TRANSCRIPT
© 2016 Imperva, Inc. All rights reserved.
Part 3: Surprising Insider Threat Findings in Enterprise Environments
Carrie McDaniel Emerging Products Lead
Imperva
Imperva UBA Kill Chain Study
Figure: tool effectiveness over the breach lifecycle (Reconnaissance, Lateral Movement, Data & Core Access / Data Access & Collection, Exfiltration), comparing Vendor1 and Vendor2 (a UBA solution and a network analysis solution) with Imperva CounterBreach.
Learning the Data Access Environment
Attributes captured per data access event (word cloud): Server IP, Client IP, Client port, File share IP, Endpoint host name, User identity, User domain, User department, OS user, Database user name, Schema, Table name, SQL operation and type, Affected rows, Number of rows, Database error code, Operation response time, Server response time, File name, File path, File type, File operation, Data sensitivity.
Enterprise Databases: accessed by an Application OR an Interactive User? Through a Service Account OR a Personal DB Account? Touching Business Critical Data OR Metadata?
Key Indicators of Data Access Abuse
• Machine Takeover
• Suspicious Application Data Access
• Excessive Failed Logins by User
• Excessive Failed Logins from App Server
• Service Account Abuse
• Excessive Database or File Access
• Data Access Outside of Working Hours
Example 1: Transportation
Transportation
Indicators: Suspicious Application Data Access, Service Account Abuse
Database Used by FBI, accessed by FBI Personnel through the Application. Interactive User “Liana” accessed it with the Query Tool “redgate” using the Service Account “CrimeDB”.
• Malicious user accesses sensitive database using highly privileged account
• Bypasses access controls
• Activity is untraceable
Example 2: Healthcare
Healthcare
Indicator: Suspicious Application Data Access
Sensitive HR Employee Feedback, accessed by an Authorized User through the Application “hrP”. Interactive User “Tyler” accessed it with the Query Tool “MS SQL Server Mgmt Studio” using the Personal DB Account “domain/tyler”.
• Unauthorized access to a large quantity of sensitive HR data
• Investigation shows that the AD account was locked (contractor)
• User retrieved data before leaving the company
Example 3: Financial Services
Financial Services
Indicator: Excessive Database or File Access
“AuditLog” Database Tables, accessed by the Application .net sqlclient. Interactive User “Rick” accessed them with the Query Tool “Aqua Data Studio” using the Personal DB Account “domain/rick” and retrieved 9.7M rows.
• Interactive user retrieves 9.7M rows from “auditlog” tables
• Direct access using DB query tool, not the app account
• Flagged as possible attempt to modify audit log data
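As an added illustration (not Imperva's code or the CounterBreach logic), the Python below shows how four of the indicators in the deck can be derived from the attributes it lists: learn a baseline of which application and account normally touch each database, then score the three example accesses against it. All events, tool names and row counts are constructed from the slides, and the thresholds (working hours 08:00-18:00, 10× the largest result set seen in the baseline) are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:
    user: str              # user identity; "app" marks traffic from the application server
    db_account: str        # database user name
    service_account: bool  # True for a service account, False for a personal DB account
    app: str               # application or query tool that issued the operation
    database: str
    sensitive: bool        # data sensitivity of the tables touched
    rows: int              # number of rows returned
    hour: int              # local hour of the operation

def learn_baseline(events):
    """Learn which tools touch each database and each DB account, and the largest result set per database."""
    tools_by_db, tools_by_acct, max_rows = defaultdict(set), defaultdict(set), defaultdict(int)
    for e in events:
        tools_by_db[e.database].add(e.app)
        tools_by_acct[e.db_account].add(e.app)
        max_rows[e.database] = max(max_rows[e.database], e.rows)
    return tools_by_db, tools_by_acct, max_rows

def detect(events, baseline, work_hours=range(8, 19), row_factor=10):
    """Return (user, indicator) pairs for events that deviate from the learned baseline."""
    tools_by_db, tools_by_acct, max_rows = baseline
    hits = []
    for e in events:
        if e.sensitive and e.app not in tools_by_db[e.database]:
            hits.append((e.user, "Suspicious Application Data Access"))
        if e.service_account and e.app not in tools_by_acct[e.db_account]:
            hits.append((e.user, "Service Account Abuse"))
        if e.rows > row_factor * max(max_rows[e.database], 1):
            hits.append((e.user, "Excessive Database or File Access"))
        if e.hour not in work_hours:
            hits.append((e.user, "Data Access Outside of Working Hours"))
    return hits

# Constructed baseline: only the applications, via their service accounts, touch these databases.
NORMAL = [Event("app", "CrimeDB", True, "fbi-app", "crime", True, 200, 10),
          Event("app", "hrP_svc", True, "hrP", "hr", True, 50, 14),
          Event("app", "audit_svc", True, ".net sqlclient", "auditlog", True, 5000, 11)]
# Constructed events mirroring the three slide examples (tool, account and row counts as on the slides).
SUSPECT = [Event("Liana", "CrimeDB", True, "redgate", "crime", True, 300, 15),
           Event("Tyler", "domain/tyler", False, "MS SQL Server Mgmt Studio", "hr", True, 20_000, 13),
           Event("Rick", "domain/rick", False, "Aqua Data Studio", "auditlog", True, 9_700_000, 12)]

def run():
    return detect(SUSPECT, learn_baseline(NORMAL))
```

Calling run() yields Liana's access as suspicious application access plus service account abuse, and Tyler's and Rick's as suspicious application access plus excessive row retrieval.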
Q & A