only slides, no text.)
  8. Andy Thompson
     • Strategic Advisor – CyberArk Software
     • B.S. MIS – University of Texas at Arlington
     • CompTIA A+ & Sec+
     • (ISC)2 SSCP & CISSP
     • GIAC – Certified Penetration Tester (GPEN)
     • Advisory Board Member
     • SANS Mentor
     • Member of Shadow Systems Hacker Collective
     • Member of Dallas Hackers Association
  9. The REAL hacker in the family!
  10. Kinley – The Artist.
  11. Charlotte – The Apple Didn’t Fall Far from the Tree.
  12. Agenda
     • Historical cases
     • Profile of a malicious insider & attack flow
     • Defense strategy
     • Malicious Insider Kill-Chain
     • Technical Controls
     • Insider Threat Pro-Tips
  13. Corporate Espionage & Insider Threats: Case Studies
  14. Corporate Espionage: Cadence Design Systems vs Avant!
     • Stolen source code.
     • Criminal case filed.
     • Restitution of $200 million.
     • Civil case filed.
     • $265 million in restitution.
  15. Google vs Uber
     • Jan 2016 – Anthony Levandowski abruptly leaves Waymo (Google) and starts Otto.
     • Otto almost immediately acquired by Uber for $700 mil.
     • Lawsuit claims Levandowski stole confidential trade secrets from Google.
     • Case is currently in arbitration.
  16. The Insider Threat: Georgia-Pacific Paper
     • Brian Johnson, former Systems Administrator.
     • Fired. And then…
     • Logged in via VPN from home.
     • Caused over $1 mil in damages to industrial control systems.
     • Sentenced to 3 years in jail.
     • Ordered to repay $1,134,818 in damages.
  17. The Insider Threat: Columbia Sportswear
     • Michael Lepper, Senior Director of Technology Infrastructure.
     • 2 backdoors.
     • Accessed over 700 times.
     • Stole data relevant to Denali.
     • Case is still in court today.
  18. Espionage & Insiders inside the Fed.
  19. Same Results Either Way. 4 Main Types of Damage.
     • IT sabotage
     • Theft or modification for financial gain
     • Theft or modification for business advantage
     • Miscellaneous
  20. Breakdown by Category
     • IT Sabotage: 40%
     • Theft or Modification for Financial Gain: 39%
     • Theft for Business Advantage: 12%
     • Theft for Miscellaneous Reasons: 9%
  21. Interesting Stats on Sysadmin Motivation
     • Only 1.5% of espionage cases use sysadmin privileges for financial gain or business advantage.
     • 90% of IT sabotage cases use sysadmin privileges.
  22. The Malicious Insider
  23. CERT’s definition of “Malicious Insider”: a current or former employee, contractor, or business partner who
     • has or had authorized access to an organization’s network, system, or data, and
     • intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
  24. 4 Types of Malicious Insider
     • Compromised actors
     • Negligent actors
     • Malicious insiders
     • Tech-savvy actors
  25. Profile of a Malicious Insider
     • Introversion
     • Greed/financial need
     • Vulnerability to blackmail
     • Compulsive and destructive behavior
     • Rebellious, passive aggressive
     • Ethical “flexibility”
     • Reduced loyalty
     • Entitlement – narcissism (ego/self-image)
     • Minimizing their mistakes or faults
     • Inability to assume responsibility for their actions
     • Intolerance of criticism
     • Self-perceived value exceeds performance
     • Lack of empathy
     • Predisposition towards law enforcement
     • Pattern of frustration and disappointment
     • History of managing crises ineffectively
  26. Use Case of Data Loss (shown as a five-stage flow)
     1. Reconnaissance
     2. Circumvention
     3. Aggregation
     4. Obfuscation
     5. Exfiltration
  27. Step One: Reconnaissance
     • Accessing a new or unusual location in a document repository.
     • An unusual increase in error or access-denied messages.
     • Failed attempts to mount USB devices and access external websites.
     • Unusually rapid rate of opening files in a short period of time.
     • Network scanning and use of network tools.
     • Running applications that they’ve never run before, especially hacking applications.
  28. Step Two: Circumvention
     • Use of tools like TOR, VPNs and proxy servers to engage in untraceable internet activity.
     • File transfers through instant messaging, to evade DLP restrictions.
     • Sharing information online, whether through copy/paste sites like PasteBin, communities like Reddit, or social networks like Facebook or LinkedIn.
     • Disabling or bypassing security software, or researching how to do so.
  29. Step Three: Aggregation
     • Unusual amounts of file copies, movements, and deletions.
     • Unusual amounts of file activity in high-risk locations and sensitive file types.
     • Unusual creation of files that are all exactly the same size.
     • Saving files to an unusual location on a user’s endpoint.
  30. Step Four: Obfuscation
     • Unusual rates and sizes of file compression.
     • Clearing cookies and event viewer logs, or unusual use of browser “stealth” settings like Chrome’s Incognito mode.
     • Hiding sensitive information in image, video, or other misleading file types.
     • Unusual rates of file renaming, especially to a different file type.
  31. Step Five: Exfiltration
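Several of the indicators listed under Steps One, Three and Four are countable from ordinary endpoint file-activity telemetry. The Python below is an added example, not code from the slides or from CyberArk: it assumes an event tuple of (timestamp, user, action, path, size, detail), uses placeholder thresholds that would have to be tuned against a real baseline, and runs over constructed events. It flags a burst of file opens and repeated access-denied messages (Reconnaissance), many newly created files of exactly the same size (Aggregation), and renames that change the file type (Obfuscation), then reports which stages fired per user.

```python
"""Data-loss stage indicators over endpoint file-activity events.
Added example; the event format and thresholds are assumptions."""
import os
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def rapid_opens(events, window=timedelta(seconds=60), threshold=10):
    """Step One: unusually rapid rate of opening files (sliding window per user)."""
    per_user = defaultdict(list)
    for ts, user, action, *_ in events:
        if action == "open":
            per_user[user].append(ts)
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def denied_spike(events, threshold=5):
    """Step One: unusual increase in access-denied messages."""
    counts = Counter(user for _, user, action, *_ in events if action == "denied")
    return {user for user, n in counts.items() if n >= threshold}


def same_size_creations(events, threshold=5):
    """Step Three: unusual creation of files that are all exactly the same size."""
    sizes = defaultdict(Counter)
    for _, user, action, _path, size, _ in events:
        if action == "create":
            sizes[user][size] += 1
    return {user for user, c in sizes.items() if max(c.values()) >= threshold}


def type_changing_renames(events, threshold=3):
    """Step Four: renames to a different file type; `detail` carries the new path."""
    counts = Counter()
    for _, user, action, path, _size, detail in events:
        if action == "rename":
            if os.path.splitext(path)[1].lower() != os.path.splitext(detail)[1].lower():
                counts[user] += 1
    return {user for user, n in counts.items() if n >= threshold}


def stage_indicators(events):
    """Map each user to the data-loss stages whose indicators fired."""
    stages = defaultdict(set)
    for user in rapid_opens(events) | denied_spike(events):
        stages[user].add("reconnaissance")
    for user in same_size_creations(events):
        stages[user].add("aggregation")
    for user in type_changing_renames(events):
        stages[user].add("obfuscation")
    return dict(stages)


def _constructed_events():
    """Constructed sample telemetry: one normal user, one staging data, one probing."""
    rows = []
    base = datetime(2017, 11, 10, 9, 0, 0)
    # alice: a few document opens spread across the day (normal)
    for i in range(4):
        rows.append((base + timedelta(hours=i), "alice", "open", f"/share/hr/doc{i}.docx", 4096, ""))
    # bob: 12 spreadsheet opens in 22 seconds, 6 identical-size archive parts, 3 renames to .jpg
    for i in range(12):
        rows.append((base + timedelta(seconds=2 * i), "bob", "open", f"/share/finance/file{i}.xlsx", 8192, ""))
    for i in range(6):
        rows.append((base + timedelta(minutes=5, seconds=i), "bob", "create", f"/home/bob/.cache/part{i}.bin", 10485760, ""))
    for i in range(3):
        rows.append((base + timedelta(minutes=10, seconds=i), "bob", "rename", f"/home/bob/.cache/part{i}.bin", 0, f"/home/bob/Pictures/holiday{i}.jpg"))
    # carol: repeated access-denied messages on a repository she has never used
    for i in range(6):
        rows.append((base + timedelta(minutes=i), "carol", "denied", "/share/legal/contracts", 0, ""))
    return rows


EVENTS = _constructed_events()

if __name__ == "__main__":
    for user, stages in sorted(stage_indicators(EVENTS).items()):
        print(user, sorted(stages))
```

Each detector is deliberately simple and per-user; what makes them useful is the combination in `stage_indicators`: a single indicator is noisy, but one user tripping reconnaissance, aggregation and obfuscation in the same day is the pattern the slides describe and is worth an analyst's time.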
  32. How to Defend
  33. Not a “Cyber Security” issue alone. Stakeholders: Human Resources, Legal, Information Technology, Operations.
     • Policies & procedures.
     • Regularly scheduled training.
     • Prevent at the hiring process.
     • HR anticipating negative workplace issues.
     • Focus on deterrence, not just detection.
     • Can’t detect outliers if P&Ps don’t exist.
  34. The Insider Threat Kill-Chain (diagram): Recruitment/Tipping Point → Search/Recon → Acquisition/Collection → Exfiltration/Action, overlaid with Prevent / Detect / Respond, the Human Resources and Legal stakeholders, and the split between Non-Technical Indicators and Technical Indicators.
  35. Observable vs Cyber Actions
  36. Technical Controls
  37. Technical Controls
     • Consider threats from the SDLC.
     • Visibility into change control.
     • Secure backup/recovery.
     • Strong password management.
     • Log, monitor, & audit privileged actions.
     • SIEM – behavioral analytics.
     • DLP solutions.
     • Deactivate computer access following termination.
     • Separation of duties.
     • Least privilege.
     • Application control.
     • Encryption.
  38. Data Loss Prevention (diagram: DATA leaving to Web and Ext. HD)
     • Excellent for preventing data exfiltration.
     • Hard to implement successfully.
     • ProTip: identify and classify data before deploying DLP.
     • DLP is not an access control system and should not be seen as a replacement for one.
     • Systems are still vulnerable to sabotage.
  39. Deactivate Access
     • Remove privileged access as soon as notice is tendered.
     • D/C immediately upon termination.
     • No exceptions!
     • Use the Functional Account Model.
  40. (Image-only slide, no text.)
  41. Functional Account Model (diagram)
     • Before: users AThompson, JVealey, CBotello, KJermyn and PLi each hold a personal privileged account (ADM-AThompson, ADM-JVealey, ADM-CBotello, ADM-KJermyn, ADM-PLI): 5 privileged accounts.
     • After: the same five users share ADM-Functional-Account: 1 privileged account.
  42. Least Privilege & Application Control
     • Prevents users from exceeding boundaries, whether malicious or accidental.
     • Prevents malicious software installation.
     • Prevents malicious activities.
  43. Encryption
     • Good in a defense-in-depth strategy.
     • Not so much against espionage & malicious insiders.
     • Authorized users bypass the control… by design.
     • Malicious insiders can siphon off to non-encrypted media.
     • Story Time with Phineas Fisher…
  44. Insider Threat in the SDLC (diagram: Software Development Life-Cycle: Analyze User Requirements → Design the Program → Build the System → Document & Test the System → Operate & Maintain the System)
     • Not all attacks start in Prod.
     • Logic bombs lie dormant… until the “perfect” time.
     • Solutions: code review, integrity monitoring, change control.
  45. Secure Backup & Recovery
     • Backups are sensitive to attack.
     • Offsite & disconnected.
     • Availability is a target.
     • Solution: DR tests, integrity checks, full restores, and incrementals too!
  46. Privileged Account Management
     • Discover & manage: complex, frequently changing, unique.
     • Single conduit for privileged accounts.
     • Limit an attacker’s window & scope of attack opportunity.
  47. Logging, Monitoring, & Auditing
     • Centralized logging to prevent log tampering.
     • Gain visibility into the session itself, not just metadata.
     • Can assist with recovering from sabotage.
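Slide 47's point about centralized logging, and slide 45's integrity checks, both come down to making a privileged-action log tamper-evident: an administrator who can edit or delete the record of their own session defeats the audit trail. The Python below is an added example and not CyberArk's or the speaker's code; it chains each forwarded record to the previous one with SHA-256 so that an edited or deleted entry breaks the chain at a detectable position. The records are constructed, and the `actor` field is there because, under the Functional Account Model of slide 41, the shared `ADM-Functional-Account` alone does not tell you which person was at the keyboard.

```python
"""Tamper-evident privileged-action log: each record is chained to the
previous one by a SHA-256 hash so edits or deletions are detectable.
Added example; the record fields and values are constructed."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # fixed anchor the first record is chained to

# Constructed records as a central log server might receive them from endpoints
CONSTRUCTED_RECORDS = [
    {"ts": "2017-11-10T08:55:00", "user": "ADM-Functional-Account", "actor": "AThompson",
     "host": "fileserver-01", "action": "service_restart"},
    {"ts": "2017-11-10T09:02:00", "user": "ADM-Functional-Account", "actor": "JVealey",
     "host": "plc-gateway-03", "action": "config_write"},
    {"ts": "2017-11-10T09:10:00", "user": "ADM-Functional-Account", "actor": "JVealey",
     "host": "plc-gateway-03", "action": "clear_event_log"},
]


def chain_hash(prev_hash, record):
    """Hash of (previous hash, canonical JSON of the record)."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def append_record(chain, record):
    """Append a record, linking it to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev": prev, "hash": chain_hash(prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Return None if every link is intact, else the index of the first broken entry."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != chain_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None


def build_chain(records=CONSTRUCTED_RECORDS):
    chain = []
    for record in records:
        append_record(chain, record)
    return chain


def tamper_demo():
    """Intact chain, then one record edited in place, then one record deleted."""
    chain = build_chain()
    edited = copy.deepcopy(chain)
    edited[1]["record"]["action"] = "read_config"  # rewrite the evidence
    deleted = chain[:1] + chain[2:]                # drop the second record entirely
    return verify_chain(chain), verify_chain(edited), verify_chain(deleted)


if __name__ == "__main__":
    print("intact, edited, deleted ->", tamper_demo())
```

The chain only helps if the verifier holds something the privileged user cannot rewrite: either the whole chain on a log server the admin has no write access to, or at minimum the current head hash stored off the host. Someone who can rewrite every entry can simply rebuild the chain, which is exactly why the slide pairs integrity with centralization rather than relying on either alone.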
  48. Know Your People (example employee record): works for the Network Team; Sally@CyberArk.com; 972-445-1313; Badge# 1337; Serial# 07734; IP: 172.16.54.24; work schedule; patterns of activity.
  49. SIEMs, Analytics, & Heuristic Detection
     • Suspected credential theft.
     • Unmanaged privileged access.
     • Access during irregular hours.
     • Access from irregular IPs.
     • Active vs dormant users.
     • Anomalous access to multiple machines.
     • Suspicious activities detected in privileged sessions.
  50. Look for Outliers in Behavioral Analytics (diagram, a cycle: Collect, collecting privileged accounts activity → Ongoing Profiling, profiling normal behavior → Detect, detecting abnormal privileged accounts activity)
     • Detect malicious privileged user behavior.
     • Compare current activity to user and entity profiles.
     • Patented CyberArk analytic technology detects and alerts on malicious behavior.
     • Reduces the attacker’s window of opportunity.
     • One solution to detect both advanced external and insider threats.
  51. Exhibit A: Time of Day. Critical Indicator
     • “…we were able to identify their working hours. Here is the average working hours for a week (the hour on the graph is UTC+1): Figure 1: Attackers working hours generally, the attackers worked between 2AM and 10AM from Monday to Saturday included.”
     • The attacks came during the day in China, which is after hours in Europe and the US.
     Mandiant, APT1 Report – February 2013
  52. Activities During Irregular Hours (chart; dates shown: September 28th, 2017 and November 10th, 2017)
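Slides 48 to 52 describe the Collect → Profile → Detect loop: know each person's normal schedule, source address and systems, then alert on the outliers (irregular hours, irregular IPs, dormant accounts coming back to life, one account suddenly touching many machines, privileged access with no profile at all). The Python below is an added example, not CyberArk's analytics or any product code: it builds per-user profiles from ten weeks of constructed privileged-session history and scores a constructed batch of sessions from 10 November 2017 against them. The user names, addresses, hostnames and the 30-day dormancy and three-host thresholds are all assumptions.

```python
"""Collect -> Profile -> Detect over privileged-session records.
Added example; session history and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def _constructed_history():
    """Ten weeks of sessions as (user, start, source_ip, target_host)."""
    rows = []
    base = datetime(2017, 9, 1)
    for day in range(70):                      # 2017-09-01 .. 2017-11-09
        d = base + timedelta(days=day)
        if d.weekday() >= 5:                   # weekdays only
            continue
        for hour in (9, 11, 14, 16):           # sally's normal pattern, from her workstation
            rows.append(("sally", d.replace(hour=hour), "172.16.54.24", f"switch-{hour % 3:02d}"))
    rows.append(("dan", base + timedelta(days=2, hours=10), "172.16.54.40", "fileserver-01"))
    return rows


HISTORY = _constructed_history()

# Constructed sessions from 2017-11-10 to score against the profiles
NEW_SESSIONS = [
    ("sally", datetime(2017, 11, 10, 14, 0), "172.16.54.24", "switch-02"),   # normal
    ("sally", datetime(2017, 11, 10, 2, 30), "10.8.0.7", "switch-00"),       # 02:30, from a VPN pool address
    ("dan", datetime(2017, 11, 10, 10, 0), "172.16.54.40", "fileserver-01"),  # dormant since September
    ("svc-legacy", datetime(2017, 11, 10, 3, 0), "172.16.54.99", "dc-01"),   # account with no profile
] + [("sally", datetime(2017, 11, 10, 11, 0), "172.16.54.24", f"db-0{i}") for i in range(1, 5)]


def build_profiles(sessions):
    """Profile: hours of day, source IPs and hosts each user has been seen with."""
    profiles = {}
    for user, start, ip, host in sessions:
        p = profiles.setdefault(user, {"hours": set(), "ips": set(), "hosts": set(), "last_seen": start})
        p["hours"].add(start.hour)
        p["ips"].add(ip)
        p["hosts"].add(host)
        p["last_seen"] = max(p["last_seen"], start)
    return profiles


def detect(profiles, sessions, dormant_days=30, max_new_hosts=3):
    """Detect: return (user, start, ip, host, reasons) for every session that deviates."""
    new_hosts = defaultdict(set)               # hosts in this batch the user has never touched
    for user, _, _, host in sessions:
        if user in profiles and host not in profiles[user]["hosts"]:
            new_hosts[user].add(host)
    alerts = []
    for user, start, ip, host in sessions:
        p = profiles.get(user)
        reasons = []
        if p is None:
            reasons.append("unprofiled_account")        # unmanaged privileged access
        else:
            if start.hour not in p["hours"]:
                reasons.append("irregular_hours")
            if ip not in p["ips"]:
                reasons.append("irregular_ip")
            if start - p["last_seen"] > timedelta(days=dormant_days):
                reasons.append("dormant_reactivated")
            if host in new_hosts[user] and len(new_hosts[user]) > max_new_hosts:
                reasons.append("multiple_new_machines")
        if reasons:
            alerts.append((user, start.isoformat(), ip, host, reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_profiles(HISTORY), NEW_SESSIONS):
        print(alert)
```

A set of "hours seen" is the crudest possible profile: it will page on the first legitimate late night, which is where the HR-side data from slide 48 (work schedule, approved change windows) earns its place as a suppression input. The structure is what matters: collect from the privileged-access path, profile per user and per entity, and score new sessions against the profile rather than against a fixed rule.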
  53. Insider Threat: Pro-Tips
     • Look for Resume.doc.
     • Monitor frequent web traffic to: LinkedIn; Monster.com, Jobs.com, etc.; Pastebin and data dump sites; competitors.
     • Pay close attention to disenfranchised employees: passed over for promotion, low performance evaluations, recent HR events.
  54. A Robust Insider Threat Program Illustrated
  55. <Insert sleeping CISO picture>
  56. Conclusion
     • Your organization's greatest asset is also its greatest threat.
     • “It takes a village…”
     • Technical controls provide layers of security.
     • Takeaways of things to monitor against.
  57. Questions? Andy Thompson • Andy@MeteorMusic.com • www.MeteorMusic.com • LinkedIn: AndyThompsonInfoSec • Twitter: R41nM4kr
  58. Thank you. Collin College; North Texas ISSA (Information Systems Security Association).
