Insider Threat
•Descargar como PPTX, PDF•
4 recomendaciones•423 vistas
Protecting your Enterprise from Corporate Espionage and Insider Threat.
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Similar a Insider Threat
Similar a Insider Threat (20)
Último
Último (20)
Insider Threat
- 1. 1 Protecting Your Enterprise from Corporate Espionage: Keeping Insider Threats Outside Andy Thompson, CISSP SSCP GPEN
- 2. 2 Story Time
- 3. 3
- 4. 4
- 5. 5
- 6. 6
- 7. 7
- 8. 8 Andy Thompson ▪ Strategic Advisor – CyberArk Software ▪ B.S. MIS – University of Texas at Arlington ▪ COMPTIA A+ & Sec+ ▪ (ISC)2 SSCP & CISSP ▪ GIAC – Certified Penetration Tester (GPEN) and Advisory Board Member SANS – CISSP Instructor ▪ Member of Shadow Systems Hacker Collective ▪ Member of Dallas Hackers Association
- 9. 9 The REAL hacker in the family!
- 10. 10 Kinley – The Artist.
- 11. 11 Charlotte- The Apple Didn’t Fall Far from the Tree.
- 12. 12 ▪ Historical cases. ▪ Profile of a malicious insider & attack flow. ▪ Defense strategy ■ Malicious Insider Kill-Chain ■ Technical Controls ▪ Insider Threat Pro-Tips Agenda
- 13. 13 Corporate Espionage & Insider Threats Case Study
- 14. 14 Corporate Espionage Cadence Design Systems vs Avant! ▪ Stolen Source Code ▪ Criminal case filed. ■ Restitution of $200 million. ▪ Civil Case filed. ■ $265 million in restitution.
- 15. 15 ▪ Jan 2016 - Anthony Levandowski abruptly leaves Waymo (Google) and starts Otto. ▪ Otto almost immediately acquired by Uber for $700 mil. ▪ Lawsuit claims Levandowski stole confidential trade secrets from Google. ▪ Case is currently in arbitration. Google vs Uber
- 16. 17 The Insider Threat: Georgia-Pacific Paper ▪ Brian Johnson, former Systems Administrator ▪ Fired. And then… ■ Logged in via VPN from home. ■ Caused over $1 mil in damages to Industrial control systems. ▪ Sentenced to 3 years in jail. ▪ Ordered to repay $1,134,818 in damages.
- 17. 18 The Insider Threat: Columbia Sportswear ▪ Michael Lepper, Senior Director of Technology Infrastructure ▪ 2 Backdoors ■ Accessed over 700 times ■ Stole relevant data to Denali. ▪ Case is still in court today.
- 18. 19 Espionage & Insiders inside the Fed.
- 19. 20 Same Results Either Way. 4 Main Type of Damage. ▪ IT Sabotage ▪ Theft or modification for financial gain ▪ Theft of modification for business advantage ▪ Miscellaneous
- 20. 21 Breakdown by Category IT Sabotage 40% Theft for Miscellaneous Reasons 9% Theft or Modification for Financial Gain 39% Theft for Business Advantage 12%
- 21. 22 Interesting Stats on Sysadmin Motivation ▪ Only 1.5% of espionage cases use sysadmin privileges for financial gain or business advantage. ▪ 90% of IT sabotage cases use sysadmin privileges.
- 23. 24 CERT’s definition of “Malicious Insider” ▪ A current or former employee, contractor, or business partner who: ■ Has or had authorized access to an organization’s network, system, or data and ■ Intentionally exceeded or misused that access in a manner that negatively affected the confidentially, integrity, or availability of the organization’s information or information systems.
- 24. 25 4 Types of Malicious Insider ▪ Compromised actors ▪ Negligent actors ▪ Malicious insiders ▪ Tech savvy actors
- 25. 26 Profile of a Malicious Insider ▪ Introversion ▪ Greed/financial need ▪ Vulnerability to blackmail ▪ Compulsive and destructive behavior ▪ Rebellious, passive aggressive ▪ Ethical “flexibility” ▪ Reduced loyalty ▪ Entitlement – narcissism (ego/self-image) ▪ Minimizing their mistakes or faults ▪ Inability to assume responsibility for their actions ▪ Intolerance of criticism ▪ Self-perceived value exceeds performance ▪ Lack of empathy ▪ Predisposition towards law enforcement ▪ Pattern of frustration and disappointment ▪ History of managing crises ineffectively.
