5 signs you have an insider threat
Signs You Have An Insider Threat
Brian Butler, CSE
Changes in Attack Behavior
“It’s not about the 98% you catch, it’s about the 2% you miss.”
– NSS Labs: Analyst Brief
• Financial gain
• Selling stolen data or directly competing with their former employer
• Convenience
• Using unapproved workarounds to speed things up or assist an end user
Insider Threat Motivations
– 2015 Verizon Data Breach Investigations Report
Top Insider Threats by Role
End user
Cashier
Finance
Executive
11.2%
10.4%
37.6%
16.8%
– 2015 Verizon Data Breach Investigations Report
• Negligent Insiders – Insiders who accidentally expose data – such as an employee who forgets their laptop on an airplane.
• Malicious Insiders – Insiders who intentionally steal data or destroy systems.
• Compromised Insiders – Insiders whose access credentials and/or computer have been compromised by an outside attacker.
Who is Attacking the Network?
• Bring Your Own Device (BYOD)
Smart phones, tablets, storage
• Open Networks
Guest, partner and contractor access
• Social Engineering
Phishing, muleware
• Cloud Infrastructure
Are You Ready!!
Trends In Enterprise Networks
AWS Shared Responsibility Model
“While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security
they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for
applications in an on-site datacenter.”
-Amazon Web Services
• Internal East-West Traffic
Monitoring traffic from host to host
Compromised resources cost
• External Traffic
Traffic crossing the gateway
Infiltrated data
DDoS external and internal
Cloud Security
Social Engineering
Techniques
Shoulder Surfing
Dumpster Diving
Trojan Horse
Surfing Online
Social Engineering
Phishing
Role Playing
• Search for Public Facing Data
Contact info
Company infrastructure
• Employee Education and Policy
Alerting end users
Not allowing .ZIP etc.
Social Engineering Made Easy
What is Muleware?
Muleware solicits the participation of the user and offers incentives to play a small role in the attack campaign.
“Up until this point, cybercriminals have attained their resources by exploiting and compromising devices, but wouldn’t it be more efficient and much more
profitable to pay for these resources and turn thousands of would-be victims into part of the attacker’s supply chain?”
– Lancope CTO, TK Keanini
5 Signs of Insider Threat Activity
• Policy Violations
• Stolen Credentials
• Suspicious Behavior
• Unauthorized Access
• Unusual Data Movement
Stolen Credentials
“Two out of three breaches exploit weak or stolen passwords”
– Verizon, 2014 Data Breach Investigations Report
Recent Data Breaches using Compromised Credentials
• Target: 70,000,000
• Adobe: 36,000,000
• Home Depot: 56,000,000
• Jimmy John’s Subs: 217 locations
Breaches Have in Common
“Four replaced credit cards within two years!”
Suspicious Behavior
Host or end user communicating, or attempting to communicate, with an internal host that is ‘not normal’.
Host or end user connecting to ‘not normal’ outside hosts.
Geographic Traffic Anomaly
Does the company conduct business in China?
Geographic Traffic Anomaly
Historical application graph displaying FTP traffic to China in the past.
Pattern Traffic Anomaly
Abnormal traffic pattern produced by host or network segment.
Graph reporting a three-layer DDoS attack used as a smoke screen hiding data exfiltration.
Time of Day Anomaly
Network and/or host activity at abnormal hours.
Graph reporting server response time greatly increasing at 1:45 AM and 4:00 AM.
Unauthorized Access
Host or end user communications, or attempts, to unauthorized segments or hosts.
Unauthorized Access
Segmentation, compliance and sensitive data visibility
Multiple Login
Ethel has logged in from two locations several hundred miles apart, one hour apart.
Malicious Insiders
Research indicates that insider threats typically conduct their attacks within 30
days of giving their resignation.
– CERT Insider Threat Center
Malicious Insiders
Suspect Employee Visibility
© 2014 Lancope, Inc. All rights reserved.
Scenario: The organization is at risk from a targeted attack!
The adversary is already in using stolen credentials, so what are we defending against:
• Sabotage
• Espionage
• Data Loss
• Fraud
Security events have triggered indicating there is internal recon activity, a compromised server, and data exfiltration.
ALERT: Targeted Attack
1. Internal user performing recon
2. Finds server, performs port scan to find method to steal data, disables endpoint protection and begins collecting data
3. Encrypts data and exfiltrates out to Dropbox
Diagram (flattened): 10.201.3.149 scans 10.201.0.0/24, 10.201.1.0/24 and 10.201.2.0/24; 10.201.3.149 → 10.201.0.72; 10.201.3.149 → 60.10.254.10
Unusual Data Movement
Host or end user → unauthorized segments or hosts
Unusual Protocol Behavior
Typical DNS protocol behavior
Unusual Protocol Behavior
Not typical protocol behavior
Application / Payload Mismatch
Port 53 used to move P2P data.
Data Hoarding
• One to a few hosts reaching out and pulling data from multiple hosts in the enterprise
• Many more hosts touched than in a normal day’s work flow
Data Exfiltration
• One to a few hosts sending data to hosts outside of the enterprise
• Typically seen after Data Hoarding is completed
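The three unusual-data-movement signs above (port 53 carrying non-DNS volumes, data hoarding, data exfiltration) can all be scored from flow records. The following is an added example (not Lancope code) that runs the three checks over constructed flows mirroring the deck's scenario; the address space, byte thresholds and peer-count threshold are assumptions.

```python
# Added example (not from the deck): flag payload mismatch on port 53, data hoarding and
# exfiltration from flow records. Thresholds and sample flows are constructed assumptions.
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.201.0.0/16")]  # assumption: the enterprise address space
DNS_BYTES_PER_FLOW = 4_000   # assumption: a resolver exchange rarely exceeds a few KB
PULL_MIN_BYTES = 1_000_000   # assumption: below this a flow is not a "pull" of data
HOARD_PEERS = 5              # assumption: distinct internal sources pulled from in a day
EXFIL_BYTES = 50_000_000     # assumption: 50 MB outbound to a single external host

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def analyze(flows):
    """flows: (src, dst, dst_port, proto, bytes_src_to_dst, bytes_dst_to_src).
    Returns {alert_type: sorted [(host, detail), ...]}."""
    pulled_from = defaultdict(set)   # client -> internal servers it downloaded from
    out_bytes = defaultdict(int)     # (internal src, external dst) -> bytes sent
    alerts = defaultdict(list)
    for src, dst, dport, proto, b_out, b_in in flows:
        # application / payload mismatch: DNS port moving far more than name resolution needs
        if dport == 53 and b_out + b_in > DNS_BYTES_PER_FLOW:
            alerts["payload_mismatch"].append((src, f"{b_out + b_in} bytes to {dst}:53/{proto}"))
        # hoarding candidate: internal client pulling a sizeable download from an internal host
        if is_internal(src) and is_internal(dst) and b_in > b_out and b_in >= PULL_MIN_BYTES:
            pulled_from[src].add(dst)
        if is_internal(src) and not is_internal(dst):
            out_bytes[(src, dst)] += b_out
    for host, peers in pulled_from.items():
        if len(peers) >= HOARD_PEERS:
            alerts["data_hoarding"].append((host, f"pulled data from {len(peers)} internal hosts"))
    for (src, dst), b in out_bytes.items():
        if b >= EXFIL_BYTES:
            alerts["data_exfiltration"].append((src, f"{b} bytes to external {dst}"))
    return {k: sorted(v) for k, v in alerts.items()}

# Constructed flows: terminal server 10.201.0.23 hoards from five datacenter hosts,
# then tunnels 80 MB over UDP/53 to 74.213.99.97; one normal DNS lookup and the
# end user's RDP session are included as benign traffic.
SAMPLE_FLOWS = [
    ("10.201.0.23", f"10.201.0.{n}", 445, "tcp", 20_000, 30_000_000) for n in (50, 51, 52, 53, 55)
] + [
    ("10.201.0.23", "74.213.99.97", 53, "udp", 80_000_000, 900_000),
    ("10.201.0.23", "10.201.0.2", 53, "udp", 300, 600),
    ("10.201.3.18", "10.201.0.23", 3389, "tcp", 2_000_000, 9_000_000),
]
```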
Scenario: An internal user is stealing data!
The user could be a:
• Disgruntled employee
• Person about to leave the company
• Person with privileged credentials
• Person stealing and selling trade secrets
Security events have triggered indicating a user is connecting to a terminal server, collecting data from a sensitive database, and tunneling the traffic out of the network using P2P through UDP port 53 (DNS port).
ALERT: Insider Threat
1. Internal user connects to Terminal Server
2. Terminal server used to collect sensitive data from within the same subnet inside the datacenter
3. Terminal server used to encrypt data and tunnel through DNS port to an upload server
Diagram (flattened): 10.201.3.18 → 10.201.0.23; 10.201.0.23 → 10.201.0.55; 10.201.0.23 → 74.213.99.97
Policy Violations
Diagram (flattened): Enterprise Network / Host / End-User
Policy Violations
While this isn’t always indicative of an insider threat, violations of
company network policies could represent an employee attempting
to subvert perimeter defenses.
– Brian Butler, CSE
Audit Firewall Rules
... is listed in a major DNS blacklist; use ip/dnsbl.
Contractor Violations
http://www.lancope.com
Thank You
Questions & Answers