2. Outline
About Insider Threat
- Definition and Research
- Motivations and Statistics
- US military cases: Snowden and others
- US Government and DOD Measures
Solutions to Insider Threat:
- Public Information and Veramine projects with US DOD, DHS and Air Force
- Strongly supported by Solutions for External Threats, i.e. EDR and Deception
- UAM, UEBA: Detections by AI, Rules, and Controls over Data, User and Device
- Forensics and Logs: Collecting Artifacts, Variety, Details, Realtime, Filtered
- Incident Response Actions on Hosts, Users… Threat Hunting with Yara and Search
Veramine Inc.
Advanced Endpoint Security
3. About Insider Threat
Definition of Insider Threat (Wikipedia)
- a threat that is malicious to an organization
- comes from people within the organization
- who have inside information about the organization's IT systems
- involves fraud or theft of confidential or commercially valuable information,
- or theft of intellectual property, or sabotage of computer systems
Research: CERT Insider Threat Center of Carnegie-Mellon University
- database of 850+ insider threat cases, including fraud, theft and sabotage
- blog to help organizations defend themselves against insider crime
- Insider Threat Test Datasets for Data Analysis and Machine Learning
https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=508099
5. Motivations
2,500 internal security breaches occurring in US businesses every day
https://www.isdecisions.com/insider-threat/statistics.htm
6. Motivations
According to insider threat statistics from a Ponemon Institute study, accidental insider threats cost roughly $283,000 per incident, but due to their frequency these incidents racked up to $3.8 million per year, per organization.
7. Motivations
The figures come from Verizon's Insider Threat Report, a report released this week that reframes data from the company's 2018 Data Breach Investigations Report (DBIR).
8. Edward Snowden Case
- was a Central Intelligence Agency (CIA) employee and subcontractor
- was given full administrator privileges with virtually unlimited access to NSA data
- copied and leaked thousands of highly classified documents from the National Security Agency (NSA) in June 2013
- the disclosures revealed numerous global surveillance programs run by the NSA, European governments, the Five Eyes intelligence alliance and telecom companies
Snowden is very technical
- six months of full-time training at the CIA's secret school for technology specialists
- a former NSA co-worker said Snowden was a "genius among geniuses" who created a widely implemented backup system for the NSA and often pointed out security flaws to the agency
- was offered a position on the NSA's elite team of hackers, Tailored Access Operations
9. Other US military cases
Chelsea Manning
- former US Army soldier, assigned in 2009 to an Army unit in Iraq as an intelligence analyst
- disclosed to WikiLeaks nearly 750,000 classified, or unclassified but sensitive, military and diplomatic documents in early 2010
Harold T. Martin III
- accused of stealing approximately 50 terabytes of data
- from the Central Intelligence Agency, the National Security Agency, the United States Cyber Command, the United States Department of Defense and the National Reconnaissance Office
- US government agencies failed to effectively detect and respond to Martin's practices and behaviors over 10 to 20 years, until 2016
10. US Gov Reactions to Insider Threat
October 2011: US President Obama issued Executive Order 13587, establishing the National Insider Threat Task Force (NITTF)
2017: NITTF Insider Threat Guide, and NITTF Tech Bulletin 20180527: How Committee on National Security Systems Directive 504 (CNSSD 504, the technical core of insider threat prevention) Defines User Activity Monitoring (UAM)
November 1, 2018: NITTF released the Insider Threat Program Maturity Framework, an aid for advancing federal agencies' programs beyond the Minimum Standards, which builds upon the 2017 NITTF Insider Threat Guide
11. Committee on National Security Systems Directive 504 (CNSSD 504) - 2016
Technical functionality that a user activity monitoring (UAM) solution must have to meet the Directive's requirements
UAM: “technical capability to observe and record the actions and activities of an individual, at any time, on any device accessing U.S. Government information in order to detect insider threats and to support authorized investigations.”
- a structured, consistent, and continuous collection and reporting process
- across the whole of an organization at the device level
- for identifying, assessing, deciding upon responses to, and acting upon specific analysis of insider threat behaviors
Every department and agency (D/A) should have five minimum technical capabilities to collect user activity data:
- keystroke monitoring
- full application content (e.g., email, chat, data import, data export)
- screen capture
- file shadowing for all lawful purposes (i.e., the ability to track documents when the names and locations have changed)
- collected UAM data must be attributable to a specific user; the D/A should incorporate UAM data into an analysis system that is capable of identifying anomalous behavior
12. Cybersecurity Maturity Model Certification (CMMC)
July 16, 2019: DoD announces the Cybersecurity Maturity Model Certification (CMMC) initiative
- a framework aimed at assessing and enhancing the cybersecurity posture of the Defense Industrial Base (“DIB”), particularly for controlled unclassified information (“CUI”)
- in response to a series of high-profile breaches of DoD information
- all companies conducting business with the DoD, including subcontractors, must be certified
13. User and Entity Behavior Analytics (UEBA)
Examples of machine-learning detection algorithms:
- User tracking: deviances from norms of user logon and logoff behavior
- SMB tracking: deviances from normal SMB behaviors indicating lateral movement
- Printing tracking: deviances from normal printing behaviors of each user
- Process profiling: deviances from norms of process behavior
“Data Exfiltration” detection
- Insiders can gather important data (databases of classified material, SSNs, financials, secrets...), compress and encrypt it, and then exfiltrate it to external sites
- Detected as deviances from historical and seasonal norms of network volume
Several other detections about anomalies in certs, networks, eop registries, process tampering, user activities…
Deep Learning, Bayesian network, Naïve Bayes, Regression…
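The two detections above that the slide describes in the most detail are deviation from a user's logon norm and deviation from the seasonal norm of network volume. The following is an added example, not Veramine's code or model: it builds a per-user logon baseline and a per-(weekday, hour) volume baseline from constructed events and flags observations that fall outside them. The mean/stdev statistics stand in for whatever learned model a real UEBA engine would use, and all users, timestamps and byte counts are constructed.

```python
"""Baseline-and-deviation checks of the kind a UEBA engine runs on endpoint
telemetry. All events below are constructed for the example; the statistics
are deliberately simple (mean/stdev per user and per seasonal slot) and
stand in for a trained model."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed logon history: (user, ISO timestamp) of successful logons.
# alice logs on at 08:00/09:00/17:00, bob at 07:30/12:30/16:30, for ~4 weeks.
LOGON_HISTORY = [
    ("alice", f"2024-03-{d:02d}T{h:02d}:00:00") for d in range(4, 30) for h in (8, 9, 17)
] + [
    ("bob", f"2024-03-{d:02d}T{h:02d}:30:00") for d in range(4, 30) for h in (7, 12, 16)
]

# Constructed outbound byte counts for one host, keyed by (weekday, hour),
# four weeks of samples: busy in business hours, quiet otherwise.
VOLUME_HISTORY = defaultdict(list)
for week in range(4):
    for weekday in range(7):
        for hour in range(24):
            base = 5_000_000 if weekday < 5 and 8 <= hour < 18 else 200_000
            VOLUME_HISTORY[(weekday, hour)].append(base + 50_000 * ((week + hour) % 3))


def logon_baseline(history):
    """Per user: the set of logon hours seen, plus mean and stdev of the hour."""
    hours = defaultdict(list)
    for user, ts in history:
        hours[user].append(datetime.fromisoformat(ts).hour)
    return {u: (set(h), mean(h), pstdev(h)) for u, h in hours.items()}


def logon_deviation(baseline, user, ts, k=2.0):
    """Return a finding label, or None if the logon fits the user's norm.
    Hour-of-day is treated as linear (not circular), which is enough here."""
    if user not in baseline:
        return "unknown_user"
    seen, mu, sigma = baseline[user]
    hour = datetime.fromisoformat(ts).hour
    if hour in seen:
        return None
    if abs(hour - mu) > k * max(sigma, 1.0):
        return "off_hours_logon"
    return None


def volume_baseline(history):
    """Seasonal norm: mean and stdev of bytes for each (weekday, hour) slot."""
    return {slot: (mean(v), pstdev(v)) for slot, v in history.items()}


def volume_zscore(baseline, ts, observed_bytes):
    """How many stdevs the observed volume sits above the slot's norm."""
    t = datetime.fromisoformat(ts)
    mu, sigma = baseline[(t.weekday(), t.hour)]
    return (observed_bytes - mu) / max(sigma, 1.0)


def exfil_suspect(baseline, ts, observed_bytes, threshold=4.0):
    """Flag a volume spike large enough to warrant a data-exfiltration review."""
    return volume_zscore(baseline, ts, observed_bytes) > threshold


if __name__ == "__main__":
    lb, vb = logon_baseline(LOGON_HISTORY), volume_baseline(VOLUME_HISTORY)
    print(logon_deviation(lb, "alice", "2024-04-01T02:00:00"))  # off_hours_logon
    print(round(volume_zscore(vb, "2024-03-11T10:00:00", 50_000_000), 1))
```

The seasonal slot is the important design choice: a 50 MB burst at 10:00 on a Monday and the same burst at 02:00 on a Sunday are compared against different norms, which is what "historical and seasonal norms" on the slide means in practice. The per-user hour set also avoids re-alerting on hours the user has already demonstrated are normal.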
15. CNN: AlexNet
[Figure: AlexNet architecture. Input 227×227×3 → conv 11×11, s=4 → 55×55×96 → max-pool 3×3, s=2 → 27×27×96 → conv 5×5, same → 27×27×256 → max-pool 3×3, s=2 → 13×13×256 → conv 3×3, same → 13×13×384 → conv 3×3 → 13×13×384 → conv 3×3 → 13×13×256 → max-pool 3×3, s=2 → 6×6×256 → flatten 9216 → FC 4096 → FC 4096 → softmax 1000]
[Krizhevsky et al., 2012. ImageNet classification with deep convolutional neural networks] From Coursera
16. Summary of RNN types
[Figure: RNN architectures: one to one, one to many, many to one, many to many (two variants)] From Coursera
17. User Activities Monitoring (UAM): User Control
- Keylogging, screenshot captures, activities on browsing, email, SMB
- Data on user, sessions, console, RDP…
- Use case example: monitoring activities on the most important servers, such as AD, DB, SMB and data center servers, and on designated computers accessing those servers
- Video capability: near-real-time “video” capability to view user activities at endpoints
18. User Activities Monitoring (UAM): Device Control
- The devices policy defines a list of USB devices based on their Vendor ID, Product ID and Serial.
- When such a device is plugged in, the sensor can block or allow access to this USB device based on policy settings.
- History of USB activities such as inserts and removals.
19. User Activities Monitoring (UAM): Device Control
A specific device, vendor, or product ID can be given:
- No Access (blocked)
- Read-Only Access
- Read-Write Access
All by policy.
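Slides 18 and 19 describe a policy keyed on vendor ID, product ID and serial, with block / read-only / read-write outcomes and a history of insert and removal events. The following is an added example of that evaluation logic, written for this page and not Veramine's policy format or sensor code. It assumes the usual "most specific rule wins" precedence (serial over product over vendor), parses the Windows-style device instance ID `USB\VID_xxxx&PID_xxxx\serial`, and uses a constructed policy and constructed devices.

```python
"""USB device-control policy evaluation of the kind the slides describe.
Rule shapes, the instance-ID parser and all sample devices are constructed
for this example; they are not Veramine's policy format."""
import re
from dataclasses import dataclass
from typing import Optional

ACTIONS = ("block", "read_only", "read_write")


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str


@dataclass(frozen=True)
class Rule:
    """vendor_id alone matches a whole vendor; add product_id to narrow to a
    product; add serial to pin down one physical device."""
    action: str
    vendor_id: int
    product_id: Optional[int] = None
    serial: Optional[str] = None

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")

    def matches(self, dev: UsbDevice) -> bool:
        return (self.vendor_id == dev.vendor_id
                and (self.product_id is None or self.product_id == dev.product_id)
                and (self.serial is None or self.serial == dev.serial))

    @property
    def specificity(self) -> int:
        return (self.product_id is not None) + (self.serial is not None)


# Windows device instance IDs look like USB\VID_0781&PID_5583\4C530001
_INSTANCE_ID = re.compile(r"^USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\\(.+)$")


def parse_instance_id(instance_id: str) -> UsbDevice:
    m = _INSTANCE_ID.match(instance_id)
    if not m:
        raise ValueError(f"not a USB instance id: {instance_id!r}")
    return UsbDevice(int(m.group(1), 16), int(m.group(2), 16), m.group(3))


def decide(policy, dev: UsbDevice, default="block") -> str:
    """Most specific matching rule wins; unmatched devices get the default.
    Among equally specific matches the first rule in the policy wins."""
    matching = [r for r in policy if r.matches(dev)]
    if not matching:
        return default
    return max(matching, key=lambda r: r.specificity).action


class UsbHistory:
    """Append-only record of insert/remove events and the decision taken."""

    def __init__(self):
        self.events = []

    def record(self, event: str, dev: UsbDevice, decision: Optional[str] = None):
        self.events.append({"event": event, "vid": dev.vendor_id,
                            "pid": dev.product_id, "serial": dev.serial,
                            "decision": decision})
        return self.events[-1]


# Constructed policy: vendor 0x0781 blocked as a whole, one of its products
# read-only, and one specific serial of that product read-write.
POLICY = [
    Rule("block", 0x0781),
    Rule("read_only", 0x0781, 0x5583),
    Rule("read_write", 0x0781, 0x5583, "4C530001"),
]


def on_insert(policy, history, instance_id):
    """What the sensor does on a plug-in event: parse, decide, log."""
    dev = parse_instance_id(instance_id)
    decision = decide(policy, dev)
    history.record("insert", dev, decision)
    return decision


if __name__ == "__main__":
    h = UsbHistory()
    print(on_insert(POLICY, h, r"USB\VID_0781&PID_5583\4C530001"))  # read_write
    print(on_insert(POLICY, h, r"USB\VID_0781&PID_5583\DEADBEEF"))  # read_only
    print(on_insert(POLICY, h, r"USB\VID_0781&PID_5591\X1"))        # block
    print(on_insert(POLICY, h, r"USB\VID_1234&PID_0001\X2"))        # block
```

The default of `block` for devices no rule mentions is the deny-by-default posture a device-control policy should start from; an allow-by-default policy only ever catches the devices someone already thought to list.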
20. Forensics
- Based on Velociraptor, collecting artifacts from endpoints
- Includes ~60 Windows artifacts
- Instantly send an action to one host or many. Actions are sent immediately to connected hosts and queued for disconnected hosts.
21. Forensics
Can use built-in collection tasks or define new ones
VQL: SELECT [Columns] FROM [plugins(args)] WHERE [Conditions]
22. Forensics
VQL, a simple extension of SQL, allows artifact collection tasks to be quickly programmed, automated and shared. Turn-around from IOC to full hunt: a few minutes.
E.g. VQL to collect files (artifacts) in users' temp directory which have been created within the last week, or changed in the last hour. Its parameters:
- Target group of hosts
- Directory to search
- Required age of files
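The collection task on this slide has three parameters (target hosts, directory, file age) and a two-part age condition (created within a week or modified within an hour). The following is an added example that re-implements that selection in Python so it runs stand-alone; it is not VQL and not Veramine's or Velociraptor's code. The host-group inventory, the temp path and the file records are constructed; `walk_directory` shows how the same records would be built from a live file system.

```python
"""Selection logic of the collection task described on the slide, written in
Python rather than VQL so it runs stand-alone: files under a directory on a
target host group, created within the last week or modified within the last
hour. Records, host groups and paths are constructed for this example."""
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class FileRecord:
    host: str
    path: str
    created: datetime
    modified: datetime
    size: int


# Constructed host inventory: host name -> group label used as the task target.
HOST_GROUPS = {"ws01": "workstations", "ws02": "workstations", "fs01": "fileservers"}


def _norm(path: str) -> str:
    """Case-insensitive, separator-agnostic form, as Windows paths compare."""
    return path.replace("\\", "/").rstrip("/").lower()


def under_directory(path: str, directory: str) -> bool:
    return _norm(path).startswith(_norm(directory) + "/")


def select_artifacts(records, now, target_group, directory,
                     created_within=timedelta(days=7),
                     modified_within=timedelta(hours=1)):
    """Apply the task's three parameters: target hosts, directory, file age."""
    selected = []
    for r in records:
        if HOST_GROUPS.get(r.host) != target_group:
            continue
        if not under_directory(r.path, directory):
            continue
        recently_created = now - r.created <= created_within
        recently_modified = now - r.modified <= modified_within
        if recently_created or recently_modified:
            selected.append(r)
    return selected


def walk_directory(host, directory):
    """Build records from a live directory. st_ctime is creation time on
    Windows but inode change time on Linux, so 'created' is approximate there."""
    records = []
    for root, _, names in os.walk(directory):
        for name in names:
            p = os.path.join(root, name)
            try:
                st = os.stat(p)
            except OSError:  # file vanished or unreadable: skip, don't abort
                continue
            records.append(FileRecord(
                host, p,
                datetime.fromtimestamp(st.st_ctime, timezone.utc),
                datetime.fromtimestamp(st.st_mtime, timezone.utc),
                st.st_size))
    return records


NOW = datetime(2024, 4, 1, 12, 0, tzinfo=timezone.utc)
TEMP = r"C:\Users\alice\AppData\Local\Temp"

# Constructed records covering each branch of the age condition, plus a file
# outside the directory and a file on a host outside the target group.
SAMPLE = [
    FileRecord("ws01", TEMP + r"\setup.tmp", NOW - timedelta(days=2), NOW - timedelta(days=2), 4096),
    FileRecord("ws01", TEMP + r"\cache.bin", NOW - timedelta(days=30), NOW - timedelta(minutes=30), 10),
    FileRecord("ws01", TEMP + r"\old.log", NOW - timedelta(days=30), NOW - timedelta(hours=2), 10),
    FileRecord("ws02", r"C:\Users\bob\Documents\notes.txt", NOW - timedelta(hours=1), NOW - timedelta(hours=1), 10),
    FileRecord("fs01", TEMP + r"\server.tmp", NOW - timedelta(days=1), NOW - timedelta(days=1), 10),
]


def run_task():
    """The slide's task against the constructed records: paths to collect."""
    return [r.path for r in select_artifacts(SAMPLE, NOW, "workstations", TEMP)]
```

Note the prefix check appends a separator before comparing, so `...\Temp2\x` is not mistaken for a file under `...\Temp`; that is an easy bug to ship in a collector that is then trusted to scope a hunt.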
23. Forensics
The Forensics tab has searching, sorting and filtering
Cancel queued collection jobs; delete results from already-run jobs
24. Forensics
New Forensics tab under “Response”
List of jobs + state (queued, in progress, completed, error)
25. Forensics
We show the Velociraptor JSON output, sortable and searchable
The results ZIP has TXT, CSV, JSON and the collected files
26. Combined with Solutions for External Threats
3 endpoint solutions that can also be packaged into 3-in-1:
- Endpoint Detection and Response (EDR), a main anti-APT tool set, to effectively provide Detection, Investigation, Response, Data Collection...
- Dynamic Deception System (DDS), a platform of traps, such as deceptive services, processes, mutexes, credentials, network listeners, data shares, registry helper, virtual boxes, VMs..., as Active Defense to detect and prevent attacks
- Insider Threat Prevention (ITP), combining advanced controls of users, data and devices, such as key loggers, screenshots, browsing and email activities, USB tracking and permissions, digital forensics...
27. EDR Detection for Insider Threat
- Detection and tracking of insider threats through SMB network share access: SMB file share tracking; where people copy files from a network share to their local drive; capture of the copied files; exfiltration
- Look for compromised accounts, e.g. where mimikatz has been used to obtain credentials
28. IR Investigation: Yara Memory Search
The sensor reports processes matching a Yara expression (per process, not only a system-wide match)
29. Yara Memory Search Easy UX
Customers can save and update commonly-used Yara expressions
Schedule periodic Yara memory search
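The point of slides 28 and 29 is that a memory search answers "which processes match", not just "does this host match". The following is an added example of that per-process reporting shape; it is not Veramine's sensor and not YARA. The matcher implements a small YARA-like subset (text strings, hex strings with `??` wildcards, `any`/`all` conditions) as a constructed stand-in so the example runs offline, and the rules, process list and memory contents are all constructed.

```python
"""A per-process memory scan in the style of the slide: each process's memory
regions are scanned against rules and matches are reported per process, not
as a single host-wide verdict. The matcher implements a small YARA-like
subset (text strings, hex strings with ?? wildcards, any/all conditions);
it is a constructed stand-in, not YARA, and the processes are constructed."""


def compile_hex(pattern: str):
    """'DE AD ?? EF' -> [0xDE, 0xAD, None, 0xEF]; None is a one-byte wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]


def find_hex(buf: bytes, needle) -> int:
    """Offset of the first wildcard-aware match of needle in buf, or -1."""
    n = len(needle)
    for i in range(len(buf) - n + 1):
        if all(b is None or buf[i + j] == b for j, b in enumerate(needle)):
            return i
    return -1


class Rule:
    def __init__(self, name, strings, condition="any"):
        # strings: {"$id": ("text", "literal")} or {"$id": ("hex", "DE AD ?? EF")}
        if condition not in ("any", "all"):
            raise ValueError("condition must be 'any' or 'all'")
        self.name, self.condition = name, condition
        self.strings = {sid: (compile_hex(val) if kind == "hex" else val.encode())
                        for sid, (kind, val) in strings.items()}

    def match(self, buf: bytes):
        """Return {string_id: offset} if the condition holds, else None."""
        hits = {}
        for sid, s in self.strings.items():
            off = find_hex(buf, s) if isinstance(s, list) else buf.find(s)
            if off >= 0:
                hits[sid] = off
        satisfied = bool(hits) if self.condition == "any" else len(hits) == len(self.strings)
        return hits if satisfied else None


def scan_processes(rules, processes):
    """processes: {pid: (image_name, [region_bytes, ...])}.
    Returns one finding per (process, rule, region) that matched, so an
    analyst sees exactly which process and which region hit which rule."""
    findings = []
    for pid, (image, regions) in processes.items():
        for rule in rules:
            for idx, region in enumerate(regions):
                hits = rule.match(region)
                if hits:
                    findings.append({"pid": pid, "image": image, "rule": rule.name,
                                     "region": idx, "strings": hits})
    return findings


# Constructed rules: same two strings, once with 'any' and once with 'all'.
RULES = [
    Rule("constructed_marker_any", {"$txt": ("text", "CONSTRUCTED_TOOL_MARKER"),
                                    "$hex": ("hex", "DE AD ?? BE EF")}),
    Rule("constructed_marker_all", {"$txt": ("text", "CONSTRUCTED_TOOL_MARKER"),
                                    "$hex": ("hex", "DE AD ?? BE EF")}, condition="all"),
]

# Constructed memory snapshots: pid -> (image name, list of region contents).
PROCESSES = {
    100: ("a.exe", [b"\x00" * 16 + b"CONSTRUCTED_TOOL_MARKER" + b"\x00" * 8]),
    200: ("b.exe", [b"prefix", b"\x90\x90\xde\xad\x01\xbe\xef\x90"]),
    300: ("c.exe", [b"CONSTRUCTED_TOOL_MARKER\xde\xad\xff\xbe\xef"]),
    400: ("d.exe", [b"nothing to see"]),
}


def demo():
    return scan_processes(RULES, PROCESSES)


if __name__ == "__main__":
    for f in demo():
        print(f["pid"], f["image"], f["rule"], f["region"], f["strings"])
```

In a real deployment the matcher would be YARA itself (yara-python can scan a live process by pid), and the sensor would walk the process's readable regions; what carries over from this example is the reporting shape, a finding keyed by pid, rule and region, which is what lets a scheduled scan be triaged per process rather than re-run by hand.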
36. Performance
On average the sensor takes less than 1% CPU and 20 MB RAM.
On average, per host, network traffic is less than 30 MB per day.
Network traffic can be further tuned using collection policies, which configure which events the sensors collect.