What to Know About Insider Threat and How to Mitigate it

What to Know About Insider
Threat and How to Mitigate it
or why…
Hope…is NOT a Strategy!
Michael C. Theis, CISSP, SSA (retired)
Chief Counterintelligence Expert
Technical Lead of Insider Threat Research
and Senior Member of the Technical Staff
CERT Insider Threat Center
© 2014 Carnegie Mellon University
Notices
© 2014 Carnegie Mellon University
This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their
own individual study.
Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or
used in any other manner without requesting formal permission from the Software Engineering Institute at
permission@sei.cmu.edu.
This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003
with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded
research and development center. The U.S. government's rights to use, modify, reproduce, release,
perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial
Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified
contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce
the disclaimers contained on this slide.
Although the rights granted by contract do not require course attendance to use this material for U.S.
government purposes, the SEI recommends attendance to ensure proper understanding.
THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND
ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF
FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL,
MERCHANTABILITY, AND/OR NON-INFRINGEMENT).
CERT ® is a registered mark owned by Carnegie Mellon University.
2
What is the CERT Insider Threat Center?
Center of insider threat expertise
Began working in this area in 2001 with the U.S. Secret
Service
Our mission: The CERT Insider Threat Center
conducts empirical research and analysis to
develop & transition socio-technical solutions to
combat insider cyber threats.
3
CERT’s Unique Approach to the Problem
Research Models
External Organization
Effort to Coopt Insider
Environmental
Factors
O
Willingness to
Commit Espionage
S
Insider's
Perceived Risk
of Being
insider
Caught
perceiving risk
S
reducing violations
due to organization
sanctions
B3
S
O
Insider
Conformance to
Rules
indicating personal
predisposition
Indicators of
Personal
Predisposition
S
O
S
S
Rule
Violations
S
S
S
Detecting Concerning
Access
<Level of Auditing Authorization
Behavior and Technical
and Monitoring
Actions
Level
(technical and
non-technical)>
Personal
Needs
S
violating
rules
increasin
g persona
l need
<unauthorized
accessing>
S
<Insider
Stress>
S
S
Financial
Greed
S
decreasing
financial
greed
increasing
stress
S
S
O
EAP
Termination
Threshold
Financial
Predisposition
S
O
O
Termination
Time
S
Addiction to
Financial
Gain
S
B1b harmful actions to
fulfill needs
Initial
Satisfaction
insider contribution
to developing
information or
product
espionage
S
S
S
espionage control by
enforcing access
controls
(R1)
Unauthorized
Unauthorized
Insider Accesses
Insider Accesses
Known to
O
unauthorized
Unknown to discovering
Organization
accessing
Organization unauthorized
accesses
S
<Willingness to
Commit
Espionage>
organization R3
response to
S
unauthorized
access
External Organization
Paying for Espionage
Level of Auditing
and Monitoring
Receiving Money
(technical and
for Espionage
non-technical)
S
increasing auditing
and monitoring
Cultural
Reluctance to
Terminate
B5
S
S
Insider
Termination
B1a
harmful actions to
fulfill needs
Security
Awareness
Training
O
Stressful
Events
S
increasing
financial need
decreasing
financial need
S
S
O
S
Financial
Needs
Enforcing
Authorization Level
Using Access
Controls
S
Organization's
Trust of Insider
S
Cultural
Reluctance to
Report
Reporting of
Suspicious
Activity
S
Insider
Stress
S
R2
O trust trap
O
O
increasing
financial greed
discovering
espionage
Espionage
Unknown to
Organization
S
O
organization
perceiving
risk
sanctions for rule
violations produce
escalation
Personal
Predisposition
S
Espionage
Known to
Organization
espionage control by
restricting authorization
level
O
Organization's
Perceived Risk of
Insider Espionage
R5
S
decreasing
personal
need
S
organization
denial of insider
requests
insider time and
resources invested
in group
S
External Organization
Leaking Espionage
B2
S
S
S
Authorized
Insider
Accesses
authorized
accessing by
insider
Sanctions
sanctioning for
rule violations
O
S
S
Security Procedure
Existence
S
unobserved O
emboldening
of insider
S
<Financial <Financial
Needs> Greed>
S
Security Procedure
Enforcement
S
<organization
perceiving
risk>
Ratio of Sanctions
to Violations
R4
Indicators of
Financial Need
or Unexplained
Affluence
indicating
financial need
or unexplained
affluence
S
S
Feedback loops B2 and
B5 based on expert
opinion
S
S
S
insider sense of
loyalty to
organization
insider desire to
contribute to
organization
S
B4
concealing rule
violations due to
organization
sanctions
Concealing
Indicators and
Violations
O
Deriving Candidate Controls and Indicators
insider
contribution to
organizational
group
insider planning to
go to competing
organization
precipitating event
(e.g., proposal by
competitor)
insider
dissatisfaction with
job/organization
(R2)
insider sense of
ownership of the
information/product
information
stolen
insider sense of entitlement
to products of the group
S
insider desire to
steal org
information
insider predisposition
to feeling entitled
(B1)
insider concern
over being caught
opportunity to
detect theft
org discovery
of theft
(R3)
S
<Espionage Known
to Organization>
insider perpetrated
deceptions related to the
info theft
R1a
harmful actions
amplifying needs
S
level of technical
and behavioral
monitoring
S
org discovery of
deceptions
Fulfilling
Personal Need
Our lab transforms that into this…
Splunk Query Name: Last 30 Days - Possible Theft of IP
Terms: 'host=HECTOR [search host="zeus.corp.merit.lab" Message="A user account was
disabled. *" | eval Account_Name=mvindex(Account_Name, -1) | fields Account_Name | strcat
Account_Name "@corp.merit.lab" sender_address | fields - Account_Name] total_bytes > 50000
AND recipient_address!="*corp.merit.lab" startdaysago=30 | fields client_ip,
sender_address, recipient_address, message_subject, total_bytes'
4
Goal for an Insider Threat Program
5
The Insider Threat
There is not one “type” of insider threat
• Threat is to an organization’s critical assets
— People
— Information
— Technology
— Facilities
• Based on the motive(s) of the insider
• Impact is to Confidentiality, Availability, Integrity
There is not one solution for addressing the insider threat
• Technology alone may not be the most effective way to prevent
and/or detect an incident perpetrated by a trusted insider
6
What is a Malicious Insider Threat?
Current or former employee, contractor, or other
business partner who

