Insider Threat Kill Chain: Detecting Human Indicators of Compromise

Post on 08-Jun-2015


DESCRIPTION

Your organization’s greatest assets are also its greatest threat: people. Your greatest risk is the people you trust. Last year, more than a third of data breaches were perpetrated by a malicious insider, such as an employee, contractor or trusted business partner. On average, an attack by an insider is also the most costly, averaging $412K per incident. The intentions of these insiders can be sabotage, fraud, intellectual property theft or espionage. However, in many cases, patterns of detectable behavior and network activity emerge that provide indicators of risk, assist in early detection and speed up response time for an actual incident. In this webinar we discussed:

• how human resources, legal and IT can work together to help prevent insider threats before they become a problem;

• how to identify risk indicators in employee attitudes and behavior, and how they correlate with patterns of activity on your network;

• how you can use log intelligence and security analytics to automate actions and alerts and enable rapid reporting and forensics.

The recorded webcast for this presentation can be found here: http://www.tripwire.com/register/insider-threat-kill-chain-detecting-human-indicators-of-compromise/

TRANSCRIPT

INSIDER THREAT KILL CHAIN

DETECTING HUMAN INDICATORS OF COMPROMISE

Ken Westin, Product Marketing Manager, kwestin@tripwire.com

3

Your organization’s greatest asset is also its greatest threat.

People.

4

MY FIRST EXPERIENCE WITH TRIPWIRE: ADMINISTRATOR BREAKING BAD

5

INSIDER THREAT INTENTIONS

THREAT = CAPABILITY * INTENT

• IT Sabotage: 21%

• Fraud: 37%

• IP Theft: 15%

• Espionage: 19%

• Other: 8%

Source: CERT Breakdown of Insider Crimes in the United States

6

ADMINS GONE WILD: Rajendrasinh Babubhai Makwana

• IT contractor fired, but allowed to finish working the day

• Had admin access to the company’s 4K servers

• Wrote a logic bomb to disable logins and wipe logs on Jan 1, 2009

• Another engineer found the code before it could execute

• Sentenced to 41 months in prison

• Before being caught, had gone on to work for Bank of America, Amtrak and GE as Sr. Systems Administrator

7

INSIDER THREAT KILL CHAIN

Insider timeline: Recruitment/Tipping Point → Search/Recon → Acquisition/Collection → Exfiltration/Action → DAMAGE

Defender phases along the same timeline: PREVENT → DETECT → RESPOND

Non-Technical Indicators (Human Resources, Legal)

Technical Indicators

10

PREVENT: HUMAN INDICATORS OF COMPROMISE

Risk indicators:

• Consistently first in and last out of the office

• 12+ months of unused vacation

• Life change: marital status change

• Gives notice

• Lay-off notification

• Passed over for promotion/raise

• Disciplinary action

11

PREVENT

1. Consider threats from insiders and partners in risk assessments

2. Background checks

3. Clearly document and enforce policies and controls

4. Periodic security awareness training for all employees

5. Monitor and respond to suspicious or disruptive behavior

6. Anticipate and manage negative workplace issues

7. Track and secure physical environment

8. Establish clear lines of communication and procedures between HR, Legal and IT

AWARENESS & TRAINING

12

PREVENT: HUMAN TO MACHINE INDICATORS

Risk indicators:

• Increasing number of logins, variation in remote/local

• Logging into the network at odd times

• Logging in frequently during vacation time

• Remote logins using a different employee’s credentials

• Changes in websites visited, work vs. personal

• Increased printer usage

• Export of large reports/downloads from internal systems

13

PREVENT & DETECT

1. Implement strict password and account policies

2. Enforce separation of duties and least privilege

3. Extra caution with system administrators and technical or privileged users

4. Implement system change controls

5. Deactivate computer access following termination

6. Log, monitor, and audit employee network activities

POLICY & TECHNOLOGY

14

LOG INTELLIGENCE & ANALYTICS: REAL-TIME CORRELATION MEETS BIG DATA

Data sources feeding the correlation engine:

• CONFIG DATA

• PHYSICAL ACCESS

• SECURITY DEVICES

• USER ACTIVITY

• HOSTS & SERVERS

• APP ACTIVITY

• DATABASE ACTIVITY

• ACTIVE DIRECTORY

• VULNERABILITY DATA

19

LOG INTELLIGENCE & ANALYTICS: REAL-TIME CORRELATION MEETS BIG DATA

Data sources: CONFIG DATA, PHYSICAL ACCESS, SECURITY DEVICES, USER ACTIVITY, HOSTS & SERVERS, APP ACTIVITY, DATABASE ACTIVITY, ACTIVE DIRECTORY, VULNERABILITY DATA

→ ANALYTICS, FORENSICS & STORAGE → ACTIONABLE INTELLIGENCE

20

INSIDER THREAT CORRELATION: TRIPWIRE LOG CENTER EXAMPLE RULES

Logon attempt from terminated employee/contractor

Odd remote logon patterns from employee on watch list

Logons from employee at odd times

Logon to high value asset from unauthorized system

Creation and deletion of user account within interval

Add and delete a user account from group within interval

Employee disables anti-virus

Employee visits blocked websites frequently

Leaving employee downloads large files from Intranet or CRM

Employee installs and uses Tor on company system

Employee installs scanning/hacking tools on system

21

WHAT TO LOG?

• Firewall logs

• Unsuccessful login attempts

• Intrusion Detection Systems (IDS/IPS) logs

• Web proxies

• Antivirus alerts

• Change management

BARE MINIMUM TO START

22

ALL LOGS CONSIDERED

• Determine log volume: Identify the number of events per second before selecting a log management tool

• Establish log management policies and procedures: Ensure this includes log retention policies (work with legal counsel for requirements), what is collected, and who manages the logging systems

• False positives: Security devices make a lot of noise; tune the system to reduce false positives and focus on events that matter

• Establish a baseline: What is normal behavior? Set baselines to distinguish anomalies from true threats

• Accessing information: Multiple departments need to access the data to determine what information will be collected and who has permission to view it…not just the SOC

CHALLENGES WITH LOG INTELLIGENCE & SIEM
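As an added illustration of the baseline point above (this is example code, not from the slides or from any Tripwire product): a short Python script that builds a per-user logon baseline from a constructed history and then flags a new week's logons that fall in an hour of the day never seen for that user, or that exceed the user's usual daily logon count. This is the mechanical form of the "logging in at odd times" and "increasing number of logins" indicators from the earlier slide. The user names, timestamps and the z-score threshold are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed history of successful logons as (user, ISO timestamp); not real data.
HISTORY = [
    ("asmith", "2014-03-03T08:55:00"), ("asmith", "2014-03-03T13:10:00"),
    ("asmith", "2014-03-04T09:02:00"), ("asmith", "2014-03-05T08:48:00"),
    ("asmith", "2014-03-06T09:15:00"), ("asmith", "2014-03-07T08:59:00"),
    ("bjones", "2014-03-03T07:30:00"), ("bjones", "2014-03-03T18:05:00"),
    ("bjones", "2014-03-04T07:40:00"), ("bjones", "2014-03-05T07:35:00"),
    ("bjones", "2014-03-06T07:32:00"), ("bjones", "2014-03-06T18:20:00"),
]

# Constructed logons for the week under review.
NEW_WEEK = [
    ("asmith", "2014-03-10T09:01:00"),  # ordinary
    ("asmith", "2014-03-11T02:40:00"),  # the 02:00 hour never appears in asmith's history
    ("asmith", "2014-03-12T08:50:00"), ("asmith", "2014-03-12T09:10:00"),
    ("asmith", "2014-03-12T09:40:00"), ("asmith", "2014-03-12T13:05:00"),
    ("asmith", "2014-03-12T13:50:00"),  # five logons in one day vs. a baseline of ~1.2/day
    ("bjones", "2014-03-10T18:10:00"),  # an evening logon is normal for bjones
]


def baseline(history):
    """Per-user profile: which hours of the day they log on, and logons per day."""
    profile = defaultdict(lambda: {"hours": Counter(), "daily": Counter()})
    for user, ts in history:
        t = datetime.fromisoformat(ts)
        profile[user]["hours"][t.hour] += 1
        profile[user]["daily"][t.date()] += 1
    return profile


def anomalies(base, logons, z=2.0):
    """Return (user, reason, detail) tuples for logons that deviate from the user's baseline."""
    findings = []
    per_day = Counter()
    for user, ts in logons:
        t = datetime.fromisoformat(ts)
        if user not in base:
            # No history at all is itself worth a look (new account, new hire, or a dormant one).
            findings.append((user, "no baseline", ts))
            continue
        if t.hour not in base[user]["hours"]:
            findings.append((user, "unusual hour", ts))
        per_day[(user, t.date())] += 1
    for (user, day), n in per_day.items():
        counts = list(base[user]["daily"].values())
        # Flag a day whose logon count is more than z standard deviations above the user's mean.
        threshold = mean(counts) + z * pstdev(counts)
        if n > threshold:
            findings.append((user, "logon volume",
                             f"{n} logons on {day} (threshold {threshold:.1f})"))
    return findings


if __name__ == "__main__":
    for finding in anomalies(baseline(HISTORY), NEW_WEEK):
        print(finding)
```

Both tests are deliberately coarse: one week of history is far too little for a real baseline, the "never seen hour" check has no tolerance for a user who occasionally works late, and z is a tuning knob that decides how much noise the SOC is willing to review. The value of the approach is that it is per user, so an 18:00 logon that is routine for one employee is still anomalous for another.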

24

LOGGING REAL PROBLEMS

• Employee behavior shows potential risk to the business

• Let’s monitor to see if he connects to servers outside the network

• Set rules to watch and alert on outbound connections after hours to ports 22 (SSH), 23 (Telnet) and 3389 (Terminal Services/RDP)

Example event definition:

    <event name="Suspicious connection by risky employee">
      <logTime>2014-04-07T12:17:32</logTime>
      <suser>maliciousinsider</suser>
      <src>10.0.0.1</src>
      <shost>insider_system</shost>
      <prot>TCP</prot>
      <dpt>{22,23,3389}</dpt>
      <start>17:00:00</start>
      <end>08:00:00</end>
    </event>
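The following is an added example and not code from the slides or from Tripwire Log Center: a small Python correlation run over constructed log lines that implements three of the example rules from the earlier slide (logon attempt from a terminated employee, creation and deletion of a user account within an interval) together with the after-hours connection rule from the event definition above. The field names suser, src and dpt follow the slide's event; the log line format, the type/dst/target/outcome fields, the user names, the terminated list and the watch list are constructed assumptions.

```python
from datetime import datetime, time, timedelta

# Constructed sample log lines (not real data): an ISO timestamp followed by
# key=value fields. suser, src and dpt follow the slide's event definition;
# type, dst, target and outcome are assumptions made for this example.
SAMPLE_LOG = """\
2014-04-07T04:12:00 type=logon suser=jdoe src=10.0.0.5 outcome=success
2014-04-07T09:30:00 type=logon suser=asmith src=10.0.0.7 outcome=success
2014-04-07T10:05:00 type=account_create suser=admin target=tmpsvc
2014-04-07T10:50:00 type=account_delete suser=admin target=tmpsvc
2014-04-07T12:17:32 type=connection suser=maliciousinsider src=10.0.0.1 dst=203.0.113.9 dpt=22
2014-04-07T19:42:10 type=connection suser=maliciousinsider src=10.0.0.1 dst=203.0.113.9 dpt=3389
2014-04-07T19:45:00 type=connection suser=asmith src=10.0.0.7 dst=203.0.113.20 dpt=443
"""

# Context the rules need; in practice this comes from HR and IT, not from the log itself.
TERMINATED = {"jdoe"}                 # accounts HR reports as terminated (constructed)
WATCH_LIST = {"maliciousinsider"}     # employees flagged as risky (constructed)
RISKY_PORTS = {22, 23, 3389}          # SSH, Telnet, Terminal Services/RDP
AFTER_HOURS_START = time(17, 0)       # <start>17:00:00</start> on the slide
AFTER_HOURS_END = time(8, 0)          # <end>08:00:00</end> on the slide


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with a datetime under 'time'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.fromisoformat(ts)
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_after_hours(ts):
    """True from 17:00 to 08:00; the window wraps past midnight, so it is an OR, not an AND."""
    t = ts.time()
    return t >= AFTER_HOURS_START or t < AFTER_HOURS_END


def rule_terminated_logon(events):
    """Logon attempt from terminated employee/contractor."""
    return [e for e in events if e["type"] == "logon" and e["suser"] in TERMINATED]


def rule_after_hours_risky_connection(events):
    """Watch-listed user connects to SSH/Telnet/RDP outside business hours."""
    return [e for e in events
            if e["type"] == "connection"
            and e["suser"] in WATCH_LIST
            and int(e["dpt"]) in RISKY_PORTS
            and is_after_hours(e["time"])]


def rule_create_delete_within(events, interval=timedelta(hours=24)):
    """Creation and deletion of the same user account within an interval."""
    created, hits = {}, []
    for e in events:                  # events are assumed to be in time order
        if e["type"] == "account_create":
            created[e["target"]] = e["time"]
        elif e["type"] == "account_delete":
            t0 = created.pop(e["target"], None)
            if t0 is not None and e["time"] - t0 <= interval:
                hits.append((e["target"], e["time"] - t0))
    return hits


def run_rules(text):
    events = parse_log(text)
    return {
        "terminated_logon": rule_terminated_logon(events),
        "after_hours_risky_connection": rule_after_hours_risky_connection(events),
        "create_delete_within_interval": rule_create_delete_within(events),
    }


if __name__ == "__main__":
    for name, hits in run_rules(SAMPLE_LOG).items():
        print(name, hits)
```

Two details matter when turning the slide's rule into code: the time window crosses midnight, so the after-hours test must be a disjunction of the two boundaries, and the terminated-account and watch-list rules are only as good as the HR feed that populates those sets, which is the concrete reason the deck keeps insisting on a working channel between HR, Legal and IT. The 12:17 connection on port 22 in the sample is intentionally not flagged: it matches the user and port but falls inside business hours.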

25

Tripwire Log Center Dashboard

26

Physical Security Meets Digital: KEY FOB SYSTEMS GENERATE LOGS TOO

27

CUSTOMER STORY: POWER COMPANY

• Deploying Tripwire Log Center immediately discovered the account of a terminated system admin in use

• Account was logging into network at 4AM on a Wednesday

• Also discovered logging disabled on key firewall

MALICIOUS INSIDERS UNVEILED

28

CUSTOMER STORY: DON’T TREAD ON ME

• Deployed PoC of Tripwire Log Center and Tripwire Enterprise at large tire retailer

• Discovered a backdoor set up by a terminated employee that was actively being accessed

MALICIOUS INSIDERS UNVEILED

29

RESPOND

1. Implement secure backup and recovery processes

2. Quickly audit user’s network behavior

3. Develop an insider incident response plan (inter-departmental)

30

I’m On A Boat! Network Admin Hacked Navy—While on an Aircraft Carrier

http://www.wired.com/2014/05/navy-sysadmin-hacking/


32

Questions?

Ken Westin

kwestin@tripwire.com

Twitter: @kwestin
