What to Know About Insider Threat and How to Mitigate it or why… Hope…is NOT a Strategy! Michael C. Theis, CISSP, SSA (retired) Chief Counterintelligence Expert Technical Lead of Insider Threat Research and Senior Member of the Technical Staff CERT Insider Threat Center © 2014 Carnegie Mellon University Notices © 2014 Carnegie Mellon University This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at permission@sei.cmu.edu. This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide. Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding. THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT). CERT ® is a registered mark owned by Carnegie Mellon University. 2 What is the CERT Insider Threat Center? Center of insider threat expertise Began working in this area in 2001 with the U.S. Secret Service Our mission: The CERT Insider Threat Center conducts empirical research and analysis to develop & transition socio-technical solutions to combat insider cyber threats. 3 CERT’s Unique Approach to the Problem Research Models External Organization Effort to Coopt Insider Environmental Factors O Willingness to Commit Espionage S Insider's Perceived Risk of Being insider Caught perceiving risk S reducing violations due to organization sanctions B3 S O Insider Conformance to Rules indicating personal predisposition Indicators of Personal Predisposition S O S S Rule Violations S S S Detecting Concerning Access <Level of Auditing Authorization Behavior and Technical and Monitoring Actions Level (technical and non-technical)> Personal Needs S violating rules increasin g persona l need <unauthorized accessing> S <Insider Stress> S S Financial Greed S decreasing financial greed increasing stress S S O EAP Termination Threshold Financial Predisposition S O O Termination Time S Addiction to Financial Gain S B1b harmful actions to fulfill needs Initial Satisfaction insider contribution to developing information or product espionage S S S espionage control by enforcing access controls (R1) Unauthorized Unauthorized Insider Accesses Insider Accesses Known to O unauthorized Unknown to discovering Organization accessing Organization unauthorized accesses S <Willingness to Commit Espionage> organization R3 response to S unauthorized access External Organization Paying for Espionage Level of Auditing and Monitoring Receiving Money (technical and for Espionage non-technical) S increasing auditing and monitoring Cultural Reluctance to Terminate B5 S S Insider Termination B1a harmful actions to fulfill needs Security Awareness Training O Stressful Events S increasing financial need decreasing financial need S S O S Financial Needs Enforcing Authorization Level Using Access Controls S Organization's Trust of Insider S Cultural Reluctance to Report Reporting of Suspicious Activity S Insider Stress S R2 O trust trap O O increasing financial greed discovering espionage Espionage Unknown to Organization S O organization perceiving risk sanctions for rule violations produce escalation Personal Predisposition S Espionage Known to Organization espionage control by restricting authorization level O Organization's Perceived Risk of Insider Espionage R5 S decreasing personal need S organization denial of insider requests insider time and resources invested in group S External Organization Leaking Espionage B2 S S S Authorized Insider Accesses authorized accessing by insider Sanctions sanctioning for rule violations O S S Security Procedure Existence S unobserved O emboldening of insider S <Financial <Financial Needs> Greed> S Security Procedure Enforcement S <organization perceiving risk> Ratio of Sanctions to Violations R4 Indicators of Financial Need or Unexplained Affluence indicating financial need or unexplained affluence S S Feedback loops B2 and B5 based on expert opinion S S S insider sense of loyalty to organization insider desire to contribute to organization S B4 concealing rule violations due to organization sanctions Concealing Indicators and Violations O Deriving Candidate Controls and Indicators insider contribution to organizational group insider planning to go to competing organization precipitating event (e.g., proposal by competitor) insider dissatisfaction with job/organization (R2) insider sense of ownership of the information/product information stolen insider sense of entitlement to products of the group S insider desire to steal org information insider predisposition to feeling entitled (B1) insider concern over being caught opportunity to detect theft org discovery of theft (R3) S <Espionage Known to Organization> insider perpetrated deceptions related to the info theft R1a harmful actions amplifying needs S level of technical and behavioral monitoring S org discovery of deceptions Fulfilling Personal Need Our lab transforms that into this… Splunk Query Name: Last 30 Days - Possible Theft of IP Terms: 'host=HECTOR [search host="zeus.corp.merit.lab" Message="A user account was disabled. *" | eval Account_Name=mvindex(Account_Name, -1) | fields Account_Name | strcat Account_Name "@corp.merit.lab" sender_address | fields - Account_Name] total_bytes > 50000 AND recipient_address!="*corp.merit.lab" startdaysago=30 | fields client_ip, sender_address, recipient_address, message_subject, total_bytes' 4 Goal for an Insider Threat Program 5 The Insider Threat There is not one “type” of insider threat • Threat is to an organization’s critical assets — People — Information — Technology — Facilities • Based on the motive(s) of the insider • Impact is to Confidentiality, Availability, Integrity There is not one solution for addressing the insider threat • Technology alone may not be the most effective way to prevent and/or detect an incident perpetrated by a trusted insider 6 What is a Malicious Insider Threat? Current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems. 7 What is an Unintentional Insider Threat? Current or former employee, contractor, or other business partner who who has or had authorized access to an organization’s network, system, or data and who, through their action/inaction without malicious intent cause harm or substantially increase the probability of future serious harm to the confidentiality, integrity, or availability of the organization’s information or information systems. 