Eric Cole probably the last person on earth you’d expect to encourage making insider threat a C-level priority after devoting a decade of his career to external threat and endpoint security, as the for CTO of McAfee and Chief Scientist for Lockheed Martin. But sometimes the best advice comes from the least expected places.
3. External vs Internal
● Deliberate/Malicious Insider
● Accidental Insider
● Source of the damage
— External
● Cause of the damage
— Internal
4. Paradigm Shift
53% of organizations have
experienced an insider incident
33% of organizations have no
formal response plan
54% of IT professionals believe
an insider threat is harder to
detect today
5. Nature of Insider Threats
● Two main forms of insider threat:
— Deliberate/malicious insider
— Accidental insider
● Why do insiders become targets?
— As external targets become more difficult, attackers find
insiders are an easier avenue to compromise
6. If You Have Employees/Contractors,
You Have an Insider Threat Problem
Bottom Line
7. Insider Threat Current State
Insider threats are
on IT’s radar
Spending on insider
threats will increase
The financial impact
is significant
Organizations fail to
focus on solutions
Insider threat often
the cause of damage
Prevention is more a
state of mind than a
reality
8. Assessing Vulnerability to Insiders
● What information would an adversary target?
● What systems contain the information that attackers would target?
● Who has access to critical information?
● What would be the easiest way to compromise an insider?
● What measures or solutions can IT use to prevent/detect these
attacks?
● Does our current budget appropriately address insider threats?
● What would a security roadmap that includes insider threats look
like for our organization?
9. Insider Attack Chain – Bad Attacker
Tipping Point - Going From Good to Bad
Communicating via LinkedIn / Gmail message to
competitor. Playing video games with lack of regard.
1
Searching for Data
Password harvesting or unauthorized access to co-
workers computers.
2
Capture and Hide the Data
Encrypt and rename file extensions - password protected
ZIP file.
3
Data Exfiltration
Send ZIP file over Wetransfer - off hours transfers.
4
12. How well is your
organization doing with
insider threats?
● Policy
● Procedures
● Awareness
● Training
● Technology
● Administrative
● Executive Support
We calculating your “insider threat
GPA”, you can see what the biggest
exposure you have to insider threats
is likely to be.
Write your organization’s report card and focus on the
lowest scoring areas.
13. Preventing Insider Threat
● Deliberate Insider – Difficult
— More focus on authorization and access
● Accidental Insider - Possible
— Differentiate between required functionality and optional
functionality
— Typical avenues of attack
● Exe attachments
● Macros embedded in Office documents
● Active scripting
● HTML embedded content
14. Detecting Insider Threat
Activity patterns focused on data:
— Amount of data accessed
— Failed access attempts
— Data copied or sent to external sources
There are differences in activity between a normal user and an
insider threat.
15. Detecting Accidental Insider
● Accidental insider is being targeted by external
entity
● Almost all external attackers setup C2
● Focus on outbound traffic
— Number of connections
— Length of the connections
— Amount of data
— Percent that is encrypted
— Destination IP address
Focus on Command & Control Channel
16. Building an Insider Threat Program
● Determine access
● Profile user behavior
● Control administrator access
● Raise awareness
● Monitor activity
Conventional wisdom does not work when it comes to security. Giving
someone unneeded access just makes it easier for the adversary and
increases the amount of damage that can be caused by a successful attack.
17. Make Sure You Are Solving the Correct
Problem
● Always force a user to log in as a normal user. All operating systems can
be configured to allow only normal user accounts to login and never
allow someone with admin privileges to log directly into the system.
● Configure any application that needs to run with administrator privileges
to either “Run as Administrator” or sudo to the appropriate access that
is needed.
● Log and carefully review all privileged access.
● If an employee needs a system where they have to log in directly as
administrator, give them a separate system for any access he or she may
need to the Internet.
18. Summary
● Perform damage assessment of threats
● Map past and current investment against threats
● Determine exposure to insider threats
● Create attack models to identify exposures
● Identify root-cause vulnerabilities
● Block and remove the vector of the attack
● Control flow of inbound delivery methods
● Filter on executable, mail and web links
● Monitor and look for anomalies in outbound traffic
Insider Threat Checklist
19. Thank You for Your Time!
DR. Eric Cole
Twitter: drericcole
ecole@secureanchor.com
eric@sans.org
www.securityhaven.com