why insider threat is a c-level priority
TRANSCRIPT
Why Insider Threat is aC-Level Priority
by Dr. Eric Cole
© 2016 Secure Anchor Consulting. All rights reserved.
External vs Internal
● Deliberate/Malicious Insider● Accidental Insider
● Source of the damage — External● Cause of the damage
— Internal
Paradigm Shift
53% of organizations have experienced an insider incident33% of organizations have no formal response plan
54% of IT professionals believe an insider threat is harder to detect today
Nature of Insider Threats
● Two main forms of insider threat:— Deliberate/malicious insider— Accidental insider
● Why do insiders become targets?— As external targets become more difficult, attackers find insiders are an easier avenue to compromise
Insider Threat Current State
Insider threats are on IT’s radar
Spending on insider threats will increase
The financial impact is significant
Organizations fail to focus on solutions
Insider threat often the cause of damage
Prevention is more a state of mind than a reality
Assessing Vulnerability to Insiders
● What information would an adversary target?● What systems contain the information that attackers would
target?● Who has access to critical information?● What would be the easiest way to compromise an insider?● What measures or solutions can IT use to prevent/detect these
attacks?● Does our current budget appropriately address insider threats?● What would a security roadmap that includes insider threats
look like for our organization?
Insider Attack Chain – Bad Attacker
Tipping Point - Going From Good to BadCommunicating via LinkedIn / Gmail message to competitor. Playing video games with lack of regard.
1
Searching for DataPassword harvesting or unauthorized access to co-workers computers.
2
Capture and Hide the DataEncrypt and rename file extensions - password protected ZIP file.
3
Data ExfiltrationSend ZIP file over Wetransfer - off hours transfers.
4
Insider Attack Chain – Negligent User
Detect NegligentBehavior
1
Inform Users of Security Policy
2
Enforce Behavior Change
3
How well is your organization doing with insider threats?
● Policy● Procedures● Awareness● Training● Technology● Administrative● Executive Support
We calculating your “insider threat GPA”, you can see what the biggest exposure you have to insider threats is likely to be.
Write your organization’s report card and focus on the lowest scoring areas.
Preventing Insider Threat
● Deliberate Insider – Difficult— More focus on authorization and access
● Accidental Insider - Possible— Differentiate between required functionality and optional functionality— Typical avenues of attack
● Exe attachments● Macros embedded in Office documents● Active scripting● HTML embedded content
Detecting Insider Threat
Activity patterns focused on data:— Amount of data accessed— Failed access attempts— Data copied or sent to external sources
There are differences in activity between a normal user and an insider threat.
Detecting Accidental Insider
● Accidental insider is being targeted by external entity
● Almost all external attackers setup C2● Focus on outbound traffic
— Number of connections— Length of the connections— Amount of data— Percent that is encrypted— Destination IP address
Focus on Command & Control Channel
Building an Insider Threat Program
● Determine access● Profile user behavior● Control administrator access ● Raise awareness● Monitor activity
Conventional wisdom does not work when it comes to security. Giving someone unneeded access just makes it easier for the adversary and increases the amount of damage that can be caused by a successful attack.
Make Sure You Are Solving the Correct Problem
● Always force a user to log in as a normal user. All operating systems can be configured to allow only normal user accounts to login and never allow someone with admin privileges to log directly into the system.
● Configure any application that needs to run with administrator privileges to either “Run as Administrator” or sudo to the appropriate access that is needed.
● Log and carefully review all privileged access.● If an employee needs a system where they have to log in directly
as administrator, give them a separate system for any access he or she may need to the Internet.
Summary
● Perform damage assessment of threats● Map past and current investment against threats● Determine exposure to insider threats● Create attack models to identify exposures● Identify root-cause vulnerabilities● Block and remove the vector of the attack● Control flow of inbound delivery methods● Filter on executable, mail and web links● Monitor and look for anomalies in outbound traffic
Insider Threat Checklist