Insider Threat Trends in the Utilities Sector
Transcript of Insider Threat Trends in the Utilities Sector
1Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
Insider Threat Trends in the Utilities Sector
Dan Costa
2Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
Document Markings
Copyright 2020 Carnegie Mellon University.
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
The view, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation.
References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at [email protected].
Carnegie Mellon® and CERT® are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.
DM20-0857
3Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
The CERT National Insider Threat Center
Conducting research,
modeling, analysis, and
outreach to develop socio-
technical solutions to
combat insider threats since
2001
Splunk Query Name: Last 30 Days - Possible Theft of IP
Terms: 'host=HECTOR [search host="zeus.corp.merit.lab" Message="A user account was disabled. *"
| eval Account_Name=mvindex(Account_Name, -1) | fields Account_Name | strcat Account_Name
"@corp.merit.lab" sender_address | fields - Account_Name] total_bytes > 50000 AND
recipient_address!="*corp.merit.lab" startdaysago=30 | fields client_ip, sender_address,
recipient_address, message_subject, total_bytes'
4Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
NITC Corpus: Insider Threat Incidents by Industry / Sector
415
287
128 12790 89
6945 38 33 29 18 15 12 11 21
0
50
100
150
200
250
300
350
400
450
Nu
mb
er
of
Inci
de
nts
5Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
Verizon Insider Threat Study
https://enterprise.verizon.com/resources/reports/insider-threat-report.pdf
6Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
Financial Impact
32
4
10
3
0
2
4
6
8
10
12
7Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
Incident Types
7
6
1
4
1 11 1
0
1
2
3
4
5
6
7
8
Fraud Sabotage Sabotage andFraud
Fraud and Theftof IP
Miscellaneous
Energy
Water
Nuclear
8Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
CERT’s Insider Fraud Model
Source: The CERT® Guide to Insider Threats
9Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
CERT’s Insider Sabotage Model
Source: The CERT® Guide to Insider Threats
10Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
Critical Path to Insider Risk – Utilities Observables
•Used Compromised Account (18.2%)
•Denial of Service Attack (18.2%)
•Used Their Account After Termination/Resignation (13.6%)
•Privileged Access Abuse (13.6%)
•Deleted Critical Data (13.6%)
•Modified Critical Data (9.1%)
Hostile Acts
•Employee Extortion, Threats, or Legal Demands (18.2%)
•Suspicious Foreign Travel (13.6%)
•Bypassed Physical Security of Organization Facilities (9.1%)
Concerning Behaviors
•Terminated (27.3%)
•Resigned (22.7%)
•Changed Positions Internally (9.1%)
Stressors
•Possible Psychological Issues (9.1%)
•Substance Abuse (4.5%)
•A History Of Financial Problems (4.5%)
Personal Predispositions
11Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
The Goal for an Insider Threat Program…
https://insights.sei.cmu.edu/insider-threat/2020/01/maturing-your-insider-threat-program-into-an-insider-risk-management-program.html
Is to reduce insider risks to critical assets to acceptable levels
12Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
Asset
Manage-
ment Logs
Wireless
Spectrum
Monitoring
Logs
Perform-
ance
Evaluat-
ions
Foreign
Contacts
Reporting
Help Desk
Ticket
System
Logs
Back-
ground
Investig-
ations Corporate
Credit Card
Records
Authentic-
ation Logs
DNS Logs
File Access
Logs
Intrusion
Detection/
Prevention
Logs Network
Monitoring
Logs
Permiss-
ion Change
Monitor
Logs
User
Activity
Monitoring
Logs
Configurat-
ion Change
Logs
Physical
Access
Records
Security
Clearance
Records
Remov-
able Media
Manager
Logs
Antivirus
Logs
Account
Creation
Logs
Telephone
Records
Conflict of
Interest
Reporting
Printer/
Scanner/
Copier/Fax
Logs
Data Loss
Prevention
Logs
Disciplin-
ary
Records
Firewall
Logs Mobile
Device
Manager
Logs
Travel
Reporting
Personnel
Records
Email Logs
Chat Logs
IP Policy
Violation
Records
Active
Directory
Logs
AUP
Violation
Records
HTTP/SSL
Proxy Logs
Application
Logs
VPN Logs
Physical
Security
Violation
Records
Network
Packet
Tags
Anony-
mous
Reporting
Technical Data SourcesNon-Technical Data Sources
Data Sources for
Insider Threat
Detection, Prevention,
and Response
13Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
Best Practices from the CERT Common Sense Guide to Mitigating Insider Threats
1 - Know and protect your critical assets. 12 - Deploy solutions for monitoring employee actions and correlating information from multiple data sources.
