© 2016 Imperva, Inc. All rights reserved.
Part 1: Anatomy of an Insider Threat Attack

Shiri Margel, Data Security Research Team Lead, Imperva
Carrie McDaniel, Emerging Products Team Lead, Imperva
Shiri Margel
• Data Security Research Team Lead
• Master of Science in Computer Science and Mathematics
• 15+ years algorithmic experience
• 3+ years information security experience
• Session moderated by Carrie McDaniel, Emerging Products Team Lead
“70% of insider breaches took months or years to discover”
“16.3% of data breaches attributed to insider and privilege misuse”
Source: Verizon DBIR, April 2016
Insider Threat Hacker Intelligence Initiative, March 2016
• Insider threat events were present in 100 percent of the studied environments
• Insider threat incidents were not identified by any existing in-place security infrastructure
• Identified insider threats spanned malicious, compromised and careless insiders
The Research: Behavioral Analysis
• Collected live production data from several volunteer customers of Imperva
• Imperva SecureSphere audit logs: full database and file server audit trail
  – Provides full visibility into which users accessed what data
• Machine learning algorithms identify “actors” and “good behavior” in order to identify “meaningful anomalies”
Actors (diagram slide)

Good Behavior (diagram slide)
Behavioral Analysis: Malicious, Careless, Compromised
Malicious Insiders: The Worst Nightmare Scenario
• Trusted insiders that intentionally steal data for their own purpose
• > 15% of the breaches are done by malicious insiders
• Motivation: financial, espionage or grudge
• Examples: Edward Snowden, Chelsea Manning (born Bradley Manning)
Malicious Insider: Behavioral Analysis Finds the IP Hoarder
• A Technical Writing employee copied > 100,000 files
• Employee was authorized to access the data
• Operation took 3 weeks
• Each copy contained a few thousand files
• Some copies were made in the middle of the night and/or on the weekend
• The employee/department had never copied this many files
• The employee had never worked on weekends or in the middle of the night
Organization’s Feedback:
• The employee was planning to leave the organization shortly after the incident took place
Malicious Insider: Behavioral Analysis Flags DBA Abusing Privileges
[Diagram: Application Database Clients, Applicative Tables, DBA]
• A DBA from IT retrieved and modified multiple records from PeopleSoft application tables on a specific day
• Didn’t access these tables through the PeopleSoft interface, which bypassed PeopleSoft logging and retrieval limitations
• Retrieved many records:
  – Compared to their usual activity…
  – Compared to other users…
• Modified several thousand records in one table
• Used a highly privileged DB account
• The tables contained sensitive financial information
Should a DBA from IT have direct access to financial information?
Organization Feedback:
• A DBA from IT should never be exposed to financial information
• Certainly not modify this information outside of application processes
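The three signals in the DBA case (application tables reached by a client that is not the application, a record count far above the user's own and their peers' baseline, and modification of sensitive tables under a privileged account) can be checked directly against a database audit trail. The script below is an added example, not Imperva's or SecureSphere's code: the record layout, the table, client and account names, the thresholds and the sample records are all constructed for illustration.

```python
"""Flag DBA activity on application tables in a database audit trail.

Added example, not Imperva's or SecureSphere's code. The record layout,
table and account names, client program names, thresholds and the sample
records below are all constructed for illustration.
"""
from collections import defaultdict

# Constructed reference data: tables owned by the application, the client
# program that *is* the application, and accounts considered privileged.
APPLICATIVE_TABLES = {"PS_PAYROLL", "PS_EMPLOYEES"}
SENSITIVE_TABLES = {"PS_PAYROLL"}
APPLICATION_CLIENTS = {"PSAPPSRV"}
PRIVILEGED_ACCOUNTS = {"sysadm"}

# Constructed audit records: day|user|department|db_account|client|table|operation|rows
SAMPLE_AUDIT = """\
2016-03-01|psapp|application|psapp|PSAPPSRV|PS_PAYROLL|SELECT|150
2016-03-01|psapp|application|psapp|PSAPPSRV|PS_PAYROLL|UPDATE|12
2016-03-01|dba_rob|IT|dba_rob|sqlplus|SYS.DBA_TABLES|SELECT|40
2016-03-01|dba_amy|IT|dba_amy|sqlplus|SYS.DBA_TABLES|SELECT|55
2016-03-02|psapp|application|psapp|PSAPPSRV|PS_PAYROLL|SELECT|160
2016-03-02|dba_rob|IT|dba_rob|sqlplus|SYS.DBA_TABLES|SELECT|35
2016-03-02|dba_amy|IT|dba_amy|sqlplus|SYS.V_$SESSION|SELECT|20
2016-03-03|psapp|application|psapp|PSAPPSRV|PS_PAYROLL|SELECT|140
2016-03-03|dba_rob|IT|dba_rob|sqlplus|SYS.DBA_TABLES|SELECT|45
2016-03-03|dba_amy|IT|dba_amy|sqlplus|SYS.DBA_TABLES|SELECT|50
2016-03-04|psapp|application|psapp|PSAPPSRV|PS_PAYROLL|SELECT|155
2016-03-04|dba_rob|IT|sysadm|sqlplus|PS_PAYROLL|SELECT|25000
2016-03-04|dba_rob|IT|sysadm|sqlplus|PS_PAYROLL|UPDATE|3200
2016-03-04|dba_amy|IT|dba_amy|sqlplus|SYS.DBA_TABLES|SELECT|48
"""


def parse_audit(text):
    """Parse the pipe-delimited sample format into dicts."""
    records = []
    for line in text.strip().splitlines():
        day, user, dept, account, client, table, op, rows = line.split("|")
        records.append({"day": day, "user": user, "dept": dept, "account": account,
                        "client": client, "table": table, "op": op, "rows": int(rows)})
    return records


def direct_app_table_access(records):
    """Applicative tables touched by a client other than the application itself.
    Such access bypasses the application's own logging and retrieval limits."""
    return [(r["day"], r["user"], r["account"], r["client"], r["table"], r["op"])
            for r in records
            if r["table"] in APPLICATIVE_TABLES and r["client"] not in APPLICATION_CLIENTS]


def daily_select_totals(records):
    """(user, day) -> rows retrieved that day."""
    totals = defaultdict(int)
    for r in records:
        if r["op"] == "SELECT":
            totals[(r["user"], r["day"])] += r["rows"]
    return totals


def volume_anomalies(records, incident_day, factor=10):
    """Users whose retrieval volume on incident_day exceeds `factor` times their
    own busiest baseline day AND the busiest baseline day of any department peer.
    A user with no history at all (own_max == 0) is flagged on any activity."""
    totals = daily_select_totals(records)
    dept_of = {r["user"]: r["dept"] for r in records}
    flagged = {}
    for (user, day), total in totals.items():
        if day != incident_day:
            continue
        own = [t for (u, d), t in totals.items() if u == user and d != incident_day]
        peers = [t for (u, d), t in totals.items()
                 if u != user and dept_of[u] == dept_of[user] and d != incident_day]
        own_max, peer_max = max(own, default=0), max(peers, default=0)
        if total > factor * own_max and total > peer_max:
            flagged[user] = {"rows": total, "own_max": own_max, "peer_max": peer_max}
    return flagged


def privileged_modifications(records):
    """Writes to sensitive tables made with a privileged account outside the application."""
    return [(r["day"], r["user"], r["account"], r["table"], r["rows"])
            for r in records
            if r["op"] in {"UPDATE", "DELETE", "INSERT"}
            and r["table"] in SENSITIVE_TABLES
            and r["account"] in PRIVILEGED_ACCOUNTS
            and r["client"] not in APPLICATION_CLIENTS]


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    print("direct access:", direct_app_table_access(recs))
    print("volume:", volume_anomalies(recs, "2016-03-04"))
    print("privileged writes:", privileged_modifications(recs))
```

The first check is a pure policy rule and needs no baseline at all, which is why it is worth running even before any learning period: an IT account reading application tables through sqlplus is the answer to the slide's question "should a DBA from IT have direct access to financial information?" regardless of how many rows were involved. The volume rule compares against both the user's own history and the department's so that a legitimately heavy user is not flagged for being themselves.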
Negligent Insiders: The Road to Hell is Paved with Good Intentions
• Do not have malicious intent
• Expose sensitive enterprise data due to careless behavior, such as cutting corners or simplifying daily tasks
Negligent User Example 1: Behavioral Analysis Flags Account Sharing
• Bypass the organization’s permissions and privileges
• Provide people with access that they are not entitled to
• Leave an incorrect access trail to the data
• Sharing is not caring!

• A and B share privileges
• C and D use B’s account
• H uses the accounts of E, G
• J uses the accounts of G, I
• L uses the account of K
[Chart: account usage per user, users A through L]
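Account sharing is visible in an audit trail only when the record ties the database account to something that identifies the actual person, typically the OS user and source host of the session. The script below is an added example, not Imperva's or SecureSphere's code; it assumes that field is present and uses a constructed account-to-owner mapping (in practice it would come from the IAM system) and constructed login records that reproduce the relationships on the slide (C and D on B's account, H on E's and G's, J on G's and I's, L on K's).

```python
"""Find shared and borrowed database accounts in an audit trail.

Added example, not Imperva's or SecureSphere's code. It assumes the audit
trail records, for each session, the database account together with the OS
user and source host that opened it. The ownership mapping, names and
sample records are constructed for illustration.
"""
from collections import defaultdict

# Constructed records: timestamp|db_account|os_user|source_host
SAMPLE_LOGINS = """\
2016-03-07T08:58|acct_a|user_a|ws-a
2016-03-07T09:01|acct_b|user_b|ws-b
2016-03-07T09:05|acct_b|user_c|ws-c
2016-03-07T09:07|acct_b|user_d|ws-d
2016-03-07T09:09|acct_e|user_e|ws-e
2016-03-07T09:10|acct_e|user_h|ws-h
2016-03-07T09:12|acct_g|user_h|ws-h
2016-03-07T09:15|acct_g|user_g|ws-g
2016-03-07T09:20|acct_g|user_j|ws-j
2016-03-07T09:22|acct_i|user_j|ws-j
2016-03-07T09:30|acct_k|user_k|ws-k
2016-03-07T09:31|acct_k|user_l|ws-l
2016-03-07T10:00|acct_f|user_f|ws-f
"""

# Constructed ownership: acct_x is registered to user_x. In a real deployment
# this mapping comes from the identity system, not from a naming convention.
ACCOUNT_OWNER = {f"acct_{c}": f"user_{c}" for c in "abcdefghijkl"}


def parse_logins(text):
    """Parse the pipe-delimited sample format into dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, account, os_user, host = line.split("|")
        records.append({"ts": ts, "account": account, "os_user": os_user, "host": host})
    return records


def shared_accounts(records, min_users=2):
    """Accounts opened by `min_users` or more distinct OS users (no ownership data needed)."""
    users_by_account = defaultdict(set)
    for r in records:
        users_by_account[r["account"]].add(r["os_user"])
    return {acct: sorted(users) for acct, users in users_by_account.items()
            if len(users) >= min_users}


def borrowed_accounts(records, owner):
    """OS users who opened a session with an account registered to someone else."""
    borrowed = defaultdict(set)
    for r in records:
        if owner.get(r["account"]) != r["os_user"]:
            borrowed[r["os_user"]].add(r["account"])
    return {user: sorted(accts) for user, accts in borrowed.items()}


def misattributed_events(records, owner):
    """Events that a trail keyed on the DB account alone would pin on the wrong person:
    (timestamp, person the account points to, person who actually acted)."""
    return [(r["ts"], owner.get(r["account"], "?"), r["os_user"])
            for r in records if owner.get(r["account"]) != r["os_user"]]


if __name__ == "__main__":
    recs = parse_logins(SAMPLE_LOGINS)
    print("shared:", shared_accounts(recs))
    print("borrowed:", borrowed_accounts(recs, ACCOUNT_OWNER))
    print("misattributed:", len(misattributed_events(recs, ACCOUNT_OWNER)))
```

The two detections are complementary: `shared_accounts` needs no ownership data but misses an account that only one other person uses (here `acct_i`, used only by `user_j`), while `borrowed_accounts` catches that case but depends on an accurate owner mapping. `misattributed_events` makes the "incorrect access trail" point concrete: each returned row is an action the account-level log would attribute to the wrong employee.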
Negligent User Example 2: File Exfiltration
• An employee copied 1500 files from the file share
• Each file copy operation took 14 seconds on average
• An average normal file copy takes 1 second
• A slow copy rate may indicate a file exfiltration attempt
  – Connecting through a VPN
  – Copying files to a device outside the organization
• Exfiltration of a large number of files is concerning and uncommon
Our Recommendation
Further investigation required:
• Which files were copied?
• What other activities were done by the employee related to unstructured data (file shares? databases?)
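Both file-share cases above (the IP hoarder, flagged on volume and on night/weekend activity the employee had never shown before, and Example 2, flagged on a copy rate far slower than normal) come down to profiling each user's daily file-server activity and comparing one day against the user's own and the department's baseline. The script below is an added example, not Imperva's or SecureSphere's code; the record layout, department names, office-hours definition and thresholds are assumptions, and the audit trail is generated in the script rather than taken from any real system.

```python
"""Baseline a file-server audit trail and flag copy anomalies.

Added example, not Imperva's or SecureSphere's code, covering the IP hoarder
(unusual volume, night/weekend activity) and the slow copies of Example 2.
Record layout, department names, office hours and thresholds are
assumptions; the audit trail is constructed below.
"""
import datetime as dt
import random
from collections import defaultdict


def make_sample():
    """Constructed audit trail: (timestamp, user, department, action, path, seconds)."""
    rng = random.Random(1)  # fixed seed so the sample is reproducible
    records = []
    start = dt.datetime(2016, 3, 7)  # a Monday
    # Baseline: two technical writers copy 5-20 files per working day, ~1 s each.
    for offset in range(14):
        day = start + dt.timedelta(days=offset)
        if day.weekday() >= 5:
            continue
        for user in ("writer1", "writer2"):
            for i in range(rng.randint(5, 20)):
                ts = day.replace(hour=rng.randint(9, 17), minute=rng.randint(0, 59))
                records.append((ts, user, "TechWriting", "COPY", f"/docs/spec_{i}.docx", 1.0))
    # Incident (constructed): writer1 copies 3000 files from 02:00 on a Saturday,
    # each copy taking 14 s as in Example 2.
    incident = dt.datetime(2016, 3, 19, 2, 0)
    for i in range(3000):
        records.append((incident + dt.timedelta(seconds=i), "writer1", "TechWriting",
                        "COPY", f"/docs/archive_{i}.pdf", 14.0))
    return records


def is_off_hours(ts):
    """Assumed office hours: weekdays 06:00-22:00; everything else is off-hours."""
    return ts.weekday() >= 5 or ts.hour < 6 or ts.hour >= 22


def daily_profiles(records):
    """Per (user, date): number of copies, off-hours copies and total copy seconds."""
    prof = defaultdict(lambda: {"copies": 0, "off_hours": 0, "seconds": 0.0})
    for ts, user, _dept, action, _path, seconds in records:
        if action != "COPY":
            continue
        p = prof[(user, ts.date())]
        p["copies"] += 1
        p["off_hours"] += int(is_off_hours(ts))
        p["seconds"] += seconds
    return prof


def detect(records, day, volume_factor=10, slow_factor=5):
    """Compare each user's activity on `day` ("YYYY-MM-DD" or date) with their own
    and their department's baseline (all other days); return reasons per user."""
    if isinstance(day, str):
        day = dt.date.fromisoformat(day)
    prof = daily_profiles(records)
    dept_of = {user: dept for _ts, user, dept, *_rest in records}
    baseline = [p for (_u, d), p in prof.items() if d != day]
    # Organisation-wide mean copy time on baseline days (the slides: about 1 s).
    base_copies = sum(p["copies"] for p in baseline) or 1
    base_mean_secs = sum(p["seconds"] for p in baseline) / base_copies
    findings = {}
    for (user, d), p in prof.items():
        if d != day:
            continue
        own = [q for (u, dd), q in prof.items() if u == user and dd != day]
        dept = [q for (u, dd), q in prof.items()
                if dept_of[u] == dept_of[user] and dd != day]
        own_max = max((q["copies"] for q in own), default=0)
        dept_max = max((q["copies"] for q in dept), default=0)
        mean_secs = p["seconds"] / p["copies"]
        reasons = []
        # Volume: more than the user ever did AND more than anyone in the department.
        if p["copies"] > volume_factor * own_max and p["copies"] > dept_max:
            reasons.append(f"volume: {p['copies']} copies vs user max {own_max}, "
                           f"department max {dept_max}")
        # Off-hours work from a user whose baseline shows none.
        if p["off_hours"] and not any(q["off_hours"] for q in own):
            reasons.append(f"off-hours: {p['off_hours']} night/weekend copies, none in baseline")
        # Copies taking several times longer than a normal copy.
        if mean_secs >= slow_factor * base_mean_secs:
            reasons.append(f"slow copies: {mean_secs:.1f} s average vs {base_mean_secs:.1f} s baseline")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in detect(make_sample(), "2016-03-19").items():
        print(user, *reasons, sep="\n  ")
```

Run on the constructed trail, the incident day yields all three reasons for `writer1` and a normal working day yields nothing. The three features are deliberately kept separate rather than folded into one score: in the slides each one carried a different interpretation (volume and off-hours pointed at hoarding before departure, slow copies at a VPN or external device), and an analyst following the "further investigation" recommendation wants to know which one fired.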
Compromised Insiders: More Dangerous Than You Think
Compromised users: “external threats” that act with the same level of freedom as the trusted insider
• 30% of recipients click on phishing emails
• 12% went on to open attachments or click links
• Top 10 known vulnerabilities accounted for 85% of successful exploits
• 63% of data breaches involved weak, default or stolen passwords
Source: Verizon DBIR 2016
Compromised Users: How Failed Logins are Flagged as Anomalous
• Failed logins to a database are not uncommon
• In this example, a user tried to access a database they never accessed before, using several different DB accounts
• 4 failed login attempts in an hour
  – One attempt used the credentials of the user on another database
  – The other 3 attempts in less than 10 minutes
• The user succeeded on their 5th attempt
  – Insufficient privileges: couldn’t perform any operations
• Baseline period
  – The user always successfully logs into DB1 using the “red” account
  – Never logs into DB2
• On the day of the incident
  – The user tried and failed to log into DB2 11 times using 4 different accounts
  – Succeeded using a 5th account
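What makes this sequence anomalous is not the failed logins themselves (the slide is explicit that those are common) but their combination with the user's baseline: a database the user had never reached, a burst of failures across several accounts inside a short window, and a final success with an account never seen for that user. The script below is an added example, not Imperva's or SecureSphere's code; the record layout, the names, the baseline/incident split and the thresholds are constructed to mirror the slide's numbers (11 failures with 4 accounts, then a 5th account succeeding), with a second user whose single failed login is correctly left alone.

```python
"""Flag anomalous database login sequences against a per-user baseline.

Added example, not Imperva's or SecureSphere's code. Record layout, user and
account names, the baseline/incident split and the thresholds are constructed
to mirror the case in the slides.
"""
import datetime as dt
from collections import defaultdict

# Constructed records: timestamp|user|database|db_account|result
SAMPLE_LOGINS = """\
2016-03-14T09:00:00|alice|DB1|red|SUCCESS
2016-03-14T09:05:00|bob|DB1|bob|SUCCESS
2016-03-15T09:02:00|alice|DB1|red|SUCCESS
2016-03-16T08:58:00|alice|DB1|red|SUCCESS
2016-03-17T09:01:00|alice|DB1|red|SUCCESS
2016-03-18T09:00:00|alice|DB1|red|SUCCESS
2016-03-21T09:00:00|alice|DB1|red|SUCCESS
2016-03-21T09:30:00|bob|DB1|bob|FAILURE
2016-03-21T09:31:00|bob|DB1|bob|SUCCESS
2016-03-21T10:00:00|alice|DB2|red|FAILURE
2016-03-21T10:01:00|alice|DB2|red|FAILURE
2016-03-21T10:03:00|alice|DB2|blue|FAILURE
2016-03-21T10:04:00|alice|DB2|blue|FAILURE
2016-03-21T10:05:00|alice|DB2|blue|FAILURE
2016-03-21T10:10:00|alice|DB2|green|FAILURE
2016-03-21T10:11:00|alice|DB2|green|FAILURE
2016-03-21T10:12:00|alice|DB2|green|FAILURE
2016-03-21T10:20:00|alice|DB2|yellow|FAILURE
2016-03-21T10:21:00|alice|DB2|yellow|FAILURE
2016-03-21T10:22:00|alice|DB2|yellow|FAILURE
2016-03-21T10:40:00|alice|DB2|purple|SUCCESS
"""


def parse_logins(text):
    """Parse the pipe-delimited sample format; timestamps become datetimes."""
    records = []
    for line in text.strip().splitlines():
        ts, user, db, account, result = line.split("|")
        records.append({"ts": dt.datetime.fromisoformat(ts), "user": user, "db": db,
                        "account": account, "result": result})
    return records


def login_anomalies(records, day, window=dt.timedelta(hours=1),
                    min_failures=3, min_accounts=2):
    """Per (user, database) on `day`, list the reasons the login activity is
    anomalous relative to the user's successful logins on earlier days."""
    if isinstance(day, str):
        day = dt.date.fromisoformat(day)
    # Baseline: databases and accounts each user has successfully used before `day`.
    history = defaultdict(lambda: {"dbs": set(), "accounts": set()})
    for r in records:
        if r["ts"].date() < day and r["result"] == "SUCCESS":
            history[r["user"]]["dbs"].add(r["db"])
            history[r["user"]]["accounts"].add(r["account"])
    today = defaultdict(list)
    for r in records:
        if r["ts"].date() == day:
            today[(r["user"], r["db"])].append(r)
    findings = {}
    for (user, db), events in today.items():
        events.sort(key=lambda r: r["ts"])
        fails = [r for r in events if r["result"] == "FAILURE"]
        # Largest number of failures inside any span of length `window` (sliding window).
        burst, j = 0, 0
        for i in range(len(fails)):
            while fails[i]["ts"] - fails[j]["ts"] > window:
                j += 1
            burst = max(burst, i - j + 1)
        accounts_tried = {r["account"] for r in fails}
        reasons = []
        if db not in history[user]["dbs"]:
            reasons.append(f"first access to {db}; baseline databases: "
                           f"{sorted(history[user]['dbs'])}")
        if burst >= min_failures and len(accounts_tried) >= min_accounts:
            reasons.append(f"{burst} failed logins within "
                           f"{int(window.total_seconds() // 60)} min using "
                           f"{len(accounts_tried)} accounts")
        for r in events:
            if (r["result"] == "SUCCESS" and fails and r["ts"] > fails[-1]["ts"]
                    and r["account"] not in history[user]["accounts"]):
                reasons.append(f"success with account '{r['account']}' never used "
                               f"before, after {len(fails)} failures")
        if reasons:
            findings[(user, db)] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in login_anomalies(parse_logins(SAMPLE_LOGINS), "2016-03-21").items():
        print(key, *reasons, sep="\n  ")
```

`bob` fails once on DB1 and then logs in normally; since DB1 is in his baseline, the burst is below the threshold and the successful account is one he has used before, nothing is reported for him, which is the "failed logins are not uncommon" point. `alice` on DB2 trips all three reasons. The final success is worth surfacing even though the slide notes the account had insufficient privileges: an attacker who has reached a database with a working account has usually not finished.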
Learn More: Read the HII Report
Imperva.com/DefenseCenter
Q & A

5 Minute Break