Insider threat-what-us-do d-want

Insider Threat!!!
What US Department of
Defense want?
Lan Nguyen
Co-founder
Veramine Inc.

Outline
 About Insider Threat
 Definition and Research
 Motivations and Statistics,
 US military cases: Snowden and others
 US Government and DOD Measures
 Solutions to Insider Threat:
 Public Information and Veramine projects with US DOD, DHS and Airforce
 Strongly supported by Solutions for External Threats, i.e. EDR and Deception
 UAM, UEBA: Detections by AI, Rules, and Controls over Data, User and Device
 Forensics and Logs: Collecting Artifacts, Variety, Details, Realtime, Filtered
 Incident Response Actions on Hosts, Users… Threat Hunting with Yara and Search
Veramine Inc.
Advanced Endpoint Security

About Insider Threat
Definition of Insider Threat (Wikipedia)
- malicious to an organization
- comes from people within the organization
- have inside information of the organization’s IT systems
- involve fraud or theft of confidential or commercially valuable information
- or theft of intellectual property, or sabotage of computer systems
Research: CERT Insider Threat Center of Carnegie-Mellon University
- database of 850+ insider threat cases, including fraud, theft and sabotage
- blog to help organizations defend themselves against insider crime
- Insider Threat Test Datasets for Data Analysis and Machine Learning
https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=508099
Veramine Inc.

About Insider Threat
Veramine Inc.

Motivations
Veramine Inc.
2500INTERNAL SECURITY BREACHES OCCURRING IN US BUSINESS EVERY DAY
https://www.isdecisions.com/insider-threat/statistics.htm

Motivations
Veramine Inc.
According to insider threat statistics from a Ponemon
Institute study, accidental insider threat cost roughly $283,000
per incident, but due to their frequency, these incidents racked
up to $3.8 million per year, per organization

Motivations
Veramine Inc.
The figures come from Verizon's Insider Threat
Report, a report released this week that reframes
data from the company's 2018 Data Breach
Investigations Report (DBIR)

Edward Snowden Case
- was a Central Intelligence Agency (CIA) employee and subcontractor
- given full administrator privileges with virtually unlimited access to NSA data
- copied and leaked thousands of highly classified information from the National
Security Agency (NSA) in June 2013
- the disclosures revealed numerous global surveillance programs, run by NSA,
European governments, Five Eyes Intelligence Alliance, telecom companies
Snowden is very technical
- six months training full-time at CIA's secret school for technology specialists
- former NSA co-worker said Snowden was a "genius among geniuses" who
created a widely implemented backup system for the NSA and often pointed
out security flaws to the agency
- offered a position on NSA's elite team of hackers, Tailored Access Operations
Veramine Inc.

Other US military cases
Chelsea Manning
- former US Army soldier, assigned in 2009 to an Army unit in Iraq as an
intelligence analyst
- disclosed to WikiLeaks nearly 750,000 classified, or unclassified but sensitive,
military and diplomatic documents, in early 2010
Harold T. Martin III
- accused of stealing approximately 50 terabytes of data
- from the Central Intelligence Agency, the National Security Agency, the
United States Cyber Command, the United States Department of Defense
and the National Reconnaissance Office
- US gov agencies failed to effectively detect and respond to Martin's
practices and behaviors over 10 to 20 years, until 2016
Veramine Inc.

US Gov Reactions to Insider Threat
October 2011, US President Obama issued Executive Order 13587
establishing the National Insider Threat Task Force (NITTF)
2017 NITTF Insider Threat Guide and NITTF Tech Bulletin 20180527: How
Committee on National Security Systems Directive 504 (CNSSD 504 - technical
cores of insider threat prevention) Defines User Activity Monitoring (UAM)
November 1, 2018, NITTF released the Insider Threat Program Maturity
Framework, an aid for advancing federal agencies’ programs beyond the
Minimum Standards, and builds upon 2017 NITTF Insider Threat Guide
Veramine Inc.

Committee on National Security Systems
Directive 504 (CNSSD 504) - 2016
Technical functionality that a user activity monitoring (UAM) solution must have to meet the Directive’s
requirements
UAM “technical capability to observe and record the actions and activities of an individual, at any time, on
any device accessing U.S. Government information in order to detect insider threats and to support
authorized investigations.“
- a structured, consistent, and continuous collection and reporting process
- across the whole of an organization at the device level
- for identifying, assessing, deciding upon responses to, and acting
- upon specific analysis of insider threat behaviors
Every department and agency (D/A) should have five minimum technical capabilities to collect user activity
data
- keystroke monitoring,
- full application content (e.g., email, chat, data import, data export),
- screen capture,
- file shadowing for all lawful purposes (i.e., the ability to track documents when the names and locations
have changed)
- collected UAM data must be attributable to a specific user. The D/A should incorporate UAM data into
an analysis system that is capable of identifying anomalous behavior.
Veramine Inc.

Cybersecurity Maturity Model
Certification (CMMC)
July 16, 2019 DoD Announces the Cybersecurity Maturity Model Certification
(CMMC) Initiative
- a framework aimed at assessing and enhancing the cybersecurity posture of
the Defense Industrial Base (“DIB”), particularly controlled unclassified
information (“CUI”)
- in response to a series of high profile breaches of DoD information.
- all companies conducting business with the DoD, including subcontractors,
must be certified.
Veramine Inc.

