5 Signs You Have An Insider Threat

Brian Butler, CSE

Upload: lancope-inc

Post on 07-Jan-2017

59 pages

TRANSCRIPT

Page 1

5 Signs You Have An Insider Threat

Brian Butler, CSE

Page 2

Changes in Attack Behavior

“It’s not about the 98% you catch, it’s about the 2% you miss.”

– NSS Labs: Analyst Brief

Page 3

Insider Threat Motivations

• Financial gain

  Selling stolen data or directly competing with their former employer

• Convenience

  Using unapproved workarounds to speed things up or assist an end user

– 2015 Verizon Data Breach Investigations Report

Page 4

Top Insider Threats by Role

(Bar chart; role labels extracted: End user, Cashier, Finance, Executive; values extracted: 11.2%, 10.4%, 37.6%, 16.8%. The label-to-value pairing is not preserved in the transcript.)

– 2015 Verizon Data Breach Investigations Report

Page 5

Who is Attacking the Network?

• Negligent Insiders – insiders who accidentally expose data, such as an employee who forgets their laptop on an airplane.

• Malicious Insiders – insiders who intentionally steal data or destroy systems.

• Compromised Insiders – insiders whose access credentials and/or computer have been compromised by an outside attacker.

Page 6

Trends In Enterprise Networks

• Bring Your Own Device (BYOD)

  Smart phones, tablets, storage

• Open Networks

  Guest, partner and contractor access

• Social Engineering

  Phishing, muleware

• Cloud Infrastructure

Are You Ready!!

Page 7

AWS Shared Responsibility Model

“While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter.”

– Amazon Web Services

Page 8

Cloud Security

• Internal East-West Traffic

  Monitoring traffic from host to host

  Cost of compromised resources

• External Traffic

  Traffic crossing the gateway

  Infiltrated data

  DDoS, external and internal

Page 9

Social Engineering Techniques

• Shoulder Surfing

• Dumpster Diving

• Trojan Horse

• Surfing Online

• Social Engineering

• Phishing

• Role Playing

Page 10

Social Engineering Made Easy

• Search for Public Facing Data

  Contact info

  Company infrastructure

• Employee Education and Policy

  Alerting end users

  Not allowing .ZIP etc.

Page 11

What is Muleware?

Muleware solicits the participation of the user and offers incentives to play a small role in the attack campaign.

“Up until this point, cybercriminals have attained their resources by exploiting and compromising devices, but wouldn’t it be more efficient and much more profitable to pay for these resources and turn thousands of would-be victims into part of the attacker’s supply chain?”

– Lancope CTO, TK Keanini

Page 12

5 Signs of Insider Threat Activity

• Policy Violations

• Stolen Credentials

• Suspicious Behavior

• Unauthorized Access

• Unusual Data Movement

Page 13

Stolen Credentials

“Two out of three breaches exploit weak or stolen passwords”

– Verizon, 2014 Data Breach Investigations Report

Page 14

Recent Data Breaches using Compromised Credentials

Target: 70,000,000

Adobe: 36,000,000

Home Depot: 56,000,000

Jimmy John’s Subs: 217 locations

Page 15

Breaches Have in Common

“Four replaced credit cards within two years!”

Page 16

5 Signs of Insider Threat Activity (agenda: Policy Violations, Stolen Credentials, Suspicious Behavior, Unauthorized Access, Unusual Data Movement)

Page 17

Suspicious Behavior

Host or End-User: communicating, or attempting to communicate, with an internal host that is ‘not normal’; connecting to ‘not normal’ outside hosts.

Page 18

Geographic Traffic Anomaly

Does the company conduct business in China?

Page 19

Geographic Traffic Anomaly

Historical application graph displaying FTP traffic to China in the past.

Page 20

Pattern Traffic Anomaly

Abnormal traffic pattern produced by a host or network segment.

Graph reporting a 3-layer DDoS attack used as a smoke screen hiding data exfiltration.

Page 21

Time of Day Anomaly

Network and/or host activity at abnormal hours.

Graph reporting server response time greatly increasing at 1:45 AM and 4:00 AM.

Page 22

5 Signs of Insider Threat Activity (agenda: Policy Violations, Stolen Credentials, Suspicious Behavior, Unauthorized Access, Unusual Data Movement)

Page 23

Unauthorized Access

(Diagram: Host or End-User → communications or attempts → Unauthorized Segments or Hosts)

Page 24

Unauthorized Access

Segmentation, compliance and sensitive data visibility

Page 25

Multiple Login

Ethel has logged in, one hour apart, from two locations several hundred miles apart.
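The Multiple Login sign above is an "impossible travel" check: two logins by the same account whose distance and time gap imply a travel speed no one could achieve. The following is an added example, not code from the deck or from Lancope; the 600 mph ceiling, the coordinates and the login events are constructed for illustration.

```python
# Added example (not from the Lancope deck): flag "impossible travel" logins,
# the Multiple Login sign, from constructed authentication events.
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_MPH = 600.0  # assumed plausibility ceiling (roughly airliner speed)

@dataclass
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    city: str  # label only, used in the alert detail

def miles_between(a: Login, b: Login) -> float:
    """Great-circle distance in miles (haversine) between two login locations."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 3958.8 * 2 * asin(sqrt(h))

def impossible_travel(events, max_mph=MAX_SPEED_MPH):
    """Return (user, from_city, to_city, miles, hours) for each pair of consecutive
    logins by the same user that would require travelling faster than max_mph."""
    alerts = []
    by_user = {}  # user -> most recent login seen so far
    for e in sorted(events, key=lambda e: e.when):
        prev = by_user.get(e.user)
        if prev is not None:
            miles = miles_between(prev, e)
            hours = max((e.when - prev.when) / timedelta(hours=1), 1 / 60)  # floor at 1 minute
            if miles / hours > max_mph:
                alerts.append((e.user, prev.city, e.city, round(miles), round(hours, 2)))
        by_user[e.user] = e
    return alerts

# Constructed sample: Ethel logs in from Atlanta, then one hour later from Dallas
# (about 720 miles away); Bob's two logins are both in Atlanta.
SAMPLE = [
    Login("ethel", datetime(2017, 1, 7, 9, 0), 33.75, -84.39, "Atlanta"),
    Login("ethel", datetime(2017, 1, 7, 10, 0), 32.78, -96.80, "Dallas"),
    Login("bob", datetime(2017, 1, 7, 9, 30), 33.75, -84.39, "Atlanta"),
    Login("bob", datetime(2017, 1, 7, 11, 0), 33.76, -84.40, "Atlanta"),
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE):
        print("ALERT multiple login:", alert)
```

In production the geolocation comes from an IP-to-location lookup and VPN egress points must be whitelisted, or every remote worker who switches to a corporate VPN will trip the check.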

Page 26

Malicious Insiders

Research indicates that insider threats typically conduct their attacks within 30 days of giving their resignation.

– CERT Insider Threat Center

Page 27

Malicious Insiders

Suspect Employee Visibility

Page 28

© 2014 Lancope, Inc. All rights reserved.

Scenario: The organization is at risk from a targeted attack!

The adversary is already in, using stolen credentials, so what are we defending against?

• Sabotage

• Espionage

• Data Loss

• Fraud

Security events have triggered indicating there is internal recon activity, a compromised server, and data exfiltration.

ALERT: Targeted Attack

1. Internal user performing recon.

2. Finds server, performs port scan to find a method to steal data, disables endpoint protection and begins collecting data.

3. Encrypts data and exfiltrates it out to Dropbox.


Page 34

5 Signs of Insider Threat Activity (agenda: Policy Violations, Stolen Credentials, Suspicious Behavior, Unauthorized Access, Unusual Data Movement)

Page 35

Unusual Data Movement

(Diagram: Host or End-User → Unauthorized Segments or Hosts)

Page 36

Unusual Protocol Behavior

Typical DNS protocol behavior

Page 37

Unusual Protocol Behavior

Not typical protocol behavior

Page 38

Application / Payload Mismatch

Port 53 used to move P2P data.

Page 39

Data Hoarding

• One to a few hosts reaching out and pulling data from multiple hosts in the enterprise

• Many more hosts touched than in a normal day’s workflow

Page 40

Data Exfiltration

• One to a few hosts sending data to hosts outside of the enterprise

• Typically seen after Data Hoarding is completed
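The three flow-based signs just described (the application/payload mismatch on port 53 from Page 38, Data Hoarding, and Data Exfiltration) can be scored from the same flow records. The following is an added example, not Lancope's or StealthWatch's code; the thresholds, the 10.201.0.0/16 enterprise range, the peer baselines and the flow records are constructed for the sample.

```python
# Added example (not Lancope's code): the Data Hoarding, Data Exfiltration and
# application/payload mismatch heuristics from the slides, applied to constructed
# flow records (src, dst, proto, dport, bytes). All thresholds are assumptions.
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.201.0.0/16")  # assumed enterprise address range
HOARD_MULT = 3.0          # distinct internal peers vs. the host's baseline
EXFIL_BYTES = 50_000_000  # bytes sent outside per host in the window
DNS_FLOW_BYTES = 4_096    # a single port-53 flow larger than this is suspect

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def analyze(flows, baseline_peers):
    """Return {sign: [(host, detail), ...]} for the three signs above.
    baseline_peers maps a host to its normal number of distinct internal peers."""
    peers = defaultdict(set)
    out_bytes = defaultdict(int)
    signs = defaultdict(list)
    for src, dst, proto, dport, nbytes in flows:
        if not is_internal(src):
            continue  # only inside-out behaviour is scored here
        if is_internal(dst):
            peers[src].add(dst)          # east-west: who is this host touching?
        else:
            out_bytes[src] += nbytes     # north-south: how much is leaving?
        if dport == 53 and nbytes > DNS_FLOW_BYTES:
            signs["application/payload mismatch"].append(
                (src, f"{proto}/53 flow of {nbytes} bytes to {dst}"))
    for host, seen in peers.items():
        base = baseline_peers.get(host, 5)  # assumed default baseline
        if len(seen) >= HOARD_MULT * base:
            signs["data hoarding"].append((host, f"{len(seen)} peers, baseline {base}"))
    for host, total in out_bytes.items():
        if total > EXFIL_BYTES:
            signs["data exfiltration"].append((host, f"{total} bytes sent outside"))
    return signs

# Constructed sample: a terminal server pulls data from 15 internal hosts, then
# pushes 120 MB to an outside host over UDP/53; a workstation behaves normally.
SAMPLE_FLOWS = (
    [("10.201.0.23", f"10.201.0.{n}", "tcp", 445, 2_000_000) for n in range(30, 45)]
    + [("10.201.0.23", "203.0.113.5", "udp", 53, 30_000_000)] * 4
    + [("10.201.3.18", "10.201.0.23", "tcp", 3389, 50_000),
       ("10.201.3.18", "10.201.0.2", "udp", 53, 300),
       ("10.201.3.18", "198.51.100.7", "tcp", 443, 800_000)]
)
BASELINE_PEERS = {"10.201.0.23": 3, "10.201.3.18": 4}

if __name__ == "__main__": print(dict(analyze(SAMPLE_FLOWS, BASELINE_PEERS)))
```

Hoarding only fires when a host's peer count exceeds its own baseline by the multiplier, which is why the workstation's handful of internal connections does not alert while the terminal server does.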

Page 41

Scenario: An internal user is stealing data!

The user could be a:

• Disgruntled employee

• Person about to leave the company

• Person with privileged credentials

• Person stealing and selling trade secrets

Security events have triggered indicating a user is connecting to a terminal server, collecting data from a sensitive database, and tunneling the traffic out of the network using P2P through UDP port 53 (DNS port).

ALERT: Insider Threat

1. Internal user connects to Terminal Server.

2. Terminal server used to collect sensitive data from within the same subnet inside the datacenter.

3. Terminal server used to encrypt data and tunnel through DNS port to an upload server.


Page 50

5 Signs of Insider Threat Activity (agenda: Policy Violations, Stolen Credentials, Suspicious Behavior, Unauthorized Access, Unusual Data Movement)

Page 51

Policy Violations

(Diagram labels: Enterprise Network, Host, End-User)

Page 52

Policy Violations

While this isn’t always indicative of an insider threat, violations of company network policies could represent an employee attempting to subvert perimeter defenses.

– Brian Butler, CSE

Page 53

Audit Firewall Rules

Screenshot text: “... is listed in a major DNS Black List use ip/dnsbl.”

Page 54

Contractor Violations


Page 58

http://www.lancope.com

Thank You

Page 59

Questions & Answers