8 Critical Infrastructure Sectors US Cases by Sectors (Top 6) and Type of Crime 350 300 250 200 150 Theft IP 100 Sabotage Fraud 50 0 9 The Current State of Insider Threats in Organizations 10 2014 US State of Cybercrime Survey -1 CSO Magazine, USSS, CERT & PWC Percentage of Participants Who Experienced an Insider Incident 557 respondents 100 29% of organizations had 500 – 5000 employees 90 80 70 60 43% of organizations had less than 500 employees 50 40 30 20 55% 41% 39% 2004 2005 49% 51% 53% 53% 43% 37% 10 0 2006 2007 2008 2010 2011 2012 2013 Source: 2014 US State of Cybercrime Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Price Waterhouse Cooper, April 2014 11 2014 US State of Cybercrime Survey -2 What percent of the Electronic Crime events are known or suspected to have been caused by : Unknown 31% Unknown Outsiders 37% 24 % Insiders Insiders 32% 26 % Source: 2014 US State of Cybercrime Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Price Waterhouse Cooper, April 2014 12 2014 US State of Cybercrime Survey -3 For organizations that could assess the damage from an incident: • Insider Incidents were more damaging – 46% • Outsider incidents were more damaging – 54% 24 % Insiders 51% Source: 2014 US State of Cybercrime Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Price Waterhouse Cooper, April 2014 13 2014 US State of Cybercrime Survey -4 46 % of respondents Damage caused by insider attacks more damaging than outsider attacks Insiders made up the highest percentage of the following incidents: Private or sensitive information unintentionally exposed (82%) Confidential records compromised or stolen (76%) Customer records compromised or stolen (71%) Employee records compromised or stolen (63%) Source: 2014 US State of Cybercrime Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Price Waterhouse Cooper, April 2014 14 2014 US State of Cybercrime Survey -5 How Insider Intrusions Are Handled 3% 12% 10% 75% Internally (without legal action or law enforcement) Internally (with legal action) Externally (notifying law enforcement) Externally (filing a civil action) Reason(s) CyberCrimes were not referred for legal action 2013 2012 2011 Damage level insufficient to warrant prosecution 34% 36% 40% Lack of evidence/not enough information to prosecute 36% 36% 34% Could not identify the individual/ individuals responsible for committing the eCrime 37% 32% 37% Concerns about negative publicity 12% 9% 14% Concerns about liability 8% 7% 9% Concerns that competitors would use incident to their advantage 7% 6% 7% Prior negative response from law enforcement 8% 5% 6% Unaware that we could report these crimes 6% 5% 4% L.E. suggested incident was national security related 3% 4% 4% Other 8% 12% 11% Don't know 21% 28% 20% Source: 2014 US State of Cybercrime Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Price Waterhouse Cooper, April 2014 15 Insider Threat Activities 16 Types of Insider Activities -1 Insider IT Sabotage • An insider’s use of IT to direct specific harm at an organization or an individual — — — Deletion of information Bringing down systems Web site defacement to embarrass organization Insider Theft of Intellectual Property • An insider’s use of IT to steal intellectual property from the organization — — — — Proprietary engineering designs, scientific formulas, etc. Proprietary source code Confidential customer information Industrial Espionage and Trade Secrets 17 Types of Insider Activities -2 Insider Fraud • An insider’s use of IT for the unauthorized modification, addition, or deletion of an organization's data (not programs or systems) for personal gain, or theft of information which leads to fraud — — — • Theft and sale of confidential information — — • Payroll Reimbursement Unauthorized acquisitions SSN, PII, etc. Credit card numbers Modification of critical data for a fee — — — driver’s license records criminal records qualification for welfare, etc. Unintentional Insider Threat (UIT) • An insider whose actions or lack of action without malicious intent causes harm or the possibility of harm 18 Types of Insider Activities -3 UIT - Four Categories: DISC accidental disclosure (e.g., via the internet) sensitive information posted publicly on a website, mishandled, or sent to the wrong party via email, fax, or mail UIT-HACK malicious code (UIT-HACKing, malware/spyware) an outsider’s electronic entry acquired through social engineering (e.g., phishing email attack, planted or unauthorized USB drive) and carried out via software, such as malware and spyware PHYS improper/accidental disposal of physical records lost, discarded, or stolen non-electronic records, such as paper documents PORT portable equipment no longer in possession lost, discarded, or stolen data storage device, such as a laptop, PDA, smart phone, portable memory device, CD, hard drive, or data tape 19 Types of Insider Activities -4 Insider National Security Espionage • The act of communicating, delivering or transmitting information pertaining to the national defense of the United States to any foreign government or faction, with intent or reason to believe that is to be used to the injury of the United States or to the advantage of a foreign nation — — — Volunteers