Transcript of InsiderThreat-2016NDITS
Detecting and Preventing the Insider Threat
Mike Saunders Hardwater Information Security
About Mike
18 Years in IT
9 Years in Security
CISSP, GPEN, GWAPT, GCIH
Speaker: DerbyCon, BSidesMSP, ND IT Symposium, NDSU CyberSecurity Conference
Defining the threat
Mistakes
Sensitive data exposed
Unintentional data destruction or contamination
Outages caused by misconfigurations
Malware outbreaks
Defining the threat
Bad actors
Theft of IP, sensitive data, $$$
Insider trading
Intentional data corruption, deletion
Denial of Service
Terry Childs - 2008 (City of San Francisco network administrator who locked the city out of its own FiberWAN by withholding the device passwords)
The Insider Threat
Verizon 2016 DBIR
≈ 18% of all breaches due to insider actions
riskbasedsecurity.com
32% of all exposed records in 2015 due to insider mistake. 191M in one event.
≈ 49% of all exposed records due to all insider actions
Chart: 2015 Exposed Records by Threat Vector (riskbasedsecurity.com, 2015 statistics)
Chart: Insider Threat Statistics (2015 Verizon DBIR)
Prevention
Prevention - web
Block outbound web access by default
Require all users to go through web proxy
Block access to external email providers
Ensure local/regional ISP mail systems are also blocked
Prevention - web
Block access to known file sharing sites
Use proxy vendor classifications
Block access to all uncategorized websites
Prevent egress from servers
Prevention - network
Deny by default
Ensure all egress avenues are blocked, including SSH, telnet, SMB, CIFS, HTTP/HTTPS
Grant unrestricted egress by exception only
Tie to user ID, not IP
Disable split tunneling on VPN connections
Prevention - applications
Consider whitelisting technologies to prevent unknown executables from running
Significant management overhead initially
Worth it in the long run
Removable Media
Deny access to use removable media
USB AND CD/DVD-R
Permit by authorized exception only
Regularly review removable media authorizations
Encrypt all removable media
Prevention - physical
Restrict access to sensitive areas
Document storage
Datacenter & network closets
Physical security controls
Monitor for abnormal activity
Data Classification
Implement data classification scheme
Identify what data is sensitive
Separate storage of sensitive and non-sensitive data
A word about DLP
DLP is not a panacea
Useless without a data classification program
You MUST perform HTTPS inspection
What about encrypted zip in email?
A meme about DLP
Privilege Management
Restrict access to local AND directory administrator groups
Separate accounts for admin and daily use
Regularly review access to admin groups
Group users by job function
Regularly x-ref group membership to job functions
Privilege review whenever employees change roles
Restrict Access
Deny access to sensitive data by default
Provision access to data by group / role
Individual access by exception only
Monitoring
Monitoring - Email
Develop reporting for outbound email usage by user
Network / Web
Develop reporting for outbound data usage by user
Compare outbound reports against baseline
Look for spikes in usage; review
More on monitoring
What about packets bouncing off the firewall?
1 internal IP to an external IP on many ports, or to many external IPs, may be a sign of probing
Some attacks exfiltrate over DNS
https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152
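The three monitoring ideas above (per-user outbound volume against a baseline, firewall denies that look like probing, and DNS tunnelling indicators) as working detection logic. This is an added example, not code from the talk; the log line formats, user names, hosts and thresholds are all constructed for the example and are not any vendor's real log format.

```python
"""Added example (not from the talk): three monitoring checks the slides describe,
run over constructed log lines (formats invented for this example, not any
vendor's real log format).
  1. outbound bytes per user compared against that user's own baseline
  2. firewall denies where one internal source hits many ports or many hosts
  3. DNS queries with unusually long labels, a common DNS-tunnelling indicator
"""
from collections import defaultdict
from statistics import mean, pstdev

# 1. Constructed proxy log: day user bytes_out destination
PROXY_LOG = """\
2016-03-01 alice 1200000 example.com
2016-03-01 bob 300000 example.com
2016-03-02 alice 1100000 example.com
2016-03-02 bob 280000 example.com
2016-03-03 alice 1300000 example.com
2016-03-03 bob 310000 example.com
2016-03-04 alice 1250000 example.com
2016-03-04 bob 9500000 filesharing.example.net
"""


def daily_bytes_per_user(log):
    """{user: {day: bytes_out}} summed from the proxy log."""
    per_user = defaultdict(lambda: defaultdict(int))
    for line in log.splitlines():
        day, user, nbytes, _dest = line.split()
        per_user[user][day] += int(nbytes)
    return per_user


def egress_spikes(log, today, zscore=3.0, min_ratio=3.0):
    """Users whose bytes on `today` exceed mean + zscore*stdev of their earlier days
    AND are at least min_ratio times their earlier mean (guards against tiny stdevs
    making a small change look like a spike). Returns {user: bytes_today}."""
    flagged = {}
    for user, days in daily_bytes_per_user(log).items():
        history = [b for d, b in days.items() if d < today]   # ISO dates sort as strings
        if today not in days or len(history) < 2:
            continue
        mu, sigma = mean(history), pstdev(history)
        if days[today] > mu + zscore * sigma and days[today] >= min_ratio * mu:
            flagged[user] = days[today]
    return flagged


# 2. Constructed firewall deny log: src dst dport
FW_DENY_LOG = (
    [f"10.0.0.5 203.0.113.10 {p}" for p in range(20, 36)]         # one host, 16 ports
    + [f"10.0.0.7 198.51.100.{h} 445" for h in range(1, 13)]      # 12 hosts, one port
    + ["10.0.0.9 203.0.113.10 443", "10.0.0.9 203.0.113.10 443"]  # benign repeat
)


def probing_sources(lines, port_threshold=10, host_threshold=10):
    """Internal sources that were denied on >= port_threshold distinct ports of one
    host, or to >= host_threshold distinct hosts. Returns a set of source IPs."""
    ports = defaultdict(set)
    hosts = defaultdict(set)
    for line in lines:
        src, dst, dport = line.split()
        ports[(src, dst)].add(dport)
        hosts[src].add(dst)
    flagged = {src for (src, _dst), p in ports.items() if len(p) >= port_threshold}
    flagged |= {src for src, h in hosts.items() if len(h) >= host_threshold}
    return flagged


# 3. Constructed DNS query names (last one is a 60-character hex label)
DNS_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "cdn-assets-1.static.example.org",
    "a3f9c2e1b7d4a8f0c6e2b9d1f7a3c8e5b2d9f4a7c1e8b3d6f9a2c5e8b1d4.t.example.net",
]


def long_label_queries(queries, max_label=40):
    """Query names containing any label longer than max_label characters.
    Tunnelling tools pack data into labels; real hostnames are rarely this long."""
    return [q for q in queries if any(len(label) > max_label for label in q.split("."))]


if __name__ == "__main__":
    print("egress spikes:", egress_spikes(PROXY_LOG, "2016-03-04"))
    print("probing sources:", sorted(probing_sources(FW_DENY_LOG)))
    print("long DNS labels:", long_label_queries(DNS_QUERIES))
```

Each check is deliberately simple so the output is reviewable: a flagged user, source or query name is a lead for a person to look at, not a verdict. Tune the thresholds against your own baseline before alerting on them, in line with the "enable only actionable alerts" advice that follows.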
Tuning for monitoring
IDS/IPS - DO NOT enable all the things!
Details will be lost in the noise
Test in small batches, only enable useful / actionable alerts
Enable reputational and behavioral blocking on local client firewalls / AV - e.g. Symantec SONAR
Logging
Send all logs to SIEM
Log all authentication attempts
Both successful and failed
NSA “Spotting the Adversary with Windows Event Log Monitoring”
Logging
Log access to sensitive data directories
Log firewall activity
Process logging
Consider file integrity management and change request system
Antivirus
May be ineffective against emerging threats but useful after the fact
AV alerts from system boot or scheduled scans should be investigated - something bad is already on the system
Investigations can x-ref proxy logs to identify infection vector, subsequent calls to botnet / threat actor
Hardening systems
Same methods used to protect against external threats
Remove “low hanging fruit” for insiders
Disable unnecessary services
Remove unneeded software
Patch quickly, patch often
Share auditing
Routinely scan for file shares
Scan as an unprivileged user without special group permissions
Identify shares allowing anonymous or “Authenticated Users”
Sample each accessible share for unprotected sensitive data
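The share audit above as working code: parse the output of an nmap smb-enum-shares run (the commands are listed under Resources at the end of the deck), flag shares that anonymous users or the unprivileged scanning account can reach, and sample readable files for SSN- and card-number-like data. This is an added example, not code from the talk. It assumes the scan was run as an ordinary domain user with no special group memberships, so anything that account can read is effectively open to "Authenticated Users". The nmap excerpt and the sample text are constructed for this example, not real scan results.

```python
"""Added example (not from the talk): triage nmap smb-enum-shares output and
sample accessible shares for unprotected sensitive data.

Assumption: the scan ran as an ordinary domain user (no special groups), so any
share the scanning account can read is effectively open to "Authenticated Users".
The nmap text and sample text below are constructed, not real scan results.
"""
import os
import re

# Constructed excerpt in the shape of nmap's normal (.nmap) output for the script.
SAMPLE_NMAP = r"""
Nmap scan report for 192.168.1.10
Host script results:
| smb-enum-shares:
|   account_used: smbuser
|   \\192.168.1.10\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Path: C:\WINDOWS
|     Anonymous access: <none>
|     Current user access: <none>
|   \\192.168.1.10\Public:
|     Type: STYPE_DISKTREE
|     Comment:
|     Path: C:\Public
|     Anonymous access: READ
|_    Current user access: READ/WRITE
"""

SHARE_RE = re.compile(r"^\|_?\s+\\\\([^\\]+)\\([^:]+):\s*$")      # \\host\share:
FIELD_RE = re.compile(r"^\|_?\s+([A-Za-z][A-Za-z ]*):\s*(.*?)\s*$")  # Key: value


def parse_shares(nmap_text):
    """One dict per share: host, share name, and the key/value fields nmap printed."""
    shares, current = [], None
    for line in nmap_text.splitlines():
        m = SHARE_RE.match(line)
        if m:
            current = {"host": m.group(1), "share": m.group(2)}
            shares.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return shares


def flag_open_shares(nmap_text, ignore_admin=True):
    """Shares reachable anonymously or by the unprivileged scanning account.
    Returns (host, share, reason) tuples; administrative $ shares are skipped by
    default because they are expected to exist and get reviewed separately."""
    findings = []
    for s in parse_shares(nmap_text):
        if ignore_admin and s["share"].endswith("$"):
            continue
        anon = s.get("Anonymous access", "<none>")
        user = s.get("Current user access", "<none>")
        if anon != "<none>":
            findings.append((s["host"], s["share"], "anonymous: " + anon))
        elif user != "<none>":
            findings.append((s["host"], s["share"], "authenticated users: " + user))
    return findings


# Sensitive-data sampling: SSN-shaped strings and Luhn-valid 13-16 digit numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits):
    """Luhn checksum; filters out order numbers and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Count SSN-like and Luhn-valid card-number-like strings in a text sample."""
    pans = [m for m in PAN_RE.findall(text) if luhn_ok(re.sub(r"[ -]", "", m))]
    return {"ssn": len(SSN_RE.findall(text)), "pan": len(pans)}


def sample_directory(root, max_files=200, chunk=64 * 1024):
    """Read the first `chunk` bytes of up to max_files files under root (a mounted
    share) and return {path: counts} for files that contain matches."""
    hits, seen = {}, 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if seen >= max_files:
                return hits
            seen += 1
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(chunk).decode("utf-8", "ignore")
            except OSError:
                continue
            counts = find_sensitive(text)
            if any(counts.values()):
                hits[path] = counts
    return hits


# Constructed sample: one SSN, one valid test card number, one non-Luhn digit run.
SAMPLE_TEXT = "payroll.csv: Jane Doe, 123-45-6789, card 4111 1111 1111 1111; order id 1234567890123456"
```

Run the nmap command from Resources with -oA, feed the .nmap file to flag_open_shares, mount each flagged share read-only and point sample_directory at the mount. The regexes are intentionally narrow (they will miss unformatted SSNs and non-card numeric secrets); they exist to find the obvious unprotected files quickly, not to replace a data classification program.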
Education / Resources
SANS: Securing the Human
site:sans.org intext:"insider threat"
https://www.cert.org/insider-threat/research/controls-and-indicators.cfm
Wrap up
Prevention is key
Restrict privileges
Restrict network egress
Block removable media
Monitor for abnormal behavior
Logging is essential
Review shares for unprotected sensitive data
Educate, educate, educate
Contact
@hardwaterhacker
http://hardwatersec.blogspot.com
https://github.com/hardwaterhacker/
Resources
https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf
nmap share scanning
https://nmap.org/nsedoc/scripts/smb-enum-shares.html
http://pwndizzle.blogspot.com/2013/02/parsing-nmap-smb-enum-shares-output.html
Resources
nmap -sS -v -oA myshares --script smb-enum-shares --script-args smbuser=smbuser,smbpass=password -p445 <range>
nmap -sU -sS -v -oA myShares --script smb-enum-shares.nse --script-args smbuser=smbuser,smbpass=password -p U:137,T:139 <range>
Questions?