has or had authorized access to an organization’s network,
system or data and

intentionally exceeded or misused that access in a manner that

negatively affected the confidentiality, integrity, or availability of
the organization’s information or information systems.
7
What is an Unintentional Insider Threat?
Current or former employee, contractor, or other
business partner who

who has or had authorized access to an organization’s network,
system, or data and who, through

their action/inaction without malicious intent

cause harm or substantially increase the probability of future
serious harm to the confidentiality, integrity, or availability of the
organization’s information or information systems.
8
Critical Infrastructure Sectors
US Cases by Sectors (Top 6) and Type of Crime
350
300
250
200
150
Theft IP
100
Sabotage
Fraud
50
0
9
The Current State of
Insider Threats in
Organizations
10
2014 US State of Cybercrime Survey -1
CSO Magazine, USSS, CERT &
PWC
Percentage of Participants
Who Experienced an Insider
Incident
557 respondents
100
29% of organizations
had 500 – 5000
employees
90
80
70
60
43% of organizations
had less than
500 employees
50
40
30
20
55%
41%
39%
2004
2005
49%
51%
53%
53%
43%
37%
10
0
2006
2007
2008
2010
2011
2012
2013
Source: 2014 US State of Cybercrime Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon
University and Price Waterhouse Cooper, April 2014
11
2014 US State of Cybercrime Survey -2
What percent of the Electronic Crime events are known or suspected to
have been caused by :
Unknown
31%
Unknown
Outsiders
37%
24 %
Insiders
Insiders
32%
26 %
Source: 2014 US State of Cybercrime Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon
University and Price Waterhouse Cooper, April 2014
12
2014 US State of Cybercrime Survey -3
For organizations that could assess the damage from an incident:
• Insider Incidents were more damaging – 46%
• Outsider incidents were more damaging – 54%
24 %
Insiders
51%
Source: 2014 US State of Cybercrime Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon
University and Price Waterhouse Cooper, April 2014
13
2014 US State of Cybercrime Survey -4
46 % of respondents
Damage caused by insider attacks more damaging than
outsider attacks
Insiders made up the highest percentage of the following incidents:
Private or sensitive information unintentionally exposed
(82%)
Confidential records compromised or stolen
(76%)
Customer records compromised or stolen
(71%)
Employee records compromised or stolen
(63%)
Source: 2014 US State of Cybercrime Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon
University and Price Waterhouse Cooper, April 2014
14
2014 US State of Cybercrime Survey -5
How Insider Intrusions
Are Handled
3%
12%
10%
75%
Internally (without legal action or law
enforcement)
Internally (with legal action)
Externally (notifying law enforcement)
Externally (filing a civil action)
Reason(s) CyberCrimes were not
referred for legal action
2013
2012
2011
Damage level insufficient to warrant
prosecution
34%
36%
40%
Lack of evidence/not enough
information to prosecute
36%
36%
34%
Could not identify the individual/
individuals responsible for committing
the eCrime
37%
32%
37%
Concerns about negative publicity
12%
9%
14%
Concerns about liability
8%
7%
9%
Concerns that competitors would use
incident to their advantage
7%
6%
7%
Prior negative response from law
enforcement
8%
5%
6%
Unaware that we could report these
crimes
6%
5%
4%
L.E. suggested incident was national
security related
3%
4%
4%
Other
8%
12%
11%
Don't know
21%
28%
20%
Source: 2014 US State of Cybercrime Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon
University and Price Waterhouse Cooper, April 2014
15
Insider Threat Activities
16
Types of Insider Activities -1
Insider IT Sabotage
•
An insider’s use of IT to direct specific harm at an organization or an
individual
—
—
—
Deletion of information
Bringing down systems
Web site defacement to embarrass organization
Insider Theft of Intellectual Property
•
