DISA IT Seminar : July 2014 1 The Insider Threat Nick Barron, DISA IT Advisor nick.barron@pennantplc.co.uk +44 7720 508085


DISA IT Seminar : July 2014 1

The Insider Threat

Nick Barron, DISA IT Advisor
nick.barron@pennantplc.co.uk

+44 7720 508085


DISA IT Seminar : July 2014 2

About me

• Day job
  • Security controller, sysadmin, software developer
  • Medium size List-X contractor
  • DISA IT advisor

• After hours
  • 44CON security conference
  • SC Magazine
  • Way too many computers at home


DISA IT Seminar : July 2014 3

Overview

• What is the insider threat?
• Attackers: types, motivation and examples
• Detection
• Prevention
• Summary
• Questions


DISA IT Seminar : July 2014 4

An apology


DISA IT Seminar : July 2014 5

What is the insider threat?

• Definition from CERT:
  A malicious insider threat is a current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.

  Cappelli, Dawn M.; Moore, Andrew P.; Trzeciak, Randall F. (2012-01-20). The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes

• Definition from CPNI:
  A person who exploits, or has the intention to exploit, their legitimate access to an organisation’s assets for unauthorised purposes

  CPNI Insider Data Collection Study, April 2013


DISA IT Seminar : July 2014 6

Obligatory (possibly fictional) scary numbers

• CPNI Insider Data Collection Study, April 2013
  • 88% permanent staff, 7% contractor, 5% temp
  • 82% male
  • 76% “self initiated”
  • 47% financial gain motivation, 20% ideology

• Combating the Insider Threat at the FBI: Real World Lessons Learned, Patrick Ready, BlackHat 2013
  • Not the most common threat (~19%)
  • But the most costly ($412K per incident, average victim loss ~$15M per year)


DISA IT Seminar : July 2014 7

Obligatory (possibly fictional) scary numbers

• Sanity check!
  • Statistics can be misleading
  • Only detected intrusions get into the figures

Image: http://xkcd.com/552/. Used with permission


DISA IT Seminar : July 2014 8

Key points about insiders

• Already authorised
• Already know the “crown jewels”
• Already know some/most security barriers (and can test them)
• Not just your staff


DISA IT Seminar : July 2014 9

Features of the insider threat

• The bad side
  • Insiders negate perimeter defences
  • Good target knowledge
  • Interior defences often weaker than perimeter

• The not so bad side
  • IF detected, better chance of successful resolution
  • Operate entirely within your zone of authority


DISA IT Seminar : July 2014 10

Types of attack

• Information disclosure
  • Theft of IP
  • Competitor/FIS
  • Personal gain

• Financial gain
  • Direct (theft of material, fraudulent orders etc)
  • Indirect (insider information, bids etc)

• Sabotage
  • Physical, reputational or IT


DISA IT Seminar : July 2014 11

Types of attacker

• Self-initiated insider
  • Disgruntled employees
  • Potential for financial gain, or motivated by ideology, desire for recognition or revenge

• Exploited/recruited
  • Identified by attacker
  • Cultivated

• Deliberate
  • Gained employment with intent to abuse access
  • Typically FIS or activist


DISA IT Seminar : July 2014 12

Motivation

• Money
• Ideology
• Recognition
• Personal loyalty
• Dissatisfaction
• Revenge


DISA IT Seminar : July 2014 13

Motivation and action

• Different motivations result in different attacks
  • Ideology and desire for recognition most likely to lead to unauthorised disclosure
  • Financial gain most likely to lead to process abuse or unauthorised access to assets
  • Revenge most likely to result in sabotage


DISA IT Seminar : July 2014 14

Misconceptions

• “I’m not worried, all our staff are security cleared…”

• Clearance is an important risk management tool, but does not remove the threat

clear·ance [kleer-uhns], noun: Pre-requisite qualification for a career in insider threat espionage


DISA IT Seminar : July 2014 15

Whistlestop tour of famous DV cleared insider threats

Images: Wikipedia, used with permission

Blunt, Maclean, Burgess, Philby

David Shayler / Delores Kane / Son of God

Annie Machon

Katharine Gun


DISA IT Seminar : July 2014 16

Whistlestop tour of famous DV cleared insider threats

Images: Wikipedia and US Government, used with permission

John Anthony Walker

Aldrich Ames

Robert Hanssen

Bradley Manning


DISA IT Seminar : July 2014 17

Whistlestop tour of famous DV cleared insider threats


DISA IT Seminar : July 2014 18

Snowden sidebar

• How did he do it?
  • High level legitimate access
  • Gained additional credentials (social engineering)
  • Installed own crypto keys and certificates

• Impact does not correlate with volume
  • Currently published Snowden documents are only ~2,000 pages (http://cryptome.org/2013/11/snowden-tally.htm)
  • That would be about 8MB…
  • Not much chance of detecting that…


DISA IT Seminar : July 2014 19

Detection

• Insider threats are not always so obvious!

Image from https://www.123rf.com/profile_dragon_fang. Used under licence


DISA IT Seminar : July 2014 20

Internal attack process

• Initiation

• Identify target material
  • Massive head start on external attackers
  • More careful identification reduces chance of discovery

• Collect and collate
  • Depends on volume

• Remove from company control
  • CDs, DVDs, paper, email, web transfer


DISA IT Seminar : July 2014 21

Detection

• Technical measures
  • Unusual copying activity (electronic and paper)
  • Large and/or unusual data movements
  • Multiple device control failures
  • Unusual IT activity (probing etc)
  • Suspicious network activity

• Forensics
  • Know normal patterns
  • Forensic awareness (do everything Campbell told you to!)
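Two of the technical measures above, unusual data movement volume and repeated device control failures, are easy to express as checks that actually read the audit log rather than leaving it “write only”. The following is an added example, not code from the slides or from any product; it assumes a hypothetical endpoint-agent log format (one event per line with user, action, destination, bytes and result fields) and uses constructed sample lines. “Normal” is taken as each user’s median daily volume on their other observed days, which is the simplest form of the “know normal patterns” point.

```python
"""Added example (not from the slides): flag unusual copying volume and
repeated device-control failures in constructed endpoint log lines."""
import re
from collections import defaultdict
from statistics import median

# Constructed sample log in a hypothetical endpoint-agent format:
#   <timestamp> user=<name> action=<copy|print|...> dest=<usb|printer|...>
#   bytes=<n> result=<ok|blocked>
SAMPLE_LOG = """\
2014-07-01T09:12:03 user=alice action=copy dest=usb bytes=2000000 result=ok
2014-07-01T14:40:11 user=alice action=copy dest=usb bytes=1500000 result=ok
2014-07-02T10:05:44 user=alice action=copy dest=usb bytes=1800000 result=ok
2014-07-03T11:20:09 user=alice action=copy dest=usb bytes=2200000 result=ok
2014-07-04T08:01:30 user=alice action=copy dest=usb bytes=45000000 result=ok
2014-07-04T08:03:12 user=alice action=copy dest=usb bytes=60000000 result=ok
2014-07-01T09:30:00 user=bob action=copy dest=usb bytes=500000 result=blocked
2014-07-01T09:31:10 user=bob action=copy dest=usb bytes=500000 result=blocked
2014-07-01T09:33:45 user=bob action=copy dest=usb bytes=500000 result=blocked
2014-07-02T12:00:00 user=carol action=print dest=printer bytes=90000 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"dest=(?P<dest>\S+) bytes=(?P<bytes>\d+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped and counted
    (a sudden rise in the skipped count is itself worth a look)."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        ev = m.groupdict()
        ev["bytes"] = int(ev["bytes"])
        ev["day"] = ev["ts"][:10]          # calendar day from ISO timestamp
        events.append(ev)
    return events, skipped


def daily_volumes(events):
    """Bytes successfully moved off-system per (user, day)."""
    vol = defaultdict(int)
    for ev in events:
        if ev["result"] == "ok" and ev["action"] in ("copy", "print"):
            vol[(ev["user"], ev["day"])] += ev["bytes"]
    return vol


def volume_alerts(events, ratio=5.0, min_bytes=10_000_000):
    """Flag a day whose volume is more than `ratio` times the user's median
    on their other observed days AND above an absolute floor, so a user
    with no history or a small one-off copy does not trigger on its own."""
    by_user = defaultdict(dict)
    for (user, day), b in daily_volumes(events).items():
        by_user[user][day] = b
    alerts = []
    for user, days in sorted(by_user.items()):
        for day, b in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            if not others or b < min_bytes:
                continue
            baseline = median(others)
            if b > ratio * baseline:
                alerts.append((user, day, b, baseline))
    return alerts


def device_failure_alerts(events, threshold=3):
    """Flag users with `threshold` or more blocked device events in one day:
    one failure is a mistake, several in a row is someone testing the barrier."""
    fails = defaultdict(int)
    for ev in events:
        if ev["result"] == "blocked":
            fails[(ev["user"], ev["day"])] += 1
    return [(u, d, n) for (u, d), n in sorted(fails.items()) if n >= threshold]


if __name__ == "__main__":
    evs, skipped = parse_log(SAMPLE_LOG)
    print(f"{len(evs)} events parsed, {skipped} malformed lines skipped")
    for user, day, b, base in volume_alerts(evs):
        print(f"VOLUME  {user} {day}: {b} bytes vs median {base}")
    for user, day, n in device_failure_alerts(evs):
        print(f"DEVICE  {user} {day}: {n} blocked device events")
```

The ratio-plus-floor rule is deliberately crude: the slides are right that knowing what normal transfer behaviour looks like is hard, and in practice the baseline would be built over weeks per role rather than per user over a few days. The point is that the check runs over the log as a matter of routine, so that the log is read, not just written.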


DISA IT Seminar : July 2014 22

Not just “cyber”

• Not just about technology/techies
  • Technology helps insiders, but threat comes from people

• Not just IT techies
• Not just system admins
  • IT sabotage usually sysadmins (CERT, 90%)
  • Espionage only 1.5% sysadmins (FBI)


DISA IT Seminar : July 2014 23

Detection

• Behaviour
  • Poor work attitude
  • Stress
  • Frequent security violations
  • Poor handling of PM assets

• It’s all about the aftercare…


DISA IT Seminar : July 2014 24

Detection

• How do they get away with it?
  • Poor management oversight
  • Audit logs are “write only”
  • Need-to-know creep
  • Poor security culture
  • “Normalisation of deviance”


DISA IT Seminar : July 2014 25

Prevention

• Existing security measures (may) still work against insider threats


DISA IT Seminar : July 2014 26

Prevention

• The usual suspects…
  • Include insiders in risk assessment process
  • Make sure access rights are appropriate (including indirect access)
  • Clearly document and consistently enforce policies (esp. IP rights)
  • Ongoing security awareness/education
  • Monitor for and consistently respond to abuse
  • Clear grievance procedure


DISA IT Seminar : July 2014 27

Prevention

• The usual suspects (IT version)
  • Good password and account management
  • Strict termination process
  • Separation of duties where feasible
  • Least privilege
  • Consider insiders in contractors, suppliers etc
  • Pay particular attention to privileged users
  • Appropriate logging and monitoring


DISA IT Seminar : July 2014 28

Prevention

• Education, education, education…
  • Ensure users are aware of insider risks
  • Reporting process for suspicious behaviour

• Proper asset valuation/compartmentation
  • Ensure that most valuable data is secured
  • Don’t be lazy with access rights (e.g. don’t be the NSA!)

• Include insider risk in security testing scope
  • Penetration tests etc should include insider risks


DISA IT Seminar : July 2014 29

Prevention

• Have a response plan
  • What do you do when you suspect senior staff are up to no good?
  • Ensure clear levels of authority are defined

• Include software lifecycle risks
  • Independent code review
  • Be suspicious of “job protection” developers

• Termination procedures
  • Ensure ALL accounts disabled
  • Third parties e.g. subcontractors/suppliers
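“Ensure ALL accounts disabled” is only checkable if somebody reconciles the HR leavers list against every account store, including the ones that hold subcontractor and supplier logins, which is also where the “strict termination process” and “consider insiders in contractors, suppliers etc” points from the IT list above end up in practice. The following is an added example and not the slides’ or any organisation’s tooling: it assumes a hypothetical leavers feed keyed by e-mail address and account exports from several systems (AD, VPN, a supplier portal), all constructed inline, and reports enabled accounts that belong to leavers as well as enabled accounts with no named owner, which the leaver check cannot cover at all.

```python
"""Added example (not from the slides): reconcile an HR leavers list
against account exports from several systems, third parties included."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    system: str        # hypothetical account store, e.g. "ad", "vpn", "supplier_portal"
    username: str
    owner_email: str   # the person the account was issued to
    enabled: bool


# Constructed HR leavers feed: owner e-mail -> last working day (ISO date).
LEAVERS = {
    "alice@example.test": "2014-06-30",
    "ext.dave@supplier.test": "2014-07-04",   # subcontractor; never in the staff directory
}

# Constructed current-staff list; shared and service accounts have no person here.
CURRENT_STAFF = {"bob@example.test"}

# Constructed account exports from three systems.
ACCOUNTS = [
    Account("ad", "alice", "alice@example.test", False),            # correctly disabled
    Account("vpn", "alice", "alice@example.test", True),            # missed at termination
    Account("ad", "bob", "bob@example.test", True),
    Account("supplier_portal", "dave-ext", "ext.dave@supplier.test", True),
    Account("vpn", "svc_backup", "it-ops@example.test", True),      # shared/service account
]


def stale_accounts(accounts, leavers, today_iso, grace_days=0):
    """Accounts still enabled for anyone whose last working day (plus an
    optional grace period) is already past, sorted by system then username."""
    today = date.fromisoformat(today_iso)
    stale = []
    for acct in accounts:
        lwd = leavers.get(acct.owner_email)
        if lwd is None or not acct.enabled:
            continue
        if (today - date.fromisoformat(lwd)).days > grace_days:
            stale.append(acct)
    return sorted(stale, key=lambda a: (a.system, a.username))


def unowned_accounts(accounts, leavers, current_staff):
    """Enabled accounts whose owner is neither a current person nor a leaver.
    A termination check cannot reach these, so each needs a named owner."""
    known = set(leavers) | set(current_staff)
    return sorted(
        (a for a in accounts if a.enabled and a.owner_email not in known),
        key=lambda a: (a.system, a.username),
    )


def reconcile(accounts, leavers, current_staff, today_iso, grace_days=0):
    """Return (stale, unowned) as lists of (system, username) tuples."""
    stale = [(a.system, a.username) for a in stale_accounts(accounts, leavers, today_iso, grace_days)]
    unowned = [(a.system, a.username) for a in unowned_accounts(accounts, leavers, current_staff)]
    return stale, unowned


if __name__ == "__main__":
    stale, unowned = reconcile(ACCOUNTS, LEAVERS, CURRENT_STAFF, "2014-07-07")
    for system, user in stale:
        print(f"STALE    {system}: {user} still enabled after owner's last working day")
    for system, user in unowned:
        print(f"UNOWNED  {system}: {user} has no named current owner")
```

Run daily, the stale list is the termination checklist the slides ask for, and the unowned list is the follow-up question for the service-account owners; a zero-length grace period is the right default, since the slides’ concern is the account that is still live the week after the leaver has gone.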


DISA IT Seminar : July 2014 30

Prevention

• Learn from past events
  • How would Snowden have got on in your environment?
  • Tabletop insider attack penetration test

• Recognise “red flag” behaviour signs
  • Ensure HR work with security


DISA IT Seminar : July 2014 31

But it’s not easy…

• Knowing what is normal file transfer behaviour is difficult

• A good insider will know the rules and avoid breaking as many as possible

• Balancing “see something, say something” versus “office Stasi” is difficult.

• Insider threat could involve no IT abuse at all…


DISA IT Seminar : July 2014 32

Further info

• CERT https://www.cert.org/insider-threat/
• CPNI, search for “Insider Threat”

• BlackHat
  • Slides http://tinyurl.com/BlackhatInsiderSlides
  • Video www.youtube.com/watch?v=38M8ta13K0Q

• 44CON https://44con.com


DISA IT Seminar : July 2014 33

Summary

• The insider threat is primarily a people thing, not a cyber thing.

• There are no silver bullet solutions; beware of vendors who will sell you one!

• Proper application of traditional personnel security measures is key

• IT monitoring and forensics will help with detection and response


DISA IT Seminar : July 2014 34

Questions?