insider threat kill chain: detecting human indicators of compromise
DESCRIPTION
Your organization’s greatest assets are also its greatest threat: people. Your greatest risk is those you trust. Last year, more than a third of data breaches were perpetrated by a malicious insider, such as an employee, contractor or trusted business partner. On average, an attack by an insider is also likely to be the most costly, averaging $412K per incident. The intentions of these insiders can be sabotage, fraud, intellectual property theft or espionage. However, in many cases, patterns of detectable behavior and network activity emerge that provide indicators of risk, assist in early detection and speed up response time in an actual incident. In this webinar we discussed:
- how human resources, legal and IT can work together to help prevent insider threats before they become a problem;
- how to identify risk indicators in employee attitudes and behavior, and how they correlate with patterns of activity on your network;
- how you can use log intelligence and security analytics to automate actions and alerts, and to speed up reporting and forensics.
The recorded webcast for this presentation can be found here: http://www.tripwire.com/register/insider-threat-kill-chain-detecting-human-indicators-of-compromise/
TRANSCRIPT
INSIDER THREAT KILL CHAIN
DETECTING HUMAN INDICATORS OF COMPROMISE
Ken Westin, Product Marketing
Your organization’s greatest asset is also its greatest threat.
People.
MY FIRST EXPERIENCE WITH TRIPWIRE: ADMINISTRATOR BREAKING BAD
INSIDER THREAT INTENTIONS: THREAT = CAPABILITY * INTENT
Breakdown of insider crimes:
• Fraud: 37%
• IT Sabotage: 21%
• Espionage: 19%
• IP Theft: 15%
• Other: 8%
Source: CERT Breakdown of Insider Crimes in the United States
ADMINS GONE WILD: Rajendrasinh Babubhai Makwana
• IT contractor, fired but allowed to finish working the day
• Had admin access to the company’s 4,000 servers
• Wrote a logic bomb to disable logins and wipe logs on Jan 1, 2009
• Another engineer found the code before it could execute
• Sentenced to 41 months in prison
• Before being caught, had gone on to work for Bank of America, Amtrak and GE as a Sr. Systems Administrator
INSIDER THREAT KILL CHAIN
Timeline of the insider, left to right, ending in DAMAGE:
Recruitment/Tipping Point -> Search/Recon -> Acquisition/Collection -> Exfiltration/Action -> DAMAGE
Defender phases mapped onto the same timeline: PREVENT (earliest) -> DETECT -> RESPOND (latest)
Non-Technical Indicators (Human Resources, Legal): appear earliest in the chain, around the Recruitment/Tipping Point
Technical Indicators (logs and network activity): appear as the insider moves through Search/Recon, Acquisition/Collection and Exfiltration/Action
PREVENT: HUMAN INDICATORS OF COMPROMISE
Risk indicators:
• Consistently first in and last out of the office
• 12+ months of unused vacation
• Life change: marital status change
• Gives notice
• Lay-off notification
• Passed over for promotion/raise
• Disciplinary action
PREVENT: AWARENESS & TRAINING
1. Consider threats from insiders and partners in risk assessments
2. Background checks
3. Clearly document and enforce policies and controls
4. Periodic security awareness training for all employees
5. Monitor and respond to suspicious or disruptive behavior
6. Anticipate and manage negative workplace issues
7. Track and secure the physical environment
8. Establish clear lines of communication and procedures between HR, Legal and IT
PREVENT: HUMAN TO MACHINE INDICATORS
Risk indicators:
• Increasing number of logins, variation in remote/local
• Logging into the network at odd times
• Logging in frequently during vacation time
• Remote logon using another employee’s credentials
• Changes in websites visited, work vs. personal
• Increased printer usage
• Export of large reports/downloads from internal systems
PREVENT & DETECT: POLICY & TECHNOLOGY
1. Implement strict password and account policies
2. Enforce separation of duties and least privilege
3. Extra caution with system administrators and technical or privileged users
4. Implement system change controls
5. Deactivate computer access following termination
6. Log, monitor, and audit employee network activities
LOG INTELLIGENCE & ANALYTICS: REAL-TIME CORRELATION MEETS BIG DATA
Data sources feeding correlation:
• CONFIG DATA
• PHYSICAL ACCESS
• SECURITY DEVICES
• USER ACTIVITY
• HOSTS & SERVERS
• APP ACTIVITY
• DATABASE ACTIVITY
• ACTIVE DIRECTORY
• VULNERABILITY DATA
These sources flow into ANALYTICS, FORENSICS & STORAGE, which produce ACTIONABLE INTELLIGENCE.
INSIDER THREAT CORRELATION: TRIPWIRE LOG CENTER EXAMPLE RULES
• Logon attempt from terminated employee/contractor
• Odd remote logon patterns from employee on watch list
• Logons from employee at odd times
• Logon to high value asset from unauthorized system
• Creation and deletion of user account within interval
• Add and delete a user account from group within interval
• Employee disables anti-virus
• Employee visits blocked websites frequently
• Leaving employee downloads large files from Intranet or CRM
• Employee installs and uses Tor on company system
• Employee installs scanning/hacking tools on system
WHAT TO LOG? BARE MINIMUM TO START
• Firewall logs
• Unsuccessful login attempts
• Intrusion Detection Systems (IDS/IPS) logs
• Web proxies
• Antivirus alerts
• Change management
ALL LOGS CONSIDERED: CHALLENGES WITH LOG INTELLIGENCE & SIEM
• Determine log volume: identify the number of events per second before selecting a log management tool
• Establish log management policies and procedures: ensure these include log retention policies (work with legal counsel on requirements), what is collected and who manages the logging systems
• False positives: security devices make a lot of noise; tune the system to reduce false positives and focus on the events that matter
• Establish a baseline: what is normal behavior? Set baselines to distinguish anomalies from true threats
• Accessing information: multiple departments, not just the SOC, need to be involved in deciding what information is collected and who has permission to view it
LOGGING REAL PROBLEMS
• Employee behavior shows potential risk to the business
• Let’s monitor to see if he connects to servers outside the network
• Set rules to watch and alert on outbound connections after hours to ports 22 (SSH), 23 (Telnet) and 3389 (Terminal Services/RDP)
Example rule as shown on the slide (Tripwire Log Center event definition; the closing logTime tag corrected to match the opening one):
<event name="Suspicious connection by risky employee">
  <logTime>2014-04-07T12:17:32</logTime>
  <suser>maliciousinsider</suser>
  <src>10.0.0.1</src>
  <shost>insider_system</shost>
  <prot>TCP</prot>
  <dpt>{22,23,3389}</dpt>
  <start>17:00:00</start>
  <end>08:00:00</end>
</event>
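The correlation rules from the example-rule list and the after-hours outbound-connection rule above, as working detection logic. This is an added example, not Tripwire Log Center code and not its rule syntax: it runs four of the rules (terminated-account logon, after-hours logon, account created and deleted within an interval, watch-listed user opening SSH/Telnet/RDP outbound after hours) over constructed, already-normalized sample events. The event records, account names, the terminated-account and watch-list feeds, the 08:00 to 17:00 business window, the 10.0.0.0/8 internal range and the 24-hour account-churn window are all assumptions made for the example, and the rules return alert records rather than printing them so the results can be checked.

```python
"""Insider-threat correlation rules over normalized log events.

Added example: not Tripwire Log Center code. All reference data and events
below are constructed for the example (assumptions, not real data).
"""
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

# Reference data that would normally be fed from HR and the SIEM watch list.
TERMINATED_ACCOUNTS = {"jdoe"}        # terminated admin; account should be disabled
WATCH_LIST = {"msmith"}               # employee who has given notice
BUSINESS_START, BUSINESS_END = time(8, 0), time(17, 0)
RISKY_OUTBOUND_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP"}
INTERNAL_NETWORKS = (ip_network("10.0.0.0/8"),)   # assumed internal address space
ACCOUNT_CHURN_WINDOW = timedelta(hours=24)

# Constructed sample events, already normalized to a common schema.
SAMPLE_EVENTS = [
    {"ts": "2014-04-09T04:02:11", "user": "jdoe", "type": "logon", "src": "10.0.5.7"},
    {"ts": "2014-04-09T09:15:00", "user": "asmith", "type": "logon", "src": "10.0.5.9"},
    {"ts": "2014-04-09T10:30:00", "user": "asmith", "type": "account_create", "target": "svc_tmp"},
    {"ts": "2014-04-09T16:45:00", "user": "asmith", "type": "account_delete", "target": "svc_tmp"},
    {"ts": "2014-04-09T12:17:32", "user": "msmith", "type": "connection", "dst": "203.0.113.5", "dpt": 22},
    {"ts": "2014-04-09T22:41:05", "user": "msmith", "type": "connection", "dst": "203.0.113.5", "dpt": 3389},
    {"ts": "2014-04-09T22:45:10", "user": "msmith", "type": "connection", "dst": "203.0.113.5", "dpt": 443},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def is_after_hours(ts):
    """True outside the 08:00-17:00 business window (weekends not modeled here)."""
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETWORKS)


def make_alert(rule, event):
    """Alert record carrying the rule name plus the event's identifying fields."""
    details = {k: v for k, v in event.items() if k not in ("ts", "user", "type")}
    return {"rule": rule, "user": event["user"], "ts": event["ts"], **details}


def rule_terminated_logon(events):
    """Logon attempt from terminated employee/contractor."""
    return [make_alert("terminated_account_logon", e) for e in events
            if e["type"] == "logon" and e["user"] in TERMINATED_ACCOUNTS]


def rule_after_hours_logon(events):
    """Logons from employee at odd times."""
    return [make_alert("after_hours_logon", e) for e in events
            if e["type"] == "logon" and is_after_hours(parse_ts(e["ts"]))]


def rule_account_churn(events, window=ACCOUNT_CHURN_WINDOW):
    """Creation and deletion of the same user account within the window."""
    created_at = {}
    alerts = []
    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        if e["type"] == "account_create":
            created_at[e["target"]] = parse_ts(e["ts"])
        elif e["type"] == "account_delete" and e["target"] in created_at:
            if parse_ts(e["ts"]) - created_at.pop(e["target"]) <= window:
                alerts.append(make_alert("account_create_delete_within_window", e))
    return alerts


def rule_risky_after_hours_connection(events):
    """Watch-listed user opening SSH/Telnet/RDP to an external host after hours."""
    return [make_alert(f"after_hours_risky_outbound_{RISKY_OUTBOUND_PORTS[e['dpt']]}", e)
            for e in events
            if e["type"] == "connection" and e["user"] in WATCH_LIST
            and e["dpt"] in RISKY_OUTBOUND_PORTS and not is_internal(e["dst"])
            and is_after_hours(parse_ts(e["ts"]))]


RULES = (rule_terminated_logon, rule_after_hours_logon,
         rule_account_churn, rule_risky_after_hours_connection)


def run_rules(events, rules=RULES):
    """Run every rule over the event set and return all alerts raised."""
    alerts = []
    for rule in rules:
        alerts.extend(rule(events))
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The terminated-account set and the watch list are the join point between HR/Legal and IT that the deck keeps returning to: without that feed, the 4 AM logon by a terminated admin in the power-company story is just another after-hours logon, and only the second rule fires. The account-churn rule sorts by timestamp and pairs each deletion with the most recent creation of the same account, so it does not depend on events arriving in order.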
Tripwire Log Center Dashboard (screenshot)
PHYSICAL SECURITY MEETS DIGITAL: KEY FOB SYSTEMS GENERATE LOGS TOO
CUSTOMER STORY: POWER COMPANY (MALICIOUS INSIDERS UNVEILED)
• Deploying Tripwire Log Center immediately revealed the account of a terminated system admin still in use
• The account was logging into the network at 4 AM on a Wednesday
• Also discovered that logging had been disabled on a key firewall
CUSTOMER STORY: DON’T TREAD ON ME (MALICIOUS INSIDERS UNVEILED)
• Deployed a PoC of Tripwire Log Center and Tripwire Enterprise at a large tire retailer
• Discovered a backdoor set up by a terminated employee that was actively being accessed
RESPOND
1. Implement secure backup and recovery processes
2. Quickly audit user’s network behavior
3. Develop an insider incident response plan (inter-departmental)
I’m On A Boat! Network Admin Hacked Navy—While on an Aircraft Carrier
http://www.wired.com/2014/05/navy-sysadmin-hacking/