
Page 1:

© 2016 Imperva, Inc. All rights reserved.

Part 1: Anatomy of an Insider Threat Attack

Shiri Margel, Data Security Research Team Lead, Imperva
Carrie McDaniel, Emerging Products Team Lead, Imperva

Page 2:

Shiri Margel

• Data Security Research Team Lead
• Master of Science in Computer Science and Mathematics
• 15+ years of algorithmic experience
• 3+ years of information security experience
• Session moderated by Carrie McDaniel, Emerging Products Team Lead

Page 3:

"70% of insider breaches took months or years to discover"
"16.3% of data breaches attributed to insider and privilege misuse"
Verizon DBIR, April 2016

Page 4:

Insider Threat – Hacker Intelligence Initiative, March 2016

• Insider threat events were present in 100 percent of the studied environments
• Insider threat incidents were not identified by any existing in-place security infrastructure
• Identified insider threats spanned malicious, compromised and careless insiders

Page 5:

The Research – Behavioral Analysis

• Collected live production data from several volunteer Imperva customers
• Imperva SecureSphere audit logs: full database and file server audit trail
  – Provides full visibility into which users accessed what data
• Machine learning algorithms identify "actors" and "good behavior" in order to identify "meaningful anomalies"

Page 6:

Actors

Page 7:

Good Behavior

Page 8:

Behavioral Analysis

• Malicious
• Careless
• Compromised


Page 10:

Malicious Insiders: The Worst Nightmare Scenario

• Trusted insiders who intentionally steal data for their own purposes
• More than 15% of breaches are carried out by malicious insiders
• Motivation: financial gain, espionage or a grudge
• Examples: Edward Snowden, Chelsea Manning (born Bradley Manning)

Page 11:

Malicious Insider: Behavioral Analysis Finds the IP Hoarder

• An employee in Technical Writing copied more than 100,000 files
• The employee was authorized to access the data
• The operation took 3 weeks
• Each copy contained a few thousand files
• Some copies took place in the middle of the night and/or on the weekend

Page 12:

Malicious Insider: Behavioral Analysis Finds the IP Hoarder

• Neither the employee nor their department had ever copied this many files
• The employee had never worked on weekends or in the middle of the night


Page 14:

Malicious Insider: Behavioral Analysis Finds the IP Hoarder

Organization's feedback:

• The employee was planning to leave the organization shortly after the incident took place

Page 15:

Malicious Insider: Behavioral Analysis Flags DBA Abusing Privileges

[Diagram labels: Application, Database, Clients, Applicative Tables, DBA]

Page 16:

Malicious Insider: Behavioral Analysis Flags DBA Abusing Privileges

• A DBA from IT retrieved and modified multiple records in PeopleSoft application tables on a specific day
• Did not access these tables through the PeopleSoft interface
  – Bypassed PeopleSoft's logging and retrieval limitations

Page 17:

Malicious Insider: Behavioral Analysis Flags DBA Abusing Privileges

• Retrieved many records:
  – compared to their usual activity…
  – compared to other users…

Page 18:

Malicious Insider: Behavioral Analysis Flags DBA Abusing Privileges

• Modified several thousand records in one table
• Used a highly privileged DB account
• The tables contained sensitive financial information

Should a DBA from IT have direct access to financial information?

Page 19:

Malicious Insider: Behavioral Analysis Flags DBA Abusing Privileges

Organization's feedback:

• A DBA from IT should never be exposed to financial information
• And certainly should not modify that information outside of application processes
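The DBA case turns on an access-path check rather than on volume alone: application tables are supposed to be reached only through the application's own service account from its own servers, so any other principal reading or writing them, a highly privileged account especially, bypasses the application's logging and retrieval limits. The following Python is an added example, not Imperva's or PeopleSoft's code, that applies that check to constructed database audit records. The account names, host names, client programs, table names and the `PS_` prefix used to mark application tables are assumptions for the illustration.

```python
"""Flagging direct access to application tables that bypasses the application tier.

Constructed database audit records modelled on a PeopleSoft-style deployment. The
application reaches its tables through a known service account from known application
servers; anyone else reading or modifying those tables goes around the application's
own logging and row-retrieval limits. Added example, not Imperva's or PeopleSoft's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    db_user: str       # database account
    os_user: str       # OS identity behind the connection
    client_host: str   # where the connection came from
    program: str       # client program reported by the driver
    operation: str     # SELECT / INSERT / UPDATE / DELETE
    table: str
    rows: int          # rows returned or affected


# Constructed policy (assumptions for the illustration).
APP_SERVICE_ACCOUNTS = {"psadmin_app"}
APP_SERVER_HOSTS = {"appsrv01", "appsrv02"}
PRIVILEGED_DB_ACCOUNTS = {"sa", "sysadm", "SYSTEM"}
APP_TABLE_PREFIX = "PS_"                                # marks application tables
SENSITIVE_TABLES = {"PS_PAY_CHECK", "PS_GL_ACCOUNT"}    # constructed financial tables
WRITE_OPS = {"INSERT", "UPDATE", "DELETE"}


def classify(ev):
    """Policy findings for one audit event; an empty list means acceptable access."""
    if not ev.table.startswith(APP_TABLE_PREFIX):
        return []                                       # not an application table
    via_app = ev.db_user in APP_SERVICE_ACCOUNTS and ev.client_host in APP_SERVER_HOSTS
    if via_app:
        return []                                       # the application's own traffic
    findings = [f"direct access to application table {ev.table} from {ev.client_host} ({ev.program})"]
    if ev.db_user in PRIVILEGED_DB_ACCOUNTS:
        findings.append(f"highly privileged database account {ev.db_user}")
    if ev.table in SENSITIVE_TABLES:
        findings.append("table holds sensitive financial data")
    if ev.operation in WRITE_OPS:
        findings.append(f"{ev.operation} of {ev.rows} rows outside application processes")
    return findings


def review(events):
    """Group findings per (os_user, db_user) so one person's session reads as one case."""
    cases = {}
    for ev in events:
        findings = classify(ev)
        if findings:
            cases.setdefault((ev.os_user, ev.db_user), []).append(
                (ev.operation, ev.table, ev.rows, findings))
    return cases


# Constructed audit sample: ordinary application traffic, a BI account on a non-application
# table, and a DBA from IT using a privileged account from a workstation with an ad-hoc client.
SAMPLE = [
    AuditEvent("psadmin_app", "psadmin", "appsrv01", "appserver", "SELECT", "PS_PAY_CHECK", 1),
    AuditEvent("psadmin_app", "psadmin", "appsrv02", "appserver", "UPDATE", "PS_PAY_CHECK", 1),
    AuditEvent("sysadm", "jdoe", "it-ws-17", "sqlplus", "SELECT", "PS_PAY_CHECK", 48210),
    AuditEvent("sysadm", "jdoe", "it-ws-17", "sqlplus", "UPDATE", "PS_PAY_CHECK", 3120),
    AuditEvent("sysadm", "jdoe", "it-ws-17", "sqlplus", "SELECT", "PS_GL_ACCOUNT", 900),
    AuditEvent("reporting", "svc_bi", "bisrv01", "tableau", "SELECT", "SALES_SUMMARY", 5000),
]

if __name__ == "__main__":
    for (os_user, db_user), rows in review(SAMPLE).items():
        print(f"case: {os_user} via {db_user}")
        for op, table, n, findings in rows:
            print(f"  {op} {table} ({n} rows): {'; '.join(findings)}")
```

The check is deliberately a policy, not a statistic: a single UPDATE of application rows from a workstation is a finding even if the row count is unremarkable, which is the point the organization's feedback makes about modifying financial data outside application processes.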

Page 20:

Behavioral Analysis: Malicious · Careless · Compromised

Page 21:

Negligent Insiders: The Road to Hell is Paved with Good Intentions

• Have no malicious intent
• Expose sensitive enterprise data through careless behavior: cutting corners or simplifying daily tasks

Page 22:

Negligent User Example 1: Behavioral Analysis Flags Account Sharing

• Bypasses the organization's permissions and privileges
• Gives people access they are not entitled to
• Leaves an incorrect access trail to the data
• Sharing is not caring!

Page 23:

Negligent User Example 1: Behavioral Analysis Flags Account Sharing

• A and B share privileges
• C and D use B's account
• H uses the accounts of E and G
• J uses the accounts of G and I
• L uses the account of K

[Chart: user-to-account usage matrix, users A through L]
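Account sharing is visible in a database audit trail because each login carries an OS user and a client host alongside the DB account. The following Python is an added example, not part of the deck or of SecureSphere, that maps those relationships over constructed login sessions following the slide's lettering (C and D on B's account, H on E's and G's, J on G's and I's, L on K's), and also checks for the strongest indicator of a shared credential: one account in time-overlapping sessions from two different hosts. All user names, hosts and times are constructed.

```python
"""Detecting shared database accounts from login audit records (constructed data).

A database audit trail records the OS user and client host behind each DB login.
An account several people log into, a person who logs into several accounts, or an
account with overlapping sessions from different hosts all break the link between
an action in the database and the person who performed it. Added example."""
from collections import defaultdict
from datetime import datetime as dt


def _t(h, m=0):
    """Constructed timestamps, all on one day."""
    return dt(2016, 3, 1, h, m)


# Constructed sessions: (db_account, os_user, client_host, start, end).
SESSIONS = [
    ("A", "a.adams", "ws-a", _t(9), _t(17)),
    ("B", "b.brown", "ws-b", _t(9), _t(12)),
    ("B", "c.clark", "ws-c", _t(10), _t(11)),       # C on B's account, overlapping B
    ("B", "d.davis", "ws-d", _t(14), _t(15)),       # D on B's account
    ("E", "e.evans", "ws-e", _t(13), _t(14)),
    ("E", "h.hall", "ws-h", _t(9), _t(10)),         # H on E's account
    ("G", "g.green", "ws-g", _t(9), _t(9, 30)),
    ("G", "h.hall", "ws-h", _t(10), _t(11)),        # H on G's account
    ("G", "j.jones", "ws-j", _t(10, 30), _t(12)),   # J on G's account, overlapping H
    ("I", "i.ivers", "ws-i", _t(9), _t(10)),
    ("I", "j.jones", "ws-j", _t(13), _t(14)),       # J on I's account
    ("K", "k.king", "ws-k", _t(9), _t(17)),
    ("K", "l.lee", "ws-l", _t(9), _t(17)),          # L on K's account, all day alongside K
    ("F", "f.fox", "ws-f", _t(9), _t(17)),          # F: one account, one person
]


def shared_accounts(sessions):
    """DB accounts logged into by more than one OS user -> the set of those OS users."""
    users = defaultdict(set)
    for acct, os_user, *_ in sessions:
        users[acct].add(os_user)
    return {a: u for a, u in users.items() if len(u) > 1}


def multi_account_users(sessions):
    """OS users who log into more than one DB account -> the set of those accounts."""
    accts = defaultdict(set)
    for acct, os_user, *_ in sessions:
        accts[os_user].add(acct)
    return {u: a for u, a in accts.items() if len(a) > 1}


def concurrent_use(sessions):
    """Accounts with time-overlapping sessions from different client hosts: the
    strongest sign that the credential is in more than one person's hands."""
    by_acct = defaultdict(list)
    for acct, _, host, start, end in sessions:
        by_acct[acct].append((host, start, end))
    hits = set()
    for acct, rows in by_acct.items():
        for i, (h1, s1, e1) in enumerate(rows):
            for h2, s2, e2 in rows[i + 1:]:
                if h1 != h2 and s1 < e2 and s2 < e1:   # closed-open intervals overlap
                    hits.add(acct)
    return hits


if __name__ == "__main__":
    print("shared accounts:", shared_accounts(SESSIONS))
    print("users on several accounts:", multi_account_users(SESSIONS))
    print("concurrent use from different hosts:", concurrent_use(SESSIONS))
```

The first two views answer the slide's question (who is using whose account); the third separates benign cases such as a person with two workstations from an account that is genuinely in two people's hands at the same moment.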


Page 25:

Negligent User Example 2: File Exfiltration

• An employee copied 1,500 files from the file share
• Each file copy operation took 14 seconds on average
• A normal file copy averages 1 second
• A slow copy rate may indicate a file exfiltration attempt:
  – connecting through VPN
  – copying files to a device outside the organization
• Exfiltration of a large number of files is concerning and uncommon
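The IP hoarder case (slides 11 to 14) and this slow-copy case both come down to the same comparison: an observed copy operation against the user's and the department's own baseline, on volume, on time of day, and on seconds per file. The following Python is an added example, not Imperva's code or SecureSphere's algorithm, that runs that comparison over constructed file-server audit records and serves both cases. The user names, the department, the working-hours definition (weekends, before 06:00 or from 22:00 count as off-hours) and the thresholds (10× the baseline volume, 5× the baseline seconds per file) are assumptions for the illustration.

```python
"""Baseline-and-anomaly detection over file-share audit records (constructed data).

Each record is one copy operation as a file-server audit trail would log it: who
copied, from which department, when, how many files, and how long the copy took.
Added example for illustration; not Imperva's code or SecureSphere's algorithm."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

DEPT = "Technical Writing"  # constructed department name

# Constructed baseline: three weeks of ordinary weekday activity for two users,
# roughly one second per copied file and never more than a few dozen files at once.
BASELINE = []
_start = datetime(2016, 3, 7)  # a Monday
for _day in range(21):
    _d = _start + timedelta(days=_day)
    if _d.weekday() >= 5:  # nobody in this department works weekends in the baseline
        continue
    for _user, _n in (("twriter1", 40), ("twriter2", 25)):
        BASELINE.append({"ts": _d.replace(hour=10), "user": _user, "dept": DEPT,
                         "files": _n, "seconds": float(_n)})

# Constructed incident window: twriter1 copies thousands of files per operation, some
# at night and on a Saturday, and one batch crawls at ~14 s per file. twriter2 is a
# colleague behaving normally.
INCIDENT = [
    {"ts": datetime(2016, 3, 28, 11, 0), "user": "twriter1", "dept": DEPT, "files": 4000, "seconds": 4000.0},
    {"ts": datetime(2016, 3, 29, 2, 30), "user": "twriter1", "dept": DEPT, "files": 3500, "seconds": 3500.0},
    {"ts": datetime(2016, 4, 2, 14, 0), "user": "twriter1", "dept": DEPT, "files": 3000, "seconds": 3000.0},
    {"ts": datetime(2016, 4, 4, 9, 0), "user": "twriter2", "dept": DEPT, "files": 30, "seconds": 30.0},
    {"ts": datetime(2016, 4, 5, 15, 0), "user": "twriter1", "dept": DEPT, "files": 1500, "seconds": 21000.0},
]


def off_hours(ts):
    """Weekend, or before 06:00 / from 22:00 on a weekday (assumed working hours)."""
    return ts.weekday() >= 5 or ts.hour < 6 or ts.hour >= 22


def build_baseline(records):
    """Profile per user and department: largest single copy operation, whether the user
    was ever active off-hours, and the user's median seconds per copied file."""
    user_max, dept_max = defaultdict(int), defaultdict(int)
    user_off, user_rate = defaultdict(bool), defaultdict(list)
    for r in records:
        user_max[r["user"]] = max(user_max[r["user"]], r["files"])
        dept_max[r["dept"]] = max(dept_max[r["dept"]], r["files"])
        user_off[r["user"]] |= off_hours(r["ts"])
        user_rate[r["user"]].append(r["seconds"] / r["files"])
    return {"user_max": user_max, "dept_max": dept_max, "user_off": user_off,
            "user_rate": {u: median(v) for u, v in user_rate.items()}}


def score(record, base, volume_factor=10, rate_factor=5):
    """Reasons an operation is anomalous against the baseline (empty list = normal).
    The multipliers are assumptions; tune them on real data."""
    reasons = []
    u, d = record["user"], record["dept"]
    if record["files"] > volume_factor * max(base["user_max"].get(u, 0), 1):
        reasons.append("volume: far above the user's own baseline")
    if record["files"] > volume_factor * max(base["dept_max"].get(d, 0), 1):
        reasons.append("volume: far above the department's baseline")
    if off_hours(record["ts"]) and not base["user_off"].get(u, False):
        reasons.append("time: off-hours activity never seen for this user")
    rate = record["seconds"] / record["files"]
    if u in base["user_rate"] and rate >= rate_factor * base["user_rate"][u]:
        reasons.append(f"rate: {rate:.0f} s/file vs. baseline {base['user_rate'][u]:.0f} s/file")
    return reasons


def analyse(baseline_records, incident_records):
    """Score every incident record; returns (user, timestamp, reasons) per record."""
    base = build_baseline(baseline_records)
    return [(r["user"], r["ts"].isoformat(), score(r, base)) for r in incident_records]


if __name__ == "__main__":
    for user, ts, reasons in analyse(BASELINE, INCIDENT):
        print(user, ts, reasons or "normal")
```

Each reason is one of the slide's observations made checkable: the department baseline catches the case where a single user's history is too short to be meaningful, the off-hours flag only fires for users who have never worked those hours, and the seconds-per-file ratio is what separates a slow remote copy from an ordinary large one.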

Page 26:

Our Recommendation

Further investigation required:

• Which files were copied?
• What other activity did the employee carry out against unstructured and structured data (file shares? databases?)

Page 27:

Behavioral Analysis: Malicious · Careless · Compromised

Page 28:

Compromised Insiders: More Dangerous Than You Think

Compromised users: "external threats" that act with the same level of freedom as the trusted insider

• 30% of recipients opened phishing emails
• 12% went on to open attachments or click links
• The top 10 known vulnerabilities accounted for 85% of successful exploits
• 63% of data breaches involved weak, default or stolen passwords

Source: Verizon DBIR 2016


Page 31:

Compromised Users: How Failed Logins Are Flagged as Anomalous

• Failed logins to a database are not uncommon
• In this example, a user tried to access a database they had never accessed before, using several different DB accounts
• 4 failed login attempts in an hour
  – One attempt used the user's credentials for another database
  – The other 3 attempts came in less than 10 minutes
• The user succeeded on their 5th attempt
  – Insufficient privileges: couldn't perform any operations

Page 32:

Compromised Users: How Failed Logins Are Flagged as Anomalous

• Baseline period
  – The user always logs into DB1 successfully using the "red" account
  – The user never logs into DB2
• On the day of the incident
  – The user tried and failed to log into DB2 11 times using 4 different accounts
  – Succeeded using a 5th account
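The logic of slides 31 and 32, written out as an added Python example (not Imperva's detector): build a per-client baseline of the databases and accounts it has successfully used, then alert only when the client hits a database it never reached before, with several failed logins across distinct accounts inside a short window, noting whether one of those accounts was the client's known credential from another database and which account finally got in. The client and account names, the timestamps, and the window and count thresholds are constructed; the sample follows slide 31's numbers (four failures in an hour, three of them inside ten minutes, success on the fifth account).

```python
"""Flagging anomalous failed database logins against a per-client baseline (constructed data).

Failed logins are common, so the detector does not alert on failures alone. It alerts when
a client that has only ever logged into one database starts failing against a database it
never touched, with several different accounts inside a short window, and then gets in.
Added example, not Imperva's code."""
from collections import defaultdict
from datetime import datetime as dt, timedelta

# Constructed baseline: the client logs into DB1 with the "red" account every day for ten
# days and never touches DB2. Each event: (timestamp, client, database, account, success).
BASELINE_LOGINS = [(dt(2016, 3, 1 + i, 9, 0), "alice-ws", "DB1", "red", True) for i in range(10)]

# Constructed incident day: failures against DB2 with "red" (the DB1 credential) and three
# other accounts within ten minutes, then a successful login with a fifth account. A second
# client has one ordinary failed login followed by success, which must not alert.
INCIDENT_LOGINS = [
    (dt(2016, 3, 14, 9, 0), "alice-ws", "DB1", "red", True),
    (dt(2016, 3, 14, 14, 0), "alice-ws", "DB2", "red", False),
    (dt(2016, 3, 14, 14, 41), "alice-ws", "DB2", "blue", False),
    (dt(2016, 3, 14, 14, 44), "alice-ws", "DB2", "green", False),
    (dt(2016, 3, 14, 14, 49), "alice-ws", "DB2", "orange", False),
    (dt(2016, 3, 14, 14, 55), "alice-ws", "DB2", "purple", True),
    (dt(2016, 3, 14, 15, 0), "bob-ws", "DB1", "bob", False),
    (dt(2016, 3, 14, 15, 1), "bob-ws", "DB1", "bob", True),
]


def login_baseline(events):
    """Per client: databases successfully logged into, and accounts successfully used."""
    dbs, accounts = defaultdict(set), defaultdict(set)
    for _, client, db, account, ok in events:
        if ok:
            dbs[client].add(db)
            accounts[client].add(account)
    return dbs, accounts


def detect(baseline_events, events, window=timedelta(hours=1), min_failures=3, min_accounts=2):
    """One alert per (client, database) that is new for the client and shows at least
    `min_failures` failed logins with at least `min_accounts` distinct accounts inside
    `window`. Thresholds are assumptions for the illustration."""
    known_dbs, known_accounts = login_baseline(baseline_events)
    by_target = defaultdict(list)
    for ev in sorted(events):
        by_target[(ev[1], ev[2])].append(ev)
    alerts = []
    for (client, db), evs in by_target.items():
        if db in known_dbs[client]:
            continue                                   # the client normally uses this database
        failures = [e for e in evs if not e[4]]
        for i, first in enumerate(failures):
            burst = [e for e in failures[i:] if e[0] - first[0] <= window]
            accts = {e[3] for e in burst}
            if len(burst) >= min_failures and len(accts) >= min_accounts:
                later_success = next((e for e in evs if e[4] and e[0] > burst[-1][0]), None)
                alerts.append({
                    "client": client,
                    "database": db,
                    "failed_attempts": len(burst),
                    "accounts_tried": sorted(accts),
                    "reused_known_credential": bool(accts & known_accounts[client]),
                    "succeeded_with": later_success[3] if later_success else None,
                })
                break                                  # one alert per target is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_LOGINS, INCIDENT_LOGINS):
        print(alert)
```

The novelty test (a database the client never reached in the baseline) is what keeps this quiet on the everyday failed login, and the `reused_known_credential` field captures the slide's detail that one attempt used the user's own credential from another database, which is the pattern of someone trying a harvested password wherever it might work.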

Page 33:

Behavioral Analysis: Malicious · Careless · Compromised

Page 35:

Q & A

Page 36:

5 Minute Break