2. About Mike
17 Years in IT
9 Years in Security
CISSP, GPEN, GWAPT, GCIH
Speaker: DerbyCon, BSidesMSP, ND IT Symposium,
NDSU CyberSecurity Conference
3. Defining the threat
Mistakes
Sensitive data exposed
Unintentional data destruction or contamination
Outages caused by misconfigurations
Malware outbreaks
4. Defining the threat
Bad actors
Theft of IP, sensitive data, $$$
Insider trading
Intentional data corruption, deletion
Denial of Service
Terry Childs - 2008
5. The Insider Threat
Verizion 2015 DBIR
~ 20% of all breaches due to insider actions
datalossdb.org
39% of all loss of data incidents due to insider
actions
10. Prevention - web
Web Exfiltration
Block outbound web access by default
Require all users to go through web proxy
Block access to external email providers
Ensure local ISP mail systems are also blocked
Block access to known file sharing sites
Use proxy vendor classifications
12. Prevention
Deny by default
Ensure all egress avenues are blocked, including
SSH, telnet, SMB, CIFS, HTTP/HTTPS
Grant unrestricted egress by exception only
Tie to user ID, not IP
Disable split tunneling on VPN connections
13. Prevention - applications
Consider whitelisting technologies to prevent unknown
executables from running
Significant management overhead initially
Worth it in the long run
14. Removable Media
Deny access to use removable media
USB AND CD/DVD-R
Permit by authorized exception only
Regularly review removable media authorizations
15. Prevention - physical
h/t Jeremy Strozer
Restrict access to sensitive ares
Document storage
Datacenter & network closets
Physical security controls
Monitor for abnormal activity
16. Data Classification
Implement data classification scheme
Identify what data is sensitive
Separate storage of sensitive and non-sensitive data
17. A word about DLP
DLP is not a panacea
Useless without a data classification program
You MUST perform HTTPS inspection
What about encrypted zip in email?
19. Privilege Management
Restrict access to local AND directory administrator groups
Separate accounts for admin and daily use
Regularly review access to admin groups
Group users by job function
Regularly x-ref group membership to job functions
Privilege review whenever employees change roles
20. Restrict Access
Deny access to sensitive data by default
Provision access to data by group / role
Individual access by exception only
22. Monitoring
Email
Develop reporting for outbound email usage by user
Network / Web
Develop reporting for outbound data usage by user
Compare outbound reports against baseline
Look for spikes in usage; review
23.
24. More on monitoring
What about packets bouncing off the firewall?
1 IP to an external IP on many ports or to many IPs
may be sign of probing
Newer attack methods to exfiltrate over DNS
https://www.sans.org/reading-room/whitepapers/
dns/detecting-dns-tunneling-34152
25. Tuning for monitoring
IDS/IPS - DO NOT enable all the things!
Details will be lost in the noise
Test in small batches, only enable useful / actionable
alerts
Enable reputational and behavioral blocking on local
client firewalls / AV - i.e. Symantec Sonar
26.
27. Antivirus
May be ineffective against emerging threats but useful
after the fact
AV alerts from system boot or scheduled scans
should be investigated - something bad is already on
the system
Investigations can x-ref proxy logs to identify
infection vector, subsequent calls to botnet / threat
actor
28. Hardening systems
Same methods used to prevent against external
threats
Remove “low hanging fruit” for insiders
Disable unnecessary services
Remove unneeded software
Patch quickly, patch often
29. Share auditing
Routinely scan for file shares
nmap -sS --v -oA myshares --script smb-enum-shares --script-args
smbuser=smbuser,smbpass=password -p445 <range>
nmap -sU -sS -v -oA myShares --script smb-enum-shares.nse --script-
args smbuser=smbuser,smbpass=password -p U:137,T:139 <range>
Unprivileged user without special group permissions
Identify shares allowing anonymous or “Authenticated Users”
Sample each accessible share for unprotected sensitive data
30. Logging
Send all logs to SIEM
Log all authentication attempts
Both successful and failed
NSA “Spotting the Adversary with Windows Event Log Monitoring”
Log access to sensitive data directories
Log firewall activity
Process logging
Consider file integrity management and change request system
31. Education / Resources
SANS: Securing the Human
site:sans.org intext:”insider threat”
https://www.cert.org/insider-threat/research/controls-
and-indicators.cfm
32. Wrap up
Prevention is key
Restrict privileges
Restrict network egress
Block removable media
Monitor for abnormal behavior
Review shares for unprotected sensitive data
Logging is essential
Educate, educate, educate
