The Insider Threat

Report
The Insider Threat
Nick Barron, DISA IT Advisor
[email protected]
+44 7720 508085
DISA IT Seminar : July 2014
1
About me
• Day job
• Security controller, sysadmin, software
developer
• Medium size List-X contractor
• DISA IT advisor
• After hours
• 44CON security conference
• SC Magazine
• Way too many computers at home
DISA IT Seminar : July 2014
2
Overview
•
•
•
•
•
•
What is the insider threat?
Attackers; types, motivation and examples
Detection
Prevention
Summary
Questions
DISA IT Seminar : July 2014
3
An apology
DISA IT Seminar : July 2014
4
What is the insider threat?
• Definition from CERT:
A malicious insider threat is a current or former employee,
contractor, or business partner who has or had authorized
access to an organization’s network, system, or data and
intentionally exceeded or misused that access in a manner
that negatively affected the confidentiality, integrity, or
availability of the organization’s information or information
systems.
Cappelli, Dawn M.; Moore, Andrew P.; Trzeciak, Randall F. (2012-01-20).
The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes
• Definition from CPNI:
A person who exploits, or has the intention to exploit, their
legitimate access to an organisation’s assets for
unauthorised purposes
CPNI Insider Data Collection Study, April 2013
DISA IT Seminar : July 2014
5
Obligatory (possibly fictional)
scary numbers
• CPNI Insider Data Collection Study, April 2013
• 88% permanent staff, 7% contractor, 5% temp
• 82% male
• 76% “self initiated”
• 47% financial gain motivation, 20% ideology
• Combating the Insider Threat at the FBI: Real World
Lessons Learned, Patrick Ready, BlackHat 2013
• Not the most common threat (~19%)
• But the most costly ($412K per incident, average
victim loss ~$15M per year)
DISA IT Seminar : July 2014
6
Obligatory (possibly fictional)
scary numbers
• Sanity check!
• Statistics can be misleading
• Only detected intrusions get into the figures
Image: http://xkcd.com/552/. Used with permission
DISA IT Seminar : July 2014
7
Key points about insiders
• Already authorised
• Already know the “crown jewels”
• Already know some/most security barriers
(and can test them)
• Not just your staff
DISA IT Seminar : July 2014
8
Features of the insider threat
• The bad side
• Insiders negate perimeter defences
• Good target knowledge
• Interior defences often weaker than perimeter
• The not so bad side
• IF detected, better chance of successful
resolution
• Operate entirely within your zone of authority
DISA IT Seminar : July 2014
9
Types of attack
• Information disclosure
• Theft of IP
• Competitor/FIS
• Personal gain
• Financial gain
• Direct (theft of material, fraudulent orders etc)
• Indirect (insider information, bids etc)
• Sabotage
• Physical, reputational or IT.
DISA IT Seminar : July 2014
10
Types of attacker
• Self-initiated insider
• Disgruntled employees
• Potential for financial gain or motivated by
ideology, desire for recognition or revenge
• Exploited/recruited
• Identified by attacker
• Cultivated
• Deliberate
• Gained employment with intent to abuse access
• Typically FIS or activist
DISA IT Seminar : July 2014
11
Motivation
•
•
•
•
•
•
Money
Ideology
Recognition
Personal loyalty
Dissatisfaction
Revenge
DISA IT Seminar : July 2014
12
Motivation and action
• Different motivations result in different
attacks
• Ideology and desire for recognition most likely to
lead to unauthorised disclosure
• Financial gain most likely to lead to process
abuse or unauthorised access to assets
• Revenge most likely to result in sabotage
DISA IT Seminar : July 2014
13
Misconceptions
• “I’m not worried, all our staff are security
cleared…”
• Clearance is an important risk management
tool, but does not remove the threat
clear·ance [kleer-uhns]
noun
Pre-requisite qualification for a
career in insider threat espionage
DISA IT Seminar : July 2014
14
Whistlestop tour of famous DV cleared
insider threats
Blunt, Maclean, Burgess, Philby
Katharine Gun
David Shayler/Delores Kane/
Son of God
Annie Machon
DISA IT Seminar : July 2014
Images: Wikipedia, used with permission
15
Whistlestop tour of famous DV cleared
insider threats
John Anthony Walker
Aldrich Ames
Bradley Manning
Robert Hanssen
Images: Wikipedia and US Government, used with permission
DISA IT Seminar : July 2014
16
Whistlestop tour of famous DV cleared
insider threats
DISA IT Seminar : July 2014
17
Snowden sidebar
• How did he do it?
