Presentation about insider threat ways of working, their impact on organizations and how technical and human indicators can be monitored to detect and neutralize insider threats. Professionals working in security operations should monitor these indicators to create profile of possible insider going rogue.

1. (c) 2014 All rights reserved. Insider Threat Kill Chain 1
Insider Threat Kill Chain
Detecting Human Factors of Compromise
Tarun Gupta
Information Security Expert
email@tgupta.com

2. (c) 2014 All rights reserved. Insider Threat Kill Chain 2
“Your organization’s greatest
asset is also its greatest threat.”
PEOPLE.

3. Case Study : Insider Threat
(c) 2014 All rights reserved. Insider Threat Kill Chain 3
 Hosting Company; Location Confidential (NDA)
 Disgruntled System Admin; No bonus for last 4 years
 5000+ e-Commerce Websites Down; Holiday Season (--$$$$)
 < 2 minutes and 100 characters of code
 Moved Apache Config File; Service Did not re-Start
Disgruntled Web Server Administrator Breaking Bad

4. Research & Statistics : Insider Threat
(Forrester)
(c) 2014 All rights reserved. Insider Threat Kill Chain 4Source : Forrester Study “Understand the State of Data Security and Privacy. 2013”
Bottom-line : Insiders carry on as a major source
of data breach

5. Research : Insider Threat (PWC)
(c) 2014 All rights reserved. Insider Threat Kill Chain 5
Source : PWC 2013 US Cybercrime Survey Report

6. Insider Threat Intentions
(c) 2014 All rights reserved. Insider Threat Kill Chain 6
Intentions
 Financial Gain
 Career Advancement;
Promotion
 Revenge; Disgruntled
 Thrill; Curiosity
 Personal Motive
 Accidental; Human Error
 Political Cause (Hacktivist)
THREAT = CAPABILITY x
INTENT
Source : CERT breakdown of Insider Threats
IT Sabotage,
21%
Fraud, 37%
IP Theft, 15%
Espionage ,
19%
Others, 8%

7. Case Study : Insider Threat
(c) 2014 All rights reserved. Insider Threat Kill Chain 7
 7 May 2014 ; Nicholas Paul Knight, 27 (a.k.a. “nuclear black hat”)
 Attempt to hack naval database; while on ship
 Member of Hacking Group; Hacked Pentagon Earlier
 Motivation : Anti-government Sentiment, Boredom and Thrill-
seeking
 Boasted NAVY.MIL Owned
Network Admin Allegedly Hacked Navy ; While on Carrier
Source : http://www.wired.com/2014/05/navy-sysadmin-hacking/

8. Insider Threat Kill Chain
(c) 2014 All rights reserved. Insider Threat Kill Chain 8
Recruitment/
Tipping Point
Search/
Recon
Acquisition/
Collection
Exfiltration/
Action
Timeline
Prevent Detect Respond
Authorized Credentials
Defensive Controls
Security Policies
Awareness & Training
Access Control
Split Access
Least Privilege
Controls
Event Logging & Review
Integrity Checking
Independent Auditing
Mandatory Rotation
Large Data Transfers
Controls
Backup & Recovery Process
Insider Response Plan
Network & System Audit
Forensics
Quarantine User & Systems
Credential Revoke Process
Indicators
(Technical & Non Technical i.e. HR, Legal, Facility etc.)

9. Prevent : Human Indicators of Compromise
 Consistently First In & Last Out of Office (always aware & in
control)
 12 Month+ Unused Vacation
 Lifestyle Changes (Spending, Socializing, Marital Status)
 Resigned ; Serving Notice Period
 Lay-Off Notification (Redundant Position)
 Passed over for Promotion/ Raise
 Pending Disciplinary Action or Investigation
Recommended Control – Create HR Watch List

