Andrew Case ( @attrc ), Director of Research at Volexity, an infosec advisory firm headquartered in Washington, DC.
This talk was given on 02 March 2016 at the RSA Conference in San Francisco. The talk was surprisingly well-attended; the most packed session I’ve been to. I guess insider threat is weighing heavy on people's minds these days?
I'm providing a brief reaction/summary, and then my notes. The notes are my sort-of free-form notes, so they may be only semi-comprehensible.
Andrew's case examples were very interesting, and the strategies he gives are sensible, if not revolutionary. Limiting and monitoring the use of removable media and of cloud file sync/storage services is a strong recommendation which I make to many of my clients. Identifying where your key intellectual property is located and concentrating monitoring on those locations is another excellent recommendation. Separation of duties is a common requirement, but a difficult one for many organizations to implement. Tighter controls on users at termination and inventory of issued equipment down to the level of noting serial numbers of hard drives and other components of laptops are also a stretch for most organizations.
PwC on insider-driven incidents:
- 70% of incidents
- 60% of incidents at manufacturing orgs
Verizon DBIR: 20.6% of incidents characterized as insider incidents
Approaches to insider threat
Typical approach is passive defense against insider threat:
- No special/extra logging or security measures
- No automated alerting or remote logs
- This is easy and provides the data needed for forensics after the fact
- However, anti-forensic techniques can defeat these measures, and they make no progress toward eliminating/preventing the threat
Next level is Detection:
- enhanced logging (e.g. file access, removable media usage)
- Generate alerts on defined events
- This can inhibit malicious insiders and find activity before it causes the greatest potential harm
- Sometimes doesn’t allow for response until irreparable harm is done
- Requires significant active effort from security team
Next level is Prevention:
- Prevent use of removable media
- Block personal email and file sync/storage services
- Block end-user software installation
- Stops many activities before they start, and is cheapest approach once implemented
- May be a problem in company culture, and can inhibit productivity, especially for particular departments/users/roles
Andrew suggested that the ideal strategy may be somewhere between the Detection and Prevention models.
Real World Case Examples of Insider-related Incidents
Case #1: Financial institution employee leaves and takes one third of the firm's employees with him.
- also took many key documents with him
Investigation showed that the victim’s network was very open and access was not very limited.
User had access to file servers and applications/databases for which he had no legitimate need.
Data was removed via USB, personal email, and printing.
- Secure the network architecture: segment it and limit access to what each role legitimately needs
- Monitor file share access
- Concentrate monitoring around key sensitive file data
- Limit USB drive/removable media access
- Limit use of personal email accounts and cloud file storage/sync
- Address printing and scanning as an exfiltration method (hard problem)
Case #2: Abuse of Power
Plant manager at manufacturing company using “down time” on company’s machines to run a side business.
Some materials were purchased personally, others were ordered using the company's accounts.
Only detected when a machine malfunctioned.
Potential signs that were missed:
- Perpetrator logged in to control systems during off hours
- Manufacturing jobs were scheduled with no associated customer work order
- Perpetrator deleted files and logs to cover his tracks
Problem was, the plant manager was the primary operator/administrator of the systems whose logs could have indicated his malfeasance.
- Monitor user logins
- Monitor system usage
- Alert on anomalous indicators of the above!
- Don’t allow one person to control all aspects of key business processes. There must be someone else in the loop and someone else auditing the process.
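The Detection level above (enhanced logging plus alerts on defined events) and the recommendations for Case #2 describe the same mechanism: collect login and job records from the control systems, and alert when they deviate from normal business activity. The following is an added example, not code from the talk or from Volexity, showing what those rules look like when run over log lines. The log format, the host and user names, the 06:00 to 18:00 weekday operating window, and the signal weights are all assumptions chosen for illustration; the sample log is constructed.

```python
import re
from collections import Counter
from datetime import datetime, time

# Constructed sample log in a simplified syslog-like format
# ("<date> <time> <host> <program>: <message>"). This is a hypothetical
# plant control system's log, not any real product's format.
SAMPLE_LOG = """\
2016-02-15 09:12:44 cnc-ctl01 ctl: session opened for user rmiller from 10.20.4.17
2016-02-15 09:15:02 cnc-ctl01 ctl: job 4416 scheduled by rmiller order=WO-2031
2016-02-15 17:58:10 cnc-ctl01 ctl: session closed for user rmiller
2016-02-15 22:41:07 cnc-ctl01 ctl: session opened for user jhardin from 10.20.4.5
2016-02-15 22:43:51 cnc-ctl01 ctl: job 4417 scheduled by jhardin order=-
2016-02-16 02:07:19 cnc-ctl01 ctl: job 4418 scheduled by jhardin order=-
2016-02-16 02:30:00 cnc-ctl01 ctl: audit log truncated by jhardin
2016-02-16 08:05:33 cnc-ctl01 ctl: session opened for user tnguyen from 10.20.4.9
2016-02-16 08:10:12 cnc-ctl01 ctl: job 4419 scheduled by tnguyen order=WO-2035
2016-02-20 10:02:00 cnc-ctl01 ctl: session opened for user jhardin from 10.20.4.5
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S+): (.*)$")
LOGIN_RE = re.compile(r"session opened for user (\S+) from (\S+)")
JOB_RE = re.compile(r"job (\d+) scheduled by (\S+) order=(\S+)")
TAMPER_RE = re.compile(r"audit log (?:truncated|cleared|deleted) by (\S+)")

# Plant operating hours (assumption): 06:00-18:00, Monday to Friday.
BUSINESS_HOURS = (time(6, 0), time(18, 0))

# Relative weight of each signal when ranking users for follow-up (assumption).
WEIGHTS = {"off_hours_login": 1, "job_without_work_order": 1, "log_tampering": 3}


def parse(log_text):
    """Yield (timestamp, host, message) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(4)


def is_off_hours(ts, hours=BUSINESS_HOURS):
    """True on weekends or outside the configured operating window."""
    start, end = hours
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def analyze(log_text, hours=BUSINESS_HOURS):
    """Return a list of findings, one per event that matches a rule."""
    findings = []
    for ts, host, msg in parse(log_text):
        m = LOGIN_RE.search(msg)
        if m:
            if is_off_hours(ts, hours):
                findings.append({"rule": "off_hours_login", "user": m.group(1), "ts": ts,
                                 "detail": f"login to {host} from {m.group(2)}"})
            continue
        m = JOB_RE.search(msg)
        if m:
            # A job with no customer work order is the "side business" signal.
            if m.group(3) in ("-", "none"):
                findings.append({"rule": "job_without_work_order", "user": m.group(2), "ts": ts,
                                 "detail": f"job {m.group(1)} on {host} has no work order"})
            continue
        m = TAMPER_RE.search(msg)
        if m:
            findings.append({"rule": "log_tampering", "user": m.group(1), "ts": ts,
                             "detail": f"audit log modified on {host}"})
    return findings


def score_users(findings, weights=WEIGHTS):
    """Aggregate weighted findings per user. Several individually weak
    signals on one account are what make a case like this stand out."""
    scores = Counter()
    for f in findings:
        scores[f["user"]] += weights[f["rule"]]
    return scores


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['rule']:<24} {f['user']:<10} {f['detail']}")
    print("per-user score:", dict(score_users(results)))
```

The point of the per-user score is the separation-of-duties bullet: the rules only help if the alerts are delivered to, and the logs are stored with, someone other than the administrator of the control systems. In Case #2 the perpetrator could truncate the audit log himself; shipping these events to a remote log server as they occur is what turns the third rule from a forensic artifact into an alert.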
Case #3: Offline Exfiltration
Victim organization had very tight data exfiltration controls
User removed the hard drive from his PC, brought it home, and used forensic tools to extract data from it
Hard drive was unencrypted
- Utilize full disk encryption (FDE) for everything, so a drive removed from the machine is not readable on its own
- Check the offline decryption/recovery capabilities of your FDE solution (recovery keys, pre-boot bypasses), since these are exactly what a user with physical access to the drive would reach for
Case #4: Anti-Forensics
Two key employees leave the victim company simultaneously.
Soon after, important clients began terminating contracts.
Company found their clients were moving to a brand new company founded by… the two departed employees.
Both employees had done factory reset on their company-provided Android phones.
One employee ran CCleaner before turning in his laptop.
Other employee replaced the hard drive on his laptop with a brand-new drive of same make and model.
- track application downloads and installs (prevent use of anti-forensics software)
- application whitelisting (prevent use of anti-forensics software)
- better termination procedures:
- assess and preserve employee equipment post-termination
- don’t immediately re-use systems after someone leaves
- check components against inventory
- check historical use of removable media
(Andrew made the point that these types of stricter checks might be done only in certain cases, e.g., key employees, those with access to highly sensitive data, and those leaving under bad circumstances.)
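Two of the termination checks above, "check components against inventory" and "check historical use of removable media", are mechanical enough to script. The following is an added example, not code from the talk or from Volexity: it extracts USB mass-storage attach events from Linux kernel log lines of the kind found in kern.log or "journalctl -k", and compares the internal drive's model and serial (taken from smartctl -i style output) against an inventory record. Host names, device IDs, serial numbers, the inventory structure and both log excerpts are constructed for the example.

```python
import re

# Constructed excerpt in the style of Linux kernel messages as they appear in
# /var/log/kern.log or "journalctl -k". Host, device IDs and serials are made up.
SAMPLE_KERN_LOG = """\
Feb 24 09:15:01 ws-0421 kernel: usb 1-1.2: new high-speed USB device number 5 using xhci_hcd
Feb 24 09:15:01 ws-0421 kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Feb 24 09:15:01 ws-0421 kernel: usb 1-1.2: Product: Ultra Fit
Feb 24 09:15:01 ws-0421 kernel: usb 1-1.2: Manufacturer: SanDisk
Feb 24 09:15:01 ws-0421 kernel: usb 1-1.2: SerialNumber: 4C530001230917112345
Feb 24 09:15:01 ws-0421 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
Feb 24 09:15:02 ws-0421 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Feb 24 11:02:17 ws-0421 kernel: usb 1-1.3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
Feb 24 11:02:17 ws-0421 kernel: usb 1-1.3: Product: USB Receiver
Feb 24 11:02:17 ws-0421 kernel: usb 1-1.3: Manufacturer: Logitech
Feb 25 23:48:09 ws-0421 kernel: usb 1-1.2: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Feb 25 23:48:09 ws-0421 kernel: usb 1-1.2: Product: DataTraveler 3.0
Feb 25 23:48:09 ws-0421 kernel: usb 1-1.2: Manufacturer: Kingston
Feb 25 23:48:09 ws-0421 kernel: usb 1-1.2: SerialNumber: 0019E06B3A2CBE41F7BB
Feb 25 23:48:09 ws-0421 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
Feb 25 23:48:10 ws-0421 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
"""

# Constructed output in the style of "smartctl -i /dev/sda" for the internal
# drive found in the returned laptop (values are made up).
SAMPLE_SMARTCTL = """\
=== START OF INFORMATION SECTION ===
Device Model:     WDC WD5000LPLX-00ZNTT0
Serial Number:    WD-WX21A45ZZZ99
Firmware Version: 01.01A01
"""

# Hypothetical asset inventory: what was recorded when the laptop was issued.
INVENTORY = {
    "ws-0421": {"model": "WDC WD5000LPLX-00ZNTT0", "serial": "WD-WX11A23ABC12"},
}

KERN_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) kernel: (.*)$")
FOUND_RE = re.compile(r"^usb (\S+): New USB device found, idVendor=(\w+), idProduct=(\w+)")
ATTR_RE = re.compile(r"^usb (\S+): (Product|Manufacturer|SerialNumber): (.*)$")
STORAGE_RE = re.compile(r"^usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected")
ATTR_KEYS = {"Product": "product", "Manufacturer": "manufacturer", "SerialNumber": "serial"}


def removable_media_events(log_text):
    """Return one dict per USB mass-storage attach, with vendor, product and
    serial collected from the enumeration lines that precede it."""
    pending = {}  # USB port path -> partially assembled device record
    events = []
    for line in log_text.splitlines():
        m = KERN_RE.match(line)
        if not m:
            continue
        ts, host, msg = m.groups()
        f = FOUND_RE.match(msg)
        if f:
            port, vid, pid = f.groups()
            pending[port] = {"ts": ts, "host": host, "port": port,
                             "vendor_id": vid, "product_id": pid}
            continue
        a = ATTR_RE.match(msg)
        if a and a.group(1) in pending:
            pending[a.group(1)][ATTR_KEYS[a.group(2)]] = a.group(3).strip()
            continue
        s = STORAGE_RE.match(msg)
        if s and s.group(1) in pending:
            # Only devices that bound to usb-storage count; a mouse receiver
            # or a phone in MTP mode enumerates but never reaches this line.
            events.append(pending.pop(s.group(1)))
    return events


def parse_smartctl_info(text):
    """Pull model and serial out of smartctl -i style output."""
    info = {}
    for line in text.splitlines():
        if line.startswith("Device Model:"):
            info["model"] = line.split(":", 1)[1].strip()
        elif line.startswith("Serial Number:"):
            info["serial"] = line.split(":", 1)[1].strip()
    return info


def check_disk_against_inventory(host, observed, inventory):
    """Compare the drive actually in the machine with the one issued.
    A same-model drive with a different serial is exactly the swap in Case #4."""
    expected = inventory.get(host)
    if expected is None:
        return [f"{host}: no inventory record"]
    issues = []
    for field in ("model", "serial"):
        if observed.get(field) != expected[field]:
            issues.append(f"{host}: {field} mismatch, expected {expected[field]}, "
                          f"found {observed.get(field)}")
    return issues


if __name__ == "__main__":
    for e in removable_media_events(SAMPLE_KERN_LOG):
        print(f"{e['ts']} {e['host']} {e.get('manufacturer')} {e.get('product')} serial={e.get('serial')}")
    for issue in check_disk_against_inventory("ws-0421", parse_smartctl_info(SAMPLE_SMARTCTL), INVENTORY):
        print("INVENTORY:", issue)
```

Two caveats a practitioner would want. First, the kernel log is exactly the kind of local artifact that CCleaner-style tools and a factory reset remove, which is why the earlier bullets pair this check with remote logging and application whitelisting; the parser is only useful if the log survived. Second, a replaced drive carries no history at all, so the inventory comparison has to come first: a serial mismatch means the media-usage question must be answered from the log server, not from the machine. On Windows the equivalent sources for the same check are the USBSTOR key under HKLM\SYSTEM\CurrentControlSet\Enum and setupapi.dev.log.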
Other Overall Recommendation:
- Consider bringing in an outside party for a “capture the flag” exercise, similar to an insider pen-test, to see if they can gain access to and exfiltrate specific data without detection.