• High level legitimate access
• Gained additional credentials
(social engineering)
• Installed own crypto keys and certificates
• Impact does not correlate with volume
• Currently published Snowden documents are
only ~2,000 pages (http://cryptome.org/2013/11/snowden-tally.htm)
• That would be about 8MB…
• Not much chance of detecting that…
DISA IT Seminar : July 2014
18
Detection
• Insider threats are not always so obvious!
Image from https://www.123rf.com/profile_dragon_fang. Used under licence
DISA IT Seminar : July 2014
19
Internal attack process
• Initiation
• Identify target material
• Massive head start on external attackers
• More careful identification reduces chance of
discovery
• Collect and collate
• Depends on volume
• Remove from company control
• CDs, DVDs, paper, email, web transfer
DISA IT Seminar : July 2014
20
Detection
• Technical measures
•
•
•
•
•
Unusual copying activity (electronic and paper)
Large and/or unusual data movements
Multiple device control failures
Unusual IT activity (probing etc)
Suspicious network activity
• Forensics
• Know normal patterns
• Forensic awareness
(do everything Campbell told you to!)
DISA IT Seminar : July 2014
21
Not just “cyber”
• Not just about technology/techies
• Technology helps insiders, but threat comes
from people
• Not just IT techies
• Not just system admins
• IT sabotage usually sysadmins (CERT, 90%)
• Espionage only 1.5% sysadmins (FBI)
DISA IT Seminar : July 2014
22
Detection
• Behaviour
•
•
•
•
Poor work attitude
Stress
Frequent security violations
Poor handling of PM assets
• It’s all about the aftercare…
DISA IT Seminar : July 2014
23
Detection
• How do they get away with it?
•
•
•
•
•
Poor management oversight
Audit logs are “write only”
Need-to-know creep
Poor security culture
“Normalisation of deviance”
DISA IT Seminar : July 2014
24
Prevention
• Existing security measures (may) still work
against insider threats
DISA IT Seminar : July 2014
25
Prevention
• The usual suspects…
• Include insiders in risk assessment process
• Make sure access rights are appropriate
(including indirect access)
• Clearly document and consistently enforce
polices (esp. IP rights)
• Ongoing security awareness/education
• Monitor for and consistently respond to abuse
• Clear grievance procedure
DISA IT Seminar : July 2014
26
Prevention
• The usual suspects (IT version)
•
•
•
•
•
•
•
Good password and account management
Strict termination process
Separation of duties where feasible
Least privilege
Consider insiders in contractors, suppliers etc
Pay particular attention to privileged users
Appropriate logging and monitoring
DISA IT Seminar : July 2014
27
Prevention
• Education, education, education…
• Ensure users are aware of insider risks
• Reporting process for suspicious behaviour
• Proper asset valuation/compartmentation
• Ensure that most valuable data is secured
• Don’t be lazy with access rights
(e.g. don’t be the NSA!)
• Include insider risk in security testing scope
• Penetration tests etc should include insider risks
DISA IT Seminar : July 2014
28
Prevention
• Have a response plan
• What do you do when you suspect senior staff
are up to no good?
• Ensure clear levels of authority are defined
• Include software lifecycle risks
• Independent code review
• Be suspicious of “job protection” developers
• Termination procedures
• Ensure ALL accounts disabled
• Third parties e.g. subcontractors/suppliers
DISA IT Seminar : July 2014
29
Prevention
• Learn from past events
• How would Snowden have got on in your
environment?
• Tabletop insider attack penetration test
• Recognise “red flag” behaviour signs
• Ensure HR work with security
DISA IT Seminar : July 2014
30
But it’s not easy…
• Knowing what is normal file transfer
behaviour is difficult
• A good insider will know the rules and avoid
breaking as many as possible
• Balancing “see something, say something”
versus “office Stasi” is difficult.
• Insider threat could involve no IT abuse at
all…
DISA IT Seminar : July 2014
31
Further info
• CERT https://www.cert.org/insider-threat/
• CPNI, search for “Insider Threat”
• BlackHat
• Slides http://tinyurl.com/BlackhatInsiderSlides
• Video
www.youtube.com/watch?v=38M8ta13K0Q
• 44CON https://44con.com
DISA IT Seminar : July 2014
32
Summary
• The insider threat is primarily a people thing,
not a cyber thing.
• There are no silver bullet solutions, beware
of vendors who will sell you one!
• Proper application of traditional personnel
security measures is key
• IT monitoring and forensics will help with
detection and response
DISA IT Seminar : July 2014
33
Questions?
DISA IT Seminar : July 2014
34

similar documents