5 Signs you have an Insider Threat
![Page 1: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/1.jpg)
Signs You Have An Insider Threat
Brian Butler, CSE
![Page 2: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/2.jpg)
Changes in Attack Behavior
“It’s not about the 98% you catch, it’s about the 2% you miss.”
– NSS Labs: Analyst Brief
![Page 3: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/3.jpg)
Insider Threat Motivations
• Financial gain
Selling stolen data or directly competing with their former employer
• Convenience
Using unapproved workarounds to speed things up or assist an end user
– 2015 Verizon Data Breach Investigations Report
![Page 4: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/4.jpg)
Top Insider Threats by Role
Roles shown in the chart: End user, Cashier, Finance, Executive
Shares shown in the chart: 11.2%, 10.4%, 37.6%, 16.8%
– 2015 Verizon Data Breach Investigations Report
![Page 5: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/5.jpg)
Who is Attacking the Network?
• Negligent Insiders – Insiders who accidentally expose data, such as an employee who forgets their laptop on an airplane.
• Malicious Insiders – Insiders who intentionally steal data or destroy systems.
• Compromised Insiders – Insiders whose access credentials and/or computer have been compromised by an outside attacker.
![Page 6: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/6.jpg)
Trends In Enterprise Networks
• Bring Your Own Device (BYOD)
Smart phones, tablets, storage
• Open Networks
Guest, partner and contractor access
• Social Engineering
Phishing, muleware
• Cloud Infrastructure
Are You Ready!!
![Page 7: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/7.jpg)
AWS Shared Responsibility Model
“While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security
they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for
applications in an on-site datacenter.”
-Amazon Web Services
![Page 8: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/8.jpg)
Cloud Security
• Internal East-West Traffic
Monitoring traffic from host to host
Cost of compromised resources
• External Traffic
Traffic crossing the gateway
Exfiltrated data
DDoS, external and internal
![Page 9: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/9.jpg)
Social Engineering Techniques
Shoulder Surfing
Dumpster Diving
Trojan Horse
Surfing Online
Social Engineering
Phishing
Role Playing
![Page 10: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/10.jpg)
Social Engineering Made Easy
• Search for Public Facing Data
Contact info
Company infrastructure
• Employee Education and Policy
Alerting end users
Not allowing .ZIP etc.
![Page 11: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/11.jpg)
What is Muleware?
Muleware solicits the participation of the user and offers incentives to play a small role in the attack campaign.
“Up until this point, cybercriminals have attained their resources by exploiting and compromising devices, but wouldn’t it be more efficient and much more
profitable to pay for these resources and turn thousands of would-be victims into part of the attacker’s supply chain?”
– Lancope CTO, TK Keanini
![Page 12: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/12.jpg)
5 Signs of Insider Threat Activity: Policy Violations, Stolen Credentials, Suspicious Behavior, Unauthorized Access, Unusual Data Movement
![Page 13: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/13.jpg)
Stolen Credentials
“Two out of three breaches exploit weak or stolen passwords”
– Verizon, 2014 Data Breach Investigations Report
![Page 14: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/14.jpg)
Recent Data Breaches using Compromised Credentials
Target – 70,000,000
Adobe – 36,000,000
Home Depot – 56,000,000
Jimmy John's Subs – 217 locations
![Page 15: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/15.jpg)
Breaches Have in Common
“Four replaced credit cards within two years!”
![Page 16: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/16.jpg)
5 Signs of Insider Threat Activity: Policy Violations, Stolen Credentials, Suspicious Behavior, Unauthorized Access, Unusual Data Movement
![Page 17: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/17.jpg)
Suspicious Behavior
A host or end user communicating, or attempting to communicate, with an internal host that is 'not normal'.
A host or end user connecting to 'not normal' outside hosts.
![Page 18: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/18.jpg)
Geographic Traffic Anomaly
Does the company conduct business in China?
![Page 19: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/19.jpg)
Geographic Traffic Anomaly
Historical application graph displaying FTP traffic to China in the past.
![Page 20: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/20.jpg)
Pattern Traffic Anomaly
Abnormal traffic pattern produced by a host or network segment.
Graph reporting a 3-layer DDoS attack used as a smoke screen to hide data exfiltration.
![Page 21: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/21.jpg)
Time of Day Anomaly
Network and/or host activity at abnormal hours.
Graph reporting server response time greatly increasing at 1:45 AM and 4:00 AM.
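The time-of-day anomaly above is a baseline comparison: a host that is busy during the working day and silent at night should not suddenly move tens of megabytes at 01:00 or 04:00. The following is an added example, not Lancope code; it builds a per-host, per-hour baseline from constructed "normal day" records and flags hours in a day under review whose volume exceeds both an absolute floor and the baseline mean plus k standard deviations. The record layout `(host, day, hour, bytes)`, the thresholds and the sample data are all assumptions.

```python
"""Time-of-day anomaly check over per-host hourly byte counts.

Added example; not Lancope code. Record layout, thresholds and the sample data are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

MB = 1_000_000


def hourly_profile(history):
    """history: (host, day, hour, bytes) records from normal days.
    Returns host -> hour -> list of per-day byte totals, with 0 for hours the host was silent."""
    totals = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))  # host -> day -> hour -> bytes
    for host, day, hour, b in history:
        totals[host][day][hour] += b
    return {
        host: {hour: [days[d].get(hour, 0) for d in days] for hour in range(24)}
        for host, days in totals.items()
    }


def time_of_day_anomalies(profile, today, k=3.0, floor=10 * MB):
    """today: (host, hour, bytes) records for the day under review.
    Flags an hour when its volume exceeds both an absolute floor and the baseline mean + k stdev.
    A host with no history has a baseline of zero, so anything above the floor is flagged."""
    hits = []
    for host, hour, b in today:
        samples = profile.get(host, {}).get(hour, [0])
        mu, sigma = mean(samples), pstdev(samples)
        if b > floor and b > mu + k * sigma:
            hits.append((host, hour, b, round(mu), round(sigma)))
    return hits


# Constructed sample: five normal days of a server busy 08:00-18:00 and silent at night,
# plus a workstation with small daytime volumes. "Today" shows night-time bursts on the server.
HISTORY = [
    ("10.201.0.72", day, hour, (50 + (day * hour) % 7) * MB)
    for day in range(5) for hour in range(8, 19)
] + [
    ("10.201.3.18", day, hour, (4 + (day + hour) % 3) * MB)
    for day in range(5) for hour in range(9, 18)
]

TODAY = [
    ("10.201.0.72", 1, 80 * MB),    # 01:00 burst in a normally silent hour
    ("10.201.0.72", 4, 120 * MB),   # 04:00 burst
    ("10.201.0.72", 10, 55 * MB),   # within the daytime baseline
    ("10.201.3.18", 12, 6 * MB),    # workstation, normal
]

if __name__ == "__main__":
    for hit in time_of_day_anomalies(hourly_profile(HISTORY), TODAY):
        print("host %s hour %02d:00 moved %d bytes (baseline mean %d, stdev %d)" % hit)
```

The absolute floor matters for hours whose baseline is all zeros: without it, a single DNS lookup at 03:00 would exceed "mean + k stdev" and page someone. Tune `floor` to what one stray keep-alive or patch check looks like on the hosts being profiled.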
![Page 22: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/22.jpg)
5 Signs of Insider Threat Activity: Policy Violations, Stolen Credentials, Suspicious Behavior, Unauthorized Access, Unusual Data Movement
![Page 23: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/23.jpg)
Unauthorized Access
Diagram: a host or end user making communications, or attempts, to unauthorized segments or hosts.
![Page 24: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/24.jpg)
Unauthorized Access
Segmentation, compliance and sensitive data visibility
![Page 25: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/25.jpg)
Multiple Login
Ethel has logged in, one hour apart, from locations several hundred miles apart.
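The "multiple login" sign is usually implemented as an impossible-travel check: for each user, consecutive logins are paired, the great-circle distance between their locations is divided by the time between them, and any implied speed faster than a plane is flagged. The code below is an added example, not Lancope code. It assumes login records have already been geolocated upstream (the `lat`/`lon` fields), uses a hypothetical 800 km/h plausibility limit, and runs over constructed logins: "ethel" appears in Atlanta and then in Chicago an hour later, while the other users' movements are plausible or negligible.

```python
"""Impossible-travel check over geolocated login records.

Added example; not Lancope code. Field names, the speed limit and the sample logins are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 800.0  # assumption: faster than this between two logins is not credible


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    lat: float   # assumed to come from geolocating the login source address upstream
    lon: float
    place: str   # label for the report only


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_place, to_place, km, km/h) for each pair of consecutive logins
    by the same user that implies a speed above max_kmh."""
    by_user = {}
    for rec in sorted(logins, key=lambda r: (r.user, r.ts)):
        by_user.setdefault(rec.user, []).append(rec)
    hits = []
    for user, seq in by_user.items():
        for a, b in zip(seq, seq[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if km < 1.0:            # same place within geolocation noise: nothing to flag
                continue
            hours = (b.ts - a.ts).total_seconds() / 3600
            # simultaneous logins from two distinct places imply infinite speed
            kmh = float("inf") if hours <= 0 else km / hours
            if kmh > max_kmh:
                hits.append((user, a.place, b.place, round(km), kmh))
    return hits


def _t(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample logins (coordinates are approximate city centres).
SAMPLE_LOGINS = [
    Login("ethel", _t("2015-06-01T09:00:00"), 33.749, -84.388, "Atlanta"),
    Login("ethel", _t("2015-06-01T10:00:00"), 41.878, -87.630, "Chicago"),    # ~950 km in one hour
    Login("bob", _t("2015-06-01T09:00:00"), 33.749, -84.388, "Atlanta"),
    Login("bob", _t("2015-06-01T14:00:00"), 35.227, -80.843, "Charlotte"),    # ~360 km in five hours
    Login("carol", _t("2015-06-01T09:00:00"), 33.749, -84.388, "Atlanta"),
    Login("carol", _t("2015-06-01T09:00:00"), 33.750, -84.389, "Atlanta"),    # same place, same minute
]

if __name__ == "__main__":
    for user, src, dst, km, kmh in impossible_travel(SAMPLE_LOGINS):
        print(f"{user}: {src} -> {dst}, {km} km at {kmh:.0f} km/h")
```

Two caveats a production version has to carry: geolocation of corporate VPN egress or mobile-carrier addresses can place a user hundreds of kilometres from where they sit, so the check should run on the pre-VPN client address where that is known, and the speed limit should be a tunable rather than a constant.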
![Page 26: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/26.jpg)
Malicious Insiders
Research indicates that insider threats typically conduct their attacks within 30
days of giving their resignation.
– CERT Insider Threat Center
![Page 27: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/27.jpg)
Malicious Insiders
Suspect Employee Visibility
![Page 28: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/28.jpg)
© 2014 Lancope, Inc. All rights reserved.
Scenario: The organization is at risk from a targeted attack!
The adversary is already in using stolen credentials, so what are we defending against:
• Sabotage
• Espionage
• Data Loss
• Fraud
Security events have triggered indicating there is internal recon activity, a compromised server, and data exfiltration.
ALERT: Targeted Attack
1. Internal user performing recon
2. Finds server, performs port scan to find method to steal data, disables endpoint protection and begins collecting data
3. Encrypts data and exfiltrates out to Dropbox
Diagram addresses, in the order shown: 10.201.3.149; 10.201.0.0/24, 10.201.1.0/24, 10.201.2.0/24; 10.201.0.72; 60.10.254.10
5 Signs of Insider Threat Activity: Policy Violations, Stolen Credentials, Suspicious Behavior, Unauthorized Access, Unusual Data Movement
![Page 35: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/35.jpg)
Unusual Data Movement
Diagram: a host or end user moving data to unauthorized segments or hosts.
![Page 36: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/36.jpg)
Unusual Protocol Behavior
Typical DNS protocol behavior
![Page 37: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/37.jpg)
Unusual Protocol Behavior
Not typical protocol behavior
![Page 38: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/38.jpg)
Application / Payload Mismatch
Port 53 used to move P2P data.
![Page 39: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/39.jpg)
Data Hoarding
• One to a few hosts reaching out and pulling data from multiple hosts in the enterprise
• Many more hosts touched than in a normal day's work flow
![Page 40: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/40.jpg)
Data Exfiltration
• One to a few hosts sending data to hosts outside of the enterprise
• Typically seen after Data Hoarding is completed
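Data hoarding, data exfiltration and the port-53 payload mismatch two slides earlier are all visible in flow records (NetFlow-style source, destination, port and byte counts) without looking at payload. The block below is an added example, not Lancope code, that runs three checks over constructed flows shaped like the deck's second scenario: a terminal server pulling from many datacenter hosts (hoarding, judged against an assumed per-host baseline of distinct internal peers), the same host pushing a large volume to an outside address (exfiltration), and a port-53 conversation far larger than DNS needs (payload mismatch). The `Flow` layout, the 10.0.0.0/8 internal range, the thresholds and the baseline are assumptions.

```python
"""Flow-record checks for data hoarding, exfiltration and port-53 payload mismatch.

Added example; not Lancope code. Field names, thresholds, internal ranges and sample flows are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8")]  # assumption: the enterprise's inside address space


@dataclass(frozen=True)
class Flow:
    src: str        # initiating host
    dst: str        # responding host
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    bytes_out: int  # bytes sent by src
    bytes_in: int   # bytes returned to src


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def detect_hoarding(flows, baseline_peers, factor=3.0, min_peers=5):
    """Internal hosts that pulled data from many more internal peers than their baseline.
    baseline_peers: host -> typical distinct internal peers per day (assumed learned from history)."""
    peers = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.bytes_in > 0:
            peers[f.src].add(f.dst)
    hits = {}
    for host, dsts in peers.items():
        base = baseline_peers.get(host, 1)
        if len(dsts) >= min_peers and len(dsts) > factor * base:
            hits[host] = len(dsts)
    return hits


def detect_exfiltration(flows, byte_threshold=50_000_000):
    """Internal hosts that pushed more than byte_threshold bytes to outside hosts."""
    out = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            out[f.src] += f.bytes_out
    return {h: b for h, b in out.items() if b > byte_threshold}


def detect_dns_volume(flows, byte_threshold=1_000_000):
    """Port-53 conversations carrying far more than DNS ever needs (application/payload mismatch)."""
    vol = defaultdict(int)
    for f in flows:
        if f.dport == 53:
            vol[(f.src, f.dst)] += f.bytes_out
    return {pair: b for pair, b in vol.items() if b > byte_threshold}


def staged_exfil(flows, baseline_peers):
    """Hosts that both hoarded internally and then sent a large volume out: the deck's sequence."""
    return sorted(set(detect_hoarding(flows, baseline_peers)) & set(detect_exfiltration(flows)))


# Constructed sample in the shape of the deck's second scenario.
SAMPLE_FLOWS = [
    # terminal server 10.201.0.23 pulls ~30 MB from each of seven datacenter hosts
    *[Flow("10.201.0.23", f"10.201.0.{n}", "tcp", 1433, 20_000, 30_000_000) for n in range(55, 62)],
    # then tunnels ~180 MB out over UDP/53 to an upload server
    Flow("10.201.0.23", "74.213.99.97", "udp", 53, 180_000_000, 400_000),
    # ordinary workstation: a remote-desktop session, normal DNS, some web browsing (203.0.113.10 is TEST-NET)
    Flow("10.201.3.18", "10.201.0.23", "tcp", 3389, 500_000, 2_000_000),
    Flow("10.201.3.18", "10.201.0.5", "udp", 53, 4_000, 12_000),
    Flow("10.201.3.18", "203.0.113.10", "tcp", 443, 300_000, 5_000_000),
]
BASELINE_PEERS = {"10.201.0.23": 2, "10.201.3.18": 3}  # assumed per-host daily baseline

if __name__ == "__main__":
    print("hoarding:", detect_hoarding(SAMPLE_FLOWS, BASELINE_PEERS))
    print("exfiltration:", detect_exfiltration(SAMPLE_FLOWS))
    print("port-53 volume:", detect_dns_volume(SAMPLE_FLOWS))
    print("staged exfil:", staged_exfil(SAMPLE_FLOWS, BASELINE_PEERS))
```

The port-53 check keys on destination port only because that is what the flow record carries; in the deck's example the traffic is P2P, not DNS, and the volume alone gives it away. Pairing the hoarding and exfiltration results per host (`staged_exfil`) is what turns two noisy indicators into the ordered "collect, then send out" story the slides describe.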
![Page 41: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/41.jpg)
Scenario: An internal user is stealing data!
The user could be a:
• Disgruntled employee
• Person about to leave the company
• Person with privileged credentials
• Person stealing and selling trade secrets
Security events have triggered indicating a user is connecting to a terminal server, collecting data from a sensitive database, and tunneling the traffic out of the network using P2P through UDP port 53 (DNS port).
ALERT: Insider Threat
1. Internal user connects to Terminal Server
2. Terminal server used to collect sensitive data from within the same subnet inside the datacenter.
3. Terminal server used to encrypt data and tunnel through DNS port to an upload server
Diagram addresses, in the order shown: 10.201.3.18, 10.201.0.23; 10.201.0.55; 74.213.99.97
5 Signs of Insider Threat Activity: Policy Violations, Stolen Credentials, Suspicious Behavior, Unauthorized Access, Unusual Data Movement
![Page 51: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/51.jpg)
Policy Violations
Diagram: enterprise network, host, end user.
![Page 52: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/52.jpg)
Policy Violations
While this isn’t always indicative of an insider threat, violations of
company network policies could represent an employee attempting
to subvert perimeter defenses.
– Brian Butler, CSE
![Page 53: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/53.jpg)
Audit Firewall Rules
... is listed in a major DNS Black List use ip/dnsbl.
![Page 54: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/54.jpg)
Contractor Violations
![Page 58: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/58.jpg)
http://www.lancope.com
Thank You
![Page 59: 5 Signs you have an Insider Threat](https://reader034.fdocuments.us/reader034/viewer/2022042706/5870beca1a28ab0b4a8b6a05/html5/thumbnails/59.jpg)
Questions & Answers