
The Insider Threat


Presentation Transcript


  1. The Insider Threat
     Nick Barron, DISA IT Advisor
     nick.barron@pennantplc.co.uk
     +44 7720 508085

  2. About me
     • Day job
       • Security controller, sysadmin, software developer
       • Medium size List-X contractor
       • DISA IT advisor
     • After hours
       • 44CON security conference
       • SC Magazine
       • Way too many computers at home

  3. Overview
     • What is the insider threat?
     • Attackers; types, motivation and examples
     • Detection
     • Prevention
     • Summary
     • Questions

  4. An apology

  5. What is the insider threat?
     • Definition from CERT: A malicious insider threat is a current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
       Cappelli, Dawn M.; Moore, Andrew P.; Trzeciak, Randall F. (2012-01-20). The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes
     • Definition from CPNI: A person who exploits, or has the intention to exploit, their legitimate access to an organisation’s assets for unauthorised purposes
       CPNI Insider Data Collection Study, April 2013

  6. Obligatory (possibly fictional) scary numbers
     • CPNI Insider Data Collection Study, April 2013
       • 88% permanent staff, 7% contractor, 5% temp
       • 82% male
       • 76% “self initiated”
       • 47% financial gain motivation, 20% ideology
     • Combating the Insider Threat at the FBI: Real World Lessons Learned, Patrick Reidy, BlackHat 2013
       • Not the most common threat (~19%)
       • But the most costly ($412K per incident, average victim loss ~$15M per year)

  7. Obligatory (possibly fictional) scary numbers
     • Sanity check!
       • Statistics can be misleading
       • Only detected intrusions get into the figures
     Image: http://xkcd.com/552/. Used with permission

  8. Key points about insiders
     • Already authorised
     • Already know the “crown jewels”
     • Already know some/most security barriers (and can test them)
     • Not just your staff

  9. Features of the insider threat
     • The bad side
       • Insiders negate perimeter defences
       • Good target knowledge
       • Interior defences often weaker than perimeter
     • The not so bad side
       • IF detected, better chance of successful resolution
       • Operate entirely within your zone of authority

  10. Types of attack
     • Information disclosure
       • Theft of IP
       • Competitor/FIS
       • Personal gain
     • Financial gain
       • Direct (theft of material, fraudulent orders etc)
       • Indirect (insider information, bids etc)
     • Sabotage
       • Physical, reputational or IT

  11. Types of attacker
     • Self-initiated insider
       • Disgruntled employees
       • Potential for financial gain, or motivated by ideology, desire for recognition or revenge
     • Exploited/recruited
       • Identified by attacker
       • Cultivated
     • Deliberate
       • Gained employment with intent to abuse access
       • Typically FIS or activist

  12. Motivation
     • Money
     • Ideology
     • Recognition
     • Personal loyalty
     • Dissatisfaction
     • Revenge

  13. Motivation and action
     • Different motivations result in different attacks
       • Ideology and desire for recognition most likely to lead to unauthorised disclosure
       • Financial gain most likely to lead to process abuse or unauthorised access to assets
       • Revenge most likely to result in sabotage

  14. Misconceptions
     • “I’m not worried, all our staff are security cleared…”
     • Clearance is an important risk management tool, but does not remove the threat
     • clear·ance [kleer-uhns]
       noun
       Pre-requisite qualification for a career in insider threat espionage

  15. Whistlestop tour of famous DV cleared insider threats
     Blunt, Maclean, Burgess, Philby
     Katharine Gun
     David Shayler / Delores Kane / Son of God
     Annie Machon
     Images: Wikipedia, used with permission

  16. Whistlestop tour of famous DV cleared insider threats
     John Anthony Walker
     Aldrich Ames
     Robert Hanssen
     Bradley Manning
     Images: Wikipedia and US Government, used with permission

  17. Whistlestop tour of famous DV cleared insider threats

  18. Snowden sidebar
     • How did he do it?
       • High level legitimate access
       • Gained additional credentials (social engineering)
       • Installed own crypto keys and certificates
     • Impact does not correlate with volume
       • Currently published Snowden documents are only ~2,000 pages (http://cryptome.org/2013/11/snowden-tally.htm)
       • That would be about 8MB…
       • Not much chance of detecting that…

  19. Detection
     • Insider threats are not always so obvious!
     Image from https://www.123rf.com/profile_dragon_fang. Used under licence

  20. Internal attack process
     • Initiation
     • Identify target material
       • Massive head start on external attackers
       • More careful identification reduces chance of discovery
     • Collect and collate
       • Depends on volume
     • Remove from company control
       • CDs, DVDs, paper, email, web transfer

  21. Detection
     • Technical measures
       • Unusual copying activity (electronic and paper)
       • Large and/or unusual data movements
       • Multiple device control failures
       • Unusual IT activity (probing etc)
       • Suspicious network activity
     • Forensics
       • Know normal patterns
       • Forensic awareness (do everything Campbell told you to!)
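As an added example (not part of Nick Barron's slides), the "know normal patterns" idea applied to the technical measures above: each user's daily copy volume is judged against that user's own median rather than a global threshold, and repeated device-control failures are counted per user and day. The log records, user names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records (day, user, event, bytes); not real data.
# 'copy'    = data written to removable media or uploaded
# 'dc_fail' = an attempt blocked by device control
LOG = [
    ("d1", "alice", "copy", 40_000_000), ("d2", "alice", "copy", 55_000_000),
    ("d3", "alice", "copy", 48_000_000), ("d4", "alice", "copy", 52_000_000),
    ("d5", "alice", "copy", 46_000_000),
    ("d1", "bob", "copy", 3_000_000), ("d2", "bob", "copy", 2_500_000),
    ("d3", "bob", "copy", 3_200_000), ("d4", "bob", "copy", 2_800_000),
    ("d5", "bob", "copy", 180_000_000),  # sudden jump against bob's own history
    ("d5", "bob", "dc_fail", 0), ("d5", "bob", "dc_fail", 0),
    ("d5", "bob", "dc_fail", 0),
    ("d1", "carol", "copy", 8_000_000), ("d5", "carol", "copy", 8_000_000),
]

def daily_volume(log):
    """Bytes copied per (user, day)."""
    vol = defaultdict(int)
    for day, user, event, nbytes in log:
        if event == "copy":
            vol[(user, day)] += nbytes
    return vol

def flag_unusual_volume(log, factor=5.0, min_days=3):
    """Flag days where a user's volume exceeds `factor` times that user's own
    median daily volume. Alice's consistently high volume is her normal and is
    not flagged; Bob's one-off spike is. Users with too little history to
    define 'normal' are skipped. Blind spot: a slow leak that stays under the
    baseline (the ~8MB of published Snowden material) never trips this rule."""
    per_user = defaultdict(dict)
    for (user, day), nbytes in daily_volume(log).items():
        per_user[user][day] = nbytes
    alerts = []
    for user, days in per_user.items():
        if len(days) < min_days:
            continue
        baseline = median(days.values())
        for day, nbytes in sorted(days.items()):
            if nbytes > factor * baseline:
                alerts.append((user, day, nbytes, baseline))
    return alerts

def flag_device_control_failures(log, threshold=3):
    """Flag (user, day) pairs with repeated blocked device-control attempts."""
    fails = defaultdict(int)
    for day, user, event, _ in log:
        if event == "dc_fail":
            fails[(user, day)] += 1
    return sorted(k for k, n in fails.items() if n >= threshold)
```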

  22. Not just “cyber”
     • Not just about technology/techies
       • Technology helps insiders, but threat comes from people
     • Not just IT techies
     • Not just system admins
       • IT sabotage usually sysadmins (CERT, 90%)
       • Espionage only 1.5% sysadmins (FBI)

  23. Detection
     • Behaviour
       • Poor work attitude
       • Stress
       • Frequent security violations
       • Poor handling of PM assets
     • It’s all about the aftercare…

  24. Detection
     • How do they get away with it?
       • Poor management oversight
       • Audit logs are “write only”
       • Need-to-know creep
       • Poor security culture
       • “Normalisation of deviance”

  25. Prevention
     • Existing security measures (may) still work against insider threats

  26. Prevention
     • The usual suspects…
       • Include insiders in risk assessment process
       • Make sure access rights are appropriate (including indirect access)
       • Clearly document and consistently enforce policies (esp. IP rights)
       • Ongoing security awareness/education
       • Monitor for and consistently respond to abuse
       • Clear grievance procedure

  27. Prevention
     • The usual suspects (IT version)
       • Good password and account management
       • Strict termination process
       • Separation of duties where feasible
       • Least privilege
       • Consider insiders in contractors, suppliers etc
       • Pay particular attention to privileged users
       • Appropriate logging and monitoring

  28. Prevention
     • Education, education, education…
       • Ensure users are aware of insider risks
       • Reporting process for suspicious behaviour
     • Proper asset valuation/compartmentation
       • Ensure that most valuable data is secured
       • Don’t be lazy with access rights (e.g. don’t be the NSA!)
     • Include insider risk in security testing scope
       • Penetration tests etc should include insider risks

  29. Prevention
     • Have a response plan
       • What do you do when you suspect senior staff are up to no good?
       • Ensure clear levels of authority are defined
     • Include software lifecycle risks
       • Independent code review
       • Be suspicious of “job protection” developers
     • Termination procedures
       • Ensure ALL accounts disabled
       • Third parties e.g. subcontractors/suppliers
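An added example, not from the slides, of checking the "strict termination process" and "ensure ALL accounts disabled" points, third parties included: an HR leaver list is reconciled against account exports from several systems, which identify people inconsistently (username in some, e-mail only in the supplier portal). The systems, people, dates and field names are constructed.

```python
from datetime import date

# Constructed HR leaver list: person -> contact e-mail and last day employed.
LEAVERS = {
    "alice": {"email": "alice@example.invalid", "left": date(2013, 9, 30)},
    "bob":   {"email": "bob@example.invalid",   "left": date(2013, 10, 15)},
}

# Constructed account exports. The directory and VPN key on username; the
# third-party supplier portal only knows an e-mail address.
ACCOUNTS = {
    "directory": [
        {"user": "alice", "enabled": False, "last_login": date(2013, 9, 27)},
        {"user": "bob",   "enabled": True,  "last_login": date(2013, 10, 14)},
    ],
    "vpn": [
        {"user": "alice", "enabled": True,  "last_login": date(2013, 10, 5)},
        {"user": "bob",   "enabled": True,  "last_login": None},
    ],
    "supplier_portal": [
        {"email": "alice@example.invalid", "enabled": True, "last_login": None},
    ],
}

AS_OF = date(2013, 10, 20)  # constructed audit date

def owner_of(account, leavers):
    """Map an account back to a leaver by username or e-mail; None if no match."""
    for name, info in leavers.items():
        if account.get("user") == name or account.get("email") == info["email"]:
            return name
    return None

def termination_findings(leavers, accounts, as_of):
    """Return sorted (system, person, issue) tuples for every account belonging
    to someone who has already left: still enabled, or used after leaving."""
    findings = []
    for system, entries in accounts.items():
        for acct in entries:
            who = owner_of(acct, leavers)
            if who is None or leavers[who]["left"] > as_of:
                continue  # not a leaver, or has not left yet
            if acct["enabled"]:
                findings.append((system, who, "still enabled"))
            last = acct.get("last_login")
            if last and last > leavers[who]["left"]:
                findings.append((system, who, "login after leaving date"))
    return sorted(findings)
```

Running the check with an earlier audit date (before Bob's last day) reports only Alice's accounts, since Bob is not yet a leaver at that point.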

  30. Prevention
     • Learn from past events
       • How would Snowden have got on in your environment?
     • Tabletop insider attack penetration test
     • Recognise “red flag” behaviour signs
     • Ensure HR work with security

  31. But it’s not easy…
     • Knowing what is normal file transfer behaviour is difficult
     • A good insider will know the rules and avoid breaking as many as possible
     • Balancing “see something, say something” versus “office Stasi” is difficult
     • Insider threat could involve no IT abuse at all…

  32. Further info
     • CERT https://www.cert.org/insider-threat/
     • CPNI, search for “Insider Threat”
     • BlackHat
       • Slides http://tinyurl.com/BlackhatInsiderSlides
       • Video www.youtube.com/watch?v=38M8ta13K0Q
     • 44CON https://44con.com

  33. Summary
     • The insider threat is primarily a people thing, not a cyber thing
     • There are no silver bullet solutions, beware of vendors who will sell you one!
     • Proper application of traditional personnel security measures is key
     • IT monitoring and forensics will help with detection and response

  34. Questions?
