#RSAC
Andrew Case
Proactive Measures to Mitigate Insider Threat
HUM-W03
Director of Research, Volexity, @attrc
Insider Threats – Statistics
2
- PwC 2015:
  - Roughly 70% of incidents at financial institutions involved current and former employees
  - 60% at industrial manufacturing organizations
- Verizon DBIR 2015: 20.6% of breaches are characterized as “insider misuse”
Insider Threat Defenses – Passive/Default
3
- Examples
  - Production systems without extra logging or security measures
  - No automated alerts or remote logs generated
- Pros
  - Simplest to implement
  - Provides the evidence needed for post-mortem forensics
- Cons
  - Only useful after damage is caused
  - Can be fully disrupted by anti-forensics
  - Often very expensive and non-repeatable
Insider Threat Defenses – Detection
4
- Examples
  - Log file accesses, software installation, and USB device usage
  - Generate alerts on access to file storage services (e.g., Dropbox)
- Pros
  - If implemented correctly, finds activity before it causes harm
  - Less inhibiting than full prevention
- Cons
  - If implemented incorrectly, finds activity after irreparable harm
  - Requires active effort by the security team
Insider Threat Defenses – Prevention
5
- Examples
  - Prevent all removable media from being used
  - Block access to personal email and file storage services
  - Block end-users from installing software
- Pros
  - Stops a technique before it can be used
  - Cheapest once implemented
- Cons
  - Often clashes with a company’s office culture
  - Can inhibit department-specific productivity
Application to Real-World Cases
6
- We will now look at several real-world insider-threat cases that I investigated
- Combined, the insiders took over 100 million dollars of IP/customers from their previous employers (my clients)
- As I describe these cases, think about how your company would currently fare against such malicious activity and what, if any, mechanism(s) you have in place to detect the activity before irreparable harm is done
The Bank Heist – Background
7
- Employee of a financial institution sees greener pastures at a competitor
- Contacts competitor about bringing him and his team to the competitor
  - Along with their very wealthy clients
- Proceeds to take nearly every document related to the clients, his team’s records, and client management forms
The Bank Heist – Forensic Analysis
8
- File servers and internal web apps were scraped for sensitive information
- Moved data out of organization control through USB, personal email, and printing
- Files were locally deleted after being exfiltrated
- The forensic timeline showed over 100 files taken and the precise times that the actions occurred
Proactive Measures – File Search
9
- Secure Network Architecture
- Monitoring File Share Accesses
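As an added illustration of the "monitoring file share accesses" measure (example code written for this page, not from the talk), the following flags the scraping pattern seen in the bank heist: a user reading far more distinct files in one hour than normal work requires. The audit-log layout, the threshold and all sample records are constructed.

```python
"""Flag file-share scraping from access-audit records.

Added illustration, not material from the talk: per user, find the largest
number of distinct paths READ inside any 60-minute window and alert above a
threshold. Log layout and sample data are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)
THRESHOLD = 50  # distinct files per window; tune to the share's normal use

def parse(log_text):
    """Yield (timestamp, user, action, path) from '<ISO ts> <user> <ACTION> <path>' lines."""
    for line in log_text.strip().splitlines():
        ts, user, action, path = line.split(" ", 3)
        yield datetime.fromisoformat(ts), user, action, path

def max_distinct_reads(records, window=WINDOW):
    """Per user: the most distinct paths READ within any sliding window."""
    per_user = defaultdict(list)
    for ts, user, action, path in records:
        if action == "READ":
            per_user[user].append((ts, path))
    peaks = {}
    for user, events in per_user.items():
        events.sort()
        counts, left, best = Counter(), 0, 0
        for ts, path in events:
            counts[path] += 1
            while ts - events[left][0] > window:  # drop reads that fell out of the window
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        peaks[user] = best
    return peaks

def scraping_alerts(log_text, threshold=THRESHOLD):
    """Users whose per-window distinct-read peak exceeds the threshold."""
    return sorted(u for u, n in max_distinct_reads(parse(log_text)).items() if n > threshold)

def constructed_log():
    """Constructed sample: 'jdoe' reads 5 files over a day, 'insider' reads 120 files in 40 minutes."""
    t0 = datetime(2015, 3, 2, 9, 0)
    normal = [f"{(t0 + timedelta(hours=2 * i)).isoformat()} jdoe READ /clients/acme/doc{i}.pdf" for i in range(5)]
    burst = [f"{(t0 + timedelta(hours=10, seconds=20 * i)).isoformat()} insider READ /clients/team/rec{i}.xlsx" for i in range(120)]
    return "\n".join(normal + burst)
```

On the constructed log, `scraping_alerts(constructed_log())` returns `["insider"]`; the same window logic applies to DELETE or COPY actions if the audit source records them.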
Proactive Measures – File Exfiltration
10
- USB
- Printing/Scanning
- Personal Email
- Cloud Storage*

* This case is several years old and cloud services were not very popular then, but they are used extensively in modern, similar scenarios
Abuse of Power – Background
11
- Plant manager at a manufacturing company was using “down time” of the company’s machines to run a side business
- He purchased some materials on his own; others were ordered through the company’s accounts
- Was only caught through a machine malfunction
Abuse of Power – Forensic Analysis
12
- The rogue manager had logged into control systems during non-client-billable hours
- The manager scheduled manufacturing jobs outside of any legitimate work order
- The manager deleted associated files in a failed attempt to cover his tracks
Proactive Measures – Accounts & Systems
13
- Technical measures
  - Monitor user logins
  - Monitor system usage
- Business measures
  - No critical business processes should be controlled by one person
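As an added illustration of the "monitor user logins" and "monitor system usage" measures (example code written for this page, not from the talk), the following reconciles control-system logins and scheduled jobs against approved work orders, which is what would have surfaced the abuse-of-power case before the machine malfunction did. The record layouts, machine names, work-order ids and all sample data are constructed.

```python
"""Reconcile control-system logins and scheduled jobs with approved work orders.

Added illustration, not material from the talk: check (1) logins with no approved
work order open on that machine at that time and (2) jobs whose work-order
reference is missing or not in the approved set. All data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass(frozen=True)
class WorkOrder:
    wo_id: str
    machine: str
    start: datetime
    end: datetime

@dataclass(frozen=True)
class Login:
    when: datetime
    user: str
    machine: str

@dataclass(frozen=True)
class Job:
    when: datetime
    user: str
    machine: str
    wo_id: Optional[str]  # None when the job was scheduled ad hoc

def covering_order(orders, machine, when):
    """The approved work order open on this machine at this time, or None."""
    return next((wo for wo in orders if wo.machine == machine and wo.start <= when <= wo.end), None)

def unbilled_logins(orders, logins):
    """Logins to a machine while no approved work order was open on it."""
    return [lg for lg in logins if covering_order(orders, lg.machine, lg.when) is None]

def unauthorized_jobs(orders, jobs):
    """Jobs with no work-order reference, or one not in the approved set."""
    known = {wo.wo_id for wo in orders}
    return [job for job in jobs if job.wo_id not in known]

# Constructed sample: one approved day shift on machine cnc-3
ORDERS = [WorkOrder("WO-1001", "cnc-3", datetime(2015, 6, 1, 8), datetime(2015, 6, 1, 17))]
LOGINS = [Login(datetime(2015, 6, 1, 9, 5), "operator", "cnc-3"),
          Login(datetime(2015, 6, 1, 22, 40), "pmanager", "cnc-3")]  # night login, no order open
JOBS = [Job(datetime(2015, 6, 1, 9, 10), "operator", "cnc-3", "WO-1001"),
        Job(datetime(2015, 6, 1, 22, 45), "pmanager", "cnc-3", None),      # ad hoc job
        Job(datetime(2015, 6, 2, 1, 0), "pmanager", "cnc-3", "WO-9999")]   # reference not approved
```

Both checks need a work-order source the operator cannot edit alone, which is the technical side of the "no critical process controlled by one person" rule.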
Offline Exfiltration – Background
14
- Victim organization had very tight data exfiltration controls
- Laptops utilized full disk encryption (FDE)
  - ... but desktops did not!
- Path to exfiltration:
  1. Copy sensitive files to desktop during business hours
  2. Remove hard drive before leaving and take home
  3. Offline mount hard drive and copy files
Offline Exfiltration – Forensic Analysis
15
- If done properly, this leaves no traces for (reasonable) forensics to find
- The employee in this instance could create, modify, and delete files from the disk at will
- Was only caught after making other “mistakes” and confessing to the disk removal
Proactive Measures – Full Disk Encryption
16
- Utilize FDE for everything!
- Be wary of offline decrypt capabilities
  - The user knows his/her own password…
Anti-Forensics – Background
17
- Two key employees leave the victim company simultaneously
- Soon after, important clients end contracts
- Previous employees’ equipment investigated for signs of improper client interactions
Anti-Forensics – Forensic Analysis
18
- Employees utilized heavy anti-forensics
- Both factory reset their company-provided Android phones
- Employee 1 ran CCleaner before returning his computer
- Employee 2 replaced the hard drive with one bought from Amazon
Anti-Forensics – Proactive Measures
19
- Tracking application downloads and installs
- Application whitelisting
Proactive Measures – Employee Termination
20
- Companies work against themselves by not properly assessing and preserving employee equipment (laptops, desktops, phones, tablets) post-termination
- These policies, or lack thereof, can inhibit forensic investigation, legal proceedings, and the recovery and understanding of stolen data
Bad Policy Examples
21
- Re-install/re-purpose systems immediately upon employee termination
- No check of all system components against IT inventory
- No check of historical removable media usage
Get Proactive Against Insider Threat
22
- Within a month you should be able to identify:
  - Deficiencies that could allow for exfiltration
  - Deficiencies in key employee oversight
  - Policy deficiencies related to employee termination
- Within three months be able to:
  - Remediate critical deficiencies
  - Have a working plan to remediate all deficiencies
Wrapping Up & Q/A
23
- If you aren’t being proactive, then you are just waiting to become a victim
- While insider threats are the most prevalent, they are also the most preventable through proactive policy and technical controls
- Contact info:
  - [email protected] (3DE6E0C8)
  - @attrc