User and Entity Behavior Analytics
(UEBA)
 Examples of machine-learning detection algorithms:
 User tracking: deviances from norms of user logon & logoff behaviorSMB tracking:
deviances from normal SMB behaviors indicating lateral movement
 Printing tracking: deviances from normal printing behaviors of each user
 Process profiling: deviances from norms of process behavior
 “Data Exfiltration” detection
 Insiders can gather important data (database of classified, ssn, financials,
secrets...), compress and encrypt it, and then exfil it to external sites
 deviances from historical and seasonal norms of network volume
 Several other detections about anomalies in certs, networks, eop registries,
process tampering, user activities…
 Deep Learning, Bayesian network, Naïve Bayes, Regression…
Veramine Inc.

DNN: Forward and backward functions
From Coursera

CNN: AlexNet
= ⋮ ⋮
227×227 ×3
55×55 × 96 27×27 ×96 27×27 ×256 13×13 ×256
13×13 ×384 13×13 ×384 13×13 ×256 6×6 ×256 9216 4096
⋮
4096
11 × 11
s = 4
3 × 3
s = 2
MAX-POOL
5 × 5
same
3 × 3
s = 2
MAX-POOL
3 × 3
same
3 × 3 3 × 3 3 × 3
s = 2
MAX-POOL
Softmax
1000
[Krizhevsky et al., 2012. ImageNet classification with deep convolutional neural networks] From Coursera

Summary of RNN types
One to one One to many Many to one
Many to many Many to many
From Coursera

User Activities Monitoring (UAM)
User Control
 Keylogging, Screenshot
captures, Activities on
Browsing, Email, SMB
 Data on User, Sessions,
Console, RDP…
 Use case example: Monitoring
activities on most important
servers, such as AD, DB, SMB,
Data Center servers, and
designated computers
accessing those servers.
 Video Capability: near-real
time “video” capability to view
user activities at endpoints
Veramine Inc.

Device Control
 Devices Policy defines
a list of USBs based on
their Vendor Id,
Product Id, Serial.
When such a device is
plugged-in, sensor can
block / allow access to
this USB device based
on policy settings.
 History of USB activities
such as Inserts,
Removals
Veramine Inc.

Specific device,
vendor, or product ID
can be given:
 No Access (blocked)
 Read-Only Access
 Read-Write Access
All by policy
Veramine Inc.
Device Control

 Based on Velociraptor,
collecting artifacts from
endpoints
 Includes ~60 Windows
artifacts
 Instantly send an action
to one host or many.
 Actions send
immediately to
connected hosts, queue
for disconnected hosts
Veramine Inc.
Forensics

 Can define built-in collection tasks or define new ones
 VQL: SELECT [Columns] FROM [plugins(args)] WHERE [Conditions]
Veramine Inc.
Forensics

 VQL, simply improved
from SQL, allows artifact
collection tasks to be
quickly programmed,
automated and shared.
Turn-around from IOC to
full hunt: a few minutes.
 E.g. VQL to collect files
(artifacts) in users’ temp
directory which have
been created within the
last week, or changed in
the last hour. Its
parameters:
 Target group of hosts
 Directory to search
 Required age of files
Veramine Inc.
Forensics

 Forensics tab has
searching, sorting, filtering
 Cancel Queued Collection
jobs, Delete Results from
already run jobs
Veramine Inc.
Forensics

 New Forensics tab under “Response”
 List of jobs + state (queued, in progress, completed, error)
Veramine Inc.
Forensics

 We show Velociraptor JSON, sortable, searchable
 Results ZIP has TXT, CSV, JSON, collected files
Veramine Inc.
Forensics

Combined with Solutions for External
Threats
3 endpoint solutions that can also be packaged into 3-in-1:
- Endpoint Detection and Response (EDR), a main anti-APT tool set, to
effectively provide Detection, Investigation, Response, Data Collection...
- Dynamic Deception System (DDS), a Platform of Traps, such as Deceptive
services, processes, mutexes, credentials, network listeners, data shares,
registry helper, virtual boxes, VMs..., as Active Defense to Detect and Prevent
attacks
- Insider Threat Prevention (ITP), combining Advanced Controls of Users, Data
and Devices, such as Key loggers, Screenshots, Browsing, Email activities, USB
Tracking and Permissions, Digital Forensics...
Veramine Inc.

 Detection and Tracking of insider threats through SMB network share access;
 SMB file share tracking; where people copy files from a network share to their local drive
 captures files, exfiltration
 Look for compromised accounts, using mimikatz to obtain credentials
EDR Detection for Insider Threat
Veramine Inc.

IR Investigation: Yara Memory Search
 Sensor reports processes matching yara expression (per process, not
only system match)
Veramine Inc.

 Customers can Save + Update commonly-used Yara expressions
 Schedule periodic Yara memory search
Veramine Inc.
Yara Memory Search Easy UX

Yara Memory Search Easy UX
Veramine Inc.

IR Response Actions
Host Control: Network
Quarantine, Shutdown, Reboot
Veramine Inc.
User and Session Control:
Disconnect, Disable, Enable

Deception Shares and Files
Veramine Inc.

Deception Process, Service
Veramine Inc.

Deception Credentials
Veramine Inc.

Performance
 On average taking less than 1% CPU and 20 MB RAM.
 On average, per host, network traffic is less than 30 MB / 1 day.
 Network traffic can be further tuned using collection policies which allows
to configure which events are collected by sensors.
Veramine Inc.

Q&A
Thanks!!
Contact: Nguyễn Duy Lân
Email: lan at veramine.com
Veramine Inc.

Insider threat-what-us-do d-want

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to Insider threat-what-us-do d-want

Similar to Insider threat-what-us-do d-want (20)

More from Security Bootcamp

More from Security Bootcamp (20)

Recently uploaded

Recently uploaded (20)

Insider threat-what-us-do d-want