- 26. 27 Use Case of Data Loss 1. Reconnaissance 2. Circumvention 3. Aggregation 4. Obfuscation 5. Exfiltration Reconnaissance Circumvention Aggregation Obfuscation Exfiltration
- 27. 28 Step One: Reconnaissance ▪ Accessing a new or unusual location in a document repository. ▪ An unusual increase in error or access denied messages. ▪ Failed attempts to mount USB devices and access external websites. ▪ Unusually rapid rate of opening files in a short period of time. ▪ Network scanning and use of network tools. ▪ Running applications that they’ve never run before — especially hacking applications.
- 28. 29 Step Two: Circumvention ▪ Use of tools like TOR, VPNs and proxy servers to engage in untraceable internet activity. ▪ File transfers through instant messaging, to evade DLP restrictions. ▪ Sharing information online, whether it be through copy/paste sites like PasteBin, communities like Reddit, or social networks like Facebook or LinkedIn. ▪ Disabling or bypassing security software, or researching how to do so.
- 29. 30 Step Three: Aggregation ▪ Unusual amounts of file copies, movements, and deletions. ▪ Unusual amounts of file activity in high-risk locations and sensitive file types. ▪ Unusual creation of files that are all exactly the same size. ▪ Saving files to an usual location on a user’s endpoint.
- 30. 31 Step Four: Obfuscation ▪ Unusual rates and sizes of file compression. ▪ Clearing cookies and event viewer logs, or unusual use of browser “stealth” settings like Chrome’s Incognito mode. ▪ Hiding sensitive information in image, video, or other misleading file types. ▪ Unusual rates of file renaming, especially to a different file type.
- 32. 33 How to Defend
- 33. 34 Not a“Cyber Security” issue alone. ▪ Policies & Procedures ▪ Regular scheduled training ▪ Prevent at hiring process ▪ HR anticipating negative workplace issues ▪ Focus on deterrence not just detection. ■ Can’t detect outliers if P&P’s don’t exist. Human Resources Legal Information Technology Operations
- 34. 35 The Insider Threat Kill-Chain Recruitment/ Tipping Point Search/Recon Acquisition/ Collection Exfiltration/ Action Prevent Detect Respond Human Resources Legal Non-Technical Indicators Technical Indicators
- 35. 36 Observable vs Cyber Actions
- 37. 38 Technical Controls ▪ Consider Threats from SLDC. ■ Visibility into Change Control. ▪ Secure backup/recovery. ▪ Strong password management ▪ Log, monitor, & audit privileged actions. ▪ SIEM – behavioral analytics. ▪ DLP solutions. ▪ Deactivate computer access following termination. ▪ Separation of duties. ▪ Least Privilege. ■ Application control. ▪ Encryption.
