Webinar-The cybersecurity threat by Verizon Enterprise
Transcript of Webinar-The cybersecurity threat by Verizon Enterprise
The cybersecurity threat
The Insider Threat: Protecting the keys to the kingdom
Rebecca Meller
Security Product Marketing
December, 2017
This document and any attached materials are the sole property of Verizon and are not to be used by you
other than to evaluate Verizon's service.
© 2017 Verizon. All rights reserved. The Verizon name and logo and all other names, logos and slogans
identifying Verizon's products and services are trademarks and service marks or registered trademarks
and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other
countries.
All other trademarks and service marks are the property of their respective owners.
Proprietary statement
Please advance to the next slide where you can watch the video. The total slide deck is available for your
reference after the video. Thank you.
The Insider Threat:
Protecting the keys
to the kingdom
2017 Data Breach Digest Update
Agenda
1. Data breach reporting
2. Insider misuse
3. Targeted victims
4. Assets and data
5. Threat actors
6. Breach discovery
7. Detection and validation
8. Response and investigation
9. Prevention and mitigation
10. Takeaways
Verizon Threat Research Advisory Center | Investigative Response Team
First-hand experience
• VTRAC = Verizon Threat Research Advisory Center.
• Investigations for hundreds of global commercial
enterprises and government agencies annually.
• Endpoint forensics, malware reverse engineering,
network forensics, mobile device forensics.
• Annual Data Breach Investigations Report (DBIR) and its
companion—the Data Breach Digest.
Stakeholder points of view and their Data Breach Digest scenarios:
• Lead Investigator: Hacktivist attack
• Endpoint Forensics Examiner: Mobile assault
• Network Forensics Specialist: C2 takeover
• CIP/CS Specialist: ICS onslaught
• PFI Investigator: RAM scraping
• Malware Reverse Engineer: Sophisticated malware
Data breach reporting
Data Breach Investigations Report
• 42,068 incidents examined
• 1,935 analyzed breaches
• 84 countries represented
• 65 contributing organizations
• 13 years of forensic investigations and security incident data
• 10th year of publication
Breach and incident patterns
Insider and privilege misuse is defined as any unapproved or malicious use of organizational resources;
mainly insider-only misuse.
Insider misuse
Figure 5: Top six misuse varieties within insider and privilege misuse breaches.
Figure 6: Top five misuse vectors within insider and privilege misuse breaches.
Targeted victims
Industry analysis
Figure 1: Top six targeted industries within insider and privilege misuse breaches.
Assets and data
Figure 7: Top 10 affected assets within insider and privilege misuse breaches.
Figure 8: Top ten data varieties within insider and privilege misuse breaches.
Data Breach Digest
• Data breaches are complex affairs often involving human
factors, hardware devices, exploited configurations or
malicious software.
• Breach response activities—investigation, containment,
eradication, notification and recovery—are proportionately
complex.
• Response activities aren't just an IT security problem, they
are an enterprise problem involving technical and non-
technical IR stakeholders.
• Each stakeholder brings a slightly different perspective, or
point of view (PoV), to the breach response effort.
• Stakeholder PoVs cover critical decision pivot points, split-
second actions taken and crucial lessons learned.
The Insider Threat scenarios
• USB infection: the Hot Tamale
• Disgruntled employee: the Absolute Zero
• Rogue connection: the Imperfect Stranger
• Insider threat: the Rotten Apple
Threat actors
Rogue connection: the Imperfect Stranger
Rogue network devices range from wireless access points and personal laptops to any unmanaged asset connected to the corporate network.
BYOD'oh!
• Finance industry customers complained they were unable to access accounts via website.
• Error messages indicated website blocked over security concerns.
• Servers operating normally and anti-virus scans coming back clean.
• Intel indicated victim IP address space associated with malicious C2 server activity.
Point of view (PoV): Network Forensics Specialist
verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
Rogue connection—the Imperfect Stranger
Response and investigation
• Corporate network searched for IoCs of malware and suspicious traffic;
nothing found.
• Bring Your Own Device (BYOD) and guest networks searched; traffic
found to C2 servers.
• Employee personal laptop identified as originator; infected with
malware.
• BYOD and guest networks had minimal controls and monitoring; no
egress filtering.
• Corporate network shared same NAT as BYOD and guest networks;
thus the blocking.
Attack-defend card
Rogue connection—the Imperfect Stranger
Lessons learned
• Separate corporate network egress traffic from public address space,
such as BYOD and guest networks.
• Enhance BYOD and guest network cybersecurity controls and
monitoring; block high-risk ports and protocols.
• Annually review acceptable use, BYOD, information security and
physical security policies; update as needed.
• Train and remind employees on cybersecurity policies and procedures;
know what to do if a BYOD is involved.
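The investigation above turned on two things: tracing flows to the C2 address back to a source on the BYOD network, and recognizing that the corporate, BYOD and guest segments shared one NAT address, so the whole public address got blocked. The Python below is an added illustration and is not code from the deck or from Verizon's Data Breach Digest; the segment ranges, NAT log format, C2 address (a TEST-NET range) and the "after the fix" log are all constructed for the example. It goes slightly beyond the case by checking every public egress address for segment sharing, not only the one involved.

```python
"""Correlate C2 threat intel with NAT translation logs and check whether
network segments share a public egress address (constructed example)."""
import ipaddress
from collections import defaultdict

# Assumed segment ranges; the deck only says corporate, BYOD and guest existed.
SEGMENTS = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "byod": ipaddress.ip_network("172.16.0.0/16"),
    "guest": ipaddress.ip_network("192.168.100.0/24"),
}

# Constructed NAT log: "<ts> <src_ip:port> -> <nat_ip:port> -> <dst_ip:port>"
NAT_LOG = """\
2017-03-02T01:12:07 172.16.4.23:51922 -> 203.0.113.10:40001 -> 198.51.100.77:443
2017-03-02T01:12:09 10.10.5.8:49201 -> 203.0.113.10:40002 -> 192.0.2.40:443
2017-03-02T01:15:33 172.16.4.23:51930 -> 203.0.113.10:40003 -> 198.51.100.77:8080
2017-03-02T02:03:11 192.168.100.9:60002 -> 203.0.113.10:40004 -> 192.0.2.41:80
2017-03-02T02:41:50 172.16.4.23:51988 -> 203.0.113.10:40005 -> 198.51.100.77:443
"""

# Constructed log after the fix: corporate traffic egresses on its own address.
NAT_LOG_SEPARATED = NAT_LOG.replace(
    "10.10.5.8:49201 -> 203.0.113.10", "10.10.5.8:49201 -> 203.0.113.11")

# Constructed intel set (documentation range, not a real indicator).
C2_ADDRESSES = {"198.51.100.77"}


def parse_nat_line(line):
    ts, rest = line.split(" ", 1)
    src, nat, dst = [part.strip() for part in rest.split("->")]
    strip_port = lambda endpoint: endpoint.rsplit(":", 1)[0]
    return {"ts": ts, "src": strip_port(src), "nat": strip_port(nat),
            "dst": strip_port(dst)}


def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def find_c2_originators(log_text, c2_addresses):
    """Return {(segment, internal_src_ip): flow_count} for flows to C2."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_nat_line(line)
            if rec["dst"] in c2_addresses:
                hits[(segment_of(rec["src"]), rec["src"])] += 1
    return dict(hits)


def shared_egress(log_text):
    """Map each public NAT address to the internal segments that used it."""
    usage = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_nat_line(line)
            usage[rec["nat"]].add(segment_of(rec["src"]))
    return {nat: sorted(segs) for nat, segs in usage.items()}


def segments_sharing_corporate_egress(log_text):
    """Segments whose traffic leaves on the same public address as corporate;
    an empty list means egress is separated as the lesson learned recommends."""
    return sorted(
        seg for segs in shared_egress(log_text).values()
        if "corporate" in segs for seg in segs if seg != "corporate")


if __name__ == "__main__":
    print("C2 originators:", find_c2_originators(NAT_LOG, C2_ADDRESSES))
    print("Before fix, sharing corporate egress:",
          segments_sharing_corporate_egress(NAT_LOG))
    print("After fix, sharing corporate egress:",
          segments_sharing_corporate_egress(NAT_LOG_SEPARATED))
```

Run against the constructed data, the only C2 originator is a BYOD address, and the egress check reports BYOD and guest sharing the corporate public address until the separated log is used.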
Threat actor types
Figure 3: Top seven threat actor varieties within insider and privilege misuse breaches.
Figure 4: Top five threat actor motivations within insider and privilege misuse breaches.
Breach discovery
Figure 2: Breach discovery timeline within insider and privilege misuse breaches.
Indicators of potential insider threat
• Attempts to access systems or data without a valid
need-to-know.
• Requesting access to projects or areas outside of
normal job duties.
• Unexplained affluence.
• Excessive financial indebtedness.
• Working odd or late hours.
• Pattern of security violations.
• Disgruntled attitude.
• Unusual or erratic behavior.
Potentially exploitable behavior
• Criminal activity
• Sexual misconduct
• Excessive gambling
• Alcohol or drug abuse
• Problems at work
Detection and validation
USB infection: the Hot Tamale
Threat actors with physical access can introduce toolkits, built to run directly from the USB device itself, to bypass access controls.
The dirty cleaner
• A contracting company announced unilateral pay cuts; an outsider offered bonus pay to a janitor in need of cash.
• The task was simple: at night, plug a USB flash drive into company systems.
• Several systems were suspected of being accessed by an external entity via malware.
Point of view (PoV): Internal Investigator
verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/
USB infection—the Hot Tamale
Response and investigation
• Domain log searches for IoCs identified several accessed by admin
account.
• System log analysis revealed suspicious CLI-related exploitation
attempts just after USB device introduced to systems.
• Investigation found malware tied to this activity, to include USB device.
• Timeline analysis led investigators to janitorial staff; needless to say,
janitor was terminated.
Attack-defend card
USB infection—the Hot Tamale
Lessons learned
• Establish a host-based USB device access/anti-virus policy.
• Disable USB device auto-run functionality.
• Limit local admin account usage.
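The investigators found the malicious command-line activity by lining it up in time with the moment the USB device was introduced. The Python below is an added example, not code from the deck or the Digest: it joins USB insertion events to command-line process starts on the same host within a short window and marks those that ran under a local admin account, which is the detection counterpart of the three lessons above. The event layout, host names, accounts, the ten-minute window and the set of command-line images are assumptions made for the example.

```python
"""Timeline correlation of USB insertions with command-line process starts
on the same host (constructed events, added example)."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)          # assumed look-ahead after insertion
CLI_IMAGES = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe"}
LOCAL_ADMIN_ACCOUNTS = {"WKS-017\\Administrator"}  # constructed

# Constructed events, shaped like a SIEM would normalise device-install and
# process-creation records.
EVENTS = [
    {"ts": "2017-05-10T23:02:14", "host": "WKS-017", "type": "usb_insert",
     "user": "", "detail": "USB mass storage, serial 4C530001 (constructed)"},
    {"ts": "2017-05-10T23:02:51", "host": "WKS-017", "type": "process",
     "user": "WKS-017\\Administrator", "detail": "cmd.exe /c E:\\run.bat"},
    {"ts": "2017-05-10T23:03:20", "host": "WKS-017", "type": "process",
     "user": "WKS-017\\Administrator",
     "detail": "powershell.exe -File E:\\collect.ps1"},
    {"ts": "2017-05-10T23:40:00", "host": "WKS-017", "type": "process",
     "user": "CORP\\jdoe", "detail": "notepad.exe notes.txt"},
    {"ts": "2017-05-10T09:15:00", "host": "WKS-022", "type": "process",
     "user": "CORP\\jdoe", "detail": "cmd.exe /c dir"},
    {"ts": "2017-05-11T00:10:05", "host": "WKS-031", "type": "usb_insert",
     "user": "", "detail": "USB mass storage, serial 4C530002 (constructed)"},
]


def _image(cmdline):
    """Executable name from a command line, without path, lower-cased."""
    return cmdline.split()[0].rsplit("\\", 1)[-1].lower()


def correlate_usb_activity(events, window=WINDOW):
    """For each USB insertion, collect command-line processes started on the
    same host within `window` afterwards; sorted by host then delay."""
    inserts = [e for e in events if e["type"] == "usb_insert"]
    procs = [e for e in events if e["type"] == "process"]
    findings = []
    for ins in inserts:
        t0 = datetime.fromisoformat(ins["ts"])
        for p in procs:
            if p["host"] != ins["host"]:
                continue
            delta = datetime.fromisoformat(p["ts"]) - t0
            if not (timedelta(0) <= delta <= window):
                continue                      # before insertion or too late
            if _image(p["detail"]) not in CLI_IMAGES:
                continue                      # not a command-line image
            findings.append({
                "host": ins["host"],
                "device": ins["detail"],
                "seconds_after_insert": int(delta.total_seconds()),
                "user": p["user"],
                "cmdline": p["detail"],
                "local_admin": p["user"] in LOCAL_ADMIN_ACCOUNTS,
            })
    return sorted(findings, key=lambda f: (f["host"], f["seconds_after_insert"]))


def hosts_to_triage(events, window=WINDOW):
    """Hosts where command-line activity followed a USB insertion."""
    return sorted({f["host"] for f in correlate_usb_activity(events, window)})


if __name__ == "__main__":
    for finding in correlate_usb_activity(EVENTS):
        print(finding)
    print("triage:", hosts_to_triage(EVENTS))
```

On the constructed events only WKS-017 is flagged: the cmd.exe on WKS-022 has no insertion to pair with, and the notepad.exe on WKS-017 is neither a command-line image nor inside the window.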
Inventory and monitor sensitive data
• Track assets and sensitive data.
• Monitor systems for data loss; scan for improperly stored sensitive data.
• Use IDS and FIM solutions; white-list applications.
Report suspicious insider activity
• Train and sensitize employees.
• Reinforce with emails, banners, and posters.
• Content should include recognizing signs of suspicious behavior.
Log and monitor user account activity
• Use a SIEM or UBA solution; monitor, detect and log account activity.
• Implement access controls; monitor privileged accounts.
• Test logging and monitoring systems.
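The "log and monitor user account activity" guidance above is the kind of baseline rule a UBA or SIEM runs over authentication logs. The Python below is an added example, not the deck's or Verizon's code: it learns which hosts each privileged account normally logs into, then flags later successful logons to hosts outside that baseline or outside business hours, the two signals that surfaced in the Absolute Zero case later in the deck (a manager's account appearing on a server before the failures began). The log format, account and host names, the cutoff date and the 07:00 to 19:00 business window are constructed assumptions.

```python
"""UBA-style baseline check for privileged account logons (added example,
constructed data)."""
from collections import defaultdict
from datetime import datetime

PRIVILEGED_ACCOUNTS = {"CORP\\sysadmin1", "CORP\\mgr-finance"}  # assumed
BUSINESS_HOURS = (7, 19)   # assumed local window: 07:00 <= hour < 19:00

# Constructed authentication log: "<timestamp> <account> <host> <result>"
AUTH_LOG = """\
2017-03-01T09:00:00 CORP\\sysadmin1 FILE-01 success
2017-03-01T09:05:00 CORP\\sysadmin1 MAIL-01 success
2017-03-02T09:10:00 CORP\\sysadmin1 FILE-01 success
2017-03-03T08:55:00 CORP\\mgr-finance FIN-APP-01 success
2017-03-04T09:02:00 CORP\\mgr-finance FIN-APP-01 success
2017-03-05T22:41:00 CORP\\mgr-finance MAIL-01 success
2017-03-05T22:43:00 CORP\\mgr-finance FILE-01 failure
2017-03-05T22:44:00 CORP\\mgr-finance FILE-01 success
2017-03-05T22:50:00 CORP\\jdoe FILE-01 success
"""


def parse_auth_log(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, account, host, result = line.split()
            records.append({"ts": datetime.fromisoformat(ts),
                            "account": account, "host": host, "result": result})
    return records


def build_baseline(records, cutoff):
    """Hosts each privileged account successfully logged into before cutoff."""
    baseline = defaultdict(set)
    for r in records:
        if (r["ts"] < cutoff and r["result"] == "success"
                and r["account"] in PRIVILEGED_ACCOUNTS):
            baseline[r["account"]].add(r["host"])
    return dict(baseline)


def detect_deviations(records, baseline, cutoff):
    """Flag successful privileged logons at/after cutoff that hit a host not in
    the account's baseline or that fall outside business hours. Failed logons
    are left to a separate brute-force rule and ignored here."""
    start, end = BUSINESS_HOURS
    findings = []
    for r in records:
        if r["ts"] < cutoff or r["result"] != "success":
            continue
        if r["account"] not in PRIVILEGED_ACCOUNTS:
            continue
        reasons = []
        if r["host"] not in baseline.get(r["account"], set()):
            reasons.append("new_host")
        if not (start <= r["ts"].hour < end):
            reasons.append("off_hours")
        if reasons:
            findings.append({"ts": r["ts"].isoformat(), "account": r["account"],
                             "host": r["host"], "reasons": reasons})
    return findings


def baseline_for(log_text, cutoff_iso):
    """Convenience wrapper returning the baseline with sorted host lists."""
    records = parse_auth_log(log_text)
    cutoff = datetime.fromisoformat(cutoff_iso)
    return {acct: sorted(hosts)
            for acct, hosts in build_baseline(records, cutoff).items()}


def run_uba(log_text, cutoff_iso):
    """Learn from everything before cutoff_iso, evaluate everything after."""
    records = parse_auth_log(log_text)
    cutoff = datetime.fromisoformat(cutoff_iso)
    return detect_deviations(records, build_baseline(records, cutoff), cutoff)


if __name__ == "__main__":
    for finding in run_uba(AUTH_LOG, "2017-03-05T00:00:00"):
        print(finding)
```

With the constructed log, the two late-evening logons by the finance manager's account to the mail and file servers are flagged on both counts, while the ordinary user's logon is outside the rule's scope and the failed attempt is not counted.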
Response and investigation
Disgruntled employee: the Absolute Zero
Layoffs, pay cuts or organizational shifts may leave some employees rationalizing nefarious activities.
A "pre-competitive" advantage
• A manager became disgruntled during an organizational restructuring.
• Used admin access to take over other accounts and download confidential files.
• The case seemed cut and dried—but the lawyers still required digital evidence.
Point of view (PoV): Human Resources
verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/
Disgruntled employee—the Absolute Zero
Response and investigation
• A programmer reported an app with unexpected failures.
• Suspicious log entries showed manager's account logged
into server prior to issues.
• Manager admitted accessing multiple email boxes to collect data
for use in new job.
• Investigation confirmed documents stolen; however, mass delete
commands also found.
• These commands were scheduled for critical times, such as during the
tax season.
Disgruntled employee—the Absolute Zero
Lessons learned
• Maintain a "need-to-know" regarding restructuring moves.
• Put in place an action plan to mitigate vindictive behavior by
those affected.
• As part of the transition, conduct a thorough asset inventory.
• Safeguard terminated employee systems after termination.
• Work closely with HR and legal throughout the investigation.
Attack-defend card
Collect and preserve evidence
• Scope and triage incident quickly.
• Use trusted tools for data collection and preservation.
• Leverage established evidence handling procedures.
Activate the insider threat playbook
• Notify key stakeholders, both internal and external entities.
• Identify relevant evidence sources.
• Conduct witness and subject interviews.
Assemble the incident response team
• Work closely with HR and legal counsel communications.
• Involve LE at the right time and with legal counsel advice.
• Engage digital forensics for investigative support.
Contain and eradicate the threat
• Take steps to contain and eradicate any
previous, ongoing or future threats.
• Block traffic, disable accounts.
• Rebuild systems, remove malware.
Conduct personnel interviews
• Interview witnesses to provide additional
insight.
• Interview suspected insiders to determine
nature of activity.
• Involve HR and legal counsel.
Prevention and mitigation
Insider threat: the Rotten Apple
Threat actors with some level of trust and privilege causing a data breach through malicious intent.
Special "privileged" abuse
• Company was in the midst of a buyout; details were close hold.
• Middle manager bragged about details exceeding his authorization level.
• Anonymous employee tip indicated middle manager was accessing CEO's email.
• CEO system, middle manager system and email log exam yielded negative results.
Point of view (PoV): Lead Investigator
verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
Insider Threat—the Rotten Apple
Response and investigation
• Further investigation revealed onsite SPAM filter logged CEO email;
only select sys admins had access.
• Interviews determined sys admin knew middle manager; sys admin
system exam found account accessed CEO email.
• Sys admin interview revealed middle manager obtained credentials via
personal relationship.
• HR confronted middle manager with digital forensic findings; middle
manager terminated.
Attack-defend card
Insider threat—the Rotten Apple
Lessons learned
• Brace for the negative impacts of org changes; maintain strict "need to
know."
• Use login banners, screen savers and desktop backgrounds to remind
employees of actions being monitored.
• Train and sensitize employees to recognize and report suspicious
activity.
• Create an insider threat playbook; regularly review, test and
update it.
Maintain physical security
• Limit access to physical facilities and sensitive areas.
• Use security cameras, employee badges and audit trails.
• Verify security devices have updated firmware and software patches.
Start a personnel security program
• Vet employees through background checks and screening interviews.
• Enforce least privilege, duty separation and duty rotation for sensitive jobs.
• Keep employee-related cybersecurity policies up-to-date.
Deter insider threat activities
• Implement acceptable use, BYOD, information security and physical security policies.
• Use login banners, screen savers and desktop banners for reminders.
• Consider publishing anonymized security violation statistics.
Prepare for organization changes
• Brace for org change impacts; maintain a "need-to-know."
• Coordinate restructuring and reassignments with HR and management.
• Establish termination protocols for notifications.
Harden the digital environment, part I
• Restrict sensitive system access; use MFA for remote traffic.
• Remove unneeded apps; patch necessary apps.
• Use host-based anti-virus and firewalls.
Harden the digital environment, part II
• Eliminate or restrict portable storage devices.
• Encrypt network traffic, systems and devices.
• Remove local admin rights; disable unneeded accounts.
Takeaways
Prevention and mitigation
• Personnel security program
• Insider threat deterrence
• Physical security measures
• Digital environment hardening
• Organizational change preparation
Detection and validation
• Suspicious activity reporting
• User activity monitoring
• Sensitive data accountability
Response and investigation
• Insider playbook activation
• Response team assembly
• Collection and preservation
• Containment and eradication
• Personnel interview conducting
It takes a team
Stakeholder points of view and their Data Breach Digest scenarios:
• Chief Information Officer: Financial pretexting
• Chief Information Security Officer: Crypto malware
• Legal Counsel: Partner misuse
• Human Resources: Disgruntled employee
• Corporate Communications: Website defacement
• Incident Commander: IoT calamity
• Internal Investigator: USB infection
• IT Security Manager: Cloud storming
• SOC Analyst: DDoS attack
• EDR Technician: Unknown unknowns
Data breach reporting
Use the lessons learned from analyzing nearly 2,000
confirmed data breaches.
Read the 2017 DBD
VerizonEnterprise.com/DataBreachDigest
Read the 2017 DBIR
VerizonEnterprise.com/DBIR2017
Cybersecurity awareness resources
2017 Data Breach Investigations Report
The Verizon Data Breach Investigations Report (DBIR) is back. Now in its tenth year, it's an unparalleled source of information on
cybersecurity threats.
verizonenterprise.com/verizon-insights-lab/dbir/2017/
2017 Data Breach Digest: Perspective is Reality
Our 16 new cybercrime case studies provide insight into the biggest threats you face—plus tips on how to prevent them.
verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/
Insider Threat: Protecting the Keys to the Kingdom
Discover how to spot the signs of an Insider Threat using our cybercrime case studies and in doing so put measures in place to help
protect the keys to your kingdom.
verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/
Verizon Product Responsibility
Securing yourself against cyber attacks (covers five data breach scenarios).
verizon.com/about/responsibility/cybersecurity
Verizon Corporate Responsibility
Cybersecurity tips to help you stay safe online (covers the same five scenarios as above).
verizon.com/about/news/cybersecurity-tips-help-you-stay-safe-online
Thank you.