Andy Thompson
▪ Strategic Advisor – CyberArk Software
▪ B.S. MIS – University of Texas at Arlington
▪ CompTIA A+ & Sec+
▪ (ISC)2 SSCP & CISSP
▪ GIAC – Certified Penetration Tester (GPEN) and Advisory Board Member
▪ SANS – CISSP Instructor
▪ Member of Shadow Systems Hacker Collective
▪ Member of Dallas Hackers Association

Corporate Espionage: Cadence Design Systems vs Avant!
▪ Stolen source code
▪ Criminal case filed.
■ Restitution of $200 million.
▪ Civil case filed.
■ $265 million in restitution.

Google vs Uber
▪ Jan 2016 - Anthony Levandowski abruptly leaves Waymo (Google) and starts Otto.
▪ Otto almost immediately acquired by Uber for $700 mil.
▪ Lawsuit claims Levandowski stole confidential trade secrets from Google.
▪ Case is currently in arbitration.

The Insider Threat: Georgia-Pacific Paper
▪ Brian Johnson, former Systems Administrator
▪ Fired. And then…
■ Logged in via VPN from home.
■ Caused over $1 mil in damages to industrial control systems.
▪ Sentenced to 3 years in jail.
▪ Ordered to repay $1,134,818 in damages.

The Insider Threat: Columbia Sportswear
▪ Michael Leeper, Senior Director of Technology Infrastructure
▪ 2 backdoors
■ Accessed over 700 times
■ Stole data relevant to Denali.
▪ Case is still in court today.

Same Results Either Way.
4 Main Types of Damage.
▪ IT Sabotage
▪ Theft or modification for financial gain
▪ Theft or modification for business advantage
▪ Miscellaneous

Breakdown by Category
▪ IT Sabotage: 40%
▪ Theft or Modification for Financial Gain: 39%
▪ Theft for Business Advantage: 12%
▪ Theft for Miscellaneous Reasons: 9%

Interesting Stats on Sysadmin Motivation
▪ Only 1.5% of espionage cases use sysadmin privileges for financial gain or business advantage.
▪ 90% of IT sabotage cases use sysadmin privileges.

CERT’s definition of “Malicious Insider”
▪ A current or former employee, contractor, or business partner who:
■ Has or had authorized access to an organization’s network, system, or data and
■ Intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.

Profile of a Malicious Insider
▪ Introversion
▪ Greed/financial need
▪ Vulnerability to blackmail
▪ Compulsive and destructive behavior
▪ Rebellious, passive aggressive
▪ Ethical “flexibility”
▪ Reduced loyalty
▪ Entitlement – narcissism (ego/self-image)
▪ Minimizing their mistakes or faults
▪ Inability to assume responsibility for their actions
▪ Intolerance of criticism
▪ Self-perceived value exceeds performance
▪ Lack of empathy
▪ Predisposition towards law enforcement
▪ Pattern of frustration and disappointment
▪ History of managing crises ineffectively.

Use Case of Data Loss
1. Reconnaissance
2. Circumvention
3. Aggregation
4. Obfuscation
5. Exfiltration

Step One: Reconnaissance
▪ Accessing a new or unusual location in a document repository.
▪ An unusual increase in error or access denied messages.
▪ Failed attempts to mount USB devices and access external websites.
▪ Unusually rapid rate of opening files in a short period of time.
▪ Network scanning and use of network tools.
▪ Running applications that they’ve never run before — especially hacking applications.

Step Two: Circumvention
▪ Use of tools like TOR, VPNs and proxy servers to engage in untraceable internet activity.
▪ File transfers through instant messaging, to evade DLP restrictions.
▪ Sharing information online, whether it be through copy/paste sites like PasteBin, communities like Reddit, or social networks like Facebook or LinkedIn.
▪ Disabling or bypassing security software, or researching how to do so.

Step Three: Aggregation
▪ Unusual amounts of file copies, movements, and deletions.
▪ Unusual amounts of file activity in high-risk locations and sensitive file types.
▪ Unusual creation of files that are all exactly the same size.
▪ Saving files to an unusual location on a user’s endpoint.

Step Four: Obfuscation
▪ Unusual rates and sizes of file compression.
▪ Clearing cookies and event viewer logs, or unusual use of browser “stealth” settings like Chrome’s Incognito mode.
▪ Hiding sensitive information in image, video, or other misleading file types.
▪ Unusual rates of file renaming, especially to a different file type.

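The indicators in Steps One through Four above are each a rule that a file-audit log can be checked against. The following Python is an added example, not code from the presentation or from CyberArk: it constructs a small sample audit log and runs four rules over it (an access-denied spike and a burst of file opens for reconnaissance, several newly created files of exactly the same size for aggregation, and renames to a different file type for obfuscation). The log format, user names, paths and thresholds are all assumptions.

```python
"""Added example: rule checks for data-loss indicators over a file-audit log."""
import os
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed audit lines, format assumed: "<ISO time> <user> <action> <path> [<size>|<new path>]"
SAMPLE_LOG = """
2017-03-01T09:12:04 alice OPEN /share/finance/q1.xlsx 20480
2017-03-01T09:15:40 alice OPEN /share/finance/q2.xlsx 21504
2017-03-01T22:01:10 bob DENIED /share/legal/merger.docx
2017-03-01T22:01:15 bob DENIED /share/legal/board-minutes.docx
2017-03-01T22:01:22 bob DENIED /share/hr/salaries.xlsx
2017-03-01T22:01:30 bob DENIED /share/hr/reviews.xlsx
2017-03-01T22:01:41 bob DENIED /share/exec/strategy.pptx
2017-03-01T22:01:50 bob DENIED /share/exec/roadmap.pptx
2017-03-01T22:10:00 bob RENAME /home/bob/customers.db /home/bob/vacation.jpg
2017-03-01T22:10:05 bob RENAME /home/bob/contracts.zip /home/bob/photo2.png
"""


def build_sample_log():
    """Sample lines above plus two generated bursts (all constructed)."""
    lines = SAMPLE_LOG.strip().splitlines()
    base = datetime(2017, 3, 1, 22, 5, 0)
    for i in range(25):  # 25 file opens in under two minutes
        t = (base + timedelta(seconds=4 * i)).isoformat()
        lines.append(f"{t} bob OPEN /share/engineering/design{i:02d}.dwg {1000 + i}")
    for i in range(6):   # six new files of exactly the same size
        t = (base + timedelta(minutes=3, seconds=10 * i)).isoformat()
        lines.append(f"{t} bob CREATE /home/bob/part{i}.bin 104857600")
    return lines


def parse(line):
    """Split one audit line into a dict; RENAME carries a new path, others a size."""
    parts = line.split()
    ev = {"ts": datetime.fromisoformat(parts[0]), "user": parts[1],
          "action": parts[2], "path": parts[3]}
    if ev["action"] == "RENAME":
        ev["new_path"] = parts[4]
    elif len(parts) > 4:
        ev["size"] = int(parts[4])
    return ev


def burst_users(events, action, threshold, window):
    """Users with at least `threshold` events of `action` inside any sliding `window`."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == action:
            per_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def identical_size_creates(events, min_count):
    """Users who created `min_count` or more files of exactly the same size."""
    counts = Counter((e["user"], e["size"]) for e in events
                     if e["action"] == "CREATE" and "size" in e)
    return {user: (size, n) for (user, size), n in counts.items() if n >= min_count}


def type_changing_renames(events):
    """Renames where the extension changes, e.g. a database renamed to look like an image."""
    out = defaultdict(list)
    for e in events:
        if e["action"] == "RENAME":
            old_ext = os.path.splitext(e["path"])[1].lower()
            new_ext = os.path.splitext(e["new_path"])[1].lower()
            if old_ext != new_ext:
                out[e["user"]].append((e["path"], e["new_path"]))
    return dict(out)


def run_all(lines):
    """Run every rule; the thresholds are assumptions to tune against a real baseline."""
    events = [parse(l) for l in lines if l.strip()]
    return {
        "access_denied_spike": burst_users(events, "DENIED", 5, timedelta(minutes=10)),
        "rapid_file_opens": burst_users(events, "OPEN", 20, timedelta(minutes=5)),
        "identical_size_files": identical_size_creates(events, 5),
        "type_changing_renames": type_changing_renames(events),
    }


if __name__ == "__main__":
    for rule, hits in run_all(build_sample_log()).items():
        print(rule, hits or "no hits")
```

Each rule returns the offending user with the evidence that tripped it, so the output feeds an alert rather than a raw count; the sliding window in `burst_users` is what distinguishes a genuine burst from the same number of events spread over a working day.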
Not a “Cyber Security” issue alone.
▪ Policies & Procedures
▪ Regular scheduled training
▪ Prevent at hiring process
▪ HR anticipating negative workplace issues
▪ Focus on deterrence, not just detection.
■ Can’t detect outliers if P&Ps don’t exist.
Stakeholders shown on the slide: Human Resources, Legal, Information Technology, Operations.

The Insider Threat Kill-Chain
Stages: Recruitment/Tipping Point → Search/Recon → Acquisition/Collection → Exfiltration/Action
Response phases overlaid on the stages: Prevent, Detect, Respond
Indicator sources: Human Resources, Legal, Non-Technical Indicators, Technical Indicators

Data Loss Prevention
▪ Excellent for preventing data exfiltration.
■ Hard to implement successfully.
■ ProTip: Identify and classify data before deploying DLP.
▪ DLP is not an access control system and should not be seen as a replacement for one.
▪ Systems still vulnerable to sabotage.
Diagram labels: DATA, Web, Ext. HD.

Deactivate Access
▪ Remove privileged access as soon as notice is tendered.
▪ D/C immediately upon termination.
■ No Exceptions!
▪ Use Functional Account Model.

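One way to make the rule above checkable ("remove privileged access as soon as notice is tendered, disable immediately upon termination") is to reconcile an HR status feed against a directory export and list the actions that are overdue. The following Python is an added example, not code from the presentation or from any CyberArk product; the record layouts, privileged group names, user names and dates are all assumptions.

```python
"""Added example: derive offboarding actions by reconciling HR status with directory accounts."""
from dataclasses import dataclass, field
from datetime import date

# Assumed names of directory groups that confer privileged access.
PRIVILEGED_GROUPS = {"Domain Admins", "Server Operators", "DBA"}


@dataclass
class HrRecord:
    username: str
    status: str        # "active", "notice" (resignation tendered) or "terminated"
    effective: date    # date the status takes effect


@dataclass
class DirectoryAccount:
    username: str
    enabled: bool
    groups: set = field(default_factory=set)


def offboarding_actions(hr_records, accounts, today):
    """Map username -> list of overdue actions.

    Notice tendered or terminated: privileged group membership must already be gone.
    Terminated with an effective date of today or earlier: the account must be disabled.
    Enabled account with no HR record: confirm it is a managed functional account,
    the model the slide recommends, rather than a forgotten personal login.
    """
    by_user = {a.username: a for a in accounts}
    actions = {}
    for rec in hr_records:
        acct = by_user.get(rec.username)
        if acct is None:
            continue
        todo = []
        priv = acct.groups & PRIVILEGED_GROUPS
        if rec.status in ("notice", "terminated") and priv:
            todo.append("remove privileged groups: " + ", ".join(sorted(priv)))
        if rec.status == "terminated" and rec.effective <= today and acct.enabled:
            todo.append("disable account immediately")
        if todo:
            actions[rec.username] = todo
    known = {r.username for r in hr_records}
    for acct in accounts:
        if acct.enabled and acct.username not in known:
            actions[acct.username] = ["no HR owner: confirm it is a managed functional account"]
    return actions


def demo():
    """Constructed sample data; every name and date here is made up."""
    hr = [
        HrRecord("alice", "active", date(2015, 6, 1)),
        HrRecord("bob", "notice", date(2017, 3, 15)),       # leaving in two weeks
        HrRecord("carol", "terminated", date(2017, 3, 1)),  # terminated yesterday
    ]
    directory = [
        DirectoryAccount("alice", True, {"Domain Admins"}),
        DirectoryAccount("bob", True, {"Server Operators", "Staff"}),
        DirectoryAccount("carol", True, {"Staff"}),
        DirectoryAccount("svc-backup", True, {"Domain Admins"}),
    ]
    return offboarding_actions(hr, directory, today=date(2017, 3, 2))


if __name__ == "__main__":
    for user, todo in demo().items():
        print(user, todo)
```

Run on a schedule, an empty result is the expected state; any non-empty result is a control failure to act on that day, which is what "No Exceptions!" means in practice.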
Least Privilege & Application Control
▪ Prevents users from exceeding boundaries.
■ Malicious
■ Accidental
▪ Prevents malicious software installation.
▪ Prevents malicious activities.

Encryption
▪ Good in a defense in depth strategy.
■ Not so much with espionage & malicious insiders.
▪ Authorized users bypass the control…by design.
▪ Malicious insiders can siphon off to non-encrypted media.
▪ Story Time with Phineas Fisher…

Insider Threat in the SDLC
▪ Not all attacks start in Prod.
▪ Logic bombs lay dormant…
■ Until the “perfect” time.
▪ Solutions:
■ Code review
■ Integrity monitoring
■ Change control
Software Development Life-Cycle diagram: Analyze User Requirements → Design the Program → Build the System → Document & Test the System → Operate & Maintain the System

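The integrity-monitoring control listed above can be demonstrated with a file-hash baseline. The following Python is an added example, not code from the presentation: it hashes every file under a deployed tree with SHA-256, keeps that manifest as the baseline, and later reports files added, removed or modified relative to it, which is how an edit that never went through code review or change control surfaces in production. The temporary directory and file names are constructed for the example.

```python
"""Added example: SHA-256 baseline and diff for a deployed code tree."""
import hashlib
import tempfile
from pathlib import Path


def build_baseline(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        manifest[path.relative_to(root).as_posix()] = h.hexdigest()
    return manifest


def diff_baseline(old, new):
    """Compare two manifests; anything listed here did not come through change control."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in common if old[k] != new[k]),
    }


def demo():
    """Constructed tree: take a baseline, then alter it the way an unreviewed change would."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "app"
        (app / "lib").mkdir(parents=True)
        (app / "main.py").write_text("print('hello')\n")
        (app / "lib" / "util.py").write_text("def f():\n    return 1\n")
        baseline = build_baseline(app)

        # Two changes that bypassed review: an edit to an existing module and a new file.
        (app / "lib" / "util.py").write_text("def f():\n    return 1\n# unreviewed edit\n")
        (app / "lib" / "extra.py").write_text("# file that never went through change control\n")
        return diff_baseline(baseline, build_baseline(app))


if __name__ == "__main__":
    print(demo())
```

The baseline manifest must itself live somewhere the monitored system's administrators cannot silently rewrite (the same reasoning as the centralized-logging point later in the deck), otherwise an insider with access to both the tree and the manifest can update both together.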
Secure Backup & Recovery
▪ Backups are sensitive to attack.
▪ Offsite & disconnected
▪ Availability is a target.
▪ Solution:
■ DR Tests
■ Integrity checks
• Full restores
• Incrementals too!

Privileged Account Management
▪ Discover & Manage
■ Complex
■ Frequently Changing
■ Unique
▪ Single conduit for privileged accounts.
▪ Limit an attacker’s window & scope of attack opportunity.

Logging, Monitoring, & Auditing
▪ Centralized logging to prevent log tampering.
▪ Gain visibility into the session itself.
■ Not just metadata.
▪ Can assist with recovering from sabotage.

Know Your People
Diagram: an identity profile tying together Work Schedule, Patterns of Activity, Badge# 1337, Serial# 07734, 972-445-1313, Sally@CyberArk.com, Works for Network Team, IP: 172.16.54.24.

SIEMs, Analytics, & Heuristic Detection
▪ Suspected credential theft.
▪ Unmanaged privileged access.
▪ Access via irregular hours.
▪ Access from irregular IPs.
▪ Active vs dormant users.
▪ Anomalous access to multiple machines.
▪ Suspicious activities detected in privileged sessions.

Look for Outliers in Behavioral Analytics
▪ Detect malicious privileged user behavior.
▪ Compare current activity to user and entity profiles.
▪ Patented CyberArk analytic technology detects and alerts on malicious behavior.
▪ Reduces the attacker’s window of opportunity.
▪ One solution to detect both advanced external and insider threats.
Cycle diagram: Collect (collecting privileged accounts activity) → Ongoing Profiling (profiling normal behavior) → Detect (detecting abnormal privileged accounts activity)

Exhibit A: Time of Day. Critical Indicator
▪ “…we were able to identify their working hours. Here is the average working hours for a week (the hour on the graph is UTC+1): Figure 1: Attackers working hours generally, the attackers worked between 2AM and 10AM from Monday to Saturday included.”
▪ The attacks came during the day in China, which is after hours in Europe and the US.
Source: Mandiant, APT1 Report – February 2013

Conclusion
▪ Your organization's greatest asset is also its greatest threat.
▪ “It takes a village…”
▪ Technical controls provide layers of security.
▪ Takeaways of things to monitor against.

Insider activity—both malicious and simple error—accounts for a growing share of data breaches. Statistics are difficult to come by because requirements for reporting security incidents are not consistent across sectors. But some studies show they account for more than half of those breaches analyzed.
According to the Protenus Breach Barometer for February, a monthly analysis of reported breaches in the healthcare industry, 58 percent were related to insiders. This was divided about evenly between intentional wrongdoing and error. Outside hacking accounted for just 13 percent. The problem is not confined to any single industry. New York State Attorney General Eric T. Schneiderman reported in March that his office received a record number of data breach reports in 2016, nearly 1,300. Employee negligence and wrongdoing were blamed for 37 percent.
Because the insider doesn’t have to penetrate perimeter defenses, these breaches can be difficult to discover. According to the Protenus report, breaches reported in February were on average 478 days old at the time of discovery. In two instances, it was more than five years before breaches were discovered.
Dealing with the insider threat is difficult for any organization. But it is imperative, and you can guard against it with the right tools if you know what to look for.
In the early ’90s allegations came to light that Avant!, a Silicon Valley software company, had stolen code from a rival company, Cadence Design Systems. This became more than a simple case of unscrupulous business practices when prosecutors filed charges and, in 2001, Avant! was ordered to pay $182 million in restitution plus interest and fees, for a total of $200 million.
Worse still for Avant!, the closing of the criminal case meant that Cadence was finally able to proceed with its own civil case. Not content with a paltry $200 million, Cadence settled with Avant!, who’d since been bought by Synopsys, for a further $265 million. If a company could figure out a way to arrange this kind of profit, they wouldn’t be doing badly.
http://www.businesspundit.com/10-most-notorious-acts-of-corporate-espionage/3/
In 1981 Hitachi mysteriously came into possession of an almost full set of IBM’s Adirondack Workbooks. It seems that the fact that they contained IBM design documents full of IBM technical secrets and were prominently marked FOR INTERNAL IBM USE ONLY didn’t prompt Hitachi to return them.
IBM counterintelligence staff and FBI personnel worked tirelessly until the arrest of several IBM officials proved the fruits of their labor. Hitachi settled out of court, and paid IBM a sum that has been reported as US$300 million.
http://www.businesspundit.com/10-most-notorious-acts-of-corporate-espionage/5/
One malicious insider will be jailed for a revenge attack he took out on a former employer. Brian Johnson, former sysadmin for US paper manufacturer Georgia-Pacific pleaded guilty to Intentionally Damaging Protected Computers last February. A Louisiana Court sentenced Johnson to 34 months in jail and ordered him to repay the US$1,134,828 (£909900) of damage that his vengeance apparently caused.
The indictment reads that Johnson, “knowingly caused the transmission of programs, information, code, and commands, and, as a result of such conduct, intentionally caused damage, without authorization, to protected computers, and such conduct caused loss to Georgia-Pacific LLC, Georgia pacific Consumer operations LLC and Georgia-Pacific Consumer Products LP during the one year period from February 14, 2014 to February 13, 2015.”
After Johnson was fired from his role in February 2014, he re-accessed Georgia-Pacific through a VPN and spent the next couple of weeks doing upwards of a million dollars in damage. Once Johnson was in, he started messing with the industrial control systems of Georgia Pacific's toilet paper factory in Port Hudson, Louisiana.
One day shy of two weeks after Johnson's employment was terminated, the US Federal Bureau of Investigation raided his house. Agents found a connection into his former employer on a seized laptop and before long, Johnson was arrested.
https://www.scmagazineuk.com/insider-comes-back-for-revenge-sentenced-to-three-years-inside/article/638988/
Michael Leeper was employed by Oregon based sportswear company, Columbia Sportswear for four years, eventually reaching the role of senior director of technology infrastructure. In 2014, he left the position to work for Denali Advanced Integration, a purveyor of IT products and services.
According to Columbia, Denali didn't just benefit from Leeper's infosecurity expertise. Leeper is alleged to have installed two backdoors on Columbia's network and, in his new position, to have accessed his former employer's networks over 700 times and stolen data that might be relevant to Denali, whose services had previously been purchased by the company. Denali has denied any involvement.
The claim examines one particular case in which Leeper is meant to have accessed the email accounts of one particular Columbia employee in order to gain inside information about transactions between Columbia and other IT services.
https://www.scmagazineuk.com/it-admin-sued-by-ex-employer-for-alleged-malicious-insider-data-theft/article/645458/
IT sabotage: cases in which current or former employees, contractors, or business partners intentionally exceeded or misused an authorized level of access to networks, systems, or data with the intention of harming a specific individual, the organization, or the organization’s data, systems, and/or daily business operations.
Theft or modification for financial gain: cases in which current or former employees, contractors, or business partners intentionally exceeded or misused an authorized level of access to networks, systems, or data with the intention of stealing or modifying confidential or proprietary information from the organization for financial gain.
Theft or modification for business advantage: cases in which current or former employees, contractors, or business partners intentionally exceeded or misused an authorized level of access to networks, systems, or data with the intention of stealing confidential or proprietary information from the organization with the intent to use it for a business advantage.
Miscellaneous: cases in which current or former employees, contractors, or business partners intentionally exceeded or misused an authorized level of access to networks, systems, or data with the intention of stealing confidential or proprietary information from the organization, not motivated by financial gain or business advantage.
FBI states that 1.5% of espionage cases reviewed involve the use of sysadmin privileges for financial gain or business advantage.
CMU CERT shows different stats for IT Sabotage.
90% of IT Saboteurs were sysadmins
http://www.cert.org/blog/insider_threat/2010/09/insider_threat_deep_dive_it_sabotage.html
Compromised actors: Insiders with access credentials or computing devices that have been compromised by an outside threat actor. These insiders are more challenging to address since the real attack is coming from outside, posing a much lower risk of being identified.
Negligent actors: Insiders who expose data accidentally — such as an employee who accesses company data through public WiFi without the knowledge that it’s unsecured. A large number of data breach incidents result from employee negligence towards security measures, policies and practices.
Malicious insiders: Insiders who steal data or destroy company networks intentionally – such as a former employee who injects malware in corporate computers on his last day at work.
Tech savvy actors: Insiders who react to challenges. They use their knowledge of weaknesses and vulnerabilities to breach clearance and access sensitive information. Tech savvy actors can pose some of the most dangerous insider threats, and are likely to sell confidential information to external parties or black market bidders.
Taken from National Cybersecurity and Communications Integration Center (Homeland Security)
As they’re planning an insider attack, users start by seeking out files and data to steal. The key to catching a user in this stage is to keep an eye on users who access unusual locations or run unusual applications. This way, you can get an early indication that a user may be preparing for an attack.
Next, users research options for getting data out of an organization. Sometimes this can happen through straightforward means, like file-sharing websites. Other times, IT savvy users can use more technical methods like proxy servers and VPN connections.
When they’re ready to act, users aggregate the data they’re preparing to steal. This means that you’ll need to keep an eye out for various forms of unusual file activity, from copying, to movement, to deletion.
Users almost always attempt to cover their tracks before stealing data. Their methods can range from the simple, like renaming files, to the complex, like disabling security tools altogether. In order to catch the culprit at this stage, you need to have a detailed view of everything happening within your organization.
This is the actual theft of sensitive data and information. Hopefully, you caught the rogue insider long before they get to this point. You should have already seen the signs from their previous actions, and if you didn’t, then chances are your internal visibility is sorely lacking and you probably won’t catch them here until it’s too late.
This is the stage where the user actually takes the data out of the organization. This means that the important thing to look for isn’t just the size and volume of file transfers, but their destination. You should be looking for large numbers of files that are being moved to an external drive or uploaded to an outside network.
Technical Controls
▪ DLP
▪ Track & secure physical environments & assets
▪ Full disk encryption
▪ Deactivate computer access following termination
▪ Separation of duties
▪ Least privilege
▪ Consider threats from the SDLC
▪ Take extra care with sysadmins
▪ Implement change control
▪ Implement a secure backup/recovery process
▪ Log, monitor & audit privileged actions
▪ SIEM
Discover privileged accounts. CyberArk Enterprise Password Vault automatically discovers and inventories accounts throughout the IT environment. Administrators can select which accounts or groups of accounts should be protected and automatically provision them to the Digital Vault.
Now if we look at data from one of our customers around the usage of a particular user, where each * is an access to an account by that user, you can see his normal working hours and activity very clearly.
Yet in further analyzing the data, there are 2 outliers that don’t fit the profile: one back on Dec 28 2013 and the other in February of this year.
When we gave this data to our customer… they said: what???
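The working-hours profile in the APT1 quote on the "Exhibit A: Time of Day" slide and the two outliers in the customer data described just above are the same analytic: learn when a user is normally active, then flag accesses outside that envelope. The following Python is an added example, not CyberArk's analytic and not code from the presentation. It builds a per-user profile by weekday and by hour of day from historical access timestamps and reports new accesses in hours, or on days, where the user has rarely or never been active. The history, the new events and the 2% threshold are constructed assumptions.

```python
"""Added example: flag accesses outside a user's learned working-hours profile."""
from collections import Counter
from datetime import datetime, timedelta

MIN_SHARE = 0.02  # assumed: an hour or weekday holding < 2% of history is "not normal"


def hourly_profile(timestamps):
    """Share of the user's historical accesses in each hour of the day (0-23)."""
    counts = Counter(ts.hour for ts in timestamps)
    total = sum(counts.values())
    return {h: counts.get(h, 0) / total for h in range(24)}


def weekday_profile(timestamps):
    """Share of the user's historical accesses on each weekday (0=Monday .. 6=Sunday)."""
    counts = Counter(ts.weekday() for ts in timestamps)
    total = sum(counts.values())
    return {d: counts.get(d, 0) / total for d in range(7)}


def typical(profile, min_share=MIN_SHARE):
    """Keys (hours or weekdays) that carry at least min_share of the history."""
    return {k for k, share in profile.items() if share >= min_share}


def flag_outliers(history, new_events, min_share=MIN_SHARE):
    """Return (ISO timestamp, reason) for each new access outside the learned envelope."""
    hours = typical(hourly_profile(history), min_share)
    days = typical(weekday_profile(history), min_share)
    flagged = []
    for ts in new_events:
        reasons = []
        if ts.hour not in hours:
            reasons.append(f"hour {ts.hour:02d} not in profile")
        if ts.weekday() not in days:
            reasons.append(f"weekday {ts.strftime('%a')} not in profile")
        if reasons:
            flagged.append((ts.isoformat(), "; ".join(reasons)))
    return flagged


def build_sample_history():
    """Constructed history: weekday accesses between 08:00 and 17:00, Oct-Dec 2013."""
    events = []
    day = datetime(2013, 10, 1)
    while day < datetime(2013, 12, 24):
        if day.weekday() < 5:
            for hour in (8, 9, 10, 11, 13, 14, 15, 16, 17):
                events.append(day.replace(hour=hour, minute=15))
        day += timedelta(days=1)
    return events


def demo():
    history = build_sample_history()
    new_events = [  # constructed: two in-profile accesses and two outliers
        datetime(2013, 12, 27, 10, 5),   # Friday morning: normal
        datetime(2013, 12, 28, 2, 47),   # Saturday 02:47: outlier
        datetime(2014, 2, 3, 23, 30),    # Monday 23:30: outlier
        datetime(2014, 2, 4, 14, 0),     # Tuesday afternoon: normal
    ]
    return flag_outliers(history, new_events)


if __name__ == "__main__":
    for ts, reason in demo():
        print(ts, reason)
```

The profile is per user, so a night-shift operator is not flagged for working nights; what matters is the deviation from that individual's own history, which is the point both the APT1 excerpt and the customer story make. Timestamps should be normalized to one time zone before profiling, as the Mandiant quote's "UTC+1" note reminds.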