- 38. 39 ▪ Excellent for preventing data exfiltration. ■ Hard to implement successfully. ■ ProTip: Identify and classify data before deploying DLP ▪ DLP is not an access control system and not be seen as a replacement to one. ▪ Systems still vulnerable to sabotage Data Loss Prevention Web Ext.HD DATA
- 39. 40 ▪ Remove privileged access as soon as notice is tendered. ▪ D/C immediately upon termination. ■ No Exceptions! ▪ Use Functional Account Model. Deactivate Access
- 40. 41
- 41. 42 Functional Account Model ADM-AThompson ADM-JVealey ADM-CBotello ADM-KJermyn ADM-PLI 5 Privileged Accounts ADM-Functional-Account 1 Privileged Account AThompson JVealey CBotello KJermyn PLi AThompson JVealey CBotello KJermyn PLi
- 42. 43 ▪ Prevents users from exceeding boundaries. ■ Malicious ■ Accidental ▪ Prevents malicious software installation. ▪ Prevents malicious activities. Least Privilege & Application Control
- 43. 44 ▪ Good in a defense in depth strategy. ■ Not so much with espionage & malicious insiders ▪ Authorized users bypass the control…by design. ▪ Malicious insiders can siphon off to non-encrypted media. ▪ Story Time with Phineas Fisher… Encryption
- 44. 45 Insider Threat in the SDLC ▪ Not all attacks start in Prod. ▪ Logic bombs lay dormant… ■ Until the “perfect” time. ▪ Solutions: ■ Code review ■ Integrity monitoring ■ Change control Software Development Life-Cycle Analyze User Requirements Design the Program Build the System Documents & Test the System Operate & Maintain the System
- 45. 46 ▪ Backups are sensitive to attack. ▪ Offsite & disconnected ▪ Availability is a target. ▪ Solution: ■ DR Tests ■ Integrity checks • Full restores • Incrementals too! Secure Backup & Recovery
- 46. 47 ▪ Discover & Manage ■ Complex ■ Frequently Changing ■ Unique ▪ Single Conduit for Privileged Accounts. ▪ Limit an attacker’s window & scope of attack opportunity. Privileged Account Management
- 47. 48 ▪ Centralized logging to prevent log tampering. ▪ Gain visibility into the session itself. ■ Not just metadata. ▪ Can assist with recovering from sabotage Logging, Monitoring, & Auditing
- 48. 49 Know Your People Work Schedule Badge# 1337 Serial# 07734 972-445-1313 Patterns of Activity Sally@CyberArk.com Works for Network Team IP: 172.16.54.24
- 49. 50 SIEMs, Analytics, & Heuristic Detection ▪ Suspected credential theft. ▪ Unmanaged privileged access. ▪ Access via irregular hours. ▪ Access from irregular IP’s. ▪ Active vs dormant users. ▪ Anomalous access to multiple machines. ▪ Suspicious activities detected in privileged sessions.
- 50. 51 Look for Outliers in Behavioral Analytics ▪ Detect malicious privileged user behavior. ▪ Compare current activity to user and entity profiles. ▪ Patented CyberArk analytic technology detects and alerts on malicious behavior. ▪ Reduces the attacker’s window of opportunity. ▪ One solution to detect both advanced external and insider threats. Detect Detecting abnormal privileged accounts activity Ongoing Profiling Profiling normal behavior Collect Collecting privileged accounts activity
- 51. 52 Exhibit A: Time of Day. Critical Indicator ▪ “…we were able to identify their working hours. Here is the average working hours for a week (the hour on the graph is UTC+1): Figure 1: Attackers working hours generally, the attackers worked between 2AM and 10AM from Monday to Saturday included.” ▪ The attacks came during the day in China, which is after hours in Europe and the US Mandiant, APT1 Report – February 2013
- 52. 53 Activities During Irregular Hours December 28th, 2012 February 13th, 2013
- 53. 54 Insider Threat: Pro-Tips ▪ Look for Resume.doc ▪ Monitor frequent web traffic to: ■ LinkedIn ■ Monster.com, Jobs.com, etc ■ Pastebin, data dump sites ■ Competitors ▪ Pay close attention to disenfranchised employees ■ Passed over for promotion ■ Low performance evaluations ■ Recent HR events
- 54. 55 A Robust Insider Threat Program Illustrated
- 55. 56 <Insert sleeping CISO picture>
- 56. 57 Conclusion ▪ Your organization's greatest asset is also its greatest threat. ▪ “It takes a village…” ▪ Technical Controls provide layers of security. ▪ Takeaways of things to monitor against.
- 57. 58 Questions?
