
Trusted Insider Threat Lessons Learned from WikiLeaks Terry Stuart Security Engineer




  1. Trusted Insider Threat: Lessons Learned from WikiLeaks. Terry Stuart, Security Engineer

  2. agenda
     • Defining the Insider Threat
     • Historical Insider Examples
     • The Realness and Advantages of the Insider Threat
     • Insider Threat Detection Technologies
     • WikiLeaks Use Case
     • More WikiLeaks Use Case Examples

  3. who is the trusted insider? Current or former employees who intentionally exceed or misuse their authorization level in a manner that affects the security of an organization's data, systems, and/or daily business processes.

  4. why do they do this?
     • Financial Gain
     • Sabotage
     • Revenge
     • Because they can
     • Corporate / Business Advantage

  5. trusted insider targets
     • Any Organization Can Fall Victim to an Insider Threat
     • Government at All Levels (Local, State, National)
     • Government Contractors – Not just the Boeings and Raytheons
     • Banking and Finance
     • Information Technology Companies
     • Critical Infrastructures
       - Energy and Power
       - Water
       - Transportation
     • Research and Development – Government, Public and Private Sectors

  6. insider fraud examples
     • 369 IRS Employees in the SE Region – Misused IRS IDRS
       - Created fraudulent tax refunds
       - Browsed tax records of friends, relatives, neighbors and celebrities
       - One employee had altered 200+ accounts and received kickbacks from bogus refunds
     • Societe Generale Trading Loss Incident (2008)
       - Jerome Kerviel, Mid-Level Stock Trader, used stolen passwords and routing paperwork to conceal fraudulent trades
       - Cost the bank more than $7.2 billion (est.)
       - Did not profit directly: trades were used to increase the bank's profits and thus his performance rating; his previous bonus was $500,000

  7. insider sabotage examples
     • UBS PaineWebber (2002)
       - Roger Duronio, SysAdmin, planted a logic bomb before resigning that deleted all files on 2,000+ servers; backups failed and files could not be recovered
       - Duronio was angry at receiving a $32,000 bonus instead of his normal $50,000
       - Duronio purchased “put options” contracts the day he resigned, expecting UBS PaineWebber stock price to fall
     • DuPont Trade Secrets (2005)
       - Gary Min, Research Chemist, admitted to stealing proprietary and technical information valued at $400 million
       - Downloaded 16,700 full-text PDF documents & 22,000 abstracts
       - An internal audit uncovered his unusually high EDL usage – 15x higher than the next highest user of the EDL system

  8. insider threats real?
     • Insider Threats Can Cause Substantial Damage to Organizations
     • Attacks from External Threats may be Greater in Volume, but Insider Threats can be MORE Devastating
     • Insiders are More Likely to be Successful and Go Undetected
     • Attacks from Insiders Range from Very Sophisticated to Low Tech

  9. insider threat advantage
     • Insider By-Passes Traditional Security Boundaries and Protection Mechanisms
     • Insiders Tend to be Very Aware of Policies, Procedures, and Technology Utilized within their Organization – And the Flaws
     • Insiders Know Where the Valuable Data Resides and Normally Know How to Access this Data – No Learning Curve

  10. are insider threats preventable?
     • Insider Threats can be Stopped / Combated – But it's a complex problem
     • Insider Threats can only be Prevented using a Multi-Layered Defense Strategy consisting of:
       - An Understanding and Acceptance of the Insider Threat
       - Well Developed and Defined Policies and Procedures
       - Utilizing Technology to Monitor and Enforce Policies and Procedures
       - Technical Controls – Verify Technology is Working and Effective
       - Looking Beyond the Technology and into the Organization's Overall Business Processes and the Relationships between these Processes and the Technologies Utilized

  11. Insider Threat Detection Technology

  12. what is a SIEM? Security Information Event Management
     “The industry-specific term in computer security referring to the collection of data (typically log files; e.g. event logs) into a central repository for trend analysis. SIEM products generally comprise software agents running on the computers that are to be monitored, communicating with a centralized server acting as a "security console", sending it information about security-related events, which displays reports, charts, and graphs of that information, often in real time. The software agents can incorporate local filters, to reduce and manipulate the data that they send to the server. The security console is monitored by a human being, who reviews the consolidated information, and takes action in response to any alerts issued. The data that are sent to the server, to be correlated and analyzed, are normalized by the software agents into a common form, usually XML. Those data are then aggregated, in order to reduce their overall size.”
     Set of technologies providing:
     • Real-Time Log Analysis
     • Real-time Incident Response / Alerting
     • Event Correlation
     • Normalized Events
     • Graphical Dashboards
     • Event Aggregation
     • Large Data Stores

  13. SIEM is evolving from context aware…
     • Context Awareness is the enrichment of event data (log data) with add-on systems such as Identity Management, Vulnerability Assessment, Configuration Management, and any other data sources that can add context to an event.
     • Examples of “context” are:
       - DNS, WINS, NIS Services to Map IPs to Names
       - Geo-Location to Map IPs to Geographical Locations
       - Active Directory or LDAP Services to Map User Names to User Identities
       - Vulnerability Assessment Information to Map Events with Known Vulnerabilities

  14. …to content aware
     • Content Awareness is Understanding the Payload at the Application Layer: What is actually being Communicated, Transferred, and Shared over the Network.
     • Examples of “Content” Awareness are the understanding of:
       - Email contents, including the attachments
       - Social, IM and P2P Network Communications
       - Document Contents
       - Application Relationships with Database Queries and Responses
       - Database Monitoring
       - Data Leakage – Sensitive Information within chat, email, printed, etc.

  15. simple content-aware example
     A user performs a query against a SQL server resulting in a recordset exceeding a threshold of 1000 rows or from a privileged table. This represents a data access policy violation. The offending user prints the resulting SQL query results to a PDF document, which is then attached to an email using a Google web account and sent to an unauthorized external address without the corporate email disclaimer. The suspect user proceeds to have an IM chat with an IM userID NOT registered on the whitelist of authorized IM user names to discuss the sensitive data obtained and sent via email.
     • Forensic evidence obtained from this activity:
       - SQL session history including details from all transactions performed during the suspicious user activity
       - MIME-decoded email record complete with From/To Address, Subject, Message and document Attachment
       - IM session data and a transcript of the IM conversation dialog
       - Identity of the offending internal user, topology-specific switch/port location, current (and all prior) IP address usage
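The slide-15 chain, written out as content-aware policy checks over constructed SQL, email and IM records. This is an added illustration, not code from the presentation or any vendor product; the row threshold is the slide's, while the privileged table names, corporate domain, IM whitelist, disclaimer text and sample events are assumed values.

```python
from collections import defaultdict

ROW_THRESHOLD = 1000                              # recordset limit from the slide
PRIVILEGED_TABLES = {"payroll", "customer_ssn"}   # assumed table names
CORP_DOMAIN = "corp.example"                      # assumed corporate mail domain
IM_WHITELIST = {"alice.corp", "bob.corp"}         # assumed authorized IM user names
DISCLAIMER = "This message is confidential"       # assumed corporate disclaimer text

def check_sql(ev):
    """Data access policy: recordset over the threshold or from a privileged table."""
    if ev["rows"] > ROW_THRESHOLD:
        return f"recordset of {ev['rows']} rows exceeds {ROW_THRESHOLD}"
    if ev["table"] in PRIVILEGED_TABLES:
        return f"query against privileged table {ev['table']}"
    return None

def check_email(ev):
    """Mail to an external address that lacks the corporate disclaimer."""
    external = not ev["to"].lower().endswith("@" + CORP_DOMAIN)
    if external and DISCLAIMER not in ev["body"]:
        return f"attachment {ev['attachment']!r} sent to external {ev['to']} without disclaimer"
    return None

def check_im(ev):
    """IM session with a peer that is not on the authorized whitelist."""
    return None if ev["peer"] in IM_WHITELIST else f"IM with non-whitelisted user {ev['peer']}"

CHECKS = {"sql": check_sql, "email": check_email, "im": check_im}

def correlate(events):
    """Per-user violations in time order; a user tripping checks in two or
    more sources (SQL, email, IM) is escalated as a chained violation."""
    findings = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        reason = CHECKS[ev["type"]](ev)
        if reason:
            findings[ev["user"]].append((ev["type"], reason))
    escalated = {u: v for u, v in findings.items() if len({t for t, _ in v}) >= 2}
    return dict(findings), escalated

# Constructed sample events: jdoe follows the slide's sequence; asmith trips nothing.
SAMPLE = [
    {"ts": 1, "type": "sql", "user": "jdoe", "table": "customers", "rows": 4500},
    {"ts": 2, "type": "email", "user": "jdoe", "to": "x@gmail.example",
     "attachment": "results.pdf", "body": "see attached"},
    {"ts": 3, "type": "im", "user": "jdoe", "peer": "stranger42"},
    {"ts": 4, "type": "sql", "user": "asmith", "table": "orders", "rows": 12},
    {"ts": 5, "type": "email", "user": "asmith", "to": "bob@corp.example",
     "attachment": "", "body": "hi, " + DISCLAIMER},
]
```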

  16. Wikileaks Use Case

  17. wikileaks background
     • PFC Bradley Manning Accused of Leaking Classified Documents from the Secret Internet Protocol Router Network (SIPRNet)
     • June 2010, Adrian Lamo reported to U.S. Army Authorities that Specialist Bradley Manning had Leaked Classified Information to Him
       - Lamo Shared Chat Logs with Federal Agents, WikiLeaks, and the Media
       - Lamo Also Claims Manning Confessed to Leaking the Video Footage of the July 12, 2007 Baghdad Airstrike Incident in Iraq
       - NOTE: Lamo's Credibility and Motivations are Being Questioned.
     • The Largest known government classified data leakage event – Over 260,000 classified and sensitive documents leaked
     • Manning Reportedly Stated:
       - He Utilized a CD-RW Disc labeled as Lady Gaga to Exfiltrate the Data from His Computer and the SIPRNet
       - Utilized Encryption, Tor, and Privately Coordinated Servers with WikiLeaks Main Spokesman Julian Assange to Upload Data after it was Exfiltrated

  18. wikileaks overview
     • Classic example of an Authorized Insider Abusing Trusts and Privileges
     • Hurdles Related to Detection:
       - Massive Amounts of Data will be Generated from File Access Monitoring: A Typical File Server will Generate Millions of Events a Day; Scaling to meet Federal Government Requirements would require the Processing of Billions of Events per Day
       - User is Trusted and Requires File Access Privileges to Sensitive Data: An Intelligence Analyst must have Quick and Un-hindered Access to Sensitive Data to Effectively Perform his or her Job
       - Monitored Environment is Dynamic and Changes Rapidly: To Fully Meet Federal Government Monitoring Requirements and Goals, Environment Changes must be taken into Consideration in Real-Time; Static Variables and Usage Patterns are Useless in a Dynamic Environment
       - Policy Compliance Monitoring Must be Capable of Identifying Complicated Violations.

  19. wikileaks use case – a technology solution
     • Unmatched Speed – Has the ability to do the following:
       - Support up to 200,000 Events per Second on a Single Appliance
       - Scale is Unlimited by Simply Adding a New Appliance
     • Operational Focused Drill Downs and Queries
       - Produces Actionable Information in Minutes, Not Hours or Days, from a Dataset consisting of Billions of Events
     • User Tracking and Reporting Across Multiple Systems, Platforms, and Applications in a Single Pane of Glass

  20. wikileaks use case – a technology solution
     • Dynamic Baselining Capabilities
     • ESM Dynamically Calculates Baseline Changes in Real Time, allowing Anomalous and/or Suspicious Activity to be Detected and Reported, such as:
       - Increases over Baseline in the Total Number of Files Accessed by a Single User over a Time Period such as Seconds, Minutes, Hours, Days or Even Years
       - Increases over Baseline for Access to Specific File Categories and/or File Classifications by a Single User
       - Increases over Baseline in the Volume of Data Accessed by Any Single User
       - Access to any File that has not been Accessed by Another User in a Set Timeframe or Time Period

  21. wikileaks use case – a technology solution
     • Baselines are calculated on Context Related Data for Risk Management to Provide a Clear Picture of an Event's Severity and/or Potential Impact within an Environment:
       - Increase in the Total Calculated Severity over the Baseline by a Single User
       - Increase in the Average Severity over the Baseline by a Single User
       - Increase in Average or Total Severity over the Baseline for a File Category or File Classification.

  22. wikileaks use case – a technology solution
     • Unlimited Correlation Capabilities
     • Automated Identification of What Events or Chain of Events Require Immediate Attention
     • Generates a Higher Severity Alert for Suspicious Patterns or User Action Chains such as:
       - Any Single User that Generates more than one Baseline Anomaly over a Set Period of Time
       - Any File or File Category that has Generated Multiple Events from a Set Distribution of Users
       - Any Baseline Anomaly Event Followed by Access to a Removable Media Storage Device or Execution of a Removable Media Writing Application
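A worked version of the per-user dynamic baseline from slide 20 (file count and data volume over baseline) chained with the slide-22 rule that escalates a baseline anomaly followed by removable-media use. This is an added example, not NitroSecurity or ESM code; the slides do not say how baselines are computed, so the mean-plus-three-standard-deviations rule, the seven-day window, the event layout and the sample data are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
BASELINE_DAYS = 7   # days of history forming each user's baseline (assumed)
SIGMA = 3.0         # flag a day more than 3 std devs above the user's mean (assumed)

def daily_counts(events):
    """Distinct files touched and bytes read per (user, day) from file-access events."""
    files, volume = defaultdict(set), defaultdict(int)
    for ev in events:
        if ev["type"] == "file_access":
            key = (ev["user"], ev["ts"] // 86400)
            files[key].add(ev["path"])
            volume[key] += ev["bytes"]
    return {k: (len(files[k]), volume[k]) for k in files}

def baseline_anomalies(events, today):
    """Slide-20 baseline: today's file count or bytes above mean + SIGMA*stddev of the user's prior days."""
    counts, anomalies = daily_counts(events), []
    for user in sorted({u for u, _ in counts}):
        hist = [counts.get((user, d), (0, 0)) for d in range(today - BASELINE_DAYS, today)]
        cur = counts.get((user, today), (0, 0))
        for idx, metric in enumerate(("file_count", "bytes")):
            series = [h[idx] for h in hist]
            limit = mean(series) + SIGMA * pstdev(series)
            if cur[idx] > limit:   # the user's own history sets the threshold, not a static value
                anomalies.append({"user": user, "metric": metric, "day": today, "value": cur[idx]})
    return anomalies

def correlate_media(anomalies, events):
    """Slide-22 chain rule: a baseline anomaly plus same-day removable-media use by that user."""
    media = {(ev["user"], ev["ts"] // 86400) for ev in events if ev["type"] == "removable_media"}
    alerts = defaultdict(list)
    for a in anomalies:
        if (a["user"], a["day"]) in media:
            alerts[a["user"]].append(a["metric"])
    return dict(alerts)

def _sample():
    """Constructed events: 'analyst' reads ~20 files/day for a week, then 400 on day 7
    and writes to removable media that day; 'clerk' is steady at 10 files/day."""
    ev = []
    for day in range(8):
        for user, n, size in (("analyst", 400 if day == 7 else 18 + day % 5, 1000),
                              ("clerk", 10, 500)):
            ev += [{"type": "file_access", "user": user, "bytes": size,
                    "ts": day * 86400 + i, "path": f"/share/{user}{i}.pdf"} for i in range(n)]
    ev.append({"type": "removable_media", "user": "analyst", "ts": 7 * 86400 + 600})
    return ev

SAMPLE = _sample()
```

Because the threshold is derived from each user's own history, the clerk's steady activity never alerts while the analyst's spike does; the removable-media event then lifts that anomaly to the higher-severity chained alert.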

  23. wikileaks use case re-cap
     • Classic example of an Authorized Insider Abusing Trusts and Privileges
     • Major Hurdles Related to this Use Case:
       - Massive Amounts of Data will be Generated from File Access Monitoring
       - User is Trusted and Requires File Access Privileges to Sensitive Data
       - Monitored Environment is Dynamic and Changes Rapidly
       - Object Access Monitoring Must be Capable of Identifying Complicated Policy and Compliance Violations using Dynamic Baselines and Anomaly Detection
     • NitroSecurity Addresses All of these Hurdles with:
       - Unmatched Speed and Scalability
       - User Tracking and Reporting Capabilities
       - Dynamic Baselining Capabilities
       - Dynamic Event Severity Calculation Capabilities
       - Unlimited Correlation Capabilities

  24. Wikileaks Use Case Additional Views and Examples

  25. file monitoring analysis console [screenshot: operational console, “Total Environmental Awareness”, with panels for data source types, domain risk, event risk, server risk, user attempts, user risk, files, and details]

  26. risk and severity overview [screenshot: total risk distribution, average risk distribution, and risk overview with details]

  27. user file access w/ distribution [screenshot: user access monitoring by who, where, what, and when]

  28. domain severity indicators [screenshot: average severity per domain, per server, and per user; files and shares accessed with baselining enabled; total severity per time period]

  29. nitroview ESM. Thank You
