INSIDER THREAT KILL CHAIN
DETECTING HUMAN INDICATORS OF COMPROMISE
[Pie chart: insider cybercrime cases by intent: IT Sabotage 21%, Fraud 37%, IP Theft 15%, Espionage 19%, Other 8%]
Rajendrasinh Babubhai Makwana
ADMINS GONE WILD
Insider Threat Kill Chain phases:
Recruitment/Tipping Point
Search/Recon
Acquisition/Collection
Exfiltration/Action
Risk Indicator
Consistently first in and last out of office
12 Months+ unused vacation
Life change: marital status change
Gives notice
Lay-off notification
Passed over for promotion/raise
Disciplinary action
Risk Indicator
Increasing number of logins, variation in remote/local
Logging into network at odd times
Logging in frequently during vacation times
Remote logging using different employee credentials
Changes in websites visited, work vs. personal
Increased printer usage
Export of large reports/downloads from internal systems
Logon attempt from terminated employee/contractor
Odd remote logon patterns from employee on watch list
Logons from employee at odd times
Logon to high value asset from unauthorized system
Creation and deletion of user account within interval
Add and delete a user account from group within interval
Employee disables anti-virus
Employee visits blocked websites frequently
Leaving employee downloads large files from Intranet or CRM
Employee installs and uses Tor on company system
Employee installs scanning/hacking tools on system
<event name="Suspicious connection by risky employee">
  <logTime>2014-04-07T12:17:32</logTime>
  <suser>maliciousinsider</suser>        <!-- employee on the watch list -->
  <src>10.0.0.1</src>
  <shost>insider_system</shost>
  <prot>TCP</prot>
  <dpt>{22,23,3389}</dpt>                <!-- SSH, Telnet, RDP -->
  <start>17:00:00</start>                <!-- after-hours window: 17:00 to 08:00 -->
  <end>08:00:00</end>
</event>
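The correlation behind the event above, worked through as an added example; this is not Tripwire's or the deck's code. The log format, user names, addresses and the 24-hour account-churn window are constructed assumptions. It implements the after-hours watch-list rule from the event together with the "creation and deletion of user account within interval" indicator from the list above, and handles the detail that a 17:00 to 08:00 window wraps past midnight.

```python
"""Correlation rules behind the slide's "Suspicious connection by risky employee" event.

Added example, not code from the Tripwire deck. The log format, user names and
addresses below are constructed for the example. Two indicators from the
slides are implemented:
  Rule 1: a watch-listed employee connects over TCP to port 22, 23 or 3389
          between 17:00 and 08:00 (a window that wraps midnight, which a naive
          start <= t <= end comparison misses).
  Rule 2: a user account is created and deleted again within a short interval.
"""
from datetime import datetime, time, timedelta

# Watch list: employees whose HR risk indicators (gave notice, disciplinary
# action, lay-off notification, ...) were flagged. Names are constructed.
WATCH_LIST = {"maliciousinsider", "jdoe"}

SENSITIVE_PORTS = {22, 23, 3389}      # <dpt>{22,23,3389}</dpt>: SSH, Telnet, RDP
AFTER_HOURS_START = time(17, 0)       # <start>17:00:00</start>
AFTER_HOURS_END = time(8, 0)          # <end>08:00:00</end>
ACCOUNT_CHURN_WINDOW = timedelta(hours=24)   # assumed interval for Rule 2


def in_window(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end]; handles windows that wrap past midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end        # e.g. 17:00 today -> 08:00 tomorrow


def is_after_hours(clock: str) -> bool:
    """'23:17:32' -> True, '12:17:32' -> False under the slide's 17:00-08:00 window."""
    return in_window(time.fromisoformat(clock), AFTER_HOURS_START, AFTER_HOURS_END)


def parse(line: str) -> dict:
    """Parse one constructed '<iso-timestamp> key=value ...' log line into a dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["logTime"] = datetime.fromisoformat(ts)
    return fields


def suspicious_connections(lines):
    """Rule 1: after-hours connection to a sensitive port by a watch-listed user."""
    hits = []
    for rec in map(parse, lines):
        if rec.get("type") != "conn" or rec.get("prot") != "TCP":
            continue
        if rec["suser"] not in WATCH_LIST or int(rec["dpt"]) not in SENSITIVE_PORTS:
            continue
        if in_window(rec["logTime"].time(), AFTER_HOURS_START, AFTER_HOURS_END):
            hits.append({"name": "Suspicious connection by risky employee",
                         "suser": rec["suser"], "src": rec["src"],
                         "dpt": int(rec["dpt"]), "logTime": rec["logTime"].isoformat()})
    return hits


def account_churn(lines, window=ACCOUNT_CHURN_WINDOW):
    """Rule 2: the same account is created and then deleted within `window`."""
    created, hits = {}, []
    for rec in map(parse, lines):
        if rec.get("type") != "account":
            continue
        if rec["action"] == "create":
            created[rec["account"]] = rec
        elif rec["action"] == "delete" and rec["account"] in created:
            c = created.pop(rec["account"])
            lifetime = rec["logTime"] - c["logTime"]
            if lifetime <= window:
                hits.append({"name": "Account created and deleted within interval",
                             "account": rec["account"], "created_by": c["suser"],
                             "deleted_by": rec["suser"], "lifetime": str(lifetime)})
    return hits


# Constructed sample log, in time order. Trailing comments give the expected verdict.
SAMPLE_LOG = [
    "2014-03-01T09:00:00 type=account action=create account=backup_admin suser=it_ops",
    "2014-04-07T12:17:32 type=conn suser=maliciousinsider src=10.0.0.1 prot=TCP dpt=22",     # business hours
    "2014-04-07T23:17:32 type=conn suser=maliciousinsider src=10.0.0.1 prot=TCP dpt=3389",   # HIT
    "2014-04-08T01:00:00 type=conn suser=jdoe src=10.0.0.9 prot=TCP dpt=443",                # port not sensitive
    "2014-04-08T01:10:00 type=account action=create account=svc_tmp suser=maliciousinsider",
    "2014-04-08T02:05:10 type=conn suser=alice src=10.0.0.7 prot=TCP dpt=22",                # not on watch list
    "2014-04-08T03:45:00 type=account action=delete account=svc_tmp suser=maliciousinsider",  # HIT (2h35m lifetime)
    "2014-04-08T07:30:00 type=conn suser=jdoe src=10.0.0.9 prot=UDP dpt=3389",               # not TCP
    "2014-04-08T07:59:59 type=conn suser=jdoe src=10.0.0.9 prot=TCP dpt=23",                 # HIT (still inside window)
    "2014-04-08T09:00:00 type=account action=delete account=backup_admin suser=it_ops",      # 38 days: no hit
]

if __name__ == "__main__":
    for alert in suspicious_connections(SAMPLE_LOG) + account_churn(SAMPLE_LOG):
        print(alert)
```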
http://www.wired.com/2014/05/navy-sysadmin-hacking/
kwestin@tripwire.com
Insider Threat Kill Chain: Detecting Human Indicators of Compromise

Editor's Notes

  1. Hello, my name is Ken Westin. I am a product marketing manager with Tripwire, and today I will be presenting on the Insider Threat Kill Chain: Detecting Human Indicators of Compromise.
  2. Your organization's greatest asset is also its greatest threat: people. The very people we trust to run our business can also be its biggest risk. This includes employees, contractors and trusted business partners.
  3. One of my first experiences with Tripwire actually happened well before I worked here. I was a big fan of Tripwire Open Source and had it running on various web servers I managed for a small company. We hired a consultant to help with some server administration work and he was given access to a server. There was some dispute between the contractor and management regarding over-billing. Then one night at 4:30 AM I was awoken by my phone sending me alerts because the website went down. I logged into the server to fix it, but Apache wouldn't come back up, so I turned to Tripwire to see what changed and reviewed logs, and it was easy to see what happened. The contractor we had hired logged into the system, renamed the Apache configuration files and stopped the web server, so that when you tried to restart Apache it wouldn't work. The timeline corresponded to emails where he made veiled threats to management. The system admin received a letter along the lines of our intent to prosecute and we never heard from him again. Although this is a story I personally experienced, it is definitely not rare.
  4. Risk assessment models generally define threats as the product of capability and intent. CERT, which has done extensive research on insider threats, analyzed the underlying intentions of the perpetrators of actual insider cybercrimes in the United States and categorized them into 4 key groups:
     - IT Sabotage: where, as in our previous example, a disgruntled employee decides to cause damage to data or infrastructure.
     - Fraud: where an insider steals information, such as credit card or payment data, usually for the purpose of financial gain.
     - Intellectual Property Theft: includes cases where not only business plans or technology are stolen, but also things like source code, where many developers feel they retain ownership rights to code they developed, or a sales rep who helps himself to customer information before going to work for another company.
     - Espionage: includes state-sponsored espionage as well as corporate espionage. Many nation states target corporations (expand on this more).
  5. Many in security are familiar with the Cyber Kill Chain coined by Lockheed Martin to describe the phases of a targeted attack, which can then be mapped to defensive measures: Reconnaissance -> Exploitation phases -> Command & Control -> Actions. The cyber kill chain approach, however, breaks down when we try to apply it to an insider threat: insiders are already on the inside and in many cases are using authorized credentials to simply do unauthorized things, which makes them more challenging to detect as they progress through their various nefarious actions. The FBI modeled a different kill chain when discussing how they deal with the insider threat within the FBI itself, which I believe works very well. It starts with the Recruitment or Tipping Point: the point where the good employee turns bad, be it an internal event such as being passed over for a promotion, or an outside influencer who may be offering a bribe or other incentive. Next is the Search and Recon phase, which can be a faster process the more knowledgeable the employee is and the higher their level of access. Then we have the actual Acquisition and Collection of information, be it copying it to one place on a server or their laptop, or photocopying and printing documents. The last phase is the actual egress of data from the organization, or the point at which the employee is able to cause actual damage to the network. This is not limited to a single event and can be an ongoing process, often escalating in terms of risk on the perpetrator's side as they become more confident that they will not get caught.
On the defensive side, as this kill chain progresses the methods for mitigating the risks change. Our first line of defense is Prevention: this starts with security policies, training of employees, access controls and the principle of least privilege, for example. As the insider begins to take actions we move into the realm of Detection: when they log into critical assets, copy files, download tools that may assist in information gathering and scanning, and perform other activities that can be detected with proper logging and controls in place. The next phase is Response to an actual incident, when we realize data has been compromised or damage has been inflicted on systems affecting business operations. At this phase it is about identifying the scope of the compromise and getting systems back up and running in a trusted state. Having access to logs and system change information is critical at this phase for incident response, forensics and getting things operational again.
All through these phases of the kill chain there are different indicators of risk that can tell us something is wrong, but only if we know what to look for and where. These indicators usually come in two categories. The non-technical indicators usually deal with behaviour that Human Resources or a legal department are aware of, such as an employee who is reprimanded or gives notice: events that may increase risk. Then we have the technical indicators, such as an employee attempting to access systems they are not authorized to access, or multiple remote connections at odd hours and transfers of large files.
  6. Many in security are familiar with the Cyber Kill Chain coined by Lockheed Martin to describe phases of a targeted attack which can then map to defensive measures such as : Reconnaissance -&gt; Exploitation phases -&gt; Command &amp; Control -&gt; ActionsThe cyber kill chain approach however breaks down when we try to apply it to an insider threat, as they are already on the inside and in many cases are using authorized credentials to simply do unauthorized things, making it more challenging to detect as they progress through their various nefarious actions. The FBI modeled a different kill chain model when discussing how they deal with the Insider Threat within the FBI itself, which I believe works very well. It starts with the Recruitment or Tipping Point, it is basically the point where the good employee turns bad, be it an internal event such as being passed over for a promotion, or an outside influencer who may be offering a bribe or other incentive.Next is the search and recon phase, which can be a faster process the more knowledgable the employee, as well as their level of access. Then we have the actual acquisition and collectoin of information, be it copying it to one place on a server, their laptop, or photocoying and printing documents. The last phase is the actual egress of data from the organization, or the point at which the employee is able to cause actual damage to network. This is not limited to a single event and can be an ongoing process, often escalating in terms or risk on the perpetrators side as they become more confident thinking they will not get caught. On the defensive side as this kill chain progresses the methods for mitigating the risks change. Our first line of defense is in Prevention, this starts with security policies, training of employees, access controls and principle of least privilege for example. 
As the insider begins to take actions we move into the realm of detection, when they log into critical assets, copy files, download tools that may assist in information gathering and scanning and other activities that can be detected with proper logging and controls in place.The next phase is responding to an actual incident, when we realize data has been compromised, or damage is inflicted on systems affecting business operations. At this phase it is about identifying the scope of the compromise and getting systems back up and running and in a trusted state. Having access to logs and system change information is critical at this phase for incident response, forensics and getting things operational again.All through these phases of the kill chain there are different indicators of risk that can tell us something is wrong, but only if we know what to look for and where. Thes indictors usually come in two different categories, the non-technical indicators usually dealing with behaviour that Human Resources, or a legal department are aware of such as an employee who is reprimanded, or gives notice, events that may increase risk. Then we have the technical indicators such as an employee attempting to access systems they are not authorized to access, or multiple remote connections at odd hours and transfering large files.
  7. Many in security are familiar with the Cyber Kill Chain coined by Lockheed Martin to describe phases of a targeted attack which can then map to defensive measures such as : Reconnaissance -&gt; Exploitation phases -&gt; Command &amp; Control -&gt; ActionsThe cyber kill chain approach however breaks down when we try to apply it to an insider threat, as they are already on the inside and in many cases are using authorized credentials to simply do unauthorized things, making it more challenging to detect as they progress through their various nefarious actions. The FBI modeled a different kill chain model when discussing how they deal with the Insider Threat within the FBI itself, which I believe works very well. It starts with the Recruitment or Tipping Point, it is basically the point where the good employee turns bad, be it an internal event such as being passed over for a promotion, or an outside influencer who may be offering a bribe or other incentive.Next is the search and recon phase, which can be a faster process the more knowledgable the employee, as well as their level of access. Then we have the actual acquisition and collectoin of information, be it copying it to one place on a server, their laptop, or photocoying and printing documents. The last phase is the actual egress of data from the organization, or the point at which the employee is able to cause actual damage to network. This is not limited to a single event and can be an ongoing process, often escalating in terms or risk on the perpetrators side as they become more confident thinking they will not get caught. On the defensive side as this kill chain progresses the methods for mitigating the risks change. Our first line of defense is in Prevention, this starts with security policies, training of employees, access controls and principle of least privilege for example. 
As the insider begins to take actions we move into the realm of Detection: when they log into critical assets, copy files, download tools that may assist in information gathering and scanning, and perform other activities that can be detected with proper logging and controls in place. The next phase is Responding to an actual incident, when we realize data has been compromised or damage has been inflicted on systems, affecting business operations. At this phase it is about identifying the scope of the compromise and getting systems back up and running in a trusted state. Having access to logs and system change information is critical at this phase for incident response, forensics and getting things operational again. All through these phases of the kill chain there are different indicators of risk that can tell us something is wrong, but only if we know what to look for and where. These indicators usually come in two categories. The non-technical indicators usually deal with behaviour that Human Resources or a legal department are aware of, such as an employee who is reprimanded or gives notice; these are events that may increase risk. Then we have the technical indicators, such as an employee attempting to access systems they are not authorized to access, or multiple remote connections at odd hours transferring large files.
  8. With regards to the non-technical indicators, which I call "Human Indicators of Compromise", here are a few examples of potentially increased risk. Consistently first in and last out of the office can be an indicator of control, of not wanting others to see what they are working on. 12 months+ of unused vacation is again an issue of control: their work has not been handed over for others to review. A life change such as a change in marital status is not always an indicator of risk, but statistically can be. Further examples are giving notice, a lay-off notification, being passed over for a promotion or raise, and disciplinary action.
  9. At the prevention phase there is a great deal that can be done to mitigate insider risks. The first is to consider insiders and partners in your risk assessments; many times in information security the focus is on the outside perimeter. Background checks are important, particularly for those in positions of trust, and this can include employees as well as partners. Clearly document and enforce security policies.
  10. On the prevention side there are some technical indicators of risk: an increasing number of logins by a user, varying between local and remote logins; logging into the network at odd times; and logging in frequently during vacation times, which may not be an indicator that the user is malicious but rather that someone else is using their credentials.
  11. So when it comes to monitoring insiders in our environments, how can we gather logs and other data and make sense of it to help us identify actual risk indicators and events of interest? With a seemingly endless number of devices and applications and a high volume of user activity on any given day, identifying a potential insider threat seems almost impossible. However, Tripwire Log Center provides the tools to monitor specific users' system access, application usage, physical access, whether they are on our HR watch list, and other activities, either out of the box or through easily created rules. Tripwire Log Center provides actionable intelligence that correlates events of interest to trigger alerts, or to activate actions and scripts to quickly respond to a potential insider threat. In addition, Tripwire Log Center provides easily accessible archives of log data with powerful search capability to go back and look at the actions a particular employee took, or to identify patterns of risky behavior. Tripwire Log Center also provides tight integration with Tripwire Enterprise to identify any changes that are made by users in your environment, as well as to help get it back into a trusted state if unauthorized changes are made. Tripwire Log Center and Tripwire IP360 work together to identify vulnerabilities in your network that a technically savvy insider may leverage to escalate privileges or gain access to sensitive data.
  17. Here are a few examples of correlation rules that can be used to identify events of interest in your environment; many come out of the box with Tripwire Log Center. [read through]
  18. When people deploy a log intelligence tool, the first thing they usually ask is: what should I log? At a bare minimum you should be logging events from firewalls, unsuccessful login attempts on systems, intrusion detection system logs, web proxies, antivirus alerts and change management systems, so that you can report on any configuration changes to systems in your environment.
  19. Before an organization considers deploying a log intelligence or SIEM solution, there are some things to take into account. You will want to identify the log volume in Events Per Second, or EPS; this is used by most commercial products for pricing and also provides a guideline for the hardware requirements of the servers that handle the load. You will want to establish log management policies and procedures. You may want to work with your legal department on log retention policies to see if there is a certain length of time logs need to be archived for. We will also want to decide specifically what we plan to collect and from which devices, as well as identify who will be managing the systems. Some organizations want to federate this management out to the department level and then pass events of interest up to a security operations center, or pass everything to the SOC and let them sort it out. Then there are false positives: unfortunately you cannot just deploy the system and leave it; you will need to tune the system to reduce false positives and focus on the events that matter. You will also want to establish baselines to identify what is normal behavior in your environment, to better distinguish anomalies from true threats.
  20. Let's walk through a common real-world insider threat example. Let's assume we have an employee who has been flagged by HR for our watch list; we put a watch on this employee through Active Directory. We want to monitor whether he connects to servers outside of our network after hours. For this rule we will monitor ports 22 (SSH), 23 (Telnet), and 3389 (Terminal Services, or RDP). Since a majority of malicious insiders used remote access for their attacks, we considered instances of connections to these three ports as suspicious in the development of our signature. You will need to account for other protocols used in your own environment to make sure you are monitoring all possible channels of communication. This rule is written out here in Common Event Expression (CEE), a common open format used by most log intelligence and SIEM tools; it can be imported into Tripwire Log Center and shared with other systems easily.
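The after-hours rule described above, as an added example in plain Python rather than Tripwire's own rule engine: it parses a few constructed firewall-style log lines and flags connections by a watch-listed user to an external host on ports 22, 23 or 3389 between 17:00 and 08:00. The user name, addresses and the "10/8 is internal" assumption are placeholders chosen for the example.

```python
"""Added example (not Tripwire's code): the watch-list after-hours
remote-connection rule, run over constructed sample log lines."""
from datetime import datetime, time

# Assumption: the HR watch list is fed from an AD group; names are placeholders.
HR_WATCH_LIST = {"maliciousinsider"}
# Assumption: anything in 10.0.0.0/8 is "inside"; tune this to your own ranges.
INTERNAL_PREFIXES = ("10.",)
# The three remote-access ports the rule considers suspicious.
SUSPICIOUS_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP"}
# The window wraps midnight: 17:00 in the evening to 08:00 the next morning.
AFTER_HOURS_START, AFTER_HOURS_END = time(17, 0), time(8, 0)

# Constructed sample log (key=value fields modelled on the CEE event on the slide).
SAMPLE_LOG = """\
2014-04-07T12:17:32 suser=maliciousinsider src=10.0.0.1 dst=10.0.0.5 proto=TCP dpt=22
2014-04-07T23:41:10 suser=maliciousinsider src=10.0.0.1 dst=203.0.113.7 proto=TCP dpt=3389
2014-04-07T23:45:02 suser=bob src=10.0.0.9 dst=203.0.113.7 proto=TCP dpt=22
2014-04-08T09:05:00 suser=maliciousinsider src=10.0.0.1 dst=203.0.113.7 proto=TCP dpt=443
2014-04-08T02:30:00 suser=maliciousinsider src=10.0.0.1 dst=198.51.100.3 proto=TCP dpt=23
"""


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict; dpt becomes an int."""
    ts, *fields = line.split()
    event = {"logTime": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    event["dpt"] = int(event["dpt"])
    return event


def is_after_hours(t):
    """True inside the wrapped 17:00 -> 08:00 window."""
    return t >= AFTER_HOURS_START or t < AFTER_HOURS_END


def is_external(ip):
    return not ip.startswith(INTERNAL_PREFIXES)


def matches_rule(event):
    """All four conditions must hold: watch-listed user, remote-access port,
    destination outside the network, and an after-hours timestamp."""
    return (event["suser"] in HR_WATCH_LIST
            and event["dpt"] in SUSPICIOUS_PORTS
            and is_external(event["dst"])
            and is_after_hours(event["logTime"].time()))


def suspicious_connections(log_text):
    """Return (time, user, destination, service) for every matching line."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if matches_rule(event):
            alerts.append((event["logTime"].isoformat(), event["suser"],
                           event["dst"], SUSPICIOUS_PORTS[event["dpt"]]))
    return alerts


if __name__ == "__main__":
    for alert in suspicious_connections(SAMPLE_LOG):
        print("Suspicious connection by risky employee:", alert)
```

Of the five sample lines only the 23:41 RDP and 02:30 Telnet connections fire; the noon SSH to an internal host, the daytime HTTPS session and the non-watch-listed user are all dropped by one of the four conditions.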
  22. Although Tripwire Log Center can import CEE, you can also easily create rules through a drag-and-drop interface, as well as create custom reports and dashboards. Here is an example dashboard we have created for what I am calling our HR watch list; it is tied in with Active Directory and provides us with the relevant events that are occurring in our environment. In the center map we are watching remote SSH to see where users are connecting to outside the company; to the right we have a map of activity during the day. We are monitoring which users are logging into multiple systems, which users are logging into high value assets, as well as former employees who have attempted to log into the network. We can monitor which systems are making remote SSH connections, as well as which hosts have had large files copied or generated.
  23. We can also bring physical security into the mix by pulling log data from key fob systems and correlating it with network events. When dealing with an insider incident it is helpful to be able to physically place a user in the office at a specific terminal, and to know which assets they connected to on your network and which connections they opened to the outside world.
  24. Tripwire has caught several malicious insiders, many times when the software is first deployed to a network. A power company deployed Tripwire Log Center and immediately discovered the account of a terminated system admin still in use. Not only that, but the account was logging into the network around 4AM on Wednesdays. They also discovered that logging had been disabled on a key firewall by the same account.
  25. As another example, a major tire retailer deployed Tripwire Log Center as part of a proof of concept. A backdoor that had been set up by a terminated employee was discovered, and it was being actively accessed. They were able to quickly block the access and gathered enough evidence to prosecute the terminated employee, should management choose to do so.
  26. In a recent headline that actually came up yesterday, a former systems administrator on a Navy nuclear aircraft carrier has been charged with conspiring to hack into government systems over the course of several months. Nicholas Paul Knight, 27, who referred to himself as a "nuclear black hat", was discharged from the Navy after he allegedly attempted to hack into a Naval database while at sea serving as a systems administrator in the nuclear reactor department aboard the U.S.S. Harry S. Truman. He was involved in hacking into the U.S. National Geospatial Intelligence Agency, the Department of Homeland Security's Transportation Worker Identification system and Los Alamos National Lab, as well as university and police departments. This raises another question with regards to insiders: what are employees doing on your network? Auditing what tools and software are on systems, and what outgoing connections they make, can help detect risky behaviour that may not cause you to be breached, but could hold you liable to some degree if the employee is illegally hacking other networks.
  27. So in summary I would like to go back to the earlier slide that outlines our insider threat kill chain. As we can see what at first seems like an impossible task of dealing with a malicious insider