
Page 1: Webinar-The cybersecurity threat by Verizon Enterprise

The cybersecurity threat
The Insider Threat: Protecting the keys to the kingdom

Rebecca Meller

Security Product Marketing

December, 2017

Page 2: Webinar-The cybersecurity threat by Verizon Enterprise

Proprietary statement

This document and any attached materials are the sole property of Verizon and are not to be used by you other than to evaluate Verizon's service.

© 2017 Verizon. All rights reserved. The Verizon name and logo and all other names, logos and slogans identifying Verizon's products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries.

All other trademarks and service marks are the property of their respective owners.

Page 3: Webinar-The cybersecurity threat by Verizon Enterprise

Please advance to the next slide where you can watch the video. The total slide deck is available for your reference after the video. Thank you.

Page 4: Webinar-The cybersecurity threat by Verizon Enterprise

The Insider Threat: Protecting the keys to the kingdom

2017 Data Breach Digest Update

Page 5: Webinar-The cybersecurity threat by Verizon Enterprise


Agenda

1. Data breach reporting

2. Insider misuse

3. Targeted victims

4. Assets and data

5. Threat actors

6. Breach discovery

7. Detection and validation

8. Response and investigation

9. Prevention and mitigation

10. Takeaways

Page 6: Webinar-The cybersecurity threat by Verizon Enterprise

Verizon Threat Research Advisory Center | Investigative Response Team

First-hand experience

• VTRAC = Verizon Threat Research Advisory Center.
• Investigations for hundreds of global commercial enterprises and government agencies annually.
• Endpoint forensics, malware reverse engineering, network forensics, mobile device forensics.
• Annual Data Breach Investigations Report (DBIR) and its companion—the Data Breach Digest.

Slide graphic. Roles pictured: Lead Investigator, Endpoint Forensics Examiner, Network Forensics Specialist, CIP/CS Specialist, PFI Investigator, Malware Reverse Engineer. Scenarios pictured: Hacktivist attack, Mobile assault, C2 takeover, ICS onslaught, RAM scraping, Sophisticated malware.

Page 7: Webinar-The cybersecurity threat by Verizon Enterprise

Data breach reporting

The Insider Threat:

Protecting the keys to the kingdom

Page 8: Webinar-The cybersecurity threat by Verizon Enterprise

Data Breach Investigations Report

• 42,068 incidents examined
• 1,935 analyzed breaches
• 84 countries represented
• 65 contributing organizations
• 13 years of forensic investigations and security incident data
• 10th year of publication

Page 9: Webinar-The cybersecurity threat by Verizon Enterprise

Breach and incident patterns

Insider and privilege misuse is defined as any unapproved or malicious use of organizational resources; mainly insider-only misuse.

Page 10: Webinar-The cybersecurity threat by Verizon Enterprise

Insider misuse

The Insider Threat:

Protecting the keys to the kingdom

Page 11: Webinar-The cybersecurity threat by Verizon Enterprise

Insider misuse

Figure 5: Top six misuse varieties within insider and privilege misuse breaches.

Page 12: Webinar-The cybersecurity threat by Verizon Enterprise

Insider misuse

Figure 6: Top five misuse vectors within insider and privilege misuse breaches.

Page 13: Webinar-The cybersecurity threat by Verizon Enterprise

Targeted victims

The Insider Threat:

Protecting the keys to the kingdom

Page 14: Webinar-The cybersecurity threat by Verizon Enterprise


Industry analysis

Page 15: Webinar-The cybersecurity threat by Verizon Enterprise

Targeted victims

Figure 1: Top six targeted industries within insider and privilege misuse breaches.

Page 16: Webinar-The cybersecurity threat by Verizon Enterprise

Assets and data

The Insider Threat:

Protecting the keys to the kingdom

Page 17: Webinar-The cybersecurity threat by Verizon Enterprise

Assets and data

Figure 7: Top 10 affected assets within insider and privilege misuse breaches.

Page 18: Webinar-The cybersecurity threat by Verizon Enterprise

Assets and data

Figure 8: Top ten data varieties within insider and privilege misuse breaches.

Page 19: Webinar-The cybersecurity threat by Verizon Enterprise

Data Breach Digest

• Data breaches are complex affairs often involving human factors, hardware devices, exploited configurations or malicious software.
• Breach response activities—investigation, containment, eradication, notification and recovery—are proportionately complex.
• Response activities aren't just an IT security problem, they are an enterprise problem involving technical and non-technical IR stakeholders.
• Each stakeholder brings a slightly different perspective, or point of view (PoV), to the breach response effort.
• Stakeholder PoVs cover critical decision pivot points, split-second actions taken and crucial lessons learned.

Page 20: Webinar-The cybersecurity threat by Verizon Enterprise

The Insider Threat

• USB infection: the Hot Tamale
• Disgruntled employee: the Absolute Zero
• Rogue connection: the Imperfect Stranger
• Insider threat: the Rotten Apple

Page 21: Webinar-The cybersecurity threat by Verizon Enterprise

Threat actors

The Insider Threat:

Protecting the keys to the kingdom

Page 22: Webinar-The cybersecurity threat by Verizon Enterprise

Rogue connection: the Imperfect Stranger

Rogue network devices range from wireless access points and personal laptops to any unmanaged asset connected to the corporate network.

BYOD'oh!

• Finance industry customers complained they were unable to access accounts via website.
• Error messages indicated website blocked over security concerns.
• Servers operating normally and anti-virus scans coming back clean.
• Intel indicated victim IP address space associated with malicious C2 server activity.

Stakeholder PoV: Network Forensics Specialist

verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf

Page 23: Webinar-The cybersecurity threat by Verizon Enterprise

Rogue connection—the Imperfect Stranger

Response and investigation

• Corporate network searched for IoCs of malware and suspicious traffic; nothing found.
• Bring Your Own Device (BYOD) and guest networks searched; traffic found to C2 servers.
• Employee personal laptop identified as originator; infected with malware.
• BYOD and guest networks had minimal controls and monitoring; no egress filtering.
• Corporate network shared same NAT as BYOD and guest networks; thus the blocking.

Attack-defend card

Page 24: Webinar-The cybersecurity threat by Verizon Enterprise

Rogue connection—the Imperfect Stranger

Lessons learned

• Separate corporate network egress traffic from public address space, such as BYOD and guest networks.
• Enhance BYOD and guest network cybersecurity controls and monitoring; block high-risk ports and protocols.
• Annually review acceptable use, BYOD, information security and physical security policies; update as needed.
• Train and remind employees on cybersecurity policies and procedures; know what to do if a BYOD is involved.
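The Imperfect Stranger case turns on two facts from the response and lessons-learned slides: the external reputation service could only see the shared NAT address, while the pre-NAT flow records on the inside identified the BYOD laptop. The following Python is an added illustration, not part of the Verizon deck or the Data Breach Digest; the C2 addresses, segment prefixes, NAT maps and flow records are all constructed from documentation address ranges.

```python
"""Added example (not from the Verizon deck): attribute an external C2 report
back to the originating internal host when several network segments share one
egress NAT address. All addresses, segments and flow records are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed threat-intel list of reported C2 addresses (documentation range, not real IoCs).
C2_INDICATORS = {"203.0.113.45", "203.0.113.46"}

# Constructed segment map: which internal prefix belongs to which network.
SEGMENTS = {
    "corporate": ip_network("10.10.0.0/16"),
    "byod": ip_network("10.20.0.0/16"),
    "guest": ip_network("10.30.0.0/16"),
}

# Constructed egress NAT maps. In the case above all three segments left through
# the same public address, so a reputation block on it hit the corporate site too.
EGRESS_NAT_SHARED = {"corporate": "198.51.100.10", "byod": "198.51.100.10", "guest": "198.51.100.10"}
# The remediated layout from the lessons learned: BYOD and guest egress on their own address.
EGRESS_NAT_SPLIT = {"corporate": "198.51.100.10", "byod": "198.51.100.20", "guest": "198.51.100.20"}

# Constructed pre-NAT flow records: "timestamp src dst dst_port".
FLOW_LOG = """\
2017-11-02T01:12:03Z 10.10.4.21 192.0.2.80 443
2017-11-02T01:12:09Z 10.20.7.113 203.0.113.45 8443
2017-11-02T01:13:41Z 10.20.7.113 203.0.113.45 8443
2017-11-02T01:14:02Z 10.30.1.5 203.0.113.46 443
2017-11-02T01:15:55Z 10.10.4.22 192.0.2.80 443
"""


def segment_of(ip):
    """Name the segment an internal address belongs to, or 'unknown'."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port)})
    return flows


def attribute_c2_flows(flows, indicators):
    """Return {segment: {src_ip: flow_count}} for flows to known C2 addresses.
    The pre-NAT source is what identifies the originating host; the shared
    public address alone cannot."""
    hits = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f["dst"] in indicators:
            hits[segment_of(f["src"])][f["src"]] += 1
    return {seg: dict(hosts) for seg, hosts in hits.items()}


def segments_sharing_egress(nat_map):
    """Group segments by public NAT address and keep groups with more than one
    member: a reputation block on that address affects every segment in it."""
    by_public = defaultdict(list)
    for seg, public in nat_map.items():
        by_public[public].append(seg)
    return {pub: segs for pub, segs in by_public.items() if len(segs) > 1}


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("C2 flows by segment and host:", attribute_c2_flows(flows, C2_INDICATORS))
    print("Shared egress before fix:", segments_sharing_egress(EGRESS_NAT_SHARED))
    print("Shared egress after fix:", segments_sharing_egress(EGRESS_NAT_SPLIT))
```

Run against the constructed log, the attribution points at one BYOD laptop and one guest host while the corporate segment is clean, which is the situation the investigators found; the egress check shows why the fix is to give untrusted segments their own public address rather than only to clean the laptop.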

Page 25: Webinar-The cybersecurity threat by Verizon Enterprise

Threat actor types


Page 26: Webinar-The cybersecurity threat by Verizon Enterprise

Threat actor types

Figure 3: Top seven threat actor varieties within insider and privilege misuse breaches.

Page 27: Webinar-The cybersecurity threat by Verizon Enterprise

Threat actor types

Figure 4: Top five threat actor motivations within insider and privilege misuse breaches.

Page 28: Webinar-The cybersecurity threat by Verizon Enterprise

Breach discovery

The Insider Threat:

Protecting the keys to the kingdom

Page 29: Webinar-The cybersecurity threat by Verizon Enterprise

Breach discovery


Page 30: Webinar-The cybersecurity threat by Verizon Enterprise

Breach discovery

Figure 2: Breach discovery timeline within insider and privilege misuse breaches.

Page 31: Webinar-The cybersecurity threat by Verizon Enterprise

Breach discovery

Indicators of potential inside threat

• Attempts to access systems or data without a valid need-to-know.
• Requesting access to projects or areas outside of normal job duties.
• Unexplained affluence.
• Excessive financial indebtedness.
• Working odd or late hours.
• Pattern of security violations.
• Disgruntled attitude.
• Unusual or erratic behavior.

Potentially exploitable behavior

• Criminal activity
• Sexual misconduct
• Excessive gambling
• Alcohol or drug abuse
• Problems at work

Page 32: Webinar-The cybersecurity threat by Verizon Enterprise

Detection and validation

The Insider Threat:

Protecting the keys to the kingdom

Page 33: Webinar-The cybersecurity threat by Verizon Enterprise

USB infection: the Hot Tamale

Threat actors with physical access can introduce toolkits, built to run directly from the USB device itself, to bypass access controls.

The dirty cleaner

• A contracting company announced unilateral pay cuts; an outsider offered bonus pay to a janitor in need of cash.
• The task was simple: at night, plug a USB flash drive into company systems.
• Several systems were suspected of being accessed by an external entity via malware.

Stakeholder PoV: Internal Investigator

verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/

Page 34: Webinar-The cybersecurity threat by Verizon Enterprise

USB infection—the Hot Tamale

Response and investigation

• Domain log searches for IoCs identified several systems accessed by admin account.
• System log analysis revealed suspicious CLI-related exploitation attempts just after USB device introduced to systems.
• Investigation found malware tied to this activity, to include USB device.
• Timeline analysis led investigators to janitorial staff; needless to say, janitor was terminated.

Attack-defend card

Page 35: Webinar-The cybersecurity threat by Verizon Enterprise

USB infection—the Hot Tamale

Lessons learned

• Establish a host-based USB device access/anti-virus policy.
• Disable USB device auto-run functionality.
• Limit local admin account usage.
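The investigators in the Hot Tamale case got their lead by lining up command-line activity against the moment a USB device appeared on each system. The Python below is an added example of that correlation as a detection rule, not code from the Verizon deck; the host names, device IDs, command lines and the ten-minute window are constructed. It uses the Windows Security log event IDs 6416 (new external device recognized) and 4688 (process creation) as the two event sources, and flags processes launched from removable media, command interpreters, and use of the built-in local Administrator account, which are the three things the lessons-learned slide asks to control.

```python
"""Added example (not from the Verizon deck): correlate removable-device arrival
events with the process activity that follows them on the same host.
Event records, hosts, users and command lines are constructed."""
from datetime import datetime, timedelta

# Constructed events in a simplified "ts host event_id user detail" form.
# 6416 = new external device recognized, 4688 = process creation (Windows Security log).
EVENTS = """\
2017-10-14T22:03:10Z FS01 6416 SYSTEM USB\\VID_0781&PID_5567 removable disk
2017-10-14T22:03:48Z FS01 4688 FS01\\Administrator E:\\setup.exe
2017-10-14T22:04:02Z FS01 4688 FS01\\Administrator C:\\Windows\\System32\\cmd.exe /c whoami
2017-10-14T22:05:30Z FS01 4688 FS01\\Administrator C:\\Windows\\System32\\net.exe user
2017-10-15T08:10:00Z WS17 4688 CORP\\jdoe C:\\Office\\WINWORD.EXE
2017-10-15T09:00:00Z WS17 6416 SYSTEM USB\\VID_0951&PID_1666 removable disk
2017-10-15T13:30:00Z WS17 4688 CORP\\jdoe C:\\Windows\\System32\\cmd.exe /c dir
"""

WINDOW = timedelta(minutes=10)          # how long after device arrival we keep looking
REMOVABLE_DRIVES = ("D:\\", "E:\\", "F:\\")  # constructed: letters this site assigns to removable media
INTERPRETERS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")


def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, host, eid, user, detail = line.split(maxsplit=4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "eid": int(eid), "user": user, "detail": detail,
        })
    return events


def reasons_for(proc):
    """Why a process-creation event after device arrival deserves a look."""
    image = proc["detail"].split()[0]
    reasons = []
    if image.upper().startswith(REMOVABLE_DRIVES):
        reasons.append("executable launched from removable media")
    if image.lower().endswith(INTERPRETERS):
        reasons.append("command interpreter started")
    if proc["user"].split("\\")[-1].lower() == "administrator":
        reasons.append("built-in local admin account used")
    return reasons


def correlate(events, window=WINDOW):
    """For every device-arrival event, collect flagged process creations on the
    same host within the window after it."""
    findings = []
    for dev in (e for e in events if e["eid"] == 6416):
        for proc in events:
            if proc["eid"] != 4688 or proc["host"] != dev["host"]:
                continue
            if not dev["ts"] <= proc["ts"] <= dev["ts"] + window:
                continue
            reasons = reasons_for(proc)
            if reasons:
                findings.append({
                    "host": proc["host"], "user": proc["user"],
                    "device_at": dev["ts"].isoformat(), "proc_at": proc["ts"].isoformat(),
                    "detail": proc["detail"], "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_events(EVENTS)):
        print(f["host"], f["proc_at"], f["detail"], "->", "; ".join(f["reasons"]))
```

On the constructed sample only the night-time activity on FS01 is reported; the daytime command prompt on WS17 falls outside the window after that host's device event and is left alone. The window and drive-letter list are the knobs a SOC would tune to local conditions.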

Page 36: Webinar-The cybersecurity threat by Verizon Enterprise

Detection and validation

Inventory and monitor sensitive data

• Track assets and sensitive data.
• Monitor systems for data loss; scan for improperly stored sensitive data.
• Use IDS and FIM solutions; white-list applications.

Report suspicious insider activity

• Train and sensitize employees.
• Reinforce with emails, banners, and posters.
• Content should include recognizing signs of suspicious behavior.

Log and monitor user account activity

• Use a SIEM or UBA solution; monitor, detect and log account activity.
• Implement access controls; monitor privileged accounts.
• Test logging and monitoring systems.
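Two of the breach-discovery indicators earlier in the deck (access without a valid need-to-know, working odd or late hours) are exactly what a SIEM or UBA rule over logon records can surface. The Python below is an added example of those two checks, not code from the Verizon deck or any product: it learns each user's baseline logon hours from a historical period, then reviews a later period for logons outside those hours or to hosts outside the user's role entitlements. The roles, users, host groups and logon records are constructed; hours are taken in UTC for simplicity, and a production rule would use local time and weekday as well.

```python
"""Added example (not from the Verizon deck): two user-behaviour checks over
constructed logon records: logons outside a user's baseline hours, and logons
to systems outside the user's role entitlements (need-to-know)."""
from datetime import datetime

# Constructed entitlements: which host groups each role may log on to.
ROLE_HOSTS = {
    "developer": {"build", "dev"},
    "finance": {"erp"},
    "sysadmin": {"build", "dev", "erp", "dc"},
}
USER_ROLE = {"alice": "developer", "bob": "finance", "carol": "sysadmin"}
HOST_GROUP = {"BUILD01": "build", "DEV02": "dev", "ERP01": "erp", "DC01": "dc"}

# Constructed logon records, "timestamp user host" in UTC.
BASELINE_LOG = """\
2017-10-02T08:05:00Z alice BUILD01
2017-10-02T17:40:00Z alice DEV02
2017-10-03T09:10:00Z alice DEV02
2017-10-02T08:30:00Z bob ERP01
2017-10-03T16:55:00Z bob ERP01
2017-10-02T07:45:00Z carol DC01
2017-10-03T19:20:00Z carol BUILD01
"""
REVIEW_LOG = """\
2017-11-06T09:00:00Z alice BUILD01
2017-11-06T23:30:00Z alice BUILD01
2017-11-07T02:10:00Z bob DEV02
2017-11-07T10:00:00Z bob ERP01
2017-11-07T03:00:00Z carol ERP01
"""


def parse_logons(text):
    out = []
    for line in text.splitlines():
        ts, user, host = line.split()
        out.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user, "host": host})
    return out


def build_baseline(logons):
    """Per user, the earliest and latest hour of day seen in the baseline period."""
    hours = {}
    for rec in logons:
        h = rec["ts"].hour
        lo, hi = hours.get(rec["user"], (h, h))
        hours[rec["user"]] = (min(lo, h), max(hi, h))
    return hours


def review(logons, baseline):
    """Flag logons outside the user's baseline hours or outside role entitlements."""
    findings = []
    for rec in logons:
        reasons = []
        lo, hi = baseline.get(rec["user"], (0, 23))  # unknown user: no hours baseline yet
        if not lo <= rec["ts"].hour <= hi:
            reasons.append(f"logon at {rec['ts'].hour:02d}:00 UTC, baseline {lo:02d}-{hi:02d}")
        allowed = ROLE_HOSTS.get(USER_ROLE.get(rec["user"]), set())
        if HOST_GROUP.get(rec["host"]) not in allowed:
            reasons.append(f"host {rec['host']} outside role entitlements")
        if reasons:
            findings.append({"user": rec["user"], "host": rec["host"],
                             "ts": rec["ts"].isoformat(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_logons(BASELINE_LOG))
    for f in review(parse_logons(REVIEW_LOG), baseline):
        print(f["ts"], f["user"], f["host"], "->", "; ".join(f["reasons"]))
```

The finance user logging on to a development host at two in the morning trips both rules at once, which is the kind of stacked signal worth an analyst's time; the sysadmin's night-time ERP logon trips only the hours rule and would typically be routed to the privileged-account monitoring the slide calls for.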

Page 37: Webinar-The cybersecurity threat by Verizon Enterprise

Response and investigation

The Insider Threat:

Protecting the keys to the kingdom

Page 38: Webinar-The cybersecurity threat by Verizon Enterprise

Disgruntled employee: the Absolute Zero

Layoffs, pay cuts or organizational shifts may leave some employees rationalizing nefarious activities.

A "pre-competitive" advantage

• A manager became disgruntled during an organizational restructuring.
• Used admin access to take over other accounts and download confidential files.
• The case seemed cut and dried—but the lawyers still required digital evidence.

Stakeholder PoV: Human Resources

verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/

Page 39: Webinar-The cybersecurity threat by Verizon Enterprise

Disgruntled employee—the Absolute Zero

Response and investigation

• A programmer reported an app with unexpected failures.
• Suspicious log entries showed manager's account logged into server prior to issues.
• Manager admitted accessing multiple email boxes to collect data for use in new job.
• Investigation confirmed documents stolen; however, mass delete commands also found.
• These commands were scheduled for critical times, such as during the tax season.

Page 40: Webinar-The cybersecurity threat by Verizon Enterprise

Disgruntled employee—the Absolute Zero

Lessons learned

• Maintain a "need-to-know" regarding restructuring moves.
• Put in place an action plan to mitigate vindictive behavior by those affected.
• As part of the transition, conduct a thorough asset inventory.
• Safeguard terminated employee systems after termination.
• Work closely with HR and legal throughout the investigation.
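The Absolute Zero case shows the part of "safeguard terminated employee systems" that disabling an account does not cover: scheduled jobs the departing manager left behind, timed for the tax season, keep their owner's permissions and run anyway. The Python below is an added example of a review that an incident responder or an offboarding checklist could run over a host's job schedule; it is not code from the Verizon deck. The crontab entries, the disabled-account list, the destructive-command patterns and the "critical date" list are constructed, and the same idea applies to Windows scheduled tasks or a job scheduler's export.

```python
"""Added example (not from the Verizon deck): audit scheduled jobs for entries
owned by disabled or departed accounts and for destructive commands timed for
business-critical dates. Entries, account lists, patterns and dates are constructed."""
import re

# Constructed: accounts disabled at termination whose scheduled jobs were never reviewed.
DISABLED_ACCOUNTS = {"mgr_account"}

# Constructed system-crontab style entries: "min hour dom mon dow user command".
CRON_ENTRIES = """\
0 2 * * * backup /usr/local/bin/backup.sh --full
30 1 15 4 * mgr_account rm -rf /srv/finance/tax
0 3 * * 0 svc_etl /opt/etl/run.sh
15 0 14 4 * mgr_account find /srv/finance -type f -delete
0 4 * * * root /usr/sbin/logrotate /etc/logrotate.conf
"""

# Constructed patterns a reviewer would treat as destructive when found in a job.
DESTRUCTIVE_PATTERNS = [
    re.compile(r"\brm\s+-\w*r"),                   # rm with a recursive flag
    re.compile(r"\bfind\b.*\s-delete\b"),          # find ... -delete
    re.compile(r"\bshred\b"),
    re.compile(r"\btruncate\b"),
    re.compile(r"\bdrop\s+(table|database)\b", re.IGNORECASE),
]

# Constructed (month, day) pairs the business treats as critical; the tax deadline here.
CRITICAL_DATES = {(4, 14), (4, 15)}


def parse_cron(text):
    jobs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        minute, hour, dom, mon, dow, user, command = line.split(maxsplit=6)
        jobs.append({"minute": minute, "hour": hour, "dom": dom, "mon": mon,
                     "dow": dow, "user": user, "command": command})
    return jobs


def on_critical_date(job):
    """True when the job's fixed day-of-month and month land on a critical date."""
    if job["dom"].isdigit() and job["mon"].isdigit():
        return (int(job["mon"]), int(job["dom"])) in CRITICAL_DATES
    return False


def audit(jobs, disabled):
    """Return the jobs a reviewer should look at, each with the reasons why."""
    findings = []
    for job in jobs:
        reasons = []
        if job["user"] in disabled:
            reasons.append("owner account is disabled")
        if any(p.search(job["command"]) for p in DESTRUCTIVE_PATTERNS):
            reasons.append("destructive command")
            if on_critical_date(job):
                reasons.append("scheduled on a business-critical date")
        if reasons:
            findings.append({"user": job["user"], "command": job["command"],
                             "when": f"{job['mon']}/{job['dom']} {job['hour']}:{job['minute']}",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(parse_cron(CRON_ENTRIES), DISABLED_ACCOUNTS):
        print(f["user"], f["when"], f["command"], "->", "; ".join(f["reasons"]))
```

Either reason alone is enough to hold a job for review; the combination seen here (a disabled owner, a deletion command, a fixed date in the tax season) is the pattern the investigators reconstructed after the fact, and a job-schedule review at offboarding would have caught it before it ran.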

Attack-defend card

Page 41: Webinar-The cybersecurity threat by Verizon Enterprise

Response and investigation

Collect and preserve evidence

• Scope and triage incident quickly.
• Use trusted tools for data collection and preservation.
• Leverage established evidence handling procedures.

Activate the insider threat playbook

• Notify key stakeholders, both internal and external entities.
• Identify relevant evidence sources.
• Conduct witness and subject interviews.

Assemble the incident response team

• Work closely with HR and legal counsel communications.
• Involve LE at the right time and with legal counsel advice.
• Engage digital forensics for investigative support.

Page 42: Webinar-The cybersecurity threat by Verizon Enterprise

Response and investigation

Contain and eradicate the threat

• Take steps to contain and eradicate any previous, ongoing or future threats.
• Block traffic, disable accounts.
• Rebuild systems, remove malware.

Conduct personnel interviews

• Interview witnesses to provide additional insight.
• Interview suspected insiders to determine nature of activity.
• Involve HR and legal counsel.

Page 43: Webinar-The cybersecurity threat by Verizon Enterprise

Prevention and mitigation

The Insider Threat:

Protecting the keys to the kingdom

Page 44: Webinar-The cybersecurity threat by Verizon Enterprise

Insider threat: the Rotten Apple

Threat actors with some level of trust and privilege causing a data breach through malicious intent.

Special "privileged" abuse

• Company was in the midst of a buyout; details were close hold.
• Middle manager bragged about details exceeding his authorization level.
• Anonymous employee tip indicated middle manager was accessing CEO's email.
• CEO system, middle manager system and email log exam yielded negative results.

Stakeholder PoV: Lead Investigator

verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf

Page 45: Webinar-The cybersecurity threat by Verizon Enterprise

Insider Threat—the Rotten Apple

Response and investigation

• Further investigation revealed onsite SPAM filter logged CEO email; only select sys admins had access.
• Interviews determined sys admin knew middle manager; sys admin system exam found account accessed CEO email.
• Sys admin interview revealed middle manager obtained credentials via personal relationship.
• HR confronted middle manager with digital forensic findings; middle manager terminated.
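The Rotten Apple breach was only found because one system, the spam filter, logged who touched the CEO's mail, and because the access came from a privileged account that was not the mailbox owner. The Python below is an added example of the review a mail administrator could run routinely over mailbox access audit records, and is not code from the Verizon deck or from any mail product: it flags non-owner access, raises the severity for executive mailboxes, and notes when an account is used from a workstation assigned to someone else, which is one way shared credentials surface. The accounts, mailboxes, workstation addresses and audit records are constructed.

```python
"""Added example (not from the Verizon deck): review mailbox access audit records
for non-owner access to executive mailboxes and for account use from a
workstation assigned to another person. Accounts, hosts and records are constructed."""

EXECUTIVE_MAILBOXES = {"ceo@example.com"}
MAILBOX_OWNER = {"ceo@example.com": "ceo", "mgr@example.com": "mgr"}
# Constructed: the workstation addresses each account normally works from.
ASSIGNED_HOSTS = {"ceo": {"10.10.1.1"}, "mgr": {"10.10.8.40"}, "sysadmin1": {"10.10.5.10"}}

# Constructed audit records: "timestamp actor mailbox client_ip operation".
AUDIT_LOG = """\
2017-09-11T08:02:00Z ceo ceo@example.com 10.10.1.1 read
2017-09-11T12:30:00Z sysadmin1 ceo@example.com 10.10.8.40 read
2017-09-11T12:31:00Z sysadmin1 ceo@example.com 10.10.8.40 read
2017-09-11T13:00:00Z sysadmin1 mgr@example.com 10.10.5.10 update
2017-09-12T09:15:00Z mgr mgr@example.com 10.10.8.40 read
"""


def parse_audit(text):
    records = []
    for line in text.splitlines():
        ts, actor, mailbox, ip, op = line.split()
        records.append({"ts": ts, "actor": actor, "mailbox": mailbox, "ip": ip, "op": op})
    return records


def host_owner(ip):
    """Which account the workstation at this address is assigned to, if any."""
    for account, ips in ASSIGNED_HOSTS.items():
        if ip in ips:
            return account
    return None


def review_mailbox_access(records):
    """Return flagged records with reasons and a severity.
    High: any executive-mailbox non-owner access, or use of an account from a
    workstation not assigned to it. Low: other non-owner access (for example an
    administrator's own maintenance on an ordinary mailbox)."""
    findings = []
    for rec in records:
        reasons = []
        if rec["actor"] != MAILBOX_OWNER.get(rec["mailbox"]):
            reasons.append("non-owner access")
            if rec["mailbox"] in EXECUTIVE_MAILBOXES:
                reasons.append("executive mailbox")
        if rec["ip"] not in ASSIGNED_HOSTS.get(rec["actor"], set()):
            who = host_owner(rec["ip"])
            reasons.append("source host not assigned to actor"
                           + (f" (assigned to {who})" if who else ""))
        if reasons:
            high = "executive mailbox" in reasons or any(r.startswith("source host") for r in reasons)
            findings.append({"ts": rec["ts"], "actor": rec["actor"], "mailbox": rec["mailbox"],
                             "ip": rec["ip"], "severity": "high" if high else "low",
                             "reasons": reasons})
    return findings


def actors_per_mailbox(records):
    """Summary view: every account that touched each mailbox, for the owner to confirm."""
    seen = {}
    for rec in records:
        seen.setdefault(rec["mailbox"], set()).add(rec["actor"])
    return seen


if __name__ == "__main__":
    for f in review_mailbox_access(parse_audit(AUDIT_LOG)):
        print(f["severity"].upper(), f["ts"], f["actor"], f["mailbox"], f["ip"], "->", "; ".join(f["reasons"]))
    print(actors_per_mailbox(parse_audit(AUDIT_LOG)))
```

The per-mailbox summary is the cheap control: sending each executive a periodic list of the accounts that read their mailbox turns the anonymous tip in this case into a routine confirmation. The severity logic is the tunable part; the point of the source-host check is that a privileged account should not normally be driven from a workstation that belongs to someone else.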

Attack-defend card

Page 46: Webinar-The cybersecurity threat by Verizon Enterprise

Insider threat—the Rotten Apple

Lessons learned

• Brace for the negative impacts of org changes; maintain strict "need to know."
• Use login banners, screen savers and desktop backgrounds to remind employees of actions being monitored.
• Train and sensitize employees to recognize and report suspicious activity.
• Create an insider threat playbook; regularly review, test and update it.

Page 47: Webinar-The cybersecurity threat by Verizon Enterprise

Prevention and mitigation

Maintain physical security

• Limit access to physical facilities and sensitive areas.
• Use security cameras, employee badges and audit trails.
• Verify security devices have updated firmware and software patches.

Start a personnel security program

• Vet employees through background checks and screening interviews.
• Enforce least privilege, duty separation and duty rotation for sensitive jobs.
• Keep employee-related cybersecurity policies up-to-date.

Deter insider threat activities

• Implement acceptable use, BYOD, information security and physical security policies.
• Use login banners, screen savers and desktop banners for reminders.
• Consider publishing anonymized security violation statistics.

Page 48: Webinar-The cybersecurity threat by Verizon Enterprise

Prevention and mitigation

Prepare for organization changes

• Brace for org change impacts; maintain a "need-to-know."
• Coordinate restructuring and reassignments with HR and management.
• Establish termination protocols for notifications.

Harden the digital environment, part I

• Restrict sensitive system access; use MFA for remote traffic.
• Remove unneeded apps; patch necessary apps.
• Use host-based anti-virus and firewalls.

Harden the digital environment, part II

• Eliminate or restrict portable storage devices.
• Encrypt network traffic, systems and devices.
• Remove local admin rights; disable unneeded accounts.

Page 49: Webinar-The cybersecurity threat by Verizon Enterprise

Takeaways

The Insider Threat:

Protecting the keys to the kingdom

Page 50: Webinar-The cybersecurity threat by Verizon Enterprise

Takeaways

Prevention and mitigation

• Personnel security program
• Insider threat deterrence
• Physical security measures
• Digital environment hardening
• Organizational change preparation

Detection and validation

• Suspicious activity reporting
• User activity monitoring
• Sensitive data accountability

Response and investigation

• Insider playbook activation
• Response team assembly
• Collection and preservation
• Containment and eradication
• Personnel interview conducting

Page 51: Webinar-The cybersecurity threat by Verizon Enterprise

It takes a team

Stakeholders pictured: Chief Information Officer, Chief Information Security Officer, Legal Counsel, Human Resources, Corporate Communications, Incident Commander, Internal Investigator, IT Security Manager, SOC Analyst, EDR Technician.

Scenarios pictured: Financial pretexting, Crypto malware, Partner misuse, Disgruntled employee, Website defacement, IoT calamity, USB infection, Cloud storming, DDoS attack, Unknown unknowns.

Page 52: Webinar-The cybersecurity threat by Verizon Enterprise

Data breach reporting

Use the lessons learned from analyzing nearly 2,000 confirmed data breaches.

Read the 2017 DBD

VerizonEnterprise.com/DataBreachDigest

Read the 2017 DBIR

VerizonEnterprise.com/DBIR2017

Page 53: Webinar-The cybersecurity threat by Verizon Enterprise

Cybersecurity awareness resources

2017 Data Breach Investigations Report
The Verizon Data Breach Investigations Report (DBIR) is back. Now in its tenth year, it's an unparalleled source of information on cybersecurity threats.
verizonenterprise.com/verizon-insights-lab/dbir/2017/

2017 Data Breach Digest: Perspective is Reality
Our 16 new cybercrime case studies provide insight into the biggest threats you face—plus tips on how to prevent them.
verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/

Insider Threat: Protecting the Keys to the Kingdom
Discover how to spot the signs of an Insider Threat using our cybercrime case studies and in doing so put measures in place to help protect the keys to your kingdom.

verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/

Verizon Product Responsibility

Securing yourself against cyber attacks (covers five data breach scenarios).

verizon.com/about/responsibility/cybersecurity

Verizon Corporate Responsibility

Cybersecurity tips to help you stay safe online (covers the same five scenarios as above).

verizon.com/about/news/cybersecurity-tips-help-you-stay-safe-online

Page 54: Webinar-The cybersecurity threat by Verizon Enterprise

Thank you.

Cybersecurity threat