Insider Threat Experiences
Jamie Graves, CEO, [email protected]

Upload: napier-university
Posted on 15-Apr-2017

TRANSCRIPT

Page 1: Insider Threat Experiences

Insider Threat Experiences

Jamie Graves, [email protected]

Page 2: Insider Threat Experiences

Robert Hanssen

Page 3: Insider Threat Experiences

Impacts (slide graphic; figures and labels as recovered)

• $1 million
• Documents worth $40 million
• Bankruptcy
• $100 million estimated damages
• Loss of competitive advantage
• Loss of formula worth $500 million
• lost in sales revenue
• lost in R&D

Page 4: Insider Threat Experiences

Definition

• Current or former employee, or contractor
• Targets specific information:
  1. Theft or modification of information for financial gain (fraud)
  2. IT sabotage
  3. Theft of information for business advantage
  4. National security espionage

Page 5: Insider Threat Experiences

IP - What’s at Risk?

• Trade secrets: 39%
• Organisational information: 23%
• Source code: 16%
• Proprietary software: 9%
• Customer information: 8%
• Business plans: 5%

Page 6: Insider Threat Experiences
Page 7: Insider Threat Experiences

Motivation

Page 8: Insider Threat Experiences

Behaviours

Page 9: Insider Threat Experiences

Non-Technical Indicators

• Without need or authorisation, takes proprietary material or other materials home
• Interest in matters outside the scope of their duties
• Unnecessarily copies material
• Remotely accesses the computer network at odd times
• Disregards company computer policies

Page 10: Insider Threat Experiences

How Information is Stolen

• Email: 25%
• Removable media: 25%
• Network access: 23%
• Laptops: 16%
• Printed documents: 7%
• File transfer: 5%

Page 11: Insider Threat Experiences

Technical Indicators

• Attempts to circumvent auditing and logging functions
• Copying, deleting, moving and printing sensitive files
• Network interface or system hardware manipulation
• Removable media, or transferring using unauthorised channels
• Attempts to anonymise network activities and web browsing
• Complex, sophisticated search queries against internal databases
• Downloading data to external removable drives
• E-mail, file and system log deletion
• Frequent and seemingly excessive use of encryption
• High-volume printing

Page 12: Insider Threat Experiences

Case Study

Page 13: Insider Threat Experiences

Company Profile

• Globally recognised automotive brand
• Number of departments:
  • R&D
  • Testing
  • Client/consultancy services
  • Engineers
• Deployed ZoneFox for 4 weeks to test and verify that certain policies and controls were in place

Page 14: Insider Threat Experiences

The Behaviour

• User had installed backup software, in violation of policy
• Subterfuge:
  • Incremental backup (check for updates)
  • Files collated into an easily handled ZIP
  • Would run out-of-hours
  • 'Fire and forget'

Page 15: Insider Threat Experiences

The Data

• 182,000 files:
  • Results of confidential product testing
  • CAD designs for prototypes and new products
  • Bills of materials for new designs
  • Printed circuit board designs
  • Contracts and agreements with research and manufacturing partners

Page 16: Insider Threat Experiences

Exfiltration

• User disconnected the endpoint as they had a 'hunch' they were being monitored
• Plugged in removable media
• ~2,000 files copied
  • Source code for new products

Page 17: Insider Threat Experiences

The Debrief

• When we presented the report to the CISO, the individual had handed in their resignation to go to a competitor
• Issues:
  • Had the employee been backing up other information before the HR event?
  • What if the employee had lied about joining a competitor?

Page 18: Insider Threat Experiences

Disrupting the Insider Threat Kill Chain

1. Recruitment / tipping point
2. Search and reconnaissance
3. Exploitation
4. Acquisition
5. Exfiltration

Page 19: Insider Threat Experiences

Lessons

Page 20: Insider Threat Experiences

The Insider Threat is not related to ‘Hackers’

• Know your assets

• Enforce separation of duties and least privilege

• Clearly Document and consistently enforce policies and controls

• Implement strict password and account management policies and practices

• Incorporate insider threat awareness into periodic security training

• Define explicit security agreements for any cloud services

• Institutionalise system change controls

Page 21: Insider Threat Experiences

The insider threat is not just a technical or cyber security issue

• Beginning with the hiring process, monitor and respond-to suspicious or disruptive behaviour

• Anticipate and manage negative issues in the work environment

• Develop a comprehensive employee termination procedure

• Be especially vigilant regarding social media

Page 22: Insider Threat Experiences

A good insider threat program should focus on deterrence, not detection

• Develop and implement a formalised insider threat program
• Participation and ownership: ensure that all managers and employees understand why it's there, and feel that they can contribute and participate in it

Page 23: Insider Threat Experiences

Detection of insider threats should involve behavioural based techniques

• Establish a baseline of normal network device behaviour

• Monitor and control remote access from all end points, including mobile devices

• Use a log correlation engine and SIEM to log, monitor, and audit employee actions

• Strong integration between IT and HR

Page 24: Insider Threat Experiences

The science of insider threat detection is in its infancy

Page 25: Insider Threat Experiences

In Summary

1. Insider threats do not come from hackers
2. The insider threat is not just a technical or cyber security issue
3. A good insider threat program should focus on deterrence, not detection
4. Detection of insider threats has to use behavioural based techniques
5. The science of insider threat detection and deterrence is in its infancy

Page 26: Insider Threat Experiences

Sources

• FBI: Insider Threat Lessons
• CERT: Spotlight On: Insider Theft of Intellectual Property inside the United States Involving Foreign Governments or Organisations
• CERT: Insider Theft of Intellectual Property for Business Advantage: A Preliminary Model
• CERT: Common Sense Guide to Mitigating Insider Threats, 4th edition
• PwC Data Breach Report
• Verizon 2013 Data Breach Report
• ZoneFox customers

Page 27: Insider Threat Experiences

Thanks for listening,

Any Questions?

Jamie Graves, [email protected]