Notas del editor
- Insider activity—both malicious and simple error—accounts for a growing share of data breaches. Statistics are difficult to come by because requirements for reporting security incidents are not consistent across sectors. But some studies show they account for more than half of those breaches analyzed. According to the Protenus Breach Barometer for February, a monthly analysis of reported breaches in the healthcare industry, 58 percent were related to insiders. This was divided about evenly between intentional wrongdoing and error. Outside hacking accounted for just 13 percent. The problem is not confined to any single industry. New York State Attorney General Eric T. Schneiderman reported in March that his office received a record number of data breach reports in 2016, nearly 1,300. Employee negligence and wrongdoing were blamed for 37 percent. Because the insider doesn’t have to penetrate perimeter defenses, these breaches can be difficult to discover. According to the Protenus report, breaches reported in February were on average 478 days old at the time of discovery. In two instances, it was more than five years before breaches were discovered. Dealing with the insider threat is difficult for any organization. But it is imperative, and you can guard against it with the right tools if know what to look for.
- In the early ’90s allegations came to light that Avant!, a Silicon Valley software company, had stolen code from a rival company, Cadence Design Systems. This became more than a simple case of unscrupulous business practices when prosecutors filed charges and, in 2001, Avant! was ordered to pay $182 million in restitution plus interest and fees, for a total of $200 million. Worse still for Avant!, the closing of the criminal case meant that Cadence was finally able to proceed with its own civil case. Not content with a paltry $200 million, Cadence settled with Avant!, who’d since been bought by Synopsys, for a further $265 million. If a company could figure out a way to arrange this kind of profit, they wouldn’t be doing badly. http://www.businesspundit.com/10-most-notorious-acts-of-corporate-espionage/3/
- In 1981 Hitachi mysteriously came into possession of an almost full set of IBM’s Adirondack Workbooks. It seems that the fact that they contained IBM design documents full of IBM technical secrets and were prominently marked FOR INTERNAL IBM USE ONLY didn’t prompt Hitachi to return them. IBM counterintelligence staff and FBI personnel worked tirelessly until the arrest of several IBM officials proved the fruits of their labor. Hitachi settled out of court, and paid IBM a sum that has been reported as US$300 million. http://www.businesspundit.com/10-most-notorious-acts-of-corporate-espionage/5/
- One malicious insider will be jailed for a revenge attack he took out on a former employer. Brian Johnson, former sysadmin for US paper manufacturer Georgia-Pacific pleaded guilty to Intentionally Damaging Protected Computers last February. A Louisiana Court sentenced Johnson to 34 months in jail and ordered him to repay the US$1,134,828 (£909900) of damage that his vengeance apparently caused. The indictment reads that Johnson, “knowingly caused the transmission of programs, information, code, and commands, and, as a result of such conduct, intentionally caused damage, without authorization, to protected computers, and such conduct caused loss to Georgia-Pacific LLC, Georgia pacific Consumer operations LLC and Georgia-Pacific Consumer Products LP during the one year period from February 14, 2014 to February 13, 2015.” After Johnson was fired from his role in February 2014, he re-accessed Georgia-Pacific through a VPN and spent the next couple of weeks doing upwards of a million dollars in damage. Once Johnson was in, he started messing with the industrial control systems of Georgia Pacific's toilet paper factory in Port Hudson, Louisiana. One day shy of two weeks after Johnson's employment was terminated, the US Federal Bureau of Investigation raided his house. Agents found a connection into his former employer on a seized laptop and before long, Johnson was arrested. https://www.scmagazineuk.com/insider-comes-back-for-revenge-sentenced-to-three-years-inside/article/638988/
- Michael Leeper was employed by Oregon based sportswear company, Columbia Sportswear for four years, eventually reaching the role of senior director of technology infrastructure. In 2014, he left the position to work for Denali Advanced Integration, a purveyor of IT products and services. According to Columbia, Denali didn't just benefit from Leeper's infosecurity expertise. Leeper is alleged to have installed two backdoors on Columbia's network and in his new position, accessed his former employer's networks over 700 times and steal data that might be relevant to Denali, whose services had previously been purchased by the company. Denali has denied any involvement. The claim examines one particular case in which Leeper is meant to have accessed the email accounts of one particular Columbia employee in order to gain inside information about transactions between Columbia and other IT services. https://www.scmagazineuk.com/it-admin-sued-by-ex-employer-for-alleged-malicious-insider-data-theft/article/645458/
- IT sabotage: cases in which current or former employees, contractors, or business partners intentionally exceeded or misused an authorized level of access to networks, systems, or data with the intention of harming a specific individual, the organization, or the organization’s data, systems, and/or daily business operations. Theft or modification for financial gain: cases in which current or former employees, contractors, or business partners intentionally exceeded or misused an authorized level of access to networks, systems, or data with the intention of stealing or modifying confidential or proprietary information from the organization for financial gain. Theft or modification for business advantage: cases in which current or former employees, contractors, or business partners intentionally exceeded or misused an authorized level of access to networks, systems, or data with the intention of stealing confidential or proprietary information from the organization with the intent to use it for a business advantage. Miscellaneous: cases in which current or former employees, contractors, or business partners intentionally exceeded or misused an authorized level of access to networks, systems, or data with the intention of stealing confidential or proprietary information from the organization, not motivated by financial gain or business advantage. .
