This presentation was delivered at RSA 2016 and discussed measures to defeat insider threat. It focused on real investigations that I have performed and how the victim companies could have prevented the associated harm.
1. SESSION ID: HUM-W03
   #RSAC

   Proactive Measures to Mitigate Insider Threat

   Andrew Case
   Director of Research, Volexity
   @attrc

2. Insider Threats – Statistics
   - PWC 2015:
     - Roughly 70% of incidents at financial institutions involved current and former employees
     - 60% at industrial manufacturing organizations
   - Verizon DBIR 2015: 20.6% of breaches are characterized as “insider misuse”

3. Insider Threat Defenses – Passive/Default
   - Examples
     - Production systems without extra logging or security measures
     - No automated alerts or remote logs generated
   - Pros
     - Simplest to implement
     - Provides the evidence needed for post-mortem forensics
   - Cons
     - Only useful after damage is caused
     - Can be fully disrupted by anti-forensics
     - Often very expensive and non-repeatable

4. Insider Threat Defenses – Detection
   - Examples
     - Log file accesses, software installation, and USB device usage
     - Generate alerts on access to file storage services (e.g., Dropbox)
   - Pros
     - If implemented correctly, finds activity before it causes harm
     - Less inhibiting than full prevention
   - Cons
     - If implemented incorrectly, finds activity after irreparable harm
     - Requires active effort by the security team
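
One way to implement the detection measures on this slide, as an added example that is not from the talk: the logged events (USB device use, software installation, uploads to file-storage services) are parsed and turned into alerts, with severity raised when the same user has just read a sensitive share, the sequence seen in the Bank Heist case (Python; the log format, field names, sensitive-share prefixes and the cloud-storage list are constructed for illustration).

```python
import re

# Constructed endpoint/proxy log lines (not from the talk); one event per line.
SAMPLE_LOGS = """
2016-02-29T09:12:01 host=WS042 user=jdoe event=usb_mount device="SanDisk Cruzer" serial=4C530001
2016-02-29T09:13:40 host=WS042 user=jdoe event=file_access path="//fs01/clients/portfolio_smith.xlsx"
2016-02-29T11:02:17 host=WS042 user=jdoe event=http_post dest=www.dropbox.com bytes=5242880
2016-02-29T14:45:09 host=WS017 user=mlee event=sw_install package="7-Zip 15.14"
2016-02-29T16:20:33 host=WS042 user=jdoe event=http_get dest=intranet.example.corp bytes=1024
"""

# Destinations the deck singles out: personal file-storage services (assumed list).
CLOUD_STORAGE = {"www.dropbox.com", "dropbox.com", "drive.google.com", "onedrive.live.com"}
# Shares holding client data (assumed): reading them is normal, reading then exfil channel is not.
SENSITIVE_PREFIXES = ("//fs01/clients/", "//fs01/hr/")
LINE_RE = re.compile(r"(?P<ts>\S+)\s+(?P<kv>.*)")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict; quoted values may contain spaces."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for key, _, quoted, bare in KV_RE.findall(m.group("kv")):
        fields[key] = quoted if quoted else bare
    return fields

def detect(log_text):
    """(severity, user, host, reason) per event the Detection slide says to alert on; severity
    becomes 'critical' when a user hits an exfil channel after reading a sensitive share."""
    alerts, touched_sensitive = [], set()
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        user, host, kind = ev.get("user"), ev.get("host"), ev.get("event")
        sev = reason = None
        if kind == "file_access" and ev.get("path", "").startswith(SENSITIVE_PREFIXES):
            touched_sensitive.add(user)
        elif kind == "usb_mount":
            sev, reason = "medium", f"removable media mounted: {ev.get('device')} (serial {ev.get('serial')})"
        elif kind == "http_post" and ev.get("dest") in CLOUD_STORAGE:
            sev, reason = "high", f"upload to file-storage service {ev['dest']} ({ev.get('bytes')} bytes)"
        elif kind == "sw_install":
            sev, reason = "low", f"software installed: {ev.get('package')}"
        if reason:
            if user in touched_sensitive and kind != "sw_install":
                sev = "critical"  # exfil channel used after sensitive data was read
            alerts.append((sev, user, host, reason))
    return alerts
```

Note that the USB mount in the sample stays "medium" because it precedes the sensitive read; the ordering is what separates routine device use from the scrape-then-copy pattern.
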
5. Insider Threat Defenses – Prevention
   - Examples
     - Prevent all removable media from being used
     - Block access to personal email and file storage services
     - Block end-users from installing software
   - Pros
     - Stops a technique before it can be used
     - Cheapest once implemented
   - Cons
     - Often clashes with a company’s office culture
     - Can inhibit department-specific productivity

6. Application to Real World Cases
   - We will now look at several real-world insider-threat cases that I investigated
   - Combined, the insiders took over 100 million dollars of IP/customers from their previous employers (my clients)
   - As I describe these cases, think about how your company would currently fare against such malicious activity and what, if any, mechanism(s) you have in place to detect the activity before irreparable harm is done

7. The Bank Heist – Background
   - Employee of a financial institution sees greener pastures at a competitor
   - Contacts competitor about bringing him and his team to the competitor
     - Along with their very wealthy clients
   - Proceeds to take nearly every document related to the clients, his team’s records, and client management forms

8. The Bank Heist – Forensic Analysis
   - File servers and internal web apps were scraped for sensitive information
   - Moved data out of organization control through USB, personal email, and printing
   - Files were locally deleted after being exfiltrated
   - The forensic timeline showed over 100 files taken and the precise times that the actions occurred

10. Proactive Measures – File Exfiltration
   - USB
   - Printing/Scanning
   - Personal Email
   - Cloud Storage*

   * This case is several years old and cloud services were not very popular then but are used extensively in modern, similar scenarios

11. Abuse of Power – Background
   - Plant manager at a manufacturing company was using “down time” of the company’s machines to run a side business
   - He purchased some materials on his own, some were ordered through the company’s accounts
   - Was only caught through a machine malfunction

12. Abuse of Power – Forensic Analysis
   - The rogue manager had logged into control systems during non-client billable hours
   - The manager scheduled manufacturing jobs outside of any legitimate work order
   - The manager deleted associated files in a failed attempt to cover his tracks

13. Proactive Measures – Accounts & Systems
   - Technical measures
     - Monitor user logins
     - Monitor system usage
   - Business measures
     - No critical business processes should be controlled by one person
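
An added example, not from the talk, of the login and usage monitoring above applied to the Abuse of Power case: each control-system session is checked against the legitimate work orders for that machine, and sessions nobody is billing for are flagged, with off-hours and weekend sessions called out (Python; the work-order and login records, their field names and the plant hours are constructed assumptions).

```python
from datetime import datetime, time

# Constructed records (not from the talk): client-billable work orders per machine, and
# sessions on the machine control system. Field names are assumptions.
WORK_ORDERS = [
    {"id": "WO-1041", "machine": "CNC-3", "start": "2016-02-29T08:00", "end": "2016-02-29T16:00"},
    {"id": "WO-1042", "machine": "CNC-3", "start": "2016-03-01T08:00", "end": "2016-03-01T12:00"},
]
LOGINS = [
    {"user": "pmgr", "machine": "CNC-3", "at": "2016-02-29T10:15", "job": "bracket_run_A"},
    {"user": "pmgr", "machine": "CNC-3", "at": "2016-02-29T19:40", "job": "custom_parts_side"},
    {"user": "oper2", "machine": "CNC-3", "at": "2016-03-01T09:05", "job": "bracket_run_B"},
    {"user": "pmgr", "machine": "CNC-3", "at": "2016-03-05T07:30", "job": "custom_parts_side"},
]
BUSINESS_HOURS = (time(7, 0), time(18, 0))  # assumed plant hours, Monday to Friday

def _dt(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def covering_order(login, orders):
    """Id of the work order whose window covers this login on the same machine, else None."""
    t = _dt(login["at"])
    for wo in orders:
        if wo["machine"] == login["machine"] and _dt(wo["start"]) <= t <= _dt(wo["end"]):
            return wo["id"]
    return None

def audit_logins(logins, orders):
    """Flag every session with no covering work order (machine time nobody is billing for);
    off-hours and weekend sessions get an extra reason so they sort to the top of a review."""
    findings = []
    for lg in logins:
        if covering_order(lg, orders):
            continue
        t = _dt(lg["at"])
        reasons = ["no work order covers this session"]
        if t.weekday() >= 5:
            reasons.append("weekend")
        elif not (BUSINESS_HOURS[0] <= t.time() <= BUSINESS_HOURS[1]):
            reasons.append("outside business hours")
        findings.append((lg["user"], lg["machine"], lg["at"], lg["job"], "; ".join(reasons)))
    return findings

def repeat_offenders(findings, threshold=2):
    """Users with at least `threshold` unbilled sessions: the pattern a one-off alert would miss."""
    counts = {}
    for f in findings:
        counts[f[0]] = counts.get(f[0], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```

The work-order cross-check is the technical side of the business measure on the same slide: when one person both schedules jobs and approves the orders, the comparison has to be done by someone else.
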
14. Offline Exfiltration – Background
   - Victim organization had very tight data exfiltration controls
   - Laptops utilized full disk encryption (FDE)
     - ... but desktops did not!
   - Path to exfiltration:
     1. Copy sensitive files to desktop during business hours
     2. Remove hard drive before leaving and take home
     3. Offline mount hard drive and copy files

15. Offline Exfiltration – Forensic Analysis
   - If done properly, this leaves no traces for (reasonable) forensics to find
   - The employee in this instance could create, modify, and delete files from the disk at will
   - Was only caught after making other “mistakes” and confessing to the disk removal

16. Proactive Measures – Full Disk Encryption
   - Utilize FDE for everything!
   - Be wary of offline decrypt capabilities
     - The user knows his/her own password…

17. Anti-Forensics – Background
   - Two key employees leave the victim company simultaneously
   - Soon after, important clients end contracts
   - Previous employees’ equipment investigated for signs of improper client interactions

18. Anti-Forensics – Forensics Analysis
   - Employees utilized heavy anti-forensics
     - Both factory reset their company provided Android phones
     - Employee 1 ran CCleaner before returning his computer
     - Employee 2 replaced the hard drive with one bought from Amazon

20. Proactive Measures – Employee Termination
   - Companies work against themselves by not properly assessing and preserving employee equipment (laptops, desktops, phones, tablets) post termination
   - These policies, or lack thereof, can inhibit forensic investigation, legal proceeding, and recovery and understanding of stolen data

21. Bad Policy Examples
   - Re-install/re-purpose systems immediately upon employee termination
   - No check of all system components against IT inventory
   - No check of historical removable media usage
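
An added example, not from the talk, of the two checks this slide says are commonly skipped, run as a termination-time review before any re-imaging: returned components are compared with the IT inventory record (the replaced hard drive from the Anti-Forensics case would surface here) and the device's removable-media history is compared with the list of company-issued media (Python; the asset record, component fields and media-history format are constructed assumptions, and in practice the history would be collected from the endpoint's own device logs).

```python
from datetime import date, timedelta

# Constructed records (not from the talk). ISSUED is the IT inventory entry made when the asset was
# handed out; RETURNED is what was collected from the device at termination, before re-imaging.
ISSUED = {
    "asset": "LT-0231",
    "components": {"disk": {"model": "ST500LM012", "serial": "W3T1ABCD"},
                   "ram_gb": 8, "mac": "00:1a:2b:3c:4d:5e"},
    "issued_media_serials": {"4C530001"},  # company-provided USB devices
}
RETURNED = {
    "asset": "LT-0231",
    "components": {"disk": {"model": "WDS500G1B0A", "serial": "WD-WX11AAAA"},
                   "ram_gb": 8, "mac": "00:1a:2b:3c:4d:5e"},
    # removable-media history as the OS recorded it (serial, last connection date)
    "media_history": [{"serial": "4C530001", "last_seen": "2016-01-12"},
                      {"serial": "0FA7BEEF", "last_seen": "2016-02-26"}],
}

def component_discrepancies(issued, returned):
    """Each component that differs from the inventory record; a swapped drive shows up here."""
    diffs = []
    for name, expected in issued["components"].items():
        actual = returned["components"].get(name)
        if actual != expected:
            diffs.append(f"{name}: issued {expected!r}, returned {actual!r}")
    return diffs

def unapproved_media(issued, returned, since):
    """Serials of removable media not on the issued list, seen on or after `since`."""
    return sorted(h["serial"] for h in returned.get("media_history", [])
                  if h["serial"] not in issued["issued_media_serials"]
                  and date.fromisoformat(h["last_seen"]) >= since)

def termination_review(issued, returned, termination_date, lookback_days=90):
    """Decide whether the equipment must be preserved (imaged and held) instead of re-purposed."""
    if issued["asset"] != returned["asset"]:
        raise ValueError("inventory record and returned asset do not match")
    reasons = component_discrepancies(issued, returned)
    media = unapproved_media(issued, returned, termination_date - timedelta(days=lookback_days))
    if media:
        reasons.append("unapproved removable media used in lookback window: " + ", ".join(media))
    return {"asset": issued["asset"], "preserve": bool(reasons), "reasons": reasons}
```

A review that returns preserve=True is the trigger to image the device and hold it rather than re-install it, which is exactly the step the first bad-policy bullet removes.
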
22. Get Proactive Against Insider Threat
   - Within a month you should be able to identify:
     - Deficiencies that could allow for exfiltration
     - Deficiencies in key employee oversight
     - Policy deficiencies related to employee termination
   - Within three months be able to:
     - Remediate critical deficiencies
     - Have a working plan to remediate all deficiencies

23. Wrapping Up & Q/A
   - If you aren’t being proactive then you are just waiting to become a victim
   - While insider threats are the most prevalent, they are also the most preventable through proactive policy and technical controls
   - Contact info:
     - acase@volexity.com (3DE6E0C8)
     - @attrc