Insider threat v3

Page 1: Insider threat v3

Insider Threat

Tom Cross, Director of Security Research, [email protected], (770) 225-6557

Page 2: Insider threat v3

Overview

• How big of a problem is the Insider Threat?

• Who commits insider computer crimes and why do they do it?

• The Toolsets & Tradeoffs – What are the sources of internal visibility?

• What to look for – Specific guidance on detecting insiders and APT


Page 3: Insider threat v3

Mythology & Fear

Page 4: Insider threat v3

and Cynicism…

Page 5: Insider threat v3

Why Insider Threats? – The Verizon Breach Report

• Verizon 2012 Data Breach Investigations Report
  – 2012: 98% stemmed from external agents; 4% implicated internal employees
  – 2011: 92% stemmed from external agents; 17% implicated insiders
  – 2010: 70% stemmed from external agents; 48% were caused by insiders
• Hacking in 2012
  – 3% involved SQL Injection
  – 55% involved default credentials
  – 40% involved stolen credentials
  – 29% involved brute force or dictionary attacks

Page 6: Insider threat v3

Ponemon & Solera Networks: The Post Breach Boom

Page 7: Insider threat v3

Insider Threats

• 12 years of history
• Over 700 insider threat cases
• IT Sabotage
  – Average: $1.7 million
  – Median: $50,000
• IP Theft
  – Average: $13.5 million
  – Median: $337,000

Page 8: Insider threat v3

Different stats teach different lessons

• Insider attacks do not occur frequently relative to external attacks.
  – ~4% of incidents - VDBIR
• However, many organizations face them.
  – More than half the number that experienced successful outsider attacks - Ponemon
• Usually, they are not very costly, but in some cases, they can be very expensive.

Page 9: Insider threat v3

The APT

• Mandiant 2012 M-Trends Report:
  – In 100% of cases the bad guys used valid credentials
  – Malware was only installed on 54% of compromised systems
  – Median number of days before attackers were discovered: 416

Page 10: Insider threat v3

Three kinds of Insider Threats

• Negligent Insiders – Employees who accidentally expose data.
• Malicious Insiders – Employees who intentionally expose data.
• Compromised Insiders – Employees whose access credentials or personal computers have been compromised by an outside attacker.

Page 11: Insider threat v3

An Observation

• Imperfect controls can be useful if they reduce incidents in practice
  – Common Assumption: If we can evade a security control, that control is worthless.
    • Evasions of technical controls can be automated and globally distributed.
    • Deterrence doesn’t work on the Internet because attribution doesn’t work on the Internet.
  – We don’t apply this assumption in the world of physical security.
• How?
  – Reduction of negligent incidents
  – Keeping honest people honest
  – Deterrence – People have a tendency to be impulsive
    • Knowledge that events are being logged and the logs are archived and monitored creates a risk for insiders unless they can modify the logs.
    • The use of fully automated analysis creates thresholds that insiders can evade.
    • A hybrid approach where automated tools help human analysts avoids creating a scenario where an attacker can know that activity won’t be discovered.

Page 12: Insider threat v3

Three kinds of Insider Threats

• Negligent Insiders
  – Prevention
    • Access controls
    • Encryption of data at rest
    • DRM?
    • Education
• Malicious Insiders
  – Prevention
    • Access Controls
    • Checks and Balances
  – Detection
    • Management Training
    • Monitoring
• Compromised Insiders
  – Detection

Page 13: Insider threat v3

Who commits insider attacks?

Source: Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination - CERT

Page 14: Insider threat v3

CERT: Common Sense Guide to Prevention and Detection of Insider Threats

                             IT Sabotage   Financial Gain                  Business Advantage
% of cases:                  45%           44%                             14%
Employment:                  Former        Current                         Current
Position:                    Technical     Data Entry & Customer Services  Technical or Sales
Authorized access?           Rarely        75%                             88%
Used their own credentials?  30%           85%                             Almost always
Compromised an account?      43%           10%                             Rarely
Attack was non-technical:    65%           84%                             Almost always
When:                        After hours   Normal hours                    Normal hours
Where:                       Remote        Local                           Local
IDed due to:                 Logs          Logs                            Logs

Page 15: Insider threat v3

Sources of visibility

• Firewall logs
  – Are you logging everything or just denies?
• Internal & Host IPS systems
  – HIPS potentially has a lot of breadth
  – Can be expensive to deploy
  – Signature based
• Log Management Solutions/SIEM
  – Are you collecting everything?
  – You can only see what gets logged
• Netflow
  – Lots of breadth, less depth
  – Lower disk space requirements
• Full Packet Capture
  – Deep but not broad
  – Expensive
  – High disk space requirements

Tradeoffs:
• Record everything vs only bad things
• Breadth vs Depth
• Time vs Depth
• Privacy

Page 16: Insider threat v3

Tradeoffs

(Network diagram with labels: Internet, DMZ, VPN, Internal Network, 3G Internet.)

Page 17: Insider threat v3

Tradeoffs

(Chart: richness versus disk space required, ranging from NetFlow to Full Packet Capture.)

Page 18: Insider threat v3

Privacy

Page 19: Insider threat v3

Internal Visibility Through NetFlow

(Network diagram: NetFlow exported from the Internet edge, DMZ, VPN, 3G Internet and Internal Network segments to a NetFlow Collector.)

NetFlow record fields:
• src and dst ip
• src and dst port
• start time
• end time
• mac address
• byte count
• - more -

Page 20: Insider threat v3

Lancope Identity 1000

Page 21: Insider threat v3

Cisco Identity Services Engine (ISE)

• Cisco ISE is a context aware, policy based 802.1x authentication solution
• Detect
  – Device type, operating system and patch level
  – Time and location from which the user is attempting to gain access

User Name   MAC Address                                        Device Type
Bob.Smith   8c:77:12:a5:64:05 (Samsung Electronics Co.,Ltd)   Android
John.Doe    10:9a:dd:27:cb:70 (Apple Inc)                     Apple-iPhone

Page 22: Insider threat v3

Following the User

Sometimes investigations start with user intelligence

Page 23: Insider threat v3

User Reports

Page 24: Insider threat v3

User Reports

Page 25: Insider threat v3

User Reports

Page 26: Insider threat v3

Monitoring tasks need to be narrowed down

Page 27: Insider threat v3

CERT: Common Sense Guide to Prevention and Detection of Insider Threats

(This slide repeats the table from Page 14.)

Page 28: Insider threat v3

Theft of Intellectual Property

• Key window – 30 days before and after resignation/termination
• 54% of CERT’s exfiltration cases occurred over the network (most email)
• Email with large attachments to third party destinations
• Large amounts of traffic to the printer
• Data Infiltration and Exfiltration

Page 29: Insider threat v3

Automated Data Loss Detection

Page 30: Insider threat v3

Suspect Data Hoarding

Unusually large amount of data inbound from other hosts

Page 31: Insider threat v3

Target Data Hoarding

Unusually large amount of data outbound from a host to multiple hosts
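As an added example that is not part of the original deck and not Lancope's StealthWatch code, the Python below flags both hoarding patterns (large inbound volume from many hosts, large outbound volume to many hosts) over constructed NetFlow-style records carrying the fields listed on the NetFlow slide. The baseline (a multiple of the median per-host volume) and the minimum peer count are assumptions, not values from the deck.

```python
from collections import defaultdict
from statistics import median

# Constructed NetFlow-style records: (src_ip, dst_ip, src_port, dst_port, byte_count).
# Timestamps and MAC addresses from the slide's field list are omitted for brevity.
SAMPLE_FLOWS = [
    # Normal file-server traffic: workstations each pull a few MB from 10.0.0.5.
    ("10.0.0.5", "10.0.1.11", 445, 50001, 3_000_000),
    ("10.0.0.5", "10.0.1.12", 445, 50002, 2_500_000),
    ("10.0.0.5", "10.0.1.13", 445, 50003, 4_000_000),
    ("10.0.0.5", "10.0.1.14", 445, 50004, 3_500_000),
    # 10.0.1.20 pulls hundreds of MB from four internal servers: suspect data hoarding.
    ("10.0.0.5", "10.0.1.20", 445, 50005, 300_000_000),
    ("10.0.0.6", "10.0.1.20", 445, 50006, 250_000_000),
    ("10.0.0.7", "10.0.1.20", 443, 50007, 220_000_000),
    ("10.0.0.8", "10.0.1.20", 22, 50008, 180_000_000),
    # 10.0.0.9 pushes hundreds of MB to three other hosts: target data hoarding.
    ("10.0.0.9", "10.0.2.31", 50009, 445, 400_000_000),
    ("10.0.0.9", "10.0.2.32", 50010, 445, 350_000_000),
    ("10.0.0.9", "10.0.2.33", 50011, 445, 300_000_000),
]

def aggregate(flows):
    """Per-host inbound and outbound totals: host -> [bytes, set(peers)]."""
    inbound = defaultdict(lambda: [0, set()])
    outbound = defaultdict(lambda: [0, set()])
    for src, dst, _sport, _dport, nbytes in flows:
        inbound[dst][0] += nbytes
        inbound[dst][1].add(src)
        outbound[src][0] += nbytes
        outbound[src][1].add(dst)
    return inbound, outbound

def _outliers(totals, factor, min_peers):
    """Hosts moving more than `factor` x the median per-host volume with >= min_peers peers (assumed baseline)."""
    baseline = median(v[0] for v in totals.values())
    return sorted(host for host, (nbytes, peers) in totals.items()
                  if nbytes > factor * baseline and len(peers) >= min_peers)

def detect_hoarding(flows, factor=3.0, min_peers=3):
    """Return (suspect_hoarders, target_hoarders), the two alarm types from the slides."""
    inbound, outbound = aggregate(flows)
    return _outliers(inbound, factor, min_peers), _outliers(outbound, factor, min_peers)

if __name__ == "__main__":
    suspects, targets = detect_hoarding(SAMPLE_FLOWS)
    print("Suspect data hoarding (large inbound from many hosts):", suspects)
    print("Target data hoarding (large outbound to many hosts):", targets)
```

On real exports the baseline should come from each host's own history rather than a single snapshot across hosts, otherwise a few busy servers distort the median.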

Page 32: Insider threat v3

IT Sabotage

• Targeted monitoring of employees who are “on the HR radar”
• Access after termination (!) (accounts or open sessions)
• Unusual Access
  – Times
  – Devices
  – Source Addresses
  – Destination Addresses
  – Mismatches
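As an added example that is not part of the original deck, the Python below correlates a constructed HR feed with constructed authentication log lines to surface the indicators from this slide and the 30-day key window from the Theft of Intellectual Property slide: logins after a termination date, logins inside the window, and after-hours or remote logins by users on the HR radar. The log format, business hours, and internal address prefix are assumptions.

```python
from datetime import date, datetime, time, timedelta

# Constructed HR feed: user -> termination/resignation date (None = no event on file).
TERMINATIONS = {"bsmith": "2013-03-01", "amir": "2013-03-20", "jdoe": None, "kwalsh": None}
# Constructed "on the HR radar" list: users with open workplace issues who get targeted monitoring.
HR_RADAR = {"kwalsh"}
# Constructed VPN/authentication log, one line per attempt: "timestamp user src_ip result".
SAMPLE_LOG = """\
2013-03-04T09:12:44 jdoe 10.0.1.11 success
2013-03-04T23:41:02 bsmith 198.51.100.23 success
2013-03-05T02:10:15 kwalsh 203.0.113.7 success
2013-03-05T10:05:00 kwalsh 10.0.1.13 success
2013-03-05T10:07:31 jdoe 10.0.1.11 failure
2013-03-05T14:00:09 amir 10.0.1.15 success
"""
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed normal working hours
KEY_WINDOW = timedelta(days=30)              # 30 days before/after resignation (from the deck)
INTERNAL_PREFIX = "10."                      # assumed internal address space

def parse_line(line):
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, src, result

def review_logins(log_text, terminations=TERMINATIONS, radar=HR_RADAR):
    """Return (user, finding, timestamp) for successful logins matching the slide's indicators."""
    findings = []
    for line in log_text.splitlines():
        ts, user, src, result = parse_line(line)
        if result != "success":
            continue                          # failed attempts are out of scope here
        term = terminations.get(user)
        if term:
            term_date = date.fromisoformat(term)
            if ts.date() > term_date:         # account or open session still usable after termination
                findings.append((user, "access after termination", ts.isoformat()))
            elif abs(ts.date() - term_date) <= KEY_WINDOW:
                findings.append((user, "within termination window", ts.isoformat()))
        if user in radar:                     # targeted monitoring: unusual times and sources
            if not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:
                findings.append((user, "after-hours access", ts.isoformat()))
            if not src.startswith(INTERNAL_PREFIX):
                findings.append((user, "remote source address", ts.isoformat()))
    return findings

if __name__ == "__main__":
    for user, finding, when in review_logins(SAMPLE_LOG):
        print(f"{when} {user}: {finding}")
```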

Page 33: Insider threat v3

User Reports

Page 34: Insider threat v3

Combating Insider Threat is a multidisciplinary challenge

• IT cannot address insider threat by itself
  – People have a tendency to think that IT is solely responsible for all computer security issues.
• Legal: Are policies in place? Are they realistic? Does legal support IT practices?
• HR: Who is coming and going? Who has workplace issues? Are there soft solutions?
• IT: Is the privacy of end users adequately protected?
• What impact on workplace harmony are policies, monitoring, and enforcement having?
• Are you applying policies consistently?

(Diagram: overlapping circles labelled IT, HR, Legal.)

Page 35: Insider threat v3

Do you have a multidisciplinary insider threat management program?

http://www.lancope.com/ponemon-incident-response/

Page 36: Insider threat v3

Data Theft

Beron’s abnormal disclosure: one of your users has uploaded a large amount of data to the internet.

Page 37: Insider threat v3

Data Theft

What did Beron send? Who received it?

Page 38: Insider threat v3

Data Theft

Where could Beron have gotten the data?

Page 39: Insider threat v3

Data Theft

Page 40: Insider threat v3

Data Theft

Why did Beron do it?

Page 41: Insider threat v3

Key Take Aways

• There are three kinds of insider threat
  – Negligent Insiders
  – Malicious Insiders
  – Compromised Insiders
• Managing the problem involves
  – Logs, Logs, Logs
  – Visibility into the internal network
  – A multidisciplinary team
• StealthWatch can be a powerful tool for combating insider threat
  – User identity integration with network activity audit trails
  – User reports that save time during investigations
  – Automated detection of data loss and data hoarding

Page 42: Insider threat v3

Thank You

Tom Cross, Director of Security Research, [email protected], (770) 225-6557