
Identify and Stop Insider Threats

Nov 18, 2014


Lancope, Inc.

Traits exhibited by your best, smartest, and hardest working employee can be the same as those of the malicious (or sometimes even unwitting) insider.

Learn how to:
* Spot an insider threat
* Identify their network activity
* Incorporate best practices to protect your organization from the insider threat
Transcript
Page 1: Identify and Stop Insider Threats

Insider Threat

Matthew McKinley, Technical Product Marketing [email protected] (770) 225-6500


Page 3: Identify and Stop Insider Threats

Overview

• Why am I interested in Insider Threat?
  – Motives
  – Types
• Who commits insider computer crimes and why do they do it?
• An observation
• Using StealthWatch to combat different insider threats
  – The Kill Chain
  – How can we see Insider Threats?
  – Use Cases
• Lancope Pro Tip

© 2012 Lancope, Inc. All rights reserved.

Page 4: Identify and Stop Insider Threats

Why am I interested in Insider Threats?

(Chart: AlgoSec Survey of 182 IT Security Professionals)

Page 5: Identify and Stop Insider Threats

Why Insider Threats? – The Verizon Breach Report

• Verizon 2012 Data Breach Investigations Report
  – 2012: 98% stemmed from external agents; 4% implicated internal employees
  – 2011: 92% stemmed from external agents; 17% implicated insiders
  – 2010: 70% stemmed from external agents; 48% were caused by insiders
• Hacking in 2012
  – 3% involved SQL injection
  – 55% involved default credentials
  – 40% involved stolen credentials
  – 29% involved brute force or dictionary attacks

Page 6: Identify and Stop Insider Threats

What are the motives?

Page 7: Identify and Stop Insider Threats

Insider Threats

• 12 years of history
• Over 700 insider threat cases
• IT Sabotage
  – Average: $1.7 million
  – Mean: $50,000
• IP Theft
  – Average: $13.5 million
  – Mean: $337,000

Page 8: Identify and Stop Insider Threats

An Observation

• Much of the practice of computer security has to do with making sure the doors are locked. We spend little effort trying to find out if the bad guys are already in.
  – We tend to assume that if the bad guys are in, it's game over: systems will stop working or money will be instantly stolen. (This isn't always true.)
  – It is useful to disrupt ongoing attacks even if you can't prevent them.
• StealthWatch can help

Page 9: Identify and Stop Insider Threats

Visibility throughout the Kill Chain

• A sophisticated attack on a network involves a series of steps
• Traditional thinking views any system compromise as a successful breach
• Any successful action taken to stop an infection prior to data exfiltration can be considered a win
• This is the Kill Chain concept introduced by Mike Cloppert at Lockheed
• StealthWatch provides visibility at each stage of the chain

(Diagram of Kill Chain stages: Recon; Exploitation (Social Engineering?); Initial Infection; Internal Pivot; Data Preparation & Exfiltration; Command and Control)

Page 10: Identify and Stop Insider Threats

Seeing the Insider Threat (What's in the bag, Mr.?)

• Seeing user activity
  – Who, what, when, where
• Detecting data exfiltration
  – Filtering suspicious events from normal network "noise"
• Detecting bad actors on the network
• Detecting other behavioral anomalies
  – When activity on the network deviates from established norms, this can be a sign of attack
  – When hosts on the network behave in ways that they normally wouldn't or shouldn't

Page 11: Identify and Stop Insider Threats

Monitoring User Activity

• Knowing:
  – Who it was – what do you know about this user?
  – What they were using – was it an approved device?
  – When they logged on – was it late at night?
  – Where they logged on from – locally? VPN?
• …is critical to combating the insider threat
• Cisco ISE integration and the StealthWatch IDentity solution provide this visibility

(Graphic: Who? What? When? Where?)

Page 12: Identify and Stop Insider Threats

Monitoring User Activity

• Who, what, when, and where is nice, but…
  – What were they doing?
  – NetFlow provides transactional information related to network events
• StealthWatch correlates user information with flow records to add deeper context, such as:
  – Who they were communicating with
  – What apps they were using

(Screenshot: data from NetFlow; application data)

Page 13: Identify and Stop Insider Threats

Detecting Data Exfiltration

• Activity at strange times and strange durations can be suspect
• Alarms and thresholds automate the discovery process
• StealthWatch answers these questions

(Screenshot callouts: 5 hour SSH connection?? Who was it? How have they behaved in the past?)

Page 14: Identify and Stop Insider Threats

Detecting Data Exfiltration

• Pivot from charts to detail – the benefits of users + flow
• You're not alone – pre-configured and configurable alarms

(Screenshot callouts: Who? How long? To whom? How much?)

Page 15: Identify and Stop Insider Threats

Bad Actors on the Network

• NetFlow allows you to see all transactions on the network, without having to decide what's to be ignored
• Automated tools such as the worm tracker identify the source and path of spreading malware
• The Concern Index highlights hosts that are behaving "oddly"

Page 16: Identify and Stop Insider Threats

Bad Actors on the Network

• Alarms and informative graphics combine to provide visibility into problems without the hassle of digging them out of mountains of data

(Screenshot: alarm info; source and spread of a worm)

Page 17: Identify and Stop Insider Threats

Use Case: Detecting IT Sabotage

• StealthWatch can help you:
  – Perform targeted monitoring of employees who are "on the HR radar"
  – Unusual access times (could be any account)
  – Access after termination (!) (accounts or open sessions)
  – Monitor access to specific parts of the network
    • Host Groups
  – Monitor behaviors that show malicious activity
    • SYN floods
    • Scanning

(Screenshot: see access from here to here)

Page 18: Identify and Stop Insider Threats

Use Case: Detecting Fraud

• StealthWatch can help you:
  – Monitor access to sensitive areas of the network with
    • Host Groups
  – Logins coming from another user's machine (different user logins to different systems from the same address)
  – Long flows from sensitive servers to outside hosts
    • Used in data loss detection

Page 19: Identify and Stop Insider Threats

Use Case: Detect Theft of Intellectual Property

• Key window – 30 days before and after resignation/termination
• 54% of CERT's exfiltration cases occurred over the network (most email)
• StealthWatch can help you spot:
  – Email with large attachments to third party destinations
  – Large amounts of traffic to the printer
  – Useful for data infiltration and exfiltration
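As an added example (not Lancope's code and not how StealthWatch implements its alarms), the checks from slides 13, 18 and 19 written out over constructed flow records: long flows from a sensitive server to an outside host, more than one user identity seen from one address, flows starting outside working hours, and any activity by a user inside the 30-day window around termination. The internal range, the sensitive-server host group, the working-day hours, the user-to-flow mapping and the HR termination record are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed inventory, constructed for this example: the internal range, the
# "sensitive servers" host group and the duration that counts as a long flow.
INTERNAL = ip_network("10.0.0.0/8")
SENSITIVE_SERVERS = {"10.0.5.20"}
LONG_FLOW = timedelta(hours=4)
@dataclass
class Flow:
    user: str            # identity tied to the flow (assumed supplied by an ISE/IDentity lookup)
    src: str
    dst: str
    start: datetime
    duration: timedelta
def long_outbound_flows(flows):
    """Slide 18: long flows from a sensitive server to a host outside the network."""
    return [f for f in flows if f.src in SENSITIVE_SERVERS
            and ip_address(f.dst) not in INTERNAL and f.duration >= LONG_FLOW]

def shared_address_logins(flows):
    """Slide 18: addresses from which more than one user identity was seen."""
    seen = defaultdict(set)
    for f in flows:
        seen[f.src].add(f.user)
    return {ip: sorted(users) for ip, users in seen.items() if len(users) > 1}

def off_hours_flows(flows, first_hour=7, last_hour=19):
    """Slide 13: flows that start outside the assumed working day."""
    return [f for f in flows if not first_hour <= f.start.hour < last_hour]

def termination_window_flows(flows, termination_dates, days=30):
    """Slide 19: flows by users within `days` before or after their termination date."""
    window = timedelta(days=days)
    return [f for f in flows if f.user in termination_dates
            and abs(f.start - termination_dates[f.user]) <= window]

# Constructed sample records (not real traffic): a five-hour late-night flow from
# the sensitive server to an outside host, and two users seen from one address.
T0 = datetime(2014, 11, 3, 9, 0)
FLOWS = [
    Flow("alice", "10.0.5.20", "203.0.113.7", T0.replace(hour=23), timedelta(hours=5)),
    Flow("alice", "10.0.1.10", "10.0.5.20", T0, timedelta(minutes=3)),
    Flow("bob", "10.0.1.10", "10.0.6.30", T0 + timedelta(hours=1), timedelta(minutes=2)),
    Flow("carol", "10.0.1.11", "10.0.6.30", T0, timedelta(minutes=1)),
]
TERMINATIONS = {"alice": datetime(2014, 11, 20)}  # constructed HR record
```

Each function returns the matching records so they can be pivoted to the user and host detail the slides describe rather than only counted.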

Page 20: Identify and Stop Insider Threats

Lancope Pro Tip: Combating Insider Threat is a multidisciplinary challenge

• IT cannot address insider threat by itself
  – People have a tendency to think that IT is solely responsible for all computer security issues.
• Legal: Are policies in place? Are they realistic? Does legal support IT practices?
• HR: Who is coming and going? Who has workplace issues? Are there soft solutions?
• IT: Is the privacy of end users adequately protected?
• What impact on workplace harmony are policies, monitoring, and enforcement having?
• Are you applying policies consistently?

(Diagram: IT, Legal, HR)

Page 21: Identify and Stop Insider Threats

Thank You

Matthew McKinley, Technical Product Marketing [email protected] +1 (770) 225-6500