An insider’s use of IT to steal intellectual property from the organization
—
—
—
—
Proprietary engineering designs, scientific formulas, etc.
Proprietary source code
Confidential customer information
Industrial Espionage and Trade Secrets
17
Types of Insider Activities -2
Insider Fraud
•
An insider’s use of IT for the unauthorized modification, addition, or deletion
of an organization's data (not programs or systems) for personal gain, or
theft of information which leads to fraud
—
—
—
•
Theft and sale of confidential information
—
—
•
Payroll
Reimbursement
Unauthorized acquisitions
SSN, PII, etc.
Credit card numbers
Modification of critical data for a fee
—
—
—
driver’s license records
criminal records
qualification for welfare, etc.
Unintentional Insider Threat (UIT)
•
An insider whose actions or lack of action without malicious intent causes
harm or the possibility of harm
18
Types of Insider Activities -3
UIT - Four Categories:
DISC
accidental disclosure (e.g., via the internet)
sensitive information posted publicly on a website, mishandled, or sent to
the wrong party via email, fax, or mail
UIT-HACK
malicious code (UIT-HACKing, malware/spyware)
an outsider’s electronic entry acquired through social engineering (e.g.,
phishing email attack, planted or unauthorized USB drive) and carried out
via software, such as malware and spyware
PHYS
improper/accidental disposal of physical records
lost, discarded, or stolen non-electronic records, such as paper documents
PORT
portable equipment no longer in possession
lost, discarded, or stolen data storage device, such as a laptop, PDA,
smart phone, portable memory device, CD, hard drive, or data tape
19
Types of Insider Activities -4
Insider National Security Espionage
•
The act of communicating, delivering or transmitting information pertaining
to the national defense of the United States to any foreign government or
faction, with intent or reason to believe that is to be used to the injury of the
United States or to the advantage of a foreign nation
—
—
—
Volunteers
Recruited in Place
Dispatched
Insider Miscellaneous
•
Unauthorized disclosure (information insider believed should be in the public
domain)
• Providing address of a person to an acquaintance who physically harmed
the individual
• Accessing records of high-profile individuals
20
Summary of Insider Threats
Theft of Intellectual
Property
Current (within 30
Former
Current
days of resignation)
Technical (e.g.
Technical (e.g. sys
Non-technical (e.g. data
scientists,
admins, programmers, entry, customer service)
programmers,
or DBAs)
or their managers
engineers) or
sales
Fairly equally split
Male
between male and
Male
female
Network, systems, or
PII or Customer
IP (trade secrets) –
data
Information
or customer Info
IT Sabotage
Fraud
Access used
Unauthorized
Authorized
Authorized
When
Outside normal working
hours
During normal working
hours
During normal
working hours
Where
Remote access
At work
At work
Current or former
employee?
Type of position
Gender
Target
21
Mitigation Strategies
22
Best Practices for Insider Threat Mitigation
Consider threats from insiders and business partners
in enterprise-wide risk assessments.
Institutionalize system change controls.
Clearly document and consistently enforce policies
and controls.
Use a log correlation engine or security information
and event management (SIEM) system to log,
monitor, and audit employee actions.
Incorporate insider threat awareness into periodic
security training for all employees.
Monitor and control remote access from all end
points, including mobile devices.
Beginning with the hiring process, monitor and
respond to suspicious or disruptive behavior.
Develop a comprehensive employee termination
procedure.
Anticipate and manage negative issues in the work
environment.
Implement secure backup and recovery processes.
Know your assets.
Develop a formalized insider threat program.
Implement strict password and account management
policies and practices.
Establish a baseline of normal network device
