INSIDER THREAT BREACH CASE STUDY - CyberCon | Steve Marshall · 2017-10-20

Transcript of INSIDER THREAT BREACH CASE STUDY - CyberCon

INSIDER THREAT BREACH CASE STUDY

20/10/2017 Public 1

Case Study + Process + Don’t be a victim

What is an insider threat?

“An insider threat is a malicious threat to an organisation that comes from people within the organisation, such as employees, former employees, contractors or business associates, who have inside information concerning the organisation's security practices, data and computer systems.”

Source: Wikipedia

Do we have any examples of this type of attack?

• In 1995 rogue trader Nick Leeson lost £800m and destroyed Barings Bank whilst working as chief trader for Barings Futures in Singapore

• In 2008 the French bank Societe Generale revealed that rogue trader Jerome Kerviel had lost the bank £7bn

• In 2011 Swiss bank UBS uncovered unauthorised trading by a member of staff, Kweku Adoboli, producing losses of some £1.5bn. Additionally, confidence in the bank’s reputation was clearly harmed, with an immediate 7% fall in its share value

• In 2013 Edward Snowden leaked CIA and NSA classified information

• In 2016 Mossack Fonseca saw a disgruntled ex-employee expose the tax affairs and other dealings (legitimate or otherwise) of a considerable number of high profile individuals, criminals, terrorists and the like

Business as usual or malicious threat?


The specifics of this case

• Trusted 3rd party development contractor

• Long standing partner with a working contract for 6 years plus

• The 3rd party’s employee had been in long term employment with the contractor for 8 years plus

• No previous issues with the employee, no behavioural problems, no previous disciplinary matters; he was a trusted employee

• It later transpired that the employee had developed a gambling addiction and was burdened with debt – that motivated him to perpetrate the attack in an attempt to raise cash

• Because trust had been established over a period of years, the 3rd party contractor and its employees were not considered a potential risk by the client organisation!

Attack overview


The attack

• 60 servers and over 4,000 end points within the environment (35 were Win2k, but that’s another story!)

• Attacker set up a phishing server (web/mail) via Google

• Attacker accessed the environment via a legitimate route

• He ran a number of SQL queries against the databases until he was able to extract the customer data that he needed to launch the phishing attack

• He created a number of test files (text and csv) to store the extracted data, then pulled it back to the jump server and then back to his laptop

• 28MB of customer data was extracted from the network, comprising 135,412 customer records, including 1,719 primary account numbers (credit card numbers)

• Attacker used that data to launch a phishing attack on the customers contained within the stolen data

• 30 unique customers accessed the phishing site; 6 uploaded personal information to the phishing server

• It only came to light when an astute customer flagged the phishing email as suspicious to the company

How the access route was modified

[Diagram: approved access route compared with the modified access route used in the attack]

The investigation


Points to prove

A credible suspect was identified, but we needed to prove the following:

• Identify the smart phone

• Link the suspect to the smart phone

• Link the suspect to the laptop

• Put the suspect at or near the keyboard at the times of the attack

• Link the suspect to the phishing server

The techie stuff that we did

• Pulled as many logs as we could identify whilst forensic imaging was under way – all remote

• The client’s legal team worked with Google to obtain a copy of the phishing server – this proved critical in proving the case

• From the above we identified the IP address relating to the smart phone – an Austrian telecoms provider

• Tracked the use of that IP address to a single user account (the suspect)

• Identified a number of SQL queries used by the attacker to obtain the customer data from the databases

• Identified a number of filename references (not the files themselves) that were used to extract the data from the network to the attacker’s laptop – in registry entries and in volatile memory images

• Linked the phone to the owner of the user account in question – his own phone (we never got possession of the phone itself)

• With the assistance of German law enforcement, call data and cell site analysis were conducted to put him in or close to his workplace at the time of the attack

• Workplace CCTV and door entry systems were analysed to place him in the workplace. The CCTV proved negative; the door entry systems placed him in the office where his desk was at the time of the attack.

The outcome

What happened to the suspect?

The final kicker

• We also found evidence of a “pass the hash” attack within their environment during the course of this investigation.

• This was not related to the insider threat attack.

• Upon further investigation we found an external intrusion and another major breach of their network as well!

The process of successful incident management


Steps to successful incident management


Ideally you only need this

[Diagram: incident management cycle of Preparation, Detection, Analysis, Containment, Eradication, Recovery and Review, with the Customer at the centre of every stage]

Preparation

• Identification and classification of critical data

• Risk assessing the IT & Business environment

• Creation of breach identification values (what actually is a breach)

• Determining “normal” behaviour

• Implementation of monitoring tools IDS/NOC/SOC/FIM/SIEM

• Creation of an Incident Response Plan

• Testing the Incident Response Plan

• Staff training as First Responders

• Prepare a media strategy

• Designate an Incident Response Team

Detection

• Identifying “abnormal” behaviour

• Monitoring network traffic

• Monitoring specific file access

• Monitoring email messages

• Identifying known malware

• Identifying compromised data

• Identifying unexpected devices

• Usage of monitoring tools IDS/FIM/SIEM/DLP
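As an added example (not code from the presentation or from Risk-X), the “abnormal behaviour” and file-access bullets above can be turned into a simple check that mirrors this case: baseline each third-party account’s approved access route and typical row volumes, then flag logins from any other source network and bulk SQL extracts or file writes. The log format, account names, approved networks and row threshold are constructed assumptions.

```python
"""Flag 'abnormal' third-party access against a per-account baseline.
Added example, not from the presentation; log format, account names,
approved networks and the row threshold are constructed assumptions."""
import ipaddress

# Constructed sample log: timestamp, account, source IP, action, rows touched.
# The evening lines mimic the case: a trusted contractor account arriving from
# an unexpected source network and pulling a whole customer table to a file.
SAMPLE_LOG = """\
2017-09-01T09:02:11 contractor_dev 10.20.30.5 login 0
2017-09-01T09:10:40 contractor_dev 10.20.30.5 sql_select 120
2017-09-01T22:14:03 contractor_dev 203.0.113.9 login 0
2017-09-01T22:20:55 contractor_dev 203.0.113.9 sql_select 135412
2017-09-01T22:31:17 contractor_dev 203.0.113.9 file_write 135412
2017-09-02T08:55:00 staff_analyst 10.20.31.7 sql_select 300
"""

# Baseline of "normal": the approved access route (source networks) per account.
APPROVED_SOURCES = {
    "contractor_dev": ["10.20.30.0/24"],  # assumed contractor VPN / jump range
    "staff_analyst": ["10.20.31.0/24"],   # assumed internal staff range
}
BULK_ROW_THRESHOLD = 10_000  # rows per query/export that merit review (assumed)


def parse_log(text):
    """Parse the space-separated constructed log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, account, ip, action, rows = line.split()
        events.append({"ts": ts, "account": account, "action": action,
                       "ip": ipaddress.ip_address(ip), "rows": int(rows)})
    return events


def find_anomalies(events, approved=APPROVED_SOURCES, threshold=BULK_ROW_THRESHOLD):
    """Return (timestamp, account, reason) alerts for two checks: a source IP
    outside the account's approved route, and a bulk query/export at or above
    the row threshold. Both checks fire independently on the same event."""
    alerts = []
    for e in events:
        nets = [ipaddress.ip_network(n) for n in approved.get(e["account"], [])]
        if not any(e["ip"] in n for n in nets):
            alerts.append((e["ts"], e["account"],
                           f"source {e['ip']} outside approved route"))
        if e["action"] in ("sql_select", "file_write") and e["rows"] >= threshold:
            alerts.append((e["ts"], e["account"],
                           f"bulk {e['action']} of {e['rows']} rows"))
    return alerts
```

Run against the sample log, the daytime contractor activity and the staff analyst produce no alerts, while the evening session raises three route alerts and two bulk-extraction alerts that an analyst would review together.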

Analysis

• Determining the type of breach

• Identifying scale of breach/compromised data

• Determining ingress and egress points

• Determining malware actions

• Identifying attack signatures

• Identifying known vulnerabilities

• Identifying new vulnerabilities

• Identifying affected 3rd parties

• Identifying the attack vector (internal or external)

• Forensic imaging of affected devices

• Forensic analysis of affected devices and/or logs

Containment & Eradication

Containment

• Preventing further spread of the compromise

• Blocking unauthorised access

• Disabling access to affected devices

• Usage of disaster recovery site

• Notification to affected 3rd parties

• Notification to media

Eradication

• Removal of any identified malware

• Removal of any unauthorised devices/accounts

• Securing ingress and egress points

• Fixing exploited vulnerabilities

• Verification of removal


Recovery

• Restoration of modified data

• Rebuilding of affected devices

• Restoring system access

• Testing of recovered data/devices

• Implementation of most recent patches

• Forensic recovery of missing/corrupted data


Review

• Does the breach need to be reported (GDPR / PCI-DSS)

• Does law enforcement need to be informed

• Documenting the breach and any affected data

• Identifying business impact

• Reviewing policies and procedures

• Agreeing future preventative measures

• Verifying preventative measures are implemented correctly

• Updating documentation


How do you avoid being compromised in the first place?


Invest in the basics - 1

• Map business processes and flows of data through the organisation (you will have to do this for POPI / GDPR / PCI)

• Classify information based on criticality and sensitivity

• Design systems and solutions to protect the most sensitive data, and ensure segmentation works as designed

• Record all of your assets so IT and the business can produce a protection strategy

• Use technology that you know how to use and IT teams can support and secure

• Monitor networks, systems and applications regularly and have incident response procedures and contracts in place

• Patch everything – all critical patches should be applied within 30 days

Invest in the basics - 2

• Assess vulnerabilities regularly and close the gaps within 30 days

• Use benchmarks and secure devices, using good working practices

• Control access using least privilege, and need to know

• Assess / audit your 3rd parties, and understand their 3rd parties so you know where your data is

• Educate, use sanctions and compensate with technology to ensure you are not wholly reliant upon your users

THANK YOU – Any Questions?

Steve Marshall – Chief Operating Officer

Professional Experience

Steve is a world class consultant and business executive who has focused on high profile projects for the government and leading commercial organisations. Steve specialises in business consulting, payments, compliance, breach clean-up, enterprise architecture validation, assurance, corporate/information security, security restructures and risk in sector leading organisations across many business verticals and markets. A balance of technical excellence and keen business acumen enables Steve to provide cost effective, robust strategies for business.

Steve’s early career focused on system and network administration / engineering / security on high throughput transactional platforms, video content delivery, high profile websites and hosting infrastructure. Steve then moved into management and senior management within several system integrators and consulting companies. Having developed several practices in the UK and worked for many companies and organisations, Steve set up PTP Consulting (now Risk-X) with his team to provide leading audit, advisory, assurance and digital forensics globally.

To date Steve has also been involved in :

• High profile security consulting for government organisations

• Headed up and consulted on numerous global retailers payments and PCI DSS compliance programmes

• Provided compliance strategy to global telecommunication, retail, transit, banking and UK building societies

• Provided architecture validation and security consulting to many enterprise customers

• Provided threat analysis and forensic readiness consulting to many commercial organisations

• Public speaking events themed around security, compliance and IT risk management to audiences in the UK and internationally

Industry Sector Experience

• Financial Services

• Retail

• Media / Leisure / Entertainment

• Telecoms / ISP / Hosting

• Government / Public Sector

• Energy and Utilities

• Transit

• BPO’s / Call Centres / Outsourcers

• Gambling and Gaming

Qualifications

• BSc (Hons)

• Payment Card Industry Qualified Security Assessor (QSA)

• Payment Card Industry Forensic Investigator (PFIcore)

• IBITG Certified ISO/IEC 27001 Lead Auditor

• PECB Certified ISO/IEC 27001 Lead Implementer

• (ISC)2 System Security Certified Professional (SSCP)


About us

• Risk-X is a global provider of Audit, Advisory, Digital Forensics, Incident Response and Assurance services. We were formed by a team originally from the roots of major corporate consulting. Becoming disillusioned with the corporate consulting world that was not acting in the best interests of customers or their end consumers, we formed Risk-X. We knew that we could do better, and we have (just ask our customers).

• Over the last five years we have bolstered our expertise from specialists gained from law enforcement, military services, niche service providers and the best from the big four consulting houses. This, led from the same management and investment team, has seen sustained growth and the addition of allied services. We are well financed, motivated, hungry for your business and seek to delight in every engagement.

• When it comes to security and specialist resources, we have real world experience across all market sectors and verticals. We only take on work we know we can complete in line with your requirements, and only charge for what we do. We support ‘plain English’ and do not hide behind fancy lawyers, so engaging with us is easy and simple.

• Steve Marshall

• Chief Operating Officer

[email protected]

• +44 7770 352438

• +27800990116 = Incident Response Toll Free

• +27800990155 = General Enquiries Toll Free