Recruited in Place Dispatched Insider Miscellaneous • Unauthorized disclosure (information insider believed should be in the public domain) • Providing address of a person to an acquaintance who physically harmed the individual • Accessing records of high-profile individuals 20 Summary of Insider Threats Theft of Intellectual Property Current (within 30 Former Current days of resignation) Technical (e.g. Technical (e.g. sys Non-technical (e.g. data scientists, admins, programmers, entry, customer service) programmers, or DBAs) or their managers engineers) or sales Fairly equally split Male between male and Male female Network, systems, or PII or Customer IP (trade secrets) – data Information or customer Info IT Sabotage Fraud Access used Unauthorized Authorized Authorized When Outside normal working hours During normal working hours During normal working hours Where Remote access At work At work Current or former employee? Type of position Gender Target 21 Mitigation Strategies 22 Best Practices for Insider Threat Mitigation Consider threats from insiders and business partners in enterprise-wide risk assessments. Institutionalize system change controls. Clearly document and consistently enforce policies and controls. Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions. Incorporate insider threat awareness into periodic security training for all employees. Monitor and control remote access from all end points, including mobile devices. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior. Develop a comprehensive employee termination procedure. Anticipate and manage negative issues in the work environment. Implement secure backup and recovery processes. Know your assets. Develop a formalized insider threat program. Implement strict password and account management policies and practices. Establish a baseline of normal network device behavior. Enforce separation of duties and least privilege. Be especially vigilant regarding social media. Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities. Close the doors to unauthorized data exfiltration. Institute stringent access controls and monitoring policies on privileged users. Source: Common Sense Guide to Mitigating Insider Threat; http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=34017 23 Mitigation Strategies for Unintentional Insider Threats MITIGATION / COUNTERMEASURE Threat Vector UIT-HACK DISC PHYS PORT Training to heighten awareness and reduce human error (BP 3) x x x x Usability of software and tools to reduce human error x x Management practices to reduce likelihood of human error (BP 5) x x x x Email safeguards (anti-phishing, anti-malware) (BP 18) x x Firewalls x x Antivirus/anti-malware protection (BP 19) x x x Data encryption on storage devices (BP 13, 19) x x Password protection on storage devices (BP 7,19) x x Wireless and Bluetooth safeguards (disable, protect) (BP 13) x Remote memory wipe for lost equipment (BP 13, 19) x 24 CERT’s Insider Threat Controls (Public) • Insider Threat Control: Using Plagiarism Detection Algorithms to Prevent Data Exfiltration in Near Real Time • Using a SIEM signature to detect potential precursors to IT Sabotage • Using Centralized Logging to Detect Data Exfiltration Near Insider Termination • Understanding Data Loss Prevention (DLP) and Detection by Correlating Events from Multiple Sources • Using Universal Serial Bus (USB) Device Auditing to Detect Possible Data Exfiltration by Malicious Insiders • Detecting and Preventing Data Exfiltration via Encrypted Web Sessions using Traffic Inspection 25 The Three Pillars of a Robust Strategy Accurately Trust Right-size Permissions Effective Monitoring 26 CERT Insider Threat Center Resources 27 CERT Insider Threat Resources Insider Threat Center website (www.cert.org/insider-threat/) Common Sense Guide to Mitigating Insider Threats, 4th Ed. (www.sei.cmu.edu/library/abstracts/reports/12tr012.cfm) The Insider Threat and Employee Privacy: An Overview of Recent Case Law, Computer Law and Security Review, Volume 29, Issue 4, August 2013 by Carly L. Huth New technical controls from CERT Insider Threat Lab The CERT® Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (SEI Series in Software Engineering) by Dawn M. Cappelli, Andrew P. Moore and Randall F. Trzeciak 28 CERT Insider Threat Catalogue 29 Insider Threat Assessment Capabilities Information Technology Software Engineering Data Owners Human Resources Physical Security Legal / Contracts Business Partners Access Control Technical Policies and Agreements Access Control Recruitment Facility Security Agreements to Protect Sensitive Information Screening / Hiring of Applicants Modification of Data or Disruption of Services or Systems Modification of Data or Systems Modification of Data, Systems, or Logs Policies and Practices Physical Asset Security Restrictions on Outside Employment Management of Business Partners Unauthorized Access, Download, or Transfer of Assets Asset Management Unauthorized Access, Download, or Transfer of Assets Training and Education, Evaluation Employee Behaviors in the Workplace Asset Management Detection and Identification Incident Response Policy and Practice Monitoring and Enforcement Programs Incident Response Incident Response Termination Enforcement and Termination Contractor / Business Partner Agreements Termination 50 5 13 30 7 12 9 30 Point of Contact Michael C. Theis CISSP, Special Agent in Charge (retired) Technical Lead of Insider Threat Research and Senior Member of the Technical Staff CERT Insider Threat Center Software Engineering Institute (an FFRDC) Carnegie Mellon University 4500 Fifth Avenue Pittsburgh, PA 15213-3890 +1 703-489-5538 – Phone mctheis@cert.org – Email http://www.cert.org/insider_threat/ 31
© Copyright 2024