ISSA Mini-seminarNov 11, 2017

Threat Inside vs. Insider Threat Threat Inside: abnormal or suspicious activity on a compromised system or

through compromised user credentials. This activity can be the result of malware, phishing, social engineering, or any other version of unauthorized access.

Insider threat: an employee or contractor who intentionally misuses authorized access to a secure network to carry out malicious activity. This activity can include sabotage, theft, espionage, fraud, mishandling of data or physical devices, as well as the use of information to gain a competitive advantage.

Insider Threat Statistics 62% of business users report they have access to company data that they

probably shouldn’t see, according to the Ponemon Institute.

Also according to Ponemon Institute, 43% of businesses need a month or longer to detect employee’s accessing unauthorized files.

A study by Mimecast revealed, 45% of IT executives say malicious insider attacks is one of the risks that they are most unprepared for.

One study by Gartner says, 62% involved employees looking to establish a second stream of income off of their employers’ sensitive data, 29% stole information on the way out the door to help future endeavors and 9% were saboteurs.

More Insider Threat Statistics 55% of cyber attacks were carried out by insiders in 2016, according to

IBM.

A 2014 Global Economic Crime Survey, found that 7% of US businesses lost $1 million or more due to cyber crime incidents in 2013.

According to Verizon 2015 Data Breach Investigations Report, 55% of insider breaches result from someone taking or being granted privileges above their pay grade.

According to IBM, 31.5% of 2014 cyber security incidents were acted by malicious insiders.

User and Entity Behavior AnalyticsThere is a new SIEM cloud product that uses machine learning and artificial intelligence to “learn” the behavior of enterprise users and systems. UEBA assigns a risk-rating to each user based on access, job, geographic location, work hours, etc. The entity behavior analytics are related to the heavy use times, normal services, processes and work load. The objective is to identify high-risk users and high-value target systems.

The user with the highest risk-rating at Bremer Bank is a remote contractor with inconsistent work habits/hours, and administrative access to all critical assets, including security relevant folders, files and tools.

Who is the biggest threat to my network according to UEBA?

Defense Inside threat: firewalls, multi-factor authentication, USER TRAINING,

least privilege, access control, password policy, USER TRAINING, anti-phishing, anti-malware, appropriate use, patching, and USER TRAINING

Insider threat: user behavior analytics, USER TRAINING, USER TRAINING, USER TRAINING, USER TRAINING, USER TRAINING

Who is the malicious insider? Executive

Engineer

Administrative assistant

Janitorial staff

Helpdesk

Security staff

Consultant

Intern

Disgruntled employee

Departing personnel

Contractor

Rogue administrators

Activist

Corporate Spy

Anybody

How can you tell? Unexplained affluence

Foreign contacts, foreign travel

Odd hours

Recording, storing, copying sensitive/classified information

Questionable behavior and loyalty

Large downloads, data exfiltration

Recruiting

Inappropriate water cooler conversations

Excuse

Justify

Not my place

It’s probably nothing …

Just a bad day

Trust

He’s such a nice guy

Nobody like that works HERE!

What if I’m wrong about her?

Oh, but …

Make it safe for people to voice their concerns. No recrimination; no judgment; no punitive action.

Reality WinnerNSA Contractor, Leak dates: May 9 – June 3, 2017

WINNER was employed as a government contractor with Pluribus International Corporation working for the NSA from 13 Feb – 3 June 2017.

01 June 2017: The FBI was notified by the NSA that it had been contacted by the news outlet about an upcoming story based on what it believed to be a classified document authored by the NSA. The Intercept provided the NSA with a copy of the document. Subsequent analysis by the agency confirmed that the document was the intelligence reporting, classified at the Top Secret level.

Reality WinnerNSA Contractor, Leak dates: May 9 – June 3, 2017

03 June 2017: WINNER was arrested at her home in Augusta, Georgia by FBI agents. She talked with FBI agents as they executed the search warrant. WINNER admitted identifying and printing the intelligence report knowing that it was classified. She admitted removing the report from her office space, retaining it, and mailing it to the news outlet, which she knew was not authorized to receive or possess the documents.

05 June 2017: The Intercept published a top secret NSA report that alleged that Russian military intelligence launched a 2016 cyber attack on a voting software company.

