Posted on 15-Apr-2017


Insider Threat Experiences

Jamie Graves, CEO, j.graves@zonefox.com

Impacts

Labels recovered from the slide's impact figure (which label belongs to which case, and the amounts missing from the last two, are not recoverable from this transcript):

• Robert Hanssen
• $1 million
• Documents worth $40 million
• Bankruptcy
• $100 million estimated damages
• Loss of competitive advantage
• Loss of formula worth $500 million
• lost in sales revenue
• lost in R&D

Definition

• Current or former employee, or contractor
• Targets specific information

1. Theft or modification of information for financial gain (fraud)
2. IT Sabotage
3. Theft of information for Business Advantage
4. National Security Espionage

IP - What’s at Risk?

• Trade Secrets: 39%
• Organisational Information: 23%
• Source Code: 16%
• Proprietary Software: 9%
• Customer Information: 8%
• Business Plans: 5%

Motivation

Behaviours

Non-Technical Indicators

• Without need or authorisation, takes proprietary material or other materials home
• Interest in matters outside the scope of their duties
• Unnecessarily copies material
• Remotely accesses the computer network at odd times
• Disregards company computer policies

How Information is Stolen

• Email: 25%
• Removable Media: 25%
• Network Access: 23%
• Laptops: 16%
• Printed Docs: 7%
• File Xfer: 5%

Technical Indicators

• Attempts to circumvent auditing and logging functions
• Copying, deleting, moving and printing sensitive files
• Network interface or system hardware manipulation
• Removable media or transferring using unauthorised channels
• Attempts to anonymize network activities and web browsing
• Complex, sophisticated search queries against internal databases
• Downloading data to external removable drives
• E-Mail, file, and system log deletion
• Frequent and seemingly excessive use of encryption
• High volume printing

Case Study

Company Profile

• Globally recognised Automotive brand
• Number of departments
  • R&D
  • Testing
  • Client/Consultancy Services
• Engineers
• Deployed ZoneFox for 4 weeks to test and verify that certain policies and controls were in place

The Behaviour

• User had installed backup software
  • In violation of policy
• Subterfuge
  • Incremental backup (check for updates)
  • Files collated into easily handled ZIP
  • Would run out-of-hours
  • ‘Fire and forget’

The Data

• 182,000 Files:
  • Results of confidential product testing
  • CAD designs for prototypes and new products
  • Bills of Materials for new designs
  • Printed Circuit board designs
  • Contracts and agreements with research and manufacturing partners

Exfiltration

• User disconnected end-point as they had a ‘hunch’ they were being monitored
• Plugged-in removable media
  • ~2,000 files copied
  • Source code for new products

The Debrief

• When we presented the report to the CISO
  • Individual had handed in their resignation to go to a competitor
• Issues
  • Had the employee been backing up other information before the HR event?
  • What if the employee had lied about joining a competitor?

Disrupting the Insider Threat Kill Chain

Recruitment / Tipping Point → Search and Reconnaissance → Exploitation → Acquisition → Exfiltration

Lessons

The Insider Threat is not related to ‘Hackers’

• Know your assets

• Enforce separation of duties and least privilege

• Clearly document and consistently enforce policies and controls

• Implement strict password and account management policies and practices

• Incorporate insider threat awareness into periodic security training

• Define explicit security agreements for any cloud services

• Institutionalise system change controls

The insider threat is not just a technical or cyber security issue

• Beginning with the hiring process, monitor and respond to suspicious or disruptive behaviour

• Anticipate and manage negative issues in the work environment

• Develop a comprehensive employee termination procedure

• Be especially vigilant regarding social media

A good insider threat program should focus on deterrence, not detection

• Develop and implement a formalised insider threat program
• Participation & Ownership
  • Ensure that all managers and employees understand why it’s there, and feel that they can contribute to and participate in it

Detection of insider threats should involve behavioural based techniques

• Establish a baseline of normal network device behaviour

• Monitor and control remote access from all end points, including mobile devices

• Use a log correlation engine and SIEM to log, monitor, and audit employee actions

• Strong integration between IT and HR
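As an added example (not from the deck, and not ZoneFox's product), the following Python detector applies the behaviour-based approach of this slide and the technical indicators listed earlier to constructed endpoint telemetry that mirrors the case study: out-of-hours ZIP creation, a removable-media insert followed by a burst of copies, and a daily copy volume far above the user's own baseline. The event format, field names, out-of-hours policy and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample endpoint telemetry (user, ISO timestamp, action, path); not real data.
# It mirrors the case study: nightly backup runs collating files into ZIPs, then a
# removable-media insert followed by a burst of ~2,000 copies to that drive.
EVENTS = [
    ("alice", "2017-03-06T10:12:00", "file_copy", "C:/work/report.docx"),
    ("alice", "2017-03-07T14:40:00", "file_copy", "C:/work/cad/part.dwg"),
    ("bob", "2017-03-06T11:00:00", "file_copy", "C:/work/notes.txt"),
    ("bob", "2017-03-06T23:05:00", "file_copy", "C:/backup/inc-001.zip"),
    ("bob", "2017-03-07T23:07:00", "file_copy", "C:/backup/inc-002.zip"),
    ("bob", "2017-03-08T09:01:00", "usb_insert", "E:"),
] + [("bob", "2017-03-08T09:%02d:00" % (2 + i // 100), "file_copy", "E:/src/f%d.c" % i)
     for i in range(2000)]

def detect(events, usb_window_min=30, usb_threshold=100, baseline_factor=10):
    """Return (user, rule, detail) alerts.
    Rule 1: out-of-hours (before 07:00 / from 20:00; assumed policy) creation of ZIP archives.
    Rule 2: removable media inserted, then a burst of copies to that drive within the window.
    Rule 3: a day's copy volume far above the user's own median (behavioural baseline).
    """
    alerts, inserts, burst = [], defaultdict(list), defaultdict(int)
    daily = defaultdict(lambda: defaultdict(int))          # user -> day -> file_copy count
    for ts, user, action, path in sorted((datetime.fromisoformat(t), u, a, p) for u, t, a, p in events):
        if action == "usb_insert":
            inserts[user].append((ts, path))            # remember drive letter and insert time
            continue
        if action != "file_copy":
            continue
        daily[user][ts.date().isoformat()] += 1
        if path.lower().endswith(".zip") and (ts.hour < 7 or ts.hour >= 20):
            alerts.append((user, "out_of_hours_archive", f"{path} at {ts.isoformat()}"))
        for ins_ts, drive in inserts[user]:
            if path.startswith(drive) and ts - ins_ts <= timedelta(minutes=usb_window_min):
                burst[(user, ins_ts, drive)] += 1
    for (user, ins_ts, drive), n in burst.items():
        if n >= usb_threshold:
            alerts.append((user, "removable_media_burst", f"{n} files to {drive} after insert at {ins_ts}"))
    for user, days in daily.items():
        base = median(days.values())                        # the user's own normal daily volume
        for day, n in days.items():
            if n > base * baseline_factor:
                alerts.append((user, "volume_above_baseline", f"{n} copies on {day} vs median {base}"))
    return alerts
```

Running detect(EVENTS) raises four alerts, all for bob and none for alice; in practice the per-user baseline would be built from a longer history than three days.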

The science of insider threat detection is in its infancy

In Summary

1. Insider threats do not come from hackers
2. The insider threat is not just a technical or cyber security issue
3. A good insider threat program should focus on deterrence, not detection
4. Detection of insider threats has to use behavioural based techniques
5. The science of insider threat detection and deterrence is in its infancy

Sources

• FBI Insider Threat Lessons
• CERT: Spotlight On: Insider Theft of Intellectual Property inside the United States Involving Foreign Governments or Organisations
• CERT: Insider theft of intellectual property for business advantage: a preliminary model
• CERT: Common Sense Guide to Mitigating Insider Threats, 4th edition
• PWC Data Breach Report
• Verizon 2013 Data Breach Report
• ZoneFox Customers

Thanks for listening,

Any Questions?

Jamie Graves, CEO, j.graves@zonefox.com