Why Insider Threat is aC-Level Priority

by Dr. Eric Cole

© 2016 Secure Anchor Consulting. All rights reserved.

Are You Focused on the Correct Area?

External vs Internal

● Deliberate/Malicious Insider● Accidental Insider

● Source of the damage — External● Cause of the damage

— Internal

Paradigm Shift

53% of organizations have experienced an insider incident33% of organizations have no formal response plan

54% of IT professionals believe an insider threat is harder to detect today

Nature of Insider Threats

● Two main forms of insider threat:— Deliberate/malicious insider— Accidental insider

● Why do insiders become targets?— As external targets become more difficult, attackers find insiders are an easier avenue to compromise

If You Have Employees/Contractors, You

Have an Insider Threat Problem

Bottom Line

Insider Threat Current State

Insider threats are on IT’s radar

Spending on insider threats will increase

The financial impact is significant

Organizations fail to focus on solutions

Insider threat often the cause of damage

Prevention is more a state of mind than a reality

Assessing Vulnerability to Insiders

● What information would an adversary target?● What systems contain the information that attackers would

target?● Who has access to critical information?● What would be the easiest way to compromise an insider?● What measures or solutions can IT use to prevent/detect these

attacks?● Does our current budget appropriately address insider threats?● What would a security roadmap that includes insider threats

look like for our organization?

Insider Attack Chain – Bad Attacker

Tipping Point - Going From Good to BadCommunicating via LinkedIn / Gmail message to competitor. Playing video games with lack of regard.

1

Searching for DataPassword harvesting or unauthorized access to co-workers computers.

2

Capture and Hide the DataEncrypt and rename file extensions - password protected ZIP file.

3

Data ExfiltrationSend ZIP file over Wetransfer - off hours transfers.

4

Insider Attack Chain – Negligent User

Detect NegligentBehavior

1

Inform Users of Security Policy

2

Enforce Behavior Change

3

Solutions for Insider Threat

How well is your organization doing with insider threats?

● Policy● Procedures● Awareness● Training● Technology● Administrative● Executive Support

We calculating your “insider threat GPA”, you can see what the biggest exposure you have to insider threats is likely to be.

Write your organization’s report card and focus on the lowest scoring areas.

Preventing Insider Threat

● Deliberate Insider – Difficult— More focus on authorization and access

● Accidental Insider - Possible— Differentiate between required functionality and optional functionality— Typical avenues of attack

● Exe attachments● Macros embedded in Office documents● Active scripting● HTML embedded content

Detecting Insider Threat

Activity patterns focused on data:— Amount of data accessed— Failed access attempts— Data copied or sent to external sources

There are differences in activity between a normal user and an insider threat.

Detecting Accidental Insider

● Accidental insider is being targeted by external entity

● Almost all external attackers setup C2● Focus on outbound traffic

— Number of connections— Length of the connections— Amount of data— Percent that is encrypted— Destination IP address

Focus on Command & Control Channel

Building an Insider Threat Program

● Determine access● Profile user behavior● Control administrator access ● Raise awareness● Monitor activity

Conventional wisdom does not work when it comes to security. Giving someone unneeded access just makes it easier for the adversary and increases the amount of damage that can be caused by a successful attack.

Make Sure You Are Solving the Correct Problem

● Always force a user to log in as a normal user. All operating systems can be configured to allow only normal user accounts to login and never allow someone with admin privileges to log directly into the system.

● Configure any application that needs to run with administrator privileges to either “Run as Administrator” or sudo to the appropriate access that is needed.

● Log and carefully review all privileged access.● If an employee needs a system where they have to log in directly

as administrator, give them a separate system for any access he or she may need to the Internet.

Summary

● Perform damage assessment of threats● Map past and current investment against threats● Determine exposure to insider threats● Create attack models to identify exposures● Identify root-cause vulnerabilities● Block and remove the vector of the attack● Control flow of inbound delivery methods● Filter on executable, mail and web links● Monitor and look for anomalies in outbound traffic

Insider Threat Checklist

Thank You for Your Time!

DR. Eric ColeTwitter: drericcoleecole@secureanchor.comeric@sans.orgwww.securityhaven.com