Presentation on how insider threats operate, their impact on organizations, and how technical and human indicators can be monitored to detect and neutralize them. Security operations teams should monitor these indicators to build a profile of an insider who may be going rogue.
1. (c) 2014 All rights reserved. Insider Threat Kill Chain 1
Insider Threat Kill Chain
Detecting Human Factors of Compromise
Tarun Gupta
Information Security Expert
email@tgupta.com
2.
“Your organization’s greatest
asset is also its greatest threat.”
PEOPLE.
3. Case Study : Insider Threat
Hosting Company; Location Confidential (NDA)
Disgruntled System Admin; No Bonus for Last 4 Years
5000+ e-Commerce Websites Down; Holiday Season (--$$$$)
< 2 Minutes and 100 Characters of Code
Moved Apache Config File; Service Did Not Restart
Disgruntled Web Server Administrator Breaking Bad
4. Research & Statistics : Insider Threat (Forrester)
Source : Forrester Study “Understand the State of Data Security and Privacy. 2013”
Bottom line : insiders remain a major source of data breaches
5. Research : Insider Threat (PWC)
Source : PWC 2013 US Cybercrime Survey Report
6. Insider Threat Intentions
Intentions
Financial Gain
Career Advancement; Promotion
Revenge; Disgruntled
Thrill; Curiosity
Personal Motive
Accidental; Human Error
Political Cause (Hacktivist)
THREAT = CAPABILITY x INTENT
Source : CERT breakdown of Insider Threats: Fraud 37%; IT Sabotage 21%; Espionage 19%; IP Theft 15%; Others 8%
7. Case Study : Insider Threat
7 May 2014 ; Nicholas Paul Knight, 27 (a.k.a. “nuclear black hat”)
Attempt to hack naval database; while on ship
Member of Hacking Group; Hacked Pentagon Earlier
Motivation : Anti-government Sentiment, Boredom and Thrill-seeking
Boasted NAVY.MIL Owned
Network Admin Allegedly Hacked Navy ; While on Carrier
Source : http://www.wired.com/2014/05/navy-sysadmin-hacking/
8. Insider Threat Kill Chain
Stages along the timeline: Recruitment / Tipping Point -> Search / Recon -> Acquisition / Collection -> Exfiltration / Action
Control phases: Prevent -> Detect -> Respond
Starting point: the insider already holds Authorized Credentials
Prevent (Defensive Controls): Security Policies; Awareness & Training; Access Control; Split Access; Least Privilege
Detect (Controls): Event Logging & Review; Integrity Checking; Independent Auditing; Mandatory Rotation; Large Data Transfers
Respond (Controls): Backup & Recovery Process; Insider Response Plan; Network & System Audit; Forensics; Quarantine User & Systems; Credential Revoke Process
Indicators (Technical & Non-Technical, i.e. HR, Legal, Facility etc.) are collected across all stages
9. Prevent : Human Indicators of Compromise
Consistently First In & Last Out of Office (always aware & in control)
12+ Months of Unused Vacation
Lifestyle Changes (Spending, Socializing, Marital Status)
Resigned ; Serving Notice Period
Lay-Off Notification (Redundant Position)
Passed over for Promotion/ Raise
Pending Disciplinary Action or Investigation
Recommended Control – Create HR Watch List
10. Prevent : Awareness & Training
Consider Threats from Insiders & Partners in Risk Assessments
Background Checks (Positions of Trust & Higher Access)
Clearly Document & Enforce Policies and Controls (Code of Conduct etc.)
Periodic Security Awareness Training (Employees, Contractors, Partners)
Monitor & Respond to Suspicious or Disruptive Behavior
Anticipate & Manage Negative Workplace Issues
Secure and Track Physical Environment
Establish Clear Lines of Communication and Process between HR, Legal & IT regarding Information Security
11. Prevent : Human to Machine Indicators
Increasing Number of Logins; Variation in Local/Remote
Logging into Network, Systems, Applications at Odd Times or on Holidays
Logging in Frequently during Vacation Time
Remote Logging Using Different Employee Credentials
Logging in from Multiple Locations (Proxy, VPN)
Changes in Websites Visited; Work vs Personal
Increased Printer/ Copier/ Scanner Usage
Export of Large Reports/Data/Downloads from Internal Systems (USB)
Executing Broad Database Queries (Select All ….)
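The indicators above can be expressed as rules over normalised login, database and data-transfer events. The following Python is an added example, not code from the deck: the events, the HR vacation record, the holiday and the working-hour, travel-window and export-size thresholds are all constructed or assumed, and a real deployment would feed them from the VPN, database audit and DLP logs and from the HR watch list.

```python
"""Rule-based scoring of 'human to machine' insider indicators.

Added example (not from the original deck). Input events, vacation
records and thresholds below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, date, timedelta

# Constructed sample telemetry, already normalised from VPN, database
# and DLP logs into one event shape: (user, timestamp, kind, source, detail).
EVENTS = [
    ("alice", "2014-06-02T09:15:00", "login", "office-lan", ""),
    ("alice", "2014-06-02T18:30:00", "login", "office-lan", ""),
    ("bob",   "2014-06-02T02:47:00", "login", "vpn:203.0.113.9", ""),
    ("bob",   "2014-06-02T03:10:00", "login", "vpn:198.51.100.7", ""),
    ("bob",   "2014-06-02T03:12:00", "query", "db:crm", "SELECT * FROM customers"),
    ("bob",   "2014-06-02T03:20:00", "download", "dlp:usb", "customers.csv 734003200"),
    ("carol", "2014-06-07T11:00:00", "login", "vpn:192.0.2.44", ""),   # a Saturday
    ("dave",  "2014-06-09T10:00:00", "login", "office-lan", ""),
]

# HR feed (constructed): approved leave, so logins inside it are anomalous.
VACATIONS = {"carol": (date(2014, 6, 2), date(2014, 6, 13))}
HOLIDAYS = {date(2014, 6, 9)}        # constructed public holiday

WORK_HOURS = (7, 20)                 # assumed local working hours
TRAVEL_WINDOW = timedelta(hours=1)   # two sites within this window is suspicious
EXPORT_BYTES = 100 * 1024 * 1024     # assumed 100 MiB download threshold


def _site(source):
    """Collapse a source string to a location bucket: office vs each VPN address."""
    return source if source.startswith("vpn:") else "office"


def indicators(events=EVENTS, vacations=VACATIONS, holidays=HOLIDAYS):
    """Return a dict user -> sorted list of indicator names that fired."""
    hits = defaultdict(set)
    last_site = {}                      # user -> (site, time) of previous login
    for user, ts, kind, source, detail in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if kind == "login":
            hour_ok = WORK_HOURS[0] <= t.hour < WORK_HOURS[1]
            if not hour_ok or t.weekday() >= 5 or t.date() in holidays:
                hits[user].add("odd-hours-login")
            start, end = vacations.get(user, (None, None))
            if start and start <= t.date() <= end:
                hits[user].add("login-during-vacation")
            site = _site(source)
            prev = last_site.get(user)
            if prev and prev[0] != site and t - prev[1] <= TRAVEL_WINDOW:
                hits[user].add("multiple-locations")
            last_site[user] = (site, t)
        elif kind == "query":
            # "Select all" with no WHERE/LIMIT is the broad-query pattern.
            q = " ".join(detail.upper().split())
            if q.startswith("SELECT *") and " WHERE " not in q and " LIMIT " not in q:
                hits[user].add("broad-query")
        elif kind == "download":
            size = int(detail.rsplit(" ", 1)[1])
            if size >= EXPORT_BYTES:
                hits[user].add("large-export")
    return {u: sorted(v) for u, v in hits.items()}


def watch_list(events=EVENTS, min_hits=2):
    """Users that tripped at least min_hits distinct indicators, worst first."""
    scored = indicators(events)
    return sorted((u for u in scored if len(scored[u]) >= min_hits),
                  key=lambda u: (-len(scored[u]), u))


if __name__ == "__main__":
    for user, names in sorted(indicators().items()):
        print(f"{user}: {', '.join(names)}")
    print("watch list:", watch_list())
```

Each indicator is weak on its own (an administrator legitimately logs in at 3 a.m. during an outage), so the watch list only lists users who trip several of them; the HR indicators from slide 9 should weight that score rather than be replaced by it.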
12. Prevent & Detect : Policy & Technology Controls
Implement Strict Account & Password Policy
Enforce Separation of Duties, Split Authority & Least Privilege
Extra Caution with System, Network, Application & Database Administrators
Administer and Review Privileged Users
Implement System Change Controls (Integrity Checker; Change Management Process)
Deactivate System & Network Access on Termination or Resignation
Log, Monitor & Audit Employees’ Network Activity
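An integrity checker over configuration directories is the change control that would have surfaced the case study on slide 3 at the next scheduled check rather than at the failed restart. The following Python is an added example, not the deck's code: the Apache-style file names and contents are constructed, and SHA-256 baselining with a same-digest rename heuristic is this example's assumption about how such a checker works.

```python
"""File-integrity baseline and drift report for configuration directories.

Added example (not from the original deck). The Apache-style file names
and contents below are constructed to replay the case study: a config
file is moved, the baseline no longer matches, and the drift is reported
by the next scheduled check.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every regular file under root (relative path) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            hashes[os.path.relpath(path, root)] = h.hexdigest()
    return hashes


def drift(baseline, current):
    """Classify differences between two snapshots.

    A move shows up as one 'removed' plus one 'added' entry with the same
    digest, which is the signature of the moved-config sabotage.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    renamed = sorted((r, a) for r in removed for a in added
                     if baseline[r] == current[a])
    return {"added": added, "removed": removed,
            "modified": modified, "renamed": renamed}


def replay_case_study():
    """Create a throwaway config tree, baseline it, move the Apache vhost
    file out of the include path, and return the drift report."""
    with tempfile.TemporaryDirectory() as root:
        conf_dir = os.path.join(root, "conf.d")
        os.makedirs(conf_dir)
        with open(os.path.join(conf_dir, "shop.conf"), "w") as fh:
            fh.write("<VirtualHost *:80>\n    ServerName shop.example\n</VirtualHost>\n")
        with open(os.path.join(root, "httpd.conf"), "w") as fh:
            fh.write("Include conf.d/*.conf\n")
        baseline = snapshot(root)
        # Sabotage: the vhost file is moved where the Include no longer sees it.
        os.rename(os.path.join(conf_dir, "shop.conf"),
                  os.path.join(root, "shop.conf.bak"))
        return drift(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, items in replay_case_study().items():
        print(f"{kind}: {items}")
```

The baseline must be stored and compared from a host that the administrators under review cannot write to; otherwise the same privileged insider simply re-baselines after the change, which is the split-access point made above.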
13. What to Log ? (Bare Minimum to Start)
Firewall & Remote Access Logs
Unsuccessful Login Attempts
Intrusion Detection Systems (IDS/IPS) Logs
Web Proxies (Internet Gateway)
DNS Logs
Antivirus Alerts
Change Management Events (Ex. Integrity)
14. Log Intelligence & Analytics
Inputs: Vulnerability Data; User Activity; Host & Server Activity; Database Activity; Application Activity; Configuration Data; Security Devices; Physical Access; Directory; Compliance Reports
Real-Time Correlation “Means” BIG DATA
Outputs: Actionable Intelligence; Analytics; Forensics; Retention
15. All Logs Considered
Determine Log Volume – Events per Second; Redundant Information
Establish Log Management Policies & Procedures – Should Include Enabling, Retention & Security of Logs; Consult Legal & Compliance
– What is Collected ?
– Who Manages Logging Systems ? (Segregation of Duties)
False Positives – Tune Systems; Reduce Noise
Establish a Baseline – What is Normal Behavior ? Identify Anomalies
Accessing Information – Multiple Departments need Access; Challenges with Log Intelligence & SIEM
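Two of the points above, establishing a baseline of normal behavior and sizing log volume in events per second, can be shown concretely. The following Python is an added example, not from the deck: the 20-day history, the day under review and the timestamp burst are constructed, and using daily login count as the feature, a 3-sigma cut-off and a one-login floor for flat histories are assumptions to be tuned against the false-positive rate discussed above.

```python
"""Behavioural baseline for login telemetry plus a log-volume estimate.

Added example (not from the original deck). The history, the current-day
counts and the timestamps are constructed; the 3-sigma cut-off and the
choice of daily login count as the feature are assumptions a real
deployment would tune against its own false-positive rate.
"""
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

# Constructed 20 working days of (daily login count, set of source sites) per user.
HISTORY = {
    "alice": [(4, {"office"})] * 20,
    "bob":   [(3, {"office"})] * 15 + [(3, {"office", "vpn"})] * 5,
}
# Constructed observations for the day under review.
TODAY = {
    "alice": (5, {"office"}),                # slightly busier, same place
    "bob":   (19, {"vpn", "vpn-foreign"}),   # burst of logins and a new site
    "erin":  (2, {"office"}),                # no history at all
}
Z_CUTOFF = 3.0   # assumption: flag counts more than 3 sigma above the mean


def baseline(history=HISTORY):
    """Per-user mean, population std-dev and the set of sites seen before."""
    stats = {}
    for user, days in history.items():
        counts = [c for c, _ in days]
        sites = set().union(*(s for _, s in days))
        stats[user] = (mean(counts), pstdev(counts), sites)
    return stats


def anomalies(today=TODAY, history=HISTORY, z_cutoff=Z_CUTOFF):
    """Compare today's observations with the baseline; return user -> reasons."""
    stats = baseline(history)
    out = {}
    for user, (count, sites) in today.items():
        reasons = []
        if user not in stats:
            reasons.append("no-baseline")           # new or unmonitored account
        else:
            mu, sigma, known = stats[user]
            # A flat history has sigma 0, which would flag any change at all;
            # floor it at one login so the cut-off stays meaningful.
            floor = max(sigma, 1.0)
            z = (count - mu) / floor
            if z > z_cutoff:
                reasons.append(f"login-count z={z:.1f}")
            new_sites = sorted(sites - known)
            if new_sites:
                reasons.append("new-site:" + ",".join(new_sites))
        if reasons:
            out[user] = reasons
    return out


def events_per_second(timestamps):
    """Average and peak events per second from ISO timestamps, for sizing
    collectors and retention (one-second bucket histogram)."""
    stamps = sorted(datetime.fromisoformat(t) for t in timestamps)
    buckets = Counter(t.replace(microsecond=0) for t in stamps)
    span = max(1.0, (stamps[-1] - stamps[0]).total_seconds())
    return len(stamps) / span, max(buckets.values())


if __name__ == "__main__":
    print(anomalies())
    burst = (["2014-06-02T03:12:00"] * 6 + ["2014-06-02T03:12:01"] * 2
             + ["2014-06-02T03:12:03"])
    print(events_per_second(burst))
```

Users without a baseline are reported rather than silently skipped, since new accounts are exactly where coverage gaps hide; the peak figure, not the average, is what the collector and SIEM licence must be sized for.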
16. Insider Threat Response
Implement Secure Backup & Recovery Processes
– Data, Configuration, Documents & Logs
Quickly Audit User’s Network & System Behavior
Quarantine User
– Disconnect User from Network (LAN, WAN, Remote)
– Revoke Credentials
– Seize Workstation, Mobile Devices & Equipment
– Disable Physical Facility Access
Develop an Insider Response Plan (Inter-Departmental; IT, HR)
– Communication Protocol (engaging with Insider, confrontation)
– Synchronize with HR Watch List, Resignation etc.
17.
Thank You.
DISCLAIMER
The views and opinions expressed herein are those of the author and are based on best practice, research or information
available in public domain. The information contained herein is of a general nature, education and professional use only and is
not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and
timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue
to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough
examination of the particular situation.
The information contained in the attached document is not legal advice but is intended to provide guidance for educational use only. While every care has been taken in the preparation of the attached document, you should refer to your own legal counsel for advice on your specific business requirements.
Examples, values and/or sample data are indicative and by no means conclusive. They are strictly for educational and informational use only. Users need to evaluate their business processes and infrastructure to define the appropriate levels best suited to their business needs.
All brands and trademarks mentioned in this document may be registered or protected by third parties and are solely subject to the trademark and ownership rights of the registered owner. The author gives due credit to each person, organization or agency for its original work or publication.
Editor's notes
The “Kill Chain” is a traditional warfare term most often used by the US Air Force in defining the command and control process for targeting and destroying enemy forces in order to make it most difficult for the enemy to continue in battle.
Tipping Point – a good employee going bad.
Insiders often have higher access and authorized credentials.