Insider Threat Kill Chain
DESCRIPTION
Presentation about how insider threats operate, their impact on organizations, and how technical and human indicators can be monitored to detect and neutralize insider threats. Professionals working in security operations should monitor these indicators to build a profile of a possible insider going rogue.
TRANSCRIPT
(c) 2014 All rights reserved. Insider Threat Kill Chain 1
Insider Threat Kill Chain
Detecting Human Factors of Compromise
Tarun Gupta
Information Security [email protected]
“Your organization’s greatest asset is also its greatest threat.”
PEOPLE.
Case Study : Insider Threat
Disgruntled Web Server Administrator Breaking Bad
Hosting Company; Location Confidential (NDA)
Disgruntled System Admin; No bonus for last 4 years
5000+ e-Commerce Websites Down; Holiday Season (--$$$$)
< 2 minutes and 100 characters of code
Moved Apache Config File; Service Did not re-Start
Research & Statistics : Insider Threat (Forrester)
Source : Forrester Study “Understand the State of Data Security and Privacy. 2013”
Bottom-line : Insiders remain a major source of data breaches
Research : Insider Threat (PWC)
Source : PWC 2013 US Cybercrime Survey Report
Insider Threat Intentions
Intentions :
Financial Gain
Career Advancement; Promotion
Revenge; Disgruntled
Thrill; Curiosity
Personal Motive
Accidental; Human Error
Political Cause (Hacktivist)
THREAT = CAPABILITY x INTENT
Source : CERT breakdown of Insider Threats
IT Sabotage; 21%
Fraud; 37%
IP Theft; 15%
Espionage ; 19%
Others; 8%
Case Study : Insider Threat
Network Admin Allegedly Hacked Navy ; While on Carrier
7 May 2014 ; Nicholas Paul Knight, 27 (a.k.a. “nuclear black hat”)
Attempt to hack naval database; while on ship
Member of Hacking Group; Hacked Pentagon Earlier
Motivation : Anti-government Sentiment, Boredom and Thrill-seeking
Boasted NAVY.MIL Owned
Source : http://www.wired.com/2014/05/navy-sysadmin-hacking/
Insider Threat Kill Chain
Timeline : Recruitment/ Tipping Point → Search/Recon → Acquisition/ Collection → Exfiltration/ Action
Authorized Credentials
Prevent – Defensive Controls : Security Policies; Awareness & Training; Access Control; Split Access; Least Privilege
Detect – Controls : Event Logging & Review; Integrity Checking; Independent Auditing; Mandatory Rotation; Large Data Transfers
Respond – Controls : Backup & Recovery Process; Insider Response Plan; Network & System Audit; Forensics; Quarantine User & Systems; Credential Revoke Process
Indicators (Technical & Non Technical i.e. HR, Legal, Facility etc.)
Prevent : Human Indicators of Compromise
Consistently First In & Last Out of Office (always aware & in control)
12 Month+ Unused Vacation
Lifestyle Changes (Spending, Socializing, Marital Status)
Resigned ; Serving Notice Period
Lay-Off Notification (Redundant Position)
Passed over for Promotion/ Raise
Pending Disciplinary Action or Investigation
Recommended Control – Create HR Watch List
Prevent : Awareness & Training
Consider Threats from Insiders & Partners in Risk Assessments
Background Checks (Positions of Trust & Higher Access)
Clearly Document & Enforce Policies and Controls (Code of Conduct etc.)
Periodic Security Awareness Training (Employees, Contractors, Partners)
Monitor & Respond to Suspicious or Disruptive Behavior
Anticipate & Manage Negative Workplace Issues
Secure and Track Physical Environment
Establish Clear Lines of Communication and Process between HR, Legal & IT regarding Information Security
Prevent : Human to Machine Indicators
Increasing Number of Logins; Variation in Local/Remote
Logging into Network, Systems, Applications at Odd Times or Holidays
Logging in Frequently during Vacation Times
Remote Logging Using Different Employee Credentials
Logging from Multiple Locations (Proxy, VPN)
Changes in Websites Visited; Work vs Personal
Increased Printer/ Copier/ Scanner Usage
Export of Large Reports/Data/Downloads from Internal Systems (USB)
Executing Broad Database Queries (Select All ….)
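Added example (not part of the presentation): a Python script that scores the human-to-machine indicators above against constructed login, database-query and USB-export events, and weights the result with a constructed HR watch list of the kind recommended on the previous slide, so the two slides are read together the way a SOC would. Every user name, host, country, timestamp, the holiday date, the working-hours window and the HR entries are assumptions made up for the example; the "multiple accounts from one host" rule is an approximation of the "different employee credentials" indicator, not a definition from the deck.

```python
from collections import defaultdict
from datetime import datetime, date, time
import re

# Constructed HR watch list: reason for listing (if any) and approved vacation periods.
HR_WATCH_LIST = {
    "jsmith": {"reason": "serving notice period", "vacation": []},
    "mlee": {"reason": None, "vacation": [(date(2014, 5, 5), date(2014, 5, 9))]},
}
HOLIDAYS = {date(2014, 5, 26)}          # constructed holiday calendar
WORK_HOURS = (time(7, 0), time(20, 0))  # assumed normal working window

# Constructed sample events: (user, timestamp, host, country, kind, detail).
EVENTS = [
    ("jsmith", "2014-05-12 02:15:00", "vpn-pool-12", "CH", "login", ""),
    ("jsmith", "2014-05-12 02:20:00", "vpn-pool-12", "CH", "login", ""),
    ("jsmith", "2014-05-12 02:30:00", "ws-0417", "US", "login", ""),
    ("jsmith", "2014-05-12 02:40:00", "ws-0417", "US", "db_query", "SELECT * FROM customers"),
    ("jsmith", "2014-05-12 02:50:00", "ws-0417", "US", "usb_export", "customers_full.csv"),
    ("mlee", "2014-05-07 10:00:00", "vpn-pool-07", "US", "login", ""),
    ("tng", "2014-05-12 09:05:00", "ws-0417", "US", "login", ""),
    ("tng", "2014-05-12 09:10:00", "ws-0417", "US", "db_query",
     "SELECT name FROM customers WHERE id = 42"),
]

# "Select all" style query with no row filter at all.
BROAD_QUERY = re.compile(r"^\s*SELECT\s+\*\s+FROM\s+\w+\s*;?\s*$", re.IGNORECASE)


def is_odd_time(ts):
    """Login outside working hours, at the weekend, or on a holiday."""
    start, end = WORK_HOURS
    return ts.date() in HOLIDAYS or ts.weekday() >= 5 or not (start <= ts.time() < end)


def on_vacation(user, ts, hr):
    """True if the user has an approved vacation period covering ts."""
    return any(first <= ts.date() <= last
               for first, last in hr.get(user, {}).get("vacation", []))


def score_user_events(events, hr=HR_WATCH_LIST):
    """Aggregate the deck's human-to-machine indicators per user.

    Returns {user: {"score": int, "indicators": [...], "hr_reason": str|None}}.
    The score is the number of distinct technical indicators, plus 2 when the
    user is on the HR watch list, so HR context raises an otherwise weak signal.
    """
    indicators = defaultdict(set)
    logins = defaultdict(list)      # user -> [(ts, country)]
    host_users = defaultdict(set)   # host -> accounts that logged in from it
    for user, ts_str, host, country, kind, detail in events:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        indicators[user]  # register the user even if nothing is found
        if kind == "login":
            if is_odd_time(ts):
                indicators[user].add("login_at_odd_time")
            if on_vacation(user, ts, hr):
                indicators[user].add("login_during_vacation")
            # Two different countries within an hour (proxy/VPN hopping).
            if any(prev_c != country and abs((ts - prev_ts).total_seconds()) <= 3600
                   for prev_ts, prev_c in logins[user]):
                indicators[user].add("multiple_locations_within_hour")
            logins[user].append((ts, country))
            host_users[host].add(user)
        elif kind == "db_query" and BROAD_QUERY.match(detail):
            indicators[user].add("broad_database_query")
        elif kind == "usb_export":
            indicators[user].add("bulk_export_to_usb")
    # Several accounts used from one host is the closest log-level proxy for
    # "using a different employee's credentials"; both accounts get flagged.
    for users in host_users.values():
        if len(users) > 1:
            for user in users:
                indicators[user].add("multiple_accounts_from_one_host")
    report = {}
    for user, found in indicators.items():
        hr_reason = hr.get(user, {}).get("reason")
        report[user] = {
            "score": len(found) + (2 if hr_reason else 0),
            "indicators": sorted(found),
            "hr_reason": hr_reason,
        }
    return report


if __name__ == "__main__":
    ranked = sorted(score_user_events(EVENTS).items(), key=lambda kv: -kv[1]["score"])
    for user, rec in ranked:
        print(f"{user:8} score={rec['score']} hr={rec['hr_reason']} {rec['indicators']}")
```

Run as-is it ranks the constructed users: the account on the HR watch list that logs in at 02:15 from two countries, runs an unfiltered query and exports to USB lands at the top, while the colleague who merely shares a workstation and the user who logged in once during vacation each get a single low-weight indicator. The point is the combination: any one of these signals is routine noise, and the HR context is what turns several of them into a case worth a second look.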
Prevent & Detect : Policy & Technology Controls
Implement Strict Account & Password Policy
Enforce Separation of Duties, Split Authority & Least Privilege
Extra Caution with System, Network, Application & Database Administrators
Administer and Review Privileged Users
Implement System Change Controls (Integrity Checker; Change Management Process)
Deactivate System & Network Access on Termination or Resignation
Log, Monitor & Audit Employees' Network Activity
What to Log ? Bare Minimum to Start
Firewall & Remote Access Logs
Unsuccessful Login Attempts
Intrusion Detection Systems (IDS/IPS) Logs
Web Proxies (Internet Gateway)
DNS Logs
Antivirus Alerts
Change Management Events (Ex. Integrity)
Log Intelligence & Analytics
Log Sources – All Logs Considered :
Vulnerability Data
User Activity
Host & Server Activity
Database Activity
Application Activity
Configuration Data
Security Devices
Physical Access
Directory
Compliance Reports
Real-Time Correlation “Means” BIG DATA
Outputs : Actionable Intelligence; Analytics; Forensics; Retention
Challenges with Log Intelligence & SIEM
Determine Log Volume – Events per Second; Redundant Information
Establish Log Management Policies & Procedures – Should Include Enabling, Retention & Security of Logs; Consult Legal & Compliance
– What is Collected ?
– Who Manages Logging Systems ? (Segregation of Duties)
False Positives – Tune Systems; Reduce Noise
Establish a Baseline – What is Normal Behavior ? Identify Anomalies
Accessing Information – Multiple Departments need Access; Not Only SOC or Security Team
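Added example (not part of the presentation): a Python sketch of two of the challenges above, "establish a baseline, identify anomalies" and "determine log volume", applied to the "Large Data Transfers" control from the kill-chain slide. It builds a per-user baseline from constructed daily outbound-volume totals (as a proxy log summary would give), flags the observation days that deviate from it, and sizes a log pipeline from constructed per-source event counts. The user names, volumes, the z-score threshold of 3, the 500 MB ceiling for users with no history and the 300-byte average event size are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-user daily outbound volume (MB) summarised from proxy logs:
# ten quiet baseline days per user, then one observation day.
BASELINE = [
    ("jsmith", f"2014-04-{d:02d}", mb) for d, mb in
    zip(range(14, 24), [120, 130, 110, 125, 135, 115, 128, 122, 118, 130])
] + [
    ("tng", f"2014-04-{d:02d}", mb) for d, mb in
    zip(range(14, 24), [40, 45, 38, 42, 50, 44, 41, 39, 47, 43])
]
OBSERVED = [
    ("jsmith", "2014-05-12", 2400),   # twenty times the usual daily volume
    ("tng", "2014-05-12", 46),        # ordinary day
    ("newhire", "2014-05-12", 900),   # no history to compare against yet
]


def build_baseline(records):
    """Per-user (mean, stdev) of daily MB: the 'what is normal behaviour' step."""
    per_user = defaultdict(list)
    for user, _day, mb in records:
        per_user[user].append(mb)
    return {u: (mean(v), pstdev(v)) for u, v in per_user.items()}


def flag_anomalies(observed, baseline, z_threshold=3.0, min_stdev=5.0, ceiling_mb=500):
    """Return the observations that deviate from the baseline.

    - users with history: flag when the z-score exceeds z_threshold; the stdev
      is floored at min_stdev so a very flat history does not flag trivia
    - users without history: fall back to an absolute ceiling
    """
    flags = []
    for user, day, mb in observed:
        if user in baseline:
            avg, sd = baseline[user]
            z = (mb - avg) / max(sd, min_stdev)
            if z > z_threshold:
                flags.append({"user": user, "day": day, "mb": mb,
                              "reason": f"z={z:.1f} against baseline {avg:.0f} MB"})
        elif mb > ceiling_mb:
            flags.append({"user": user, "day": day, "mb": mb,
                          "reason": f"no baseline; above {ceiling_mb} MB ceiling"})
    return flags


def estimate_log_volume(daily_events_by_source, avg_event_bytes=300):
    """Size the pipeline: sustained events per second and GB/day (decimal GB)."""
    total = sum(daily_events_by_source.values())
    return {"eps": total / 86400, "gb_per_day": total * avg_event_bytes / 1e9}


if __name__ == "__main__":
    for f in flag_anomalies(OBSERVED, build_baseline(BASELINE)):
        print(f"{f['user']:8} {f['day']} {f['mb']:>5} MB  {f['reason']}")
    # Constructed daily counts for a few of the "bare minimum" sources.
    print(estimate_log_volume({"firewall": 20_000_000, "proxy": 5_000_000, "dns": 8_000_000}))
```

Two choices are worth noting. The baseline is per user rather than organisation-wide, because a 2 GB day is unremarkable for a build engineer and alarming for someone in accounts; and the no-history case is handled explicitly, since new joiners and contractors are exactly the accounts a purely statistical rule would otherwise never flag. The volume estimate is what the "events per second" line on the slide asks for before a SIEM is bought, not after.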
Insider Threat Response
Implement Secure Backup & Recovery Processes – Data, Configuration, Documents & Logs
Quickly Audit User's Network & System Behavior
Quarantine User
– Disconnect User from Network (LAN, WAN, Remote)
– Revoke Credentials
– Seize Workstation, Mobile Devices & Equipment
– Disable Physical Facility Access
Develop an Insider Response Plan (Inter Departmental; IT, HR)
– Communication Protocol (engaging with Insider, confrontation)
– Synchronize with HR Watch List, Resignation etc.
Thank You.
DISCLAIMER
The views and opinions expressed herein are those of the author and are based on best practice, research or information available in the public domain. The information contained herein is of a general nature, for education and professional use only, and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
The information contained in the attached document is not legal advice but is rather intended to provide guidance or education use only. While every care has been taken in the preparation of the attached document, you should refer to your own legal counsel for advice on your specific business requirements.
Examples, values and/or sample data are indicative and by no means conclusive. They are strictly for educational and information use only. Users need to evaluate their business processes and infrastructure to define appropriate levels best suited for business needs.
All brands and trademarks mentioned in this document are possibly registered or protected by third parties and are solely subject to the trademark and ownership rights of the registered owner. The author gives due credit to the person, organization or agency for its original work or publication.