Reality WinnerNSA Contractor, Leak dates: May 9 – June 3, 2017

05 June 2017: Charges were announced. She faces up to 10 years in prison.

Possible Motive: Social Media postings suggest that she was very upset that Donald Trump won the presidential election and that she wanted to leak information that would damage his presidency.

Winner tweeted frequent complaints about the Trump administration as well as re-tweeting a joke about government leaks and about Snowden.

Anthony LevandowskiTrade Secrets Theft: Summer 2015- May 2017

Summer 2015: LEVANDOWSKI told a Google co-worker he was interested in creating a self-driving car start-up. He said an Uber executive had expressed interest in “buying the team responsible for Waymo’s LiDAR.” (LiDar = Light Detection and Ranging)

11 Dec 2015: LEVANDOWSKI downloaded more than 14,000 files (9.7GB including 2 GB of lidar-related data).

12-13 Jan 2016: LEVANDOWSKI talks with Uber about purchasing his new company

Anthony LevandowskiTrade Secrets Theft: Summer 2015- May 2017

27 Jan 2016: LEVANDOWSKI resigned from Google

01 Feb 2016: LEVANDOWSKI formed Otto Trucking

Aug 2016: Uber purchased Otto Trucking for $700 million

July – Aug 2016: Two more engineers leave Google and allegedly stole documents to benefit Otto

Anthony LevandowskiTrade Secrets Theft: Summer 2015- May 2017

Possible Motive: Greed, business interest

Feb 2017: Google’s Waymo sued Uber for trade secret theft and patent infringement

15 May 2017: Judge ruled Uber must return the 14,000 stolen documents

30 May 2017:Uber fired LEVANDOWSKI

Gregory JusticeBoeing contractor, Spying for Russia Nov 2015 – July 2016

Gregory Justice was employed by Boeing between March 2000 – 2016 on Wideband Global Satellite Communications (WGS) system; Global Positioning System (GPS), Geostationary Operational Environmental Satellites (GOES), Tracking and Data Relay Satellite (TDRS), and Milstar Communication Satellite (MILSTAR).

17 Feb 2016: "Since the 1980s, the United States Air Force has been building and launching surveillance satellites called WGS. And, um, these are the same things on your phone for the maps…They're also for, they're also worldwide surveillance…So what I'm offering is basically everything on our servers, on our computers. The plans, the test procedures, that's what I have access to." -Gregory JUSTICE to an undercover FBI employee

Gregory JusticeBoeing contractor, Spying for Russia Nov 2015 – July 2016

13 Feb 2016: JUSTICE called the UCE again saying he had contacted a certain "Captain" in September 2015 and had "told him … my wife is disabled and is very ill. So if I'm not at work, most of my time is taking care of her.”

19 Feb 2016: JUSTICE downloaded multiple files from Boeing's computer system and gave them to the UCE on a thumb drive. The UCE gave JUSTICE $500.00, and a receipt for the cash. The USB contained 35 files including documents containing proprietary and/or export control warnings. JUSTICE sent all $500.00 to C.M. (a woman posing as a European model in California) via FedEx.

Apr-May 2016: JUSTICE met the UCE multiple times to exchange drives for cash

Gregory JusticeBoeing contractor, Spying for Russia Nov 2015 – July 2016

Motivation: Greed. JUSTICE seemed fascinated with becoming a spy. Between 2013 and 2015, JUSTICE purchased approximately $4,344.00 in online courses (i.e., “Spy Escape and Evasion,” “Legally Concealed,” etc)

In a conversing with himself (22 Feb 2016), JUSTICE stated: "I could go to prison for this (spying for Russia). I could go to prison for non-payment of taxes, even though I'm sovereign, they still want me to pay taxes."

Gregory JusticeBoeing contractor, Spying for Russia Nov 2015 – July 2016

Finances: JUSTICE's wife had medical issues and he was either scammed ("catfished") or blackmailed by a woman in central California.

15 March 2016: JUSTICE told his wife she should cancel all of her upcoming medical appointments because they would not be able repair their car to go to her medical appointments, including the "pain center." It appeared that JUSTICE resented his wife.

JUSTICE sent thousands of dollars to "Chay.M.” She lived in an apartment in Long Beach, California with her son and boyfriend. From Dec 2015 – May 2016, JUSTICE sent $21,420 in cash and $5,916 in gifts.