behavior.
Enforce separation of duties and least privilege.
Be especially vigilant regarding social media.
Define explicit security agreements for any cloud
services, especially access restrictions and
monitoring capabilities.
Close the doors to unauthorized data exfiltration.
Institute stringent access controls and monitoring
policies on privileged users.
Source: Common Sense Guide to Mitigating Insider Threat; http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=34017
23
Mitigation Strategies for Unintentional Insider
Threats
MITIGATION / COUNTERMEASURE
Threat
Vector
UIT-HACK
DISC
PHYS
PORT
Training to heighten awareness and reduce
human error (BP 3)
x
x
x
x
Usability of software and tools to reduce human
error
x
x
Management practices to reduce likelihood of
human error (BP 5)
x
x
x
x
Email safeguards (anti-phishing, anti-malware)
(BP 18)
x
x
Firewalls
x
x
Antivirus/anti-malware protection (BP 19)
x
x
x
Data encryption on storage devices (BP 13, 19)
x
x
Password protection on storage devices
(BP 7,19)
x
x
Wireless and Bluetooth safeguards (disable,
protect) (BP 13)
x
Remote memory wipe for lost equipment
(BP 13, 19)
x
24
CERT’s Insider Threat Controls (Public)
• Insider Threat Control: Using Plagiarism Detection
Algorithms to Prevent Data Exfiltration in Near Real Time
• Using a SIEM signature to detect potential precursors to IT
Sabotage
• Using Centralized Logging to Detect Data Exfiltration Near
Insider Termination
• Understanding Data Loss Prevention (DLP) and Detection
by Correlating Events from Multiple Sources
• Using Universal Serial Bus (USB) Device Auditing to Detect
Possible Data Exfiltration by Malicious Insiders
• Detecting and Preventing Data Exfiltration via Encrypted
Web Sessions using Traffic Inspection
25
The Three Pillars of a Robust Strategy
Accurately Trust
Right-size Permissions
Effective Monitoring
26
CERT Insider Threat
Center Resources
27
CERT Insider Threat Resources
Insider Threat Center website (www.cert.org/insider-threat/)
Common Sense Guide to Mitigating Insider Threats, 4th Ed.
(www.sei.cmu.edu/library/abstracts/reports/12tr012.cfm)
The Insider Threat and Employee Privacy: An Overview of
Recent Case Law, Computer Law and Security Review,
Volume 29, Issue 4, August 2013 by Carly L. Huth
New technical controls from CERT Insider Threat Lab
The CERT® Guide to Insider Threats: How to Prevent,
Detect, and Respond to Information Technology Crimes
(Theft, Sabotage, Fraud) (SEI Series in Software
Engineering) by Dawn M. Cappelli, Andrew P. Moore and
Randall F. Trzeciak
28
CERT Insider Threat Catalogue
29
Insider Threat Assessment Capabilities
Information
Technology
Software
Engineering
Data Owners
Human
Resources
Physical
Security
Legal /
Contracts
Business
Partners
Access Control
Technical Policies
and Agreements
Access Control
Recruitment
Facility Security
Agreements to
Protect Sensitive
Information
Screening /
Hiring of
Applicants
Modification of
Data or
Disruption of
Services or
Systems
Modification of
Data or Systems
Modification of
Data, Systems, or
Logs
Policies and
Practices
Physical Asset
Security
Restrictions on
Outside
Employment
Management of
Business Partners
Unauthorized
Access,
Download, or
Transfer of
Assets
Asset
Management
Unauthorized
Access,
Download, or
Transfer of
Assets
Training and
Education,
Evaluation
Employee
Behaviors in the
Workplace
Asset
Management
Detection and
Identification
Incident
Response
Policy and
Practice
Monitoring and
Enforcement
Programs
Incident
Response
Incident
Response
Termination
Enforcement and
Termination
Contractor /
Business Partner
Agreements
Termination
50
5
13
30
7
12
9
30
Point of Contact
Michael C. Theis
CISSP, Special Agent in Charge (retired)
Technical Lead of Insider Threat Research
and Senior Member of the Technical Staff
CERT Insider Threat Center
Software Engineering Institute (an FFRDC)
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
+1 703-489-5538 – Phone
mctheis@cert.org – Email
http://www.cert.org/insider_threat/
31