InsiderThreat-2016NDITS

Detecting and Preventing the Insider Threat Mike Saunders Hardwater Information Security

Transcript of InsiderThreat-2016NDITS

Page 1: InsiderThreat-2016NDITS

Detecting and Preventing the Insider Threat

Mike Saunders Hardwater Information Security

Page 2: InsiderThreat-2016NDITS

About Mike

18 Years in IT

9 Years in Security

CISSP, GPEN, GWAPT, GCIH

Speaker: DerbyCon, BSidesMSP, ND IT Symposium, NDSU CyberSecurity Conference

Page 3: InsiderThreat-2016NDITS

Defining the threat

Mistakes

Sensitive data exposed

Unintentional data destruction or contamination

Outages caused by misconfigurations

Malware outbreaks

Page 4: InsiderThreat-2016NDITS

Defining the threat

Bad actors

Theft of IP, sensitive data, $$$

Insider trading

Intentional data corruption, deletion

Denial of Service

Terry Childs - 2008

Page 5: InsiderThreat-2016NDITS

The Insider Threat

Verizon 2016 DBIR

≈ 18% of all breaches due to insider actions

riskbasedsecurity.com

32% of all exposed records in 2015 due to insider mistake. 191M in one event.

≈ 49% of all exposed records due to all insider actions

Page 6: InsiderThreat-2016NDITS

’15 Exposed Records by Threat Vector

riskbasedsecurity.com (2015 statistics)

Page 7: InsiderThreat-2016NDITS
Page 8: InsiderThreat-2016NDITS
Page 9: InsiderThreat-2016NDITS

Insider Threat Statistics

2015 Verizon DBIR

Page 10: InsiderThreat-2016NDITS

Prevention

Page 11: InsiderThreat-2016NDITS

Prevention - web

Block outbound web access by default

Require all users to go through web proxy

Block access to external email providers

Ensure local/regional ISP mail systems are also blocked

Page 12: InsiderThreat-2016NDITS

Prevention - web

Block access to known file sharing sites

Use proxy vendor classifications

Block access to all uncategorized websites

Prevent egress from servers

Page 13: InsiderThreat-2016NDITS

Prevention - network

Deny by default

Ensure all egress avenues are blocked, including SSH, telnet, SMB, CIFS, HTTP/HTTPS

Grant unrestricted egress by exception only

Tie to user ID, not IP

Disable split tunneling on VPN connections

Page 14: InsiderThreat-2016NDITS

Prevention - applications

Consider whitelisting technologies to prevent unknown executables from running

Significant management overhead initially

Worth it in the long run

Page 15: InsiderThreat-2016NDITS

Removable Media

Deny access to use removable media

USB AND CD/DVD-R

Permit by authorized exception only

Regularly review removable media authorizations

Encrypt all removable media

Page 16: InsiderThreat-2016NDITS

Prevention - physical

Restrict access to sensitive areas

Document storage

Datacenter & network closets

Physical security controls

Monitor for abnormal activity

Page 17: InsiderThreat-2016NDITS

Data Classification

Implement data classification scheme

Identify what data is sensitive

Separate storage of sensitive and non-sensitive data

Page 18: InsiderThreat-2016NDITS

A word about DLP

DLP is not a panacea

Useless without a data classification program

You MUST perform HTTPS inspection

What about encrypted zip in email?

Page 19: InsiderThreat-2016NDITS

A meme about DLP

Page 20: InsiderThreat-2016NDITS

Privilege Management

Restrict access to local AND directory administrator groups

Separate accounts for admin and daily use

Regularly review access to admin groups

Group users by job function

Regularly x-ref group membership to job functions

Privilege review whenever employees change roles

Page 21: InsiderThreat-2016NDITS

Restrict Access

Deny access to sensitive data by default

Provision access to data by group / role

Individual access by exception only

Page 22: InsiderThreat-2016NDITS

Monitoring

Page 23: InsiderThreat-2016NDITS

Monitoring

Email

Develop reporting for outbound email usage by user

Network / Web

Develop reporting for outbound data usage by user

Compare outbound reports against baseline

Look for spikes in usage; review
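A worked illustration of the per-user outbound reporting and baseline comparison these slides call for, added here as an example and not part of the original deck. It assumes a simple constructed proxy log format (date, user, bytes sent, destination); the spike rule (exceed the user's own mean by three standard deviations and also at least double it) is an assumption, not the speaker's.

```python
import re
import statistics
from collections import defaultdict

# Constructed proxy log (not real data): date user bytes_out destination
PROXY_LOG = """\
2016-03-01 jdoe 120000 crm.example.com
2016-03-01 asmith 80000 mail.example.com
2016-03-02 jdoe 150000 crm.example.com
2016-03-02 asmith 70000 mail.example.com
2016-03-03 jdoe 110000 crm.example.com
2016-03-03 asmith 90000 mail.example.com
2016-03-04 jdoe 130000 crm.example.com
2016-03-04 asmith 2400000 files.example.net
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+)$")

def daily_totals(log_text):
    """Sum bytes_out per (user, day); malformed lines are skipped."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        day, user, nbytes, _dest = m.groups()
        totals[(user, day)] += int(nbytes)
    return totals

def find_spikes(totals, review_day, z=3.0, min_ratio=2.0, min_history=3):
    """Compare each user's review_day total with that user's own earlier days.
    Flag when it exceeds mean + z*stdev AND min_ratio*mean, so a near-constant
    history is not flagged on tiny variance. Returns {user: (bytes, mean)}."""
    history, today = defaultdict(list), {}
    for (user, day), nbytes in totals.items():
        if day < review_day:
            history[user].append(nbytes)
        elif day == review_day:
            today[user] = nbytes
    flagged = {}
    for user, nbytes in today.items():
        hist = history.get(user, [])
        if len(hist) < min_history:
            continue  # baseline too short to judge; review manually
        mean = statistics.mean(hist)
        sd = statistics.pstdev(hist)
        if nbytes > mean + z * sd and nbytes > min_ratio * mean:
            flagged[user] = (nbytes, mean)
    return flagged
```

The same per-user baseline logic applies to outbound email volume once the input is a per-message log of sender and size.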

Page 24: InsiderThreat-2016NDITS
Page 25: InsiderThreat-2016NDITS

More on monitoring

What about packets bouncing off the firewall?

One internal IP hitting an external IP on many ports, or hitting many external IPs, may be a sign of probing

Some attacks exfiltrate over DNS

https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152
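Added example, not from the original slides: the "one internal IP to many ports or many hosts" heuristic from this slide applied to constructed firewall deny-log lines. The log format and the two thresholds are assumptions; tune them to the firewall's actual noise level.

```python
import re
from collections import defaultdict

# Constructed firewall deny-log lines (not real data): time action src dst proto dport
FW_LOG = """\
12:00:01 DENY 10.1.5.22 203.0.113.10 tcp 21
12:00:01 DENY 10.1.5.22 203.0.113.10 tcp 22
12:00:01 DENY 10.1.5.22 203.0.113.10 tcp 23
12:00:02 DENY 10.1.5.22 203.0.113.10 tcp 25
12:00:02 DENY 10.1.5.22 203.0.113.10 tcp 80
12:00:02 DENY 10.1.5.22 203.0.113.10 tcp 110
12:00:03 DENY 10.1.5.22 203.0.113.10 tcp 443
12:00:03 DENY 10.1.5.22 203.0.113.10 tcp 3389
12:00:10 DENY 10.1.7.40 198.51.100.5 tcp 445
12:00:11 DENY 10.1.7.40 198.51.100.6 tcp 445
12:00:12 DENY 10.1.7.40 198.51.100.7 tcp 445
12:00:13 DENY 10.1.7.40 198.51.100.8 tcp 445
12:00:14 DENY 10.1.7.40 198.51.100.9 tcp 445
12:00:15 DENY 10.1.7.40 198.51.100.10 tcp 445
12:00:20 DENY 10.1.9.3 192.0.2.44 tcp 443
"""
LINE_RE = re.compile(r"^\S+ DENY (\S+) (\S+) \S+ (\d+)$")

def summarize_denies(log_text):
    """Per internal source: set of external hosts, and distinct ports per host."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore permits and malformed lines
        src, dst, dport = m.groups()
        hosts[src].add(dst)
        ports[(src, dst)].add(int(dport))
    return hosts, ports

def find_probing(log_text, port_threshold=8, host_threshold=6):
    """Return {src: reason} for sources whose blocked traffic fans out to many
    ports on one host (vertical scan) or to many hosts (horizontal scan)."""
    hosts, ports = summarize_denies(log_text)
    findings = {}
    for src, dsts in hosts.items():
        if len(dsts) >= host_threshold:
            findings[src] = "many-hosts:%d" % len(dsts)
            continue
        for dst in dsts:
            n = len(ports[(src, dst)])
            if n >= port_threshold:
                findings[src] = "many-ports:%s:%d" % (dst, n)
                break
    return findings
```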

Page 26: InsiderThreat-2016NDITS

Tuning for monitoring

IDS/IPS - DO NOT enable all the things!

Details will be lost in the noise

Test in small batches, only enable useful / actionable alerts

Enable reputational and behavioral blocking on local client firewalls / AV, e.g. Symantec SONAR

Page 27: InsiderThreat-2016NDITS

Logging

Send all logs to SIEM

Log all authentication attempts

Both successful and failed

NSA “Spotting the Adversary with Windows Event Log Monitoring”

Page 28: InsiderThreat-2016NDITS

Logging

Log access to sensitive data directories

Log firewall activity

Process logging

Consider file integrity management and change request system

Page 29: InsiderThreat-2016NDITS
Page 30: InsiderThreat-2016NDITS

Antivirus

May be ineffective against emerging threats but useful after the fact

AV alerts from system boot or scheduled scans should be investigated - something bad is already on the system

Investigations can x-ref proxy logs to identify infection vector, subsequent calls to botnet / threat actor

Page 31: InsiderThreat-2016NDITS

Hardening systems

Same methods used to prevent against external threats

Remove “low hanging fruit” for insiders

Disable unnecessary services

Remove unneeded software

Patch quickly, patch often

Page 32: InsiderThreat-2016NDITS

Share auditing

Routinely scan for file shares

Unprivileged user without special group permissions

Identify shares allowing anonymous or “Authenticated Users”

Sample each accessible share for unprotected sensitive data

Page 33: InsiderThreat-2016NDITS

Education / Resources

SANS: Securing the Human

site:sans.org intext:"insider threat"

https://www.cert.org/insider-threat/research/controls-and-indicators.cfm

Page 34: InsiderThreat-2016NDITS

Wrap up

Prevention is key

Restrict privileges

Restrict network egress

Block removable media

Monitor for abnormal behavior

Logging is essential

Review shares for unprotected sensitive data

Educate, educate, educate

Page 35: InsiderThreat-2016NDITS

Contact

@hardwaterhacker

[email protected]

http://hardwatersec.blogspot.com

https://github.com/hardwaterhacker/

Page 36: InsiderThreat-2016NDITS

Resources

https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf

nmap share scanning

https://nmap.org/nsedoc/scripts/smb-enum-shares.html

http://pwndizzle.blogspot.com/2013/02/parsing-nmap-smb-enum-shares-output.html

Page 37: InsiderThreat-2016NDITS

Resources

nmap -sS -v -oA myshares --script smb-enum-shares --script-args smbuser=smbuser,smbpass=password -p445 <range>

nmap -sU -sS -v -oA myShares --script smb-enum-shares.nse --script-args smbuser=smbuser,smbpass=password -p U:137,T:139 <range>
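Added example, not from the deck or the linked blog post: a parser for the normal-format .nmap file that the -oA runs above write, implementing the share auditing check from the earlier slide (scan as an unprivileged account, then list shares that anonymous users or that ordinary account can reach). The sample output is constructed following the script's documented layout; the host, shares and account name are invented.

```python
import re

# Constructed sample of normal-format nmap output from smb-enum-shares (layout
# follows the script's documented output; host, shares and account are invented).
NMAP_OUTPUT = r"""
Nmap scan report for 10.1.2.10
Host script results:
| smb-enum-shares:
|   account_used: CORP\smbuser
|   \\10.1.2.10\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.1.2.10\HR:
|     Type: STYPE_DISKTREE
|     Comment: HR documents
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\10.1.2.10\Public:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: READ
|_    Current user access: READ/WRITE
"""
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SHARE_RE = re.compile(r"^\|[ _]\s+(\\\\[^\\]+\\[^:]+):\s*$")
ACCESS_RE = re.compile(r"^\|[ _]\s+(Anonymous access|Current user access): (.+?)\s*$")

def parse_shares(text):
    """One dict per share: host, share (UNC path), anon and user access strings."""
    results, host, cur = [], None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = SHARE_RE.match(line)
        if m:
            cur = {"host": host, "share": m.group(1), "anon": "<none>", "user": "<none>"}
            results.append(cur)
            continue
        m = ACCESS_RE.match(line)
        if m and cur is not None:
            cur["anon" if m.group(1).startswith("Anonymous") else "user"] = m.group(2)
    return results

def exposed_shares(text):
    """Shares reachable anonymously or by the ordinary (unprivileged) scan account."""
    return [s for s in parse_shares(text)
            if s["anon"] != "<none>" or s["user"] != "<none>"]
```

Each share returned by exposed_shares is a candidate for the sampling step on the share auditing slide; hidden admin shares that report no access on either line are left out.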

Page 38: InsiderThreat-2016NDITS

Questions?