2 - Develop a formalized insider threat program. 13 - Monitor and control remote access from all endpoints, including mobile
devices.
3 - Clearly document and consistently enforce policies and controls. 14 - Establish a baseline of normal behavior for both networks and employees
4 - Beginning with the hiring process, monitor and respond to suspicious or
disruptive behavior.
15 - Enforce separation of duties and least privilege.
5 - Anticipate and manage negative issues in the work environment. 16 - Define explicit security agreements for any cloud services, especially
access restrictions and monitoring capabilities.
6 - Consider threats from insiders and business partners in enterprise-wide risk
assessments.
17 - Institutionalize system change controls.
7 - Be especially vigilant regarding social media. 18 - Implement secure backup and recovery processes.
8 - Structure management and tasks to minimize unintentional insider stress and
mistakes.
19 - Close the doors to unauthorized data exfiltration.
9 - Incorporate malicious and unintentional insider threat awareness into
periodic security training for all employees.
20 - Develop a comprehensive employee termination procedure.
10 - Implement strict password and account management policies and practices. 21 - Adopt positive incentives to align the workforce with the organization.
11 - Institute stringent access controls and monitoring policies on privileged
users.http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=540644
14Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
An Overview of Insider Threat Program Components
15Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
Acceptable Levels?
Deploying controls doesn’t necessarily reduce the
likelihood of a threat occurring to 0%, especially for insider
threats.
How much insider risk is our organization willing or able to
withstand while still carrying out its mission?
• To begin to answer this question, we need quantifiable
and actionable risk appetite statements
- To do this, we need reliable, sound methods for measuring
the likelihood and impact of insider threats
Impact
ThreatVulnerabilities
Risk
Likelihood
16Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
Questions / Presenter Contact Information
Dan Costa, CISSP, PSEM
Technical Manager, CERT National Insider Threat Center
www.cert.org/insider-threat
17Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
Case Studies and Resources
18Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
Theft of IP
19Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
Fraud
20Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
Sabotage and Fraud
21Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
Featured Research from the CERT National Insider Threat Center – 1
The Common Sense Guide to Mitigating Insider Threats, Sixth Edition – a collection of 21
best practices for insider threat mitigation, complete with case studies and statistics
• https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=540644
Balancing Organizational Incentives to Counter Insider Threat – a study on how positive
incentives can complement traditional security practices to provide a better balance for
organizations’ insider threat programs
• https://ieeexplore.ieee.org/abstract/document/8424655
22Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
Featured Research from the CERT National Insider Threat Center – 2
Navigating the Insider Threat Tool Landscape: Low Cost Technical Solutions to Jump-
Start an Insider Threat Program – an exploration of the types of tools that organizations
can use to prevent, detect, and respond to multiples types of insider threats
• https://resources.sei.cmu.edu/asset_files/WhitePaper/2018_019_001_521706.pdf
Insider Threats Across Industry Sectors – a multi-part blog series that contains the most
up-to-date statistics from our database on sector-specific insider threats
• https://insights.sei.cmu.edu/insider-threat/2018/10/insider-threat-incident-analysis-by-
sector-part-1-of-9.html
23Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
Featured Research from the CERT National Insider Threat Center – 3Effective Insider Threat Programs: Understanding and Avoiding Potential Pitfalls
• https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=446367
Analytic Approaches to Detect Insider Threats
• https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=451065
Spotlight On: Insider Theft of Intellectual Property Inside the United States Involving Foreign Governments
• https://web.archive.org/web/20170122065908/http:/resources.sei.cmu.edu/library/asset-view.cfm?assetid=48668
24Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
Featured Research from the CERT National Insider Threat Center – 4Workplace Violence & IT Sabotage: Two Sides of the Same Coin?
• https://resources.sei.cmu.edu/asset_files/Presentation/2016_017_001_474306.pdf
An Insider Threat Indicator Ontology
• https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=454613
25Insider Threat Trends in the Utilities Sector© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited
distribution.]
Our insider threat program manager, vulnerability
assessor, and program evaluator certificate programs and
insider threat analyst training courses are now available in
live-online delivery formats!
For more information, please visit
www.sei.cmu.edu/education-outreach/courses/index.cfm
Training from the CERT National Insider Threat Center