- FBI states that 1.5% of espionage cases reviewed involve the use of sysadmin privileges for financial gain or business advantage. CMU CERT shows different stats for IT Sabotage. 90% of IT Saboteurs were sysadmins http://www.cert.org/blog/insider_threat/2010/09/insider_threat_deep_dive_it_sabotage.html
- Compromised actors: Insiders with access credentials or computing devices that have been compromised by an outside threat actor. These insiders are more challenging to address since the real attack is coming from outside, posing a much lower risk of being identified. Negligent actors: Insiders who expose data accidentally — such as an employee who accesses company data through public WiFi without the knowledge that it’s unsecured. A large number of data breach incidents result from employee negligence towards security measures, policies and practices. Malicious insiders: Insiders who steal data or destroy company networks intentionally – such as a former employee who injects malware in corporate computers on his last day at work. Tech savvy actors: Insiders who react to challenges. They use their knowledge of weaknesses and vulnerabilities to breach clearance and access sensitive information. Tech savvy actors can pose some of the most dangerous insider threats, and are likely to sell confidential information to external parties or black market bidders.
- Taken from National Cybersecurity and Communications Integration Center (Homeland Security)
- As they’re planning an insider attack, users start by seeking out files and data to steal. The key to catching a user in this stage is to keep an eye on users who access unusual locations or run unusual applications. This way, you can get an early indication that a user may be preparing for an attack.
- Next, users research options for getting data out of an organization. Sometimes this can happen through straightforward means, like file-sharing websites. Other times, IT savvy users can use more technical methods like proxy servers and VPN connections.
- When they’re ready to act, users aggregate the data they’re preparing to steal. This means that you’ll need to keep an eye out for various forms of unusual file activity, from copying, to movement, to deletion.
- Users almost always attempt to cover their tracks before stealing data. Their methods can range from the simple, like renaming files, to the complex, like disabling security tools altogether. In order to catch the culprit at this stage, you need to have a detailed view of everything happening within your organization.
- This is the actual theft of sensitive data and information. Hopefully, you caught the rogue insider long before they get to this point. You should have already seen the signs from their previous actions, and if you didn’t, then chances are your internal visibility is sorely lacking and you probably won’t catch them here until it’s too late. This is the stage where the user actually takes the data out of the organization. This means that the important thing to look for isn’t just the size and volume of file transfers, but their destination. You should be looking for large numbers of files that are being moved to an external drive or uploaded to an outside network.
- Technical Controls DLP, Track & Secure physical environments & assets, full disk encryption, deactivate computer access following termination, separation of duties, least privilege, consider threats from SLDC, Take extra care with SYSADMINS, Implement Change control, implement secure backup/recovery process, Log/monitor/&Audit privileged actions, SIEM,
- Discover privileged accounts. CyberArk Enterprise Password Vault automatically discovers and inventories accounts throughout the IT environment. Administrators can select which accounts or groups of accounts should be protected and automatically provision them to the Digital Vault.
- Now if we look at data from one of our customers around the usage of a particular user , where each * is an access to an account by that user, you can see his normal working hours and activity very clearly. Yet in further analyzing the data, there are 2 outliers that don’t fit the profile…one back on Dec 28 2013 and the other in February of this year. When we gave this data to our customer…they said what/???