Gregory JusticeBoeing contractor, Spying for Russia Nov 2015 – July 2016

07 July 2016: Arrested by the FBI.

Charged with economic espionage and violating the Arms Export Control Act.

08 July 2016: Arrested and charged.

22 May 2017: Defense contractor JUSTICE (49) plead guilty to federal charges attempting to commit economic espionage and attempting to violate the Arms Export Control Act. JUSTICE attempted to sell sensitive satellite information to a person he believed to be an agent of the Russian intelligence service.

18 Sept 2017: JUSTICE was sentenced to five years in prison.

Edward SnowdenNSA, CIA, Booz Allen Hamilton, Leaked data in 2013

Edward SNOWDEN worked on classified projects for Dell, Booz Allen Hamilton, the CIA and NSA. SNOWDEN had only worked for Booz for four months when he leaked information to The Guardian. Reports indicate hiring screeners found discrepancies in his resume, but still employed him. SNOWDEN later claimed that he only worked for Booz Allen in order to obtain classified documents.

A review after SNOWDEN’s leak showed that in 2011 while renewing his security clearance, background checkers failed to verify SNOWDEN's account of a past security violation when he was employed with the CIA and didn't review a trip to India that he failed to report. His background screening also failed to interview individuals other than his mother and girlfriend.

Edward SnowdenThis is the biggest leak in the history of the NSA. Reports say that

SNOWDEN acquired the passwords and login information of 20 to 25 co-workers at the NSA by claiming that he needed the information to carry out his job as a computer systems administrator.

SNOWDEN reportedly stole an estimated 1.7 million highly classified documents. As of December 2013, there are reports that only one percent of the documents have been published, an estimated 50,000-200,000 documents, leaving an estimated 1.5 million documents still to be published.

Edward SnowdenSNOWDEN revealed information related to a highly classified surveillance

program used to track suspected terrorists. PRISM was created in 2008 and targeted foreign targets using social media and U.S.-based telecommunication equipment to communicate and coordinate their activities.

SNOWDEN interviewed with the Guardian in May 2013. In June 2013, the Guardian and the Washington Post disclose the existence of PRISM. Stories on classified operations as a result of the documents SNOWDEN leaked continued through 2015.

Edward Snowden1 Aug 2013: SNOWDEN received papers to enter Russia with a 1-year asylum.

Russia granted SNOWDEN a three year residence permit on 7 Aug 2014.

"I don't see myself as a hero, because what I'm doing is self-interested. I don't' want to live in a world where there's no privacy and therefore no room for intellectual exploration and creativity.“ SNOWDEN, 10 June 2013.

Trust Your Gut The stomach has its own nervous system, the enteric nervous system,

which arises from the same tissues as our central nervous system during fetal development. Both brains communicate via hormones, neurotransmitters, and electrical impulses.

Fight or Flight: your heart pounds, your pupils dilate, your hair stands on end, natural steroids and adrenaline flood your system to strengthen your muscles and give you an extra burst of speed. Even your platelets change shape so they are more sticky, leaving you less likely to bleed out if you are attacked. Naturally, our bodies have negative feedback that can tone down the fight or flight response once the danger is past.

ReferencesBlackHat 2013 – Combating the Insider Threat at the FBI: Real-world Lessons Learned,

https://www.youtube.com/watch?v=38M8ta13K0Q, Patrick Reidy on YouTube

Gut Brain Connection, Mental Illness and Disease, https://www.psychologytoday.com/blog/evolutionary-psychiatry/201404/the-gut-brain-connection-mental-illness-and-disease Emily Deans MD, Apr 6, 2014 for Psychology Today

Insider Threat, https://www.youtube.com/watch?v=2M5oR5K2GD0, SimbaProductionsNYC, Feb 7, 2013 for Homeland Security and Corporate Training on YouTube

ReferencesInsider Threat Statistics (Infographic), https://itsecuritycentral.teramind.co/2017/06/30/insider-

threat-statistics-infographic/ MeganThudium, June 30, 2017 for IT Security Central

Meet Your Second Brain: The Gut, https://www.mindful.org/meet-your-second-brain-the-gut/ Jennifer Wolkin, Aug 14,2015 for mindful

US Counterintelligence Program Arrests, http://www.cicentre.com/?page=case_ci (member site)

Questions I didn’t answer?

Stalk me at:

Debi.Caldwell@gmail.com

On LinkedIn as

Debi Caldwell, CISSP, ITILv3