© 2016 Imperva, Inc. All rights reserved.
Part 1: Anatomy of an Insider Threat Attack
Shiri Margel, Data Security Research Team Lead, Imperva
Carrie McDaniel, Emerging Products Team Lead, Imperva
Shiri Margel
• Data Security Research Team Lead
• Masters of Science in Computer Science and Mathematics
• 15+ years algorithmic experience
• 3+ years information security experience
• Session moderated by Carrie McDaniel, Emerging Products Team Lead
“70% of insider breaches took months or years to discover”
“16.3% of data breaches attributed to insider and privilege misuse”
Verizon DBIR, April 2016
Insider Threat Hacker Intelligence Initiative March 2016
• Insider threat events were present in 100 percent of the studied environments
• Insider threat incidents were not identified by any existing in-place security infrastructure
• Identified insider threats spanned malicious, compromised and careless insiders
The Research – Behavioral Analysis
• Collected live production data from several volunteer customers of Imperva
• Imperva SecureSphere audit logs - full database and file server audit trail
– Provides full visibility into which users accessed what data
• Machine learning algorithms identify “actors” and “good behavior” in order to identify “meaningful anomalies”
Actors
Good Behavior
Behavioral Analysis
• Malicious • Careless • Compromised
Malicious Insiders: The Worst Nightmare Scenario
• Trusted insiders that intentionally steal data for their own purpose
• > 15% of the breaches are done by malicious insiders
• Motivation: Financial, Espionage or Grudge
• Examples: Edward Snowden, Chelsea Manning (born Bradley Manning)
Malicious Insider: Behavioral Analysis Finds the IP Hoarder
• A Technical Writing employee copied > 100,000 files
• The employee was authorized to access the data
• The operation took 3 weeks
• Each copy contained a few thousand files
• Some copies were made in the middle of the night and/or on the weekend
• Neither the employee nor their department had ever copied this many files
• The employee had never worked on weekends or in the middle of the night
Organization’s Feedback:
• The employee was planning to leave the organization shortly after the incident took place
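Added example, not Imperva's code and not the SecureSphere analytics described above: a minimal baseline-versus-anomaly check over a constructed file-server audit trail. It flags a user-day whose copy volume exceeds several times the larger of the user's and the department's own daily maximum, or that falls outside hours the user has never worked. The sample events, the one-month baseline window, the 07:00-20:00 Monday-to-Friday working hours and the factor of 5 are all assumptions for illustration.

```python
# Added example (not Imperva's code): baseline-vs-anomaly check on file copies.
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records, not real customer data:
# (timestamp, user, department, files copied in that operation)
EVENTS = [
    ("2016-02-01 10:12", "alice", "techwriting", 40),
    ("2016-02-02 14:30", "alice", "techwriting", 55),
    ("2016-02-03 09:05", "bob", "techwriting", 60),
    ("2016-02-04 16:20", "alice", "techwriting", 35),
    ("2016-02-05 11:00", "bob", "techwriting", 70),
    ("2016-03-07 02:15", "alice", "techwriting", 3200),  # night
    ("2016-03-07 23:40", "alice", "techwriting", 2800),  # night
    ("2016-03-12 13:10", "alice", "techwriting", 4100),  # Saturday
    ("2016-03-14 10:30", "bob", "techwriting", 65),
]
BASELINE_END = datetime(2016, 3, 1)   # assumed: everything before this is "good behavior"
WORK_HOURS = range(7, 20)             # assumed working hours, Monday to Friday


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def off_hours(t):
    return t.weekday() >= 5 or t.hour not in WORK_HOURS


def build_baseline(events, end):
    """Per user and per department: the most files copied in one day during the
    baseline window, plus whether the user ever worked off-hours in that window."""
    user_daily = defaultdict(lambda: defaultdict(int))
    dept_daily = defaultdict(lambda: defaultdict(int))
    user_off = defaultdict(bool)
    for ts, user, dept, n in events:
        t = parse(ts)
        if t >= end:
            continue
        user_daily[user][t.date()] += n
        dept_daily[dept][t.date()] += n
        user_off[user] = user_off[user] or off_hours(t)
    return {
        "user_max": {u: max(d.values()) for u, d in user_daily.items()},
        "dept_max": {d: max(v.values()) for d, v in dept_daily.items()},
        "user_off_hours": dict(user_off),
    }


def find_anomalies(events, baseline, end, factor=5):
    """Return (user, day, reasons) for user-days after `end` whose volume exceeds
    `factor` x the larger of the user's and department's daily maximum, or where a
    user who never worked off-hours in the baseline does so. A user with no
    baseline at all gets a limit of 0, so any copy by a brand-new user is flagged."""
    volume = defaultdict(int)
    reasons = defaultdict(set)
    dept_of = {}
    for ts, user, dept, n in events:
        t = parse(ts)
        if t < end:
            continue
        key = (user, t.date())
        volume[key] += n
        dept_of[key] = dept
        if off_hours(t) and not baseline["user_off_hours"].get(user, False):
            reasons[key].add("off_hours")
    for key, n in volume.items():
        user, _ = key
        limit = factor * max(baseline["user_max"].get(user, 0),
                             baseline["dept_max"].get(dept_of[key], 0))
        if n > limit:
            reasons[key].add("volume")
    return sorted(((u, d, sorted(r)) for (u, d), r in reasons.items()),
                  key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    base = build_baseline(EVENTS, BASELINE_END)
    for user, day, why in find_anomalies(EVENTS, base, BASELINE_END):
        print(user, day, why)
```

With the constructed data, alice's two March days are flagged for both volume and off-hours work, while bob's ordinary Monday copy is not. The department baseline matters: a user who copies a few hundred files is unremarkable when the whole team does, so the limit is taken against the larger of the two maxima.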
Malicious Insider: Behavioral Analysis Flags DBA Abusing Privileges
[Diagram: Clients -> Application -> Database (Applicative Tables); DBA -> Database directly]
• A DBA from IT retrieved and modified multiple records from PeopleSoft application tables on a specific day
• Didn’t access these tables through the PeopleSoft interface
– Bypassed PeopleSoft logging and retrieval limitations
• Retrieved many records, both compared to their usual activity and compared to other users
• Modified several thousand records in one table
• Used a highly privileged DB account
• The tables contained sensitive financial information
Should a DBA from IT have direct access to financial information?
Organization Feedback:
• A DBA from IT should never be exposed to financial information
• Certainly should not modify this information outside of application processes
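Added example, not Imperva's code: the DBA case above reduces to two checks on a database audit trail, namely access to application tables from anything other than the application tier (which is exactly what bypasses the application's own logging and retrieval limits), and how the day's row volume compares with the same user's other days and with peers. The audit records, the table and client names, the PeopleSoft-style identifiers and the `SYSADM` account are constructed for illustration, as is the policy that only the `PeopleSoft` client may touch `PS_PAYROLL`.

```python
# Added example (not Imperva's code): flag direct access to application tables.
from collections import defaultdict
from statistics import median

# Constructed DB audit records, not real data:
# (day, os_user, db_account, client_program, table, operation, rows)
AUDIT = [
    ("2016-02-01", "psapp", "PSAPP",  "PeopleSoft", "PS_PAYROLL",   "SELECT", 120),
    ("2016-02-01", "psapp", "PSAPP",  "PeopleSoft", "PS_PAYROLL",   "UPDATE", 3),
    ("2016-02-02", "dba1",  "SYSADM", "sqlplus",    "PS_MAINT_LOG", "SELECT", 10),
    ("2016-02-03", "dba2",  "SYSADM", "sqlplus",    "PS_MAINT_LOG", "SELECT", 8),
    ("2016-02-04", "psapp", "PSAPP",  "PeopleSoft", "PS_PAYROLL",   "SELECT", 110),
    ("2016-02-05", "dba1",  "SYSADM", "sqlplus",    "PS_MAINT_LOG", "SELECT", 12),
    ("2016-03-09", "dba1",  "SYSADM", "sqlplus",    "PS_PAYROLL",   "SELECT", 9500),
    ("2016-03-09", "dba1",  "SYSADM", "sqlplus",    "PS_PAYROLL",   "UPDATE", 4200),
]
# Assumed policy inputs: tables owned by the application, the client program
# that is the application tier, and accounts considered highly privileged.
APP_TABLES = {"PS_PAYROLL"}
APP_CLIENTS = {"PeopleSoft"}
PRIVILEGED_ACCOUNTS = {"SYSADM"}
WRITE_OPS = {"INSERT", "UPDATE", "DELETE"}


def daily_rows(audit):
    """Rows touched per (os_user, day), the unit of comparison for volume."""
    totals = defaultdict(int)
    for day, user, _, _, _, _, rows in audit:
        totals[(user, day)] += rows
    return totals


def flag_direct_app_access(audit, day):
    """Users who reached an application table on `day` without going through the
    application client. Each finding records why it matters (privileged account,
    data modified) and the day's row volume relative to the user's own other days
    and to every other user."""
    findings = {}
    totals = daily_rows(audit)
    for d, user, acct, client, table, op, rows in audit:
        if d != day or table not in APP_TABLES or client in APP_CLIENTS:
            continue
        f = findings.setdefault(user, {"reasons": set(), "tables": set()})
        f["tables"].add(table)
        f["reasons"].add("bypassed_application")
        if acct in PRIVILEGED_ACCOUNTS:
            f["reasons"].add("privileged_account")
        if op in WRITE_OPS:
            f["reasons"].add("modified_app_data")
    for user, f in findings.items():
        own = [n for (u, d), n in totals.items() if u == user and d != day]
        peers = [n for (u, d), n in totals.items() if u != user]
        today = totals[(user, day)]
        f["ratio_to_self"] = today / median(own) if own else float("inf")
        f["ratio_to_peers"] = today / median(peers) if peers else float("inf")
        f["reasons"] = sorted(f["reasons"])
        f["tables"] = sorted(f["tables"])
    return findings


if __name__ == "__main__":
    for user, f in flag_direct_app_access(AUDIT, "2016-03-09").items():
        print(user, f)
```

The client-program check is the one that answers the slide's question directly: a DBA may legitimately hold `SYSADM`, but a `sqlplus` session against `PS_PAYROLL` is by definition outside the application's processes. The volume ratios are a second signal, not a gate, so a small direct read still surfaces.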
Behavioral Analysis
• Malicious • Careless • Compromised
Negligent Insiders: The Road to Hell is Paved with Good Intentions
• Do not have malicious intent
• Expose sensitive enterprise data through careless behavior: cutting corners or simplifying daily tasks
• Bypass the organization’s permissions and privileges
• Provide people with access they are not entitled to
• Leave an inaccurate access trail to the data
• Sharing is not caring!
Negligent User Example 1: Behavioral Analysis Flags Account Sharing
• A and B share privileges
• C and D use B’s account
• H uses the accounts of E and G
• J uses the accounts of G and I
• L uses the account of K
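Added example, not Imperva's code: one way to surface the sharing pattern shown above from session records. It lists accounts used from more than one workstation, workstations that use more than one account, and, the strongest signal, accounts whose sessions from two different workstations overlap in time, since one person cannot be logged in from two desks at once. The session records are constructed, and using the workstation as a stand-in for the person behind it is an assumption; a real deployment would key on whatever identity the audit trail carries (OS user, client IP, or both).

```python
# Added example (not Imperva's code): detect shared accounts from session records.
from collections import defaultdict

# Constructed session records, not real data: (account, workstation, start, end)
# on a single day, HH:MM. The workstation stands in for the person using it.
SESSIONS = [
    ("acct_B", "ws-bob",   "08:00", "09:00"),
    ("acct_B", "ws-carol", "09:00", "11:00"),
    ("acct_B", "ws-dave",  "10:30", "12:00"),   # overlaps ws-carol's session
    ("acct_E", "ws-henry", "09:00", "10:00"),
    ("acct_G", "ws-henry", "10:05", "11:00"),
    ("acct_G", "ws-jane",  "14:00", "15:00"),
    ("acct_I", "ws-jane",  "15:10", "16:00"),
    ("acct_K", "ws-lee",   "09:00", "17:00"),
    ("acct_F", "ws-frank", "09:00", "17:00"),
]


def minutes(hhmm):
    h, m = map(int, hhmm.split(":"))
    return h * 60 + m


def hosts_per_account(sessions):
    """account -> workstations that used it."""
    out = defaultdict(set)
    for acct, host, _, _ in sessions:
        out[acct].add(host)
    return out


def accounts_per_host(sessions):
    """workstation -> accounts it logged in with."""
    out = defaultdict(set)
    for acct, host, _, _ in sessions:
        out[host].add(acct)
    return out


def concurrent_use(sessions):
    """(account, host1, host2) where sessions from two different workstations
    overlap in time. Two half-open intervals overlap when each starts before the
    other ends, so a session ending at 09:00 and one starting at 09:00 do not."""
    by_acct = defaultdict(list)
    for acct, host, start, end in sessions:
        by_acct[acct].append((host, minutes(start), minutes(end)))
    hits = set()
    for acct, uses in by_acct.items():
        for i, (h1, s1, e1) in enumerate(uses):
            for h2, s2, e2 in uses[i + 1:]:
                if h1 != h2 and s1 < e2 and s2 < e1:
                    hits.add((acct,) + tuple(sorted((h1, h2))))
    return sorted(hits)


def sharing_report(sessions):
    """Accounts seen from several workstations, workstations using several
    accounts, and accounts with provably concurrent use by different people."""
    return {
        "shared_accounts": {a: sorted(h) for a, h in hosts_per_account(sessions).items()
                            if len(h) > 1},
        "multi_account_hosts": {h: sorted(a) for h, a in accounts_per_host(sessions).items()
                                if len(a) > 1},
        "concurrent_use": concurrent_use(sessions),
    }


if __name__ == "__main__":
    for k, v in sharing_report(SESSIONS).items():
        print(k, v)
```

The first two lists are candidates: a hot-desking team or a jump host will legitimately produce them, which is why the concurrent-use list is the one to act on first. Note that the report also answers the "incorrect access trail" point from the previous slide: for `acct_B`, the audit log alone cannot say which of three people performed a given action.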
Negligent User Example 2: File Exfiltration
• An employee copied 1500 files from the file share
• Each file copy operation took 14 seconds on average
• An average normal file copy takes 1 second
• A slow copy rate may indicate a file exfiltration attempt
– Connecting through VPN
– Copying files to a device outside the organization
• Exfiltration of a large number of files is concerning and uncommon
Our Recommendation
Further investigation required:
• Which files were copied?
• What other activities did the employee perform against unstructured data (file shares) and structured data (databases)?
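Added example, not Imperva's code: the slow-copy heuristic from the file exfiltration slides, run over constructed file-server audit lines, together with the first question the recommendation asks (which files, or at least which directories, were copied). The line format, the 1 second "normal" copy time, the factor of 5 and the 500-file threshold are assumptions; the audit lines are generated in the block itself so it runs offline.

```python
# Added example (not Imperva's code): spot slow, bulk file copies in an audit trail.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Assumed audit line format (constructed for this example):
# "<ISO timestamp> user=<user> op=<operation> path=<path> ms=<duration>"
LINE_RE = re.compile(r"^(\S+) user=(\S+) op=(\S+) path=(\S+) ms=(\d+)$")


def make_lines():
    """Constructed audit lines, not real data: alice copies 1500 files at roughly
    14 s each overnight, bob copies 30 files at roughly 1 s each during the day."""
    lines = []
    t = datetime(2016, 3, 10, 1, 0, 0)
    for i in range(1500):
        ms = 13500 + (i % 7) * 150
        lines.append(f"{t.isoformat()} user=alice op=copy "
                     f"path=/share/engineering/designs/spec_{i:04d}.docx ms={ms}")
        t += timedelta(milliseconds=ms)
    t = datetime(2016, 3, 10, 10, 0, 0)
    for i in range(30):
        ms = 900 + (i % 3) * 100
        lines.append(f"{t.isoformat()} user=bob op=copy "
                     f"path=/share/hr/forms/form_{i:02d}.pdf ms={ms}")
        t += timedelta(milliseconds=ms)
    return lines


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, op, path, ms = m.groups()
    return {"ts": ts, "user": user, "op": op, "path": path, "ms": int(ms)}


def copy_profile(lines):
    """Per user: number of copies, mean copy duration, and the share directories
    touched (first three path components), which answers 'which files?' at a glance."""
    prof = defaultdict(lambda: {"count": 0, "ms": [], "dirs": set()})
    for rec in filter(None, map(parse_line, lines)):
        if rec["op"] != "copy":
            continue
        p = prof[rec["user"]]
        p["count"] += 1
        p["ms"].append(rec["ms"])
        p["dirs"].add("/".join(rec["path"].split("/")[:4]))
    return {u: {"count": p["count"], "mean_ms": mean(p["ms"]), "dirs": sorted(p["dirs"])}
            for u, p in prof.items()}


def flag_slow_bulk_copies(lines, normal_ms=1000, slow_factor=5, min_files=500):
    """Users who copied at least `min_files` files with a mean duration at least
    `slow_factor` times the normal copy time. A slow bulk copy is consistent
    with files being pulled over a VPN to a device outside the organization."""
    return {u: p for u, p in copy_profile(lines).items()
            if p["count"] >= min_files and p["mean_ms"] >= slow_factor * normal_ms}


if __name__ == "__main__":
    for user, p in flag_slow_bulk_copies(make_lines()).items():
        print(user, p["count"], round(p["mean_ms"]), p["dirs"])
```

Slow copies have innocent causes too (large files, a congested link), so this is a trigger for the investigation the slide recommends rather than a verdict. Correlating the same user's database activity over the same window is the second step and needs the database audit trail, not the file-server one.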
Behavioral Analysis
• Malicious • Careless • Compromised
Compromised Insiders: More Dangerous Than You Think
Compromised users: “external threats” that act with the same level of freedom as the trusted insider
• 30% of recipients click on phishing emails
• 12% went on to open attachments or click links
• Top 10 known vulnerabilities accounted for 85% of successful exploits
• 63% of data breaches involved weak, default or stolen passwords
Source: Verizon DBIR 2016
Compromised Users: How Failed Logins are Flagged as Anomalous
• Failed logins to a database are not uncommon
• In this example, a user tried to access a database they never accessed before, using several different DB accounts
• 4 failed login attempts in an hour
– One attempt used the user’s credentials for another database
– The other 3 attempts came in less than 10 minutes
• The user succeeded on their 5th attempt
– Insufficient privileges: couldn’t perform any operations
• Baseline period
– The user always successfully logs into DB1 using the “red” account
– The user never logs into DB2
• On the day of the incident
– The user tried and failed to log into DB2 11 times using 4 different accounts
– Succeeded using a 5th account
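Added example, not Imperva's code: the failed-login case above, scored against a per-user baseline rather than a global threshold. The check asks whether the target database is one the user has ever reached, whether the user's own known credential was tried against it, how many failures fall in a short window, how many distinct accounts were tried, and whether an eventual success was followed by permission errors. The login records (a baseline of routine DB1 logins with the "red" account, then 11 failures on DB2 across 4 accounts and a 5th that succeeds), the 10-minute window and the thresholds are constructed for illustration; bob's single failed login on a database he normally uses is included to show that an ordinary failure produces no finding.

```python
# Added example (not Imperva's code): score failed DB logins against a baseline.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login audit records, not real data:
# (timestamp, os_user, database, db_account, outcome)
BASELINE = [(f"2016-02-{d:02d} 09:00", "alice", "DB1", "red", "success") for d in range(1, 20)]
BASELINE += [(f"2016-02-{d:02d} 09:30", "bob", "DB1", "bobacct", "success") for d in range(1, 20)]
INCIDENT = [
    ("2016-03-09 14:00", "alice", "DB2", "red",    "failed"),   # own DB1 credential tried on DB2
    ("2016-03-09 14:02", "alice", "DB2", "blue",   "failed"),
    ("2016-03-09 14:02", "alice", "DB2", "blue",   "failed"),
    ("2016-03-09 14:03", "alice", "DB2", "blue",   "failed"),
    ("2016-03-09 14:03", "alice", "DB2", "blue",   "failed"),
    ("2016-03-09 14:04", "alice", "DB2", "green",  "failed"),
    ("2016-03-09 14:05", "alice", "DB2", "green",  "failed"),
    ("2016-03-09 14:05", "alice", "DB2", "green",  "failed"),
    ("2016-03-09 14:06", "alice", "DB2", "yellow", "failed"),
    ("2016-03-09 14:07", "alice", "DB2", "yellow", "failed"),
    ("2016-03-09 14:08", "alice", "DB2", "yellow", "failed"),
    ("2016-03-09 14:09", "alice", "DB2", "black",  "success"),                 # 5th account works
    ("2016-03-09 14:10", "alice", "DB2", "black",  "insufficient_privileges"), # ...but can do nothing
    ("2016-03-09 15:00", "bob",   "DB1", "bobacct", "failed"),                 # routine typo, no finding
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def baseline_profile(events):
    """Databases and DB accounts each user has successfully used before."""
    dbs, accts = defaultdict(set), defaultdict(set)
    for _, user, db, acct, outcome in events:
        if outcome == "success":
            dbs[user].add(db)
            accts[user].add(acct)
    return dbs, accts


def max_failures_in_window(times, window):
    """Largest number of failures falling inside any span of length `window`."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def analyse_logins(baseline, events, window=timedelta(minutes=10), min_burst=3, min_accounts=2):
    """One finding per (user, database) in `events` that shows any of: a database the
    user never reached before, the user's own credential tried there, a burst of
    failures, several distinct accounts tried, or a success followed by privilege errors."""
    known_dbs, known_accts = baseline_profile(baseline)
    grouped = defaultdict(list)
    for ts, user, db, acct, outcome in events:
        grouped[(user, db)].append((parse(ts), acct, outcome))
    findings = []
    for (user, db), rows in grouped.items():
        fails = [(t, a) for t, a, o in rows if o == "failed"]
        outcomes = [o for _, _, o in rows]
        reasons = []
        if db not in known_dbs[user]:
            reasons.append("never_accessed_db")
            if any(a in known_accts[user] for _, a in fails):
                reasons.append("own_credential_tried_on_new_db")
        burst = max_failures_in_window([t for t, _ in fails], window) if fails else 0
        if burst >= min_burst:
            reasons.append("failure_burst")
        tried = {a for _, a in fails}
        if len(tried) >= min_accounts:
            reasons.append("multiple_accounts")
        if "success" in outcomes and "insufficient_privileges" in outcomes:
            reasons.append("success_then_privilege_errors")
        if reasons:
            findings.append({"user": user, "db": db, "failures": len(fails), "burst": burst,
                             "accounts_tried": sorted(tried), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse_logins(BASELINE, INCIDENT):
        print(f)
```

The point of the per-user baseline is the first reason: eleven failures on a database alice has never touched mean something different from eleven failures on the one she uses every morning. The final reason is the tell for a compromised credential rather than a confused user: someone who finally gets in and immediately hits permission errors was probing with accounts that were never theirs.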
• Malicious • Careless • Compromised
Learn More – Read the HII Report
Imperva.com/DefenseCenter
Q & A
5 Minute Break