When Edward Snowden leaked classified information to the mainstream media, it brought the dangers posed by insider threats to the forefront of public consciousness, and not without reason. Today’s agencies are drowning in fears surrounding sophisticated cyber-attacks, but perhaps the most concerning type of attack out there is the one that is already inside: the insider threat. According to Forrester, abuse by malicious insiders makes up 25% of data breaches. Learn about the best practices and technologies you should be implementing now to avoid becoming the next victim of a high-profile attack.
- Become aware of the different types of insider threats, including their motives and methods of attack
- Understand why conventional security tools like firewalls, antivirus and IDS/IPS are powerless in the face of the insider threat
- Gain clarity on the various technologies, policies and best practices that should be put in place to help detect and thwart insider threats
- Discover how network logs, particularly NetFlow, can be used to cost-effectively monitor for suspicious insider behaviors that could indicate an attack
- Know about emerging attack methods such as muleware that could further escalate insider threats in the coming years
1980s: In August 1986 at Lawrence Berkeley National Laboratory in California, Clifford Stoll, a sysadmin, was looking into a $0.75 accounting error in computer usage. This is reported as one of the first documented cases of a computer break-in.
1990s to early 2000s: we started seeing automated attacks: scripts, worms, viruses (the Morris Worm was in 1988).
Melissa virus, a macro virus, March 26, 1999.
ILOVEYOU virus, May 5, 2000: an email virus delivered as a malware attachment.
Conficker, a worm from November 2008, used advanced malware techniques; the largest computer worm.
Late 2000s: first appearance of what was defined as an APT: Operation Aurora, launched against Google, Adobe, Juniper, Rackspace, Yahoo, Symantec and others. Mostly nation-state level threat actors.
Most recently, we’re seeing the monetization of advanced malware, with packages available for sale such as the Zeus malware. The availability of sophisticated, advanced malware that can simply be purchased raises the stakes and makes everyone a target. Bots for hire, EaaS.
The rise of cyber security threat intelligence, information sharing, and the automation of security intelligence into the detection process.
So the irony is that despite $32 billion spent on preventative technologies, attacks still happen. Our market requires defense-in-depth, which is really code for buying a lot of products. Although you’ve implemented a ton of products, the adversary is still moving faster than your ability to keep them out.
Source:
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
PII for as many as four million government employees, as well as up to 40 years of security clearance data
So what does that imply? Of course, it implies that the adversary is already in. And once an adversary has already planted a botnet, a piece of malware, or maybe something even more advanced and targeted, the fact that that compromise sits inside your network requires a very different approach to how you find, identify and remediate it inside your environment.
So when you look at Lancope’s StealthWatch and talk about telemetry data, you’re talking about the ability to collect a 90 to 100% accounting of every transaction in the network, and to illuminate, at an affordable rate, these types of rogue attacks that are happening inside the LAN.
Sources:
-Mandiant M-Trends® 2013:
The typical advanced attack goes unnoticed for nearly eight months. Attackers spend an estimated 243 days on a victim’s network before they are discovered – 173 days fewer than in 2011. Though organizations have reduced the average time between compromise and detection by 40%, many are still compromised for several years before detecting a breach.
-Verizon’s 2013 Data Breach Investigations Report
The report compiles information from over 47,000 security incidents and 621 confirmed data breaches that resulted in at least 44 million compromised records.
-Ponemon’s 2013 Cost of Data Breach: United States
Lost business costs were $3.03 million in 2012. These costs refer to abnormal turnover of customers (a higher than average loss of customers for the industry or organization), increased customer acquisition activities, reputation losses and diminished goodwill. During the eight years we studied this aspect of a data breach, the highest cost for lost business was $4.59 million in 2008. This year’s cost of lost business represents the lowest cost since the inception of this study in 2005.
Attackers are getting better/faster at what they do at a higher rate than defenders are improving their trade.
The bad guys seldom need days to get their job done, while the good guys rarely manage to get theirs done in a month of Sundays.
Lockheed Martin first discussed the “cyber kill chain” to describe the phases through which cyber attacks progress, giving defenders an opportunity to disrupt the attack before exfiltration.
The continuous response loop is a variation of the US Air Force OODA loop, developed by USAF Colonel John Boyd.
Multiple non-military models have been based upon this, including examples like PDCA (Plan, Do, Check, Act).
- Observe
- Orient
- Decide
- Act
So Cisco really likes this term, as do I: network as a sensor. You already have your sensor grid deployed, and we are going to take advantage of the investment you’ve already made in that route/switch infrastructure to provide you security analytics from within. So this slide is really intended to talk to the areas within the network where they can go and enable visibility today.
DSCP: Differentiated Services Code Point, a QoS value.
Through baselining, a model of “normal” is created for the network, and security events trigger when hosts deviate from normal behavior. Points are assigned to one or multiple alarm categories to help prioritize the stages of an attack, and when events trigger you can respond through the GUI, email/syslog, and mitigation (ASA, ISE, etc.).
Give examples of a host performing addr_scan (which builds Recon), followed by Brute Force Login (which builds Exploitation), followed by suspect data loss (which builds Exfiltration), and tunneling traffic with Fake Application (which builds C&C).
Discuss collecting flows as close to the user edge as possible, with the goal of providing 100% LAN host-to-host, east-west visibility: server to server within the datacenter, host to host within the same building, etc. By focusing on east-west you will, by default, also see north-south traffic.
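As an added example (not Lancope’s or StealthWatch’s code), the following Python scorer builds the Recon, Exploitation and Exfiltration categories described above from a constructed set of flow records; the host addresses, baseline, thresholds and point values are all illustrative assumptions, and the C&C / Fake Application case is omitted because it needs application identification rather than plain flow counts.

```python
from collections import defaultdict

# Constructed flow records (src, dst, dport, bytes_out); this is NOT real telemetry.
FLOWS = [
    # 10.1.1.7 sweeps 30 hosts on the LAN (addr_scan -> Recon)
    *[("10.1.1.7", f"10.1.2.{i}", 445, 120) for i in range(1, 31)],
    # ...then hammers one SSH server with many short flows (brute force -> Exploitation)
    *[("10.1.1.7", "10.1.2.20", 22, 300) for _ in range(60)],
    # ...then pushes a large volume out to the Internet (suspect data loss -> Exfiltration)
    ("10.1.1.7", "203.0.113.9", 443, 750_000_000),
    # an ordinary workstation for contrast
    ("10.1.1.8", "10.1.2.20", 22, 5_000),
    ("10.1.1.8", "10.1.2.21", 443, 80_000),
]

# "Normal" bytes out per host; in practice learned from weeks of flows, constructed here.
BASELINE_BYTES_OUT = {"10.1.1.7": 50_000_000, "10.1.1.8": 50_000_000}

# Points each security event contributes to its alarm category (illustrative values).
EVENT_POINTS = {"addr_scan": ("Recon", 40),
                "brute_force_login": ("Exploitation", 60),
                "suspect_data_loss": ("Exfiltration", 80)}

def score_hosts(flows, baseline, scan_hosts=20, brute_flows=50, exfil_factor=10):
    """Return {host: {category: points}} from behavioral events per source host."""
    dsts = defaultdict(set)      # distinct destinations per host
    ssh = defaultdict(int)       # flows to port 22 per (host, dst) pair
    out = defaultdict(int)       # bytes sent per host
    for src, dst, dport, nbytes in flows:
        dsts[src].add(dst)
        out[src] += nbytes
        if dport == 22:
            ssh[(src, dst)] += 1
    events = defaultdict(list)
    for host in dsts:
        if len(dsts[host]) >= scan_hosts:                       # many targets -> address scan
            events[host].append("addr_scan")
        if any(n >= brute_flows for (s, _), n in ssh.items() if s == host):
            events[host].append("brute_force_login")            # many SSH flows to one server
        if out[host] > exfil_factor * baseline.get(host, float("inf")):
            events[host].append("suspect_data_loss")            # far above the host's baseline
    scores = {}
    for host, names in events.items():
        scores[host] = defaultdict(int)
        for name in names:
            category, points = EVENT_POINTS[name]
            scores[host][category] += points                    # points accumulate per category
    return {h: dict(c) for h, c in scores.items()}
```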
Hover over the word FLOWS within continuous network monitoring
Before talking about detection, discuss long-term retention of flows for forensics: good or bad traffic, everything is accounted for. On average 90+ days of flow storage, but this can be architected to meet requirements.
ASK: can you pick any host on your network and pull back every conversation they were involved in for the past 3 months?
- Surface threats through behavioral changes
- Forensics
- Capacity planning
- Data for firewall provisioning
- Rules to detect unauthorized traffic
Discuss the concept of Host Groups for network segmentation:
Physical segmentation can be challenging, especially after the network has been built.
- Internal = Inside
- Internet = Outside
- Command and Control = known bad
Click on “Apply Network Segmentation” to view an example host group tree. Once on the slide with the host group tree, Click on the Host Group tree to return to this slide.
Further segment by compliance, location, crown jewels, datacenter, etc.
Apply alarms (host lock / custom event) for unauthorized packets crossing boundaries or for unwanted applications.
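To show what “unauthorized packets crossing boundaries” means in practice, here is an added Python example (not StealthWatch’s implementation) of a host group tree with Inside / Outside / Command and Control at the root, a PCI group nested under Datacenter, and boundary rules that fire on flows between groups. The group names, prefixes and rules are constructed for illustration.

```python
import ipaddress

# Constructed host-group tree: name -> (parent group, CIDR prefixes). Not a real deployment.
HOST_GROUPS = {
    "Inside":              (None,         ["10.0.0.0/8", "192.168.0.0/16"]),
    "Datacenter":          ("Inside",     ["10.10.0.0/16"]),
    "PCI":                 ("Datacenter", ["10.10.50.0/24"]),      # crown jewels
    "Users":               ("Inside",     ["10.20.0.0/16"]),
    "Outside":             (None,         ["0.0.0.0/0"]),
    "Command and Control": ("Outside",    ["198.51.100.0/24"]),    # known bad (constructed range)
}

# Boundary rules (src group, dst group); a rule matches any descendant of the named groups.
FORBIDDEN = [
    ("Inside", "Command and Control"),   # anything internal talking to known-bad space
    ("Users",  "PCI"),                   # user segment must not reach cardholder data directly
]

def classify(ip):
    """Return the most specific host group containing ip (longest matching prefix)."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for name, (_, prefixes) in HOST_GROUPS.items():
        for net in map(ipaddress.ip_network, prefixes):
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best

def lineage(group):
    """Walk from a group to its root, e.g. PCI -> Datacenter -> Inside."""
    chain = []
    while group is not None:
        chain.append(group)
        group = HOST_GROUPS[group][0]
    return chain

def check_flow(src, dst):
    """Return the violated (src group, dst group) rule for a flow, or None if it crosses no forbidden boundary."""
    src_chain, dst_chain = lineage(classify(src)), lineage(classify(dst))
    for rule_src, rule_dst in FORBIDDEN:
        if rule_src in src_chain and rule_dst in dst_chain:
            return (rule_src, rule_dst)
    return None
```

A host lock or custom event would be raised wherever check_flow returns a rule, with the flow’s original fields attached as the evidence.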
The market is beginning to define context-aware security, which Lancope has pioneered. Lancope has done this forever with flow data; we have spent half of our time determining how we enrich flow data. So the use of situational information like identity, location, time of day, application, etc. helps our customers operationalize security and improve security decisions. This is a perfect marriage of metadata and context for real-time detection and post-incident response. This actionable security intelligence is where Lancope is driving in the future.
Now, the metadata we collect, which we can talk more about, really is a feature and a function that is embedded in every Layer-3 device you have inside this network. All you have to do is four command lines: go into your router or your switch, ask it to export this summary data to our device, and we will sit there in listening mode, ready to capture it, and begin profiling what that traffic actually looks like.
So there is no cost to turn it on. It’s highly scalable, it provides low latency and minimal impact on memory and CPU usage inside your environment, and it’s free. So what we’ve seen is, at Walmart, in 10 minutes they turned on 5000 store routers and began pointing it back across their WAN to a single IP that was at the center of this chart, the FlowCollector.
That’s how easy it is. Most of the onus actually falls on your network organization to go and instrument these commands inside of IOS, inside of your Cisco environment, and point it back out to StealthWatch. And once that data starts hitting us, we begin auditing, accounting and profiling it.
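To make the “summary data” concrete, here is an added Python parser (not Lancope’s collector code) for the classic NetFlow v5 export datagram a router sends to a collector: a 24-byte header followed by 48-byte flow records carrying addresses, ports, byte and packet counts, TCP flags and the ToS byte from which the DSCP value is read. The two records it decodes are constructed test data, not a capture from a real router.

```python
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48 bytes per flow record
TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def parse_v5(datagram):
    """Parse a NetFlow v5 datagram into a list of flow dicts."""
    version, count, _uptime, _secs, _nsecs, _seq, _etype, _eid, sampling = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version={version})")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:   # a collector must not trust the count field blindly
        raise ValueError(f"truncated export: have {len(datagram)} bytes, header promises {expected}")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, tos, _src_as, _dst_as, _smask, _dmask, _pad2) = \
            V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "proto": proto,
            "packets": pkts, "bytes": octets,
            "duration_ms": last - first,                      # sys-uptime stamps are in milliseconds
            "tcp_flags": [n for bit, n in TCP_FLAG_NAMES.items() if flags & bit],
            "dscp": tos >> 2,                                 # DSCP is the top 6 bits of the ToS byte
            "sampling_interval": sampling & 0x3FFF,           # low 14 bits; top 2 bits are the mode
        })
    return flows

def build_sample_datagram():
    """Constructed v5 export with two records (test data only)."""
    def rec(src, dst, sport, dport, pkts, octets, first, last, flags, tos):
        return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
                              1, 2, pkts, octets, first, last, sport, dport, 0, flags, 6, tos, 0, 0, 24, 24, 0)
    records = [
        rec("10.20.1.5", "203.0.113.9", 51022, 443, 12000, 9_600_000, 1000, 61000, 0x18, 0x00),  # PSH|ACK bulk upload
        rec("10.20.1.5", "10.10.50.7", 40001, 22, 1, 60, 70000, 70000, 0x02, 0x28),              # lone SYN, DSCP 10
    ]
    header = V5_HEADER.pack(5, len(records), 90000, 1_700_000_000, 0, 1, 0, 0, 0)
    return header + b"".join(records)
```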