10. Prevent : Awareness & Training
 Consider Threats from Insiders & Partners in Risk Assessments
 Background Checks (Positions of Trust & Higher Access)
 Clearly Document & Enforce Policies and Controls (Code of
Conduct etc.)
 Periodic Security Awareness Training (Employees, Contractors,
Partners)
 Monitor & Respond to Suspicious or Disruptive Behavior
 Anticipate & Manage Negative Workplace Issues
 Secure and Track Physical Environment
 Establish Clear Lines of Communication and Process between
HR, Legal & IT regarding Information Security

11. Prevent : Human to Machine Indicators
 Increasing Number of Logins; Variation in Local/Remote
 Logging into Network, Systems, Applications at Odd Times or
Holidays
 Logging in Frequently during Vacation Times
 Remote Logging Using Different Employee Credentials
 Logging from Multiple Locations (Proxy, VPN)
 Changes in Websites Visit; Work vs Personal
 Increased Printer/ Copier/ Scanner Usage
 Export of Large Reports/Data/Downloads from Internal Systems
(USB)
 Executing Broad Database Queries (Select All ….)

12. Prevent & Detect : Policy & Technology
Controls
 Implement Strict Account & Password Policy
 Enforce Separation of Duties, Split Authority & Least Privilege
 Extra Caution with System, Network, Application & Database
Administrators
 Administer and Review Privileged Users
 Implement System Change Controls (Integrity Checker; Change
Management Process)
 Deactivate System & Network Access on Termination or
Resignation
 Log, Monitor & Audit Employees Network Activity

13. What to Log ?
 Firewall & Remote Access Logs
 Unsuccessful Login Attempts
 Intrusion Detection Systems (IDS/IPS) Logs
 Web Proxies (Internet Gateway)
 DNS Logs
 Antivirus Alerts
 Change Management Events (Ex. Integrity)
Bare Minimum to Start

14. Log Intelligence & Analytics
Vulnerability Data
User Activity
Host & Server Activity
Database Activity
Application Activity
Configuration Data Security Devices
Physical Access
Directory
Compliance Reports
Real-Time Correlation “Means” BIG DATA
Actionable
Intelligence
Analytics
Forensics
Retention

15. All Logs Considered
 Determine Log Volume – Events per Second; Redundant
Information
 Establish Log Management Policies & Procedures – Should
Include Enabling, Retention & Security of Logs; Consult Legal &
Compliance
– What is Collected ?
– Who Manages Logging Systems ? (Segregation of Duties)
 False Positives – Tune Systems; Reduce Noise
 Establish a Baseline – What is Normal Behavior ? , Identify
Anomalies
 Accessing Information – Multiple Departments need to Access;
Challenges with Log Intelligence & SIEM

16. Insider Threat Response
 Implement Secure Backup & Recovery Processes
– Data, Configuration, Documents & Logs
 Quickly Audit User’s Network & System Behavior
 Quarantine User
– Disconnect User from network (LAN, WAN, Remote)
– Revoke Credentials
– Cease Workstation, Mobile Devices & Equipment
– Disable Physical Facility Access
 Develop an Insider Response Plan (Inter Departmental; IT, HR)
– Communication Protocol (engaging with Insider, confrontation)
– Synchronize with HR Watch List, Resignation etc.

17. (c) 2014 All rights reserved. Insider Threat Kill Chain 17
Thank You.
DISCLAIMER
The views and opinions expressed herein are those of the author and are based on best practice, research or information
available in public domain. The information contained herein is of a general nature, education and professional use only and is
not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and
timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue
to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough
examination of the particular situation.
The information contained in the attached document is not legal advice but is rather intended to provide guidance or education
use only. While every care has been taken in the preparation of the attached document you should refer to your own legal
counsel for advice on your specific business requirements.
Examples, values and/or sample data is indicative and by no means conclusive. It is strictly for educational and information use
only. Users need to evaluate their business processes and infrastructure to define appropriate levels best suited for business
needs.
All brands and trademarks mentioned in document are possibly registered or protected by third parties are solely subject to the
trademark and ownership rights of the registered owner. The author gives due credit to person/ organization or agency for its
original work or publication.