The Trusted Insider Threat: Lessons Learned from WikiLeaks

Presenter: Terry Stuart, Sr. Systems Engineer, NitroSecurity

Agenda
• Defining the Insider Threat
• Historical Insider Examples
• The Realness and Advantages of the Insider Threat
• Insider Threat Detection Technologies
• WikiLeaks Use Case
• Closing and Questions
Who or What is a Trusted Insider
• Current or Former Employees or Contractors who:
  • Intentionally Exceed or Misuse their Authorization Level for Network, System, and/or Data Access in a Manner that Affects the Security of an Organization's Data, Systems, and/or Daily Business Processes
• The Most Common Trusted Insider Scenario
  • An Insider that Utilizes Information Technology to Steal and/or Modify Information and/or Data for the following Purposes:
    • Financial Gain
    • Corporate and/or Business Advantage
    • Sabotage
    • Defiance
    • Causing Harm
Trusted Insider Threat Targets?
• Trusted Insider Threats are Applicable to All Organizations
  • Government at All Levels (Local, State, National)
    • Not Just the Department of Defense or Law Enforcement (FBI, CIA)
    • NASA, HHS, USDA, Congress, House of Representatives, Courts, Etc.
  • Government Contractors
    • Not Just Large Contractors Like Boeing and Raytheon
  • Banking and Finance
  • Information Technology Companies
  • Critical Infrastructures
    • Agriculture
    • Energy and Power
    • Water
    • Public Health
    • Transportation
  • Research and Development
  • Government, Public and Private Sectors
• Any Organization Can Fall Victim to an Insider Threat
Well Known Historical Espionage Examples
• Ames Espionage Case (Aldrich H. Ames)
  • One of the Worst Security Breaches in American Intelligence History
  • Ames was a Mediocre to Poor Performing CIA Employee with Access to Top Secret Information
  • Received more than $2 Million for Selling Information to the Soviet Union
  • Disclosed over 100 Covert Operations
  • Betrayed over 30 Double Agents; at least 10 Agents were Executed as a Result
  • Crippled the CIA's Ability to Monitor Soviet Activities from 1985 to 1994
• Robert P. Hanssen – FBI Agent
  • Former FBI Agent who Spied for the Soviet Intelligence Services for 22 Years (1979-2001)
  • Received over $1.4 Million in Cash and Jewels
  • Was Very Cautious; Even the Soviets Didn't Know his Identity
  • Disclosed Thousands of Classified Secrets and Double Agents Working for the US
  • Stated that FBI Security was Pathetic and Ineffective
  • Searched and Accessed Thousands of Classified Information Files from his Computer using his Default Access Rights
Insider Fraud Historical Examples
• 369 IRS Employees in the Southeast Region Investigated for Misusing the IRS Integrated Data Retrieval System (IDRS)
  • In 1993 About 56,000 of the IRS's 115,000 Employees had Access to the IDRS
  • IDRS Provided Access to Taxpayer Data, such as Name, Address, Social Security Number, Dependents, Adjusted Gross Income, Taxable Income and Tax Liability
  • Investigations and Charges were Filed for Using Government Computers to:
    • Create Fraudulent Tax Refunds
    • Browse through Tax Records of Friends, Relatives, Neighbors and Celebrities
  • One Employee had Altered Approximately 200 Accounts to Receive Kickbacks from Bogus Refund Checks
• Société Générale Trading Loss Incident in 2008
  • Jérôme Kerviel was a Mid-Level Stock Trader who Used Stolen Passwords and Routing Paperwork to Conceal Fraudulent Trades
  • Reportedly Cost the Bank more than $7.2 Billion
  • Kerviel Did Not Profit Directly from the Fraudulent Trades
    • Trades were Used to Increase the Bank's Profits and His Performance Rating
    • Kerviel's Previous Year's Bonus was Approximately $500,000
  • Kerviel was Found Guilty in 2010 and Ordered to Pay $6.7 Billion in Restitution
Insider Sabotage Historical Examples
• UBS PaineWebber (2002)
  • Roger Duronio, a Systems Administrator at UBS PaineWebber, Planted a Logic Bomb before Resigning that Deleted All Files on Over 2,000 Servers
  • Backups Failed and Files Could Not be Recovered
  • Duronio was Angry at Receiving a $32,000 Bonus Instead of his Normal $50,000
  • Duronio Purchased "Put Option" Contracts the Day he Resigned, Expecting UBS PaineWebber Stock to Fall in Price
    • A Put Option is a Type of Security that Increases in Value when a Stock Price Drops
• DuPont Trade Secrets (2005)
  • Gary Min was a Research Chemist at DuPont who Admitted to Stealing Proprietary and Technical Information Valued at $400 Million
  • Downloaded 16,700 Full-Text PDF Documents from DuPont's Electronic Data Library (EDL)
  • Downloaded Approximately 22,000 Abstracts from DuPont's Database
  • Most of the Downloaded Material had Nothing to do with Min's Research
  • An Internal Audit by DuPont Uncovered his Unusually High EDL Usage and the Large Volume of Abstracts Downloaded
    • About 15 Times Higher than the Next-Highest User of the EDL System
Are Insider Threats Real?
• Insider Threats are Very Real and Can Cause Substantial Damage to Our Organizations
• The Previous Examples Demonstrate that Damage from Insiders Includes:
  • Financial Impacts
  • Reputation Impacts
  • Operational Impacts
• Attacks from External Threats may be Greater in Volume, but Insider Threats can be Just as Devastating and in Many Cases are More Likely to be Successful and Go Undetected
  • Our External Detection and Prevention Mechanisms and Devices have Grown Fairly Effective at Combating External Attacks
• Insider Threats Apply to ALL Organizations, no matter the Size and/or Business Sector
• Attacks from Insiders Range in Variety from Very Technically Sophisticated to Extremely Low Tech
The Insider Threat Advantages
• Insider Threats Bypass our Traditional Security Boundaries and Protection Mechanisms
  • Mechanisms such as Firewalls, Intrusion Detection Systems, and Access Control Systems are Designed and Normally Implemented Primarily to Defend Against External Threats
• Insiders Tend to be Very Aware of the Policies, Procedures, and Technology Utilized within their Organization
  • Also Aware of where the Vulnerabilities Reside, such as:
    • Loosely Enforced Policies and Procedures
    • Exploitable Technical Flaws in Our Networks or Systems
• Insiders Know Where the Valuable Data Resides and Normally Know How to Access this Data
  • An External Threat may be Successful at Circumventing our Access Controls and Security Boundaries, but May Still be Caught Making Mistakes while Searching for Valuable Data
  • External Threats tend to Gain Intelligence about Our Organization over Time, whereas the Insider Starts Out with this Intelligence
Are Insider Threats Preventable?
• Insider Threats can be Stopped and/or Combated, but Doing So is a Complex Problem
• Insider Threats can only be Prevented through a Multi-Layered Defense Strategy consisting of:
  • An Understanding and Acceptance of the Insider Threat
    • How do you Perform Risk Management without First Understanding the Threat?
  • Well Developed and Defined Policies and Procedures
    • How Can you Utilize Technology to Monitor and Enforce Policies and Procedures?
  • Technical Controls
    • How do we Verify our Technology is Working and Effective?
• We Must Pay Close Attention to Many Different Aspects within our Organization, including our Business Policies and Procedures, Our Organizational Culture, and Our Technical Environment
• We Must Look Beyond just the Technology and into Our Organization's Overall Business Processes and the Relationships between these Processes and the Technologies Utilized
What is SIEM?
• Security Information and Event Management (SIEM) is sometimes defined as a Set of Technologies for:
  • Log Data Collection
  • Aggregation
  • Normalization
  • Retention
  • Analysis and Workflow
• Two Major Factors Drive the Majority of SIEM Implementations
  • Security Operational Efficiency
  • Compliance and/or Log Management Requirements
• SIEM is the Evolution and Integration of Two Distinct Technologies
  • Security Event Management (SEM)
    • Primarily focused on Collecting and Aggregating Security Events
  • Security Information Management (SIM)
    • Primarily focused on the Enrichment, Normalization, and Correlation of Security Events
SIEM is Still Evolving… From
• SIEM Context Awareness (Standard with Most SIEMs)
  • Context Awareness is the enrichment of event data (log data) with add-on systems such as Identity Management, Vulnerability Assessment, Configuration Management, and any other data sources that can add context to an event.
  • Examples of "context" are:
    • DNS, WINS, NIS Services to Map IPs to Names
    • Geo-Location to Map IPs to Geographical Locations
    • Active Directory or LDAP Services to Map User Names to User Identities
    • Vulnerability Assessment Information to Map Events to Known Vulnerabilities
SIEM is Still Evolving… To
• SIEM Content Awareness (Next Generation SIEM)
  • Content Awareness is Understanding the Payload at the Application Layer
    • What is actually being Communicated, Transferred, and Shared over the Network
  • Examples of "Content" Awareness are the understanding of:
    • Email contents, including the attachments
    • Social, IM and P2P Network Communications
    • Document Contents
    • Application Relationships with Database Queries and Responses
    • Database Monitoring
    • Data Leakage – Sensitive Information within chat, email, printed output, etc.
Broad Content and Context Correlation (diagram): correlation of OS events, application contents, events from security devices, malware (viruses, Trojans), database transactions, advanced threats and exploits, authentication and IAM data, VA scan data, user identity, device and application log files, and location, with insider threats at the center.
Content-Aware Forensics & Breach Discovery
• A user performs a query against a SQL server resulting in a recordset exceeding a threshold of 1000 rows or from a privileged table. This represents a data access policy violation.
• The offending user prints the resulting SQL query results to a PDF document, which is then attached to an email using a Google web account and sent to an unauthorized external address without the corporate email disclaimer.
• The suspect user proceeds to have an IM chat with an IM user ID NOT registered on the whitelist of authorized IM user names to discuss the sensitive data obtained and sent via email.
• Forensic evidence obtained from this activity:
  • SQL session history including details from all transactions performed during the suspicious user activity
  • MIME-decoded email record complete with From/To Address, Subject, Message and document Attachment
  • IM session data and a transcript of the IM conversation dialog
  • Identity of the offending internal user, topology-specific switch/port location, current (and all prior) IP address usage and current network session state
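The three-stage scenario above is a per-user chain of content-aware policy violations across three log sources. The following is an added example (not NitroSecurity code) of how a correlation engine can track that chain per user within a time window and keep the matched records as the forensic evidence; the events, domain, whitelist and disclaimer text are constructed values.

```python
from collections import defaultdict

# Constructed sample events from three sources (SQL audit, mail gateway, IM proxy),
# already normalized to a common schema as a SIEM would do. All values hypothetical.
EVENTS = [
    {"ts": 100, "src": "sql",   "user": "jdoe",   "rows": 4200, "table": "customers"},
    {"ts": 160, "src": "sql",   "user": "asmith", "rows": 12,   "table": "inventory"},
    {"ts": 220, "src": "email", "user": "jdoe",   "to": "drop@example.org",
     "attachment": "export.pdf", "body": "see attached"},
    {"ts": 300, "src": "im",    "user": "jdoe",   "peer": "stranger99", "text": "sent it"},
    {"ts": 320, "src": "im",    "user": "asmith", "peer": "colleague_ann", "text": "lunch?"},
]

PRIVILEGED_TABLES = {"payroll", "hr_records"}   # assumed policy values
ROW_THRESHOLD = 1000
CORP_DOMAIN = "corp.example"                    # assumed internal mail domain
DISCLAIMER = "This email is confidential"
IM_WHITELIST = {"colleague_ann", "helpdesk_bot"}
WINDOW = 600                                    # seconds a chain may span

# Each stage is a content-aware predicate, in the order the chain must occur.
STAGES = [
    ("sql_policy_violation", lambda e: e["src"] == "sql" and
        (e["rows"] > ROW_THRESHOLD or e["table"] in PRIVILEGED_TABLES)),
    ("external_email_no_disclaimer", lambda e: e["src"] == "email" and
        not e["to"].endswith("@" + CORP_DOMAIN) and DISCLAIMER not in e["body"]),
    ("im_to_unlisted_peer", lambda e: e["src"] == "im" and e["peer"] not in IM_WHITELIST),
]

def correlate(events):
    """Return one alert per user who completes every stage, in order, within WINDOW.
    The matched record of each stage is retained as the forensic evidence."""
    progress = defaultdict(lambda: {"stage": 0, "start": None, "evidence": []})
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        st = progress[e["user"]]
        # A partially matched chain that has outlived the window starts over.
        if st["start"] is not None and e["ts"] - st["start"] > WINDOW:
            st.update(stage=0, start=None, evidence=[])
        name, pred = STAGES[st["stage"]]
        if not pred(e):
            continue
        st["evidence"].append((name, e))
        st["start"] = e["ts"] if st["start"] is None else st["start"]
        st["stage"] += 1
        if st["stage"] == len(STAGES):
            alerts.append({"user": e["user"], "evidence": st["evidence"]})
            progress[e["user"]] = {"stage": 0, "start": None, "evidence": []}
    return alerts
```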
WikiLeaks Use Case Background Information
• PFC Bradley Manning Accused of Leaking Classified Documents from the Secret Internet Protocol Router Network (SIPRNet)
• In June 2010, Adrian Lamo Reported to U.S. Army Authorities that Specialist Bradley Manning had Leaked Classified Information to Him
  • Lamo Shared Chat Logs with Federal Agents, WikiLeaks, and the Media
  • Lamo Also Claims Manning Confessed to Leaking the Video Footage of the July 12, 2007 Baghdad Airstrike Incident in Iraq
  • NOTE: Lamo's Credibility and Motivations are Being Questioned
• Possibly the Largest Government Classified Data Leakage Event, with Over 260,000 Classified and Sensitive Documents Leaked
• Manning Reportedly Stated:
  • He Utilized a CD-RW Disc Labeled as Lady Gaga to Exfiltrate the Data from His Computer and the SIPRNet
  • He Utilized Encryption, Tor, and Privately Coordinated Servers with WikiLeaks Main Spokesman Julian Assange to Upload Data after it was Exfiltrated
WikiLeaks – Use Case Overview
• Classic Example of an Authorized Insider Abusing Trust and Privileges
• Major Hurdles Related to this Use Case and Technology Solutions:
  • Massive Amounts of Data will be Generated from File Access Monitoring
    • A Typical File Server will Generate Millions of Events a Day
    • Scaling to meet Federal Government Requirements would require the Processing of Billions of Events per Day
  • User is Trusted and Requires File Access Privileges to Sensitive Data
    • An Intelligence Analyst must have Quick and Unhindered Access to Sensitive Data to Effectively Perform his or her Job
  • Monitored Environment is Dynamic and Changes Rapidly
    • To Fully Meet Federal Government Monitoring Requirements and Goals, Environment Changes must be Taken into Consideration in Real Time
    • Static Variables and Usage Patterns are Useless in a Dynamic Environment
  • Policy Compliance Monitoring Must be Capable of Identifying Complicated Violations
WikiLeaks – Use Case
• NitroSecurity SIEM Addresses these Major Hurdles with:
  • Unmatched Speed, with the Ability to:
    • Support up to 600,000 Events per Second on a Single Appliance
    • Scale without Limit by Simply Adding a New Appliance
  • Operationally Focused Drill Downs and Queries
    • Produces Actionable Information in Minutes, Not Hours or Days, from a Dataset consisting of Billions of Events
  • User Tracking and Reporting Across Multiple Systems, Platforms, and Applications in a Single Pane of Glass
WikiLeaks – Use Case
• NitroSecurity SIEM Addresses Major Hurdles (Cont.)
  • Dynamic Baselining Capabilities
    • The NitroSecurity Solution Dynamically Calculates Baseline Changes in Real Time, allowing Anomalous and/or Suspicious Activity to be Detected and Reported, such as:
      • Increases over Baseline in the Total Number of Files Accessed by a Single User over a Time Period such as Seconds, Minutes, Hours, Days or Even Years
      • Increases over Baseline for Access to Specific File Categories and/or File Classifications by a Single User
      • Increases over Baseline in the Volume of Data Accessed by Any Single User
      • Access to any File that has not been Accessed by Another User in a Set Timeframe or Time Period
WikiLeaks – Use Case
• NitroSecurity SIEM Addresses Major Hurdles (Cont.)
  • Baselines are Calculated on Context-Related Data for Risk Management to Provide a Clear Picture of an Event's Severity and/or Potential Impact within an Environment:
    • Increase in the Total Calculated Severity over the Baseline by a Single User
    • Increase in the Average Severity over the Baseline by a Single User
    • Increase in Average or Total Severity over the Baseline for a File Category or File Classification
WikiLeaks – Use Case
• NitroSecurity SIEM Addresses Major Hurdles (Cont.)
  • Unlimited Correlation Capabilities
    • Automated Identification of What Events or Chains of Events Require Immediate Attention
    • Generates a Higher Severity Alert for Suspicious Patterns or User Action Chains such as:
      • Any Single User that Generates more than one Baseline Anomaly over a Set Period of Time
      • Any File or File Category that has Generated Multiple Events from a Set Distribution of Users
      • Any Baseline Anomaly Event Followed by Access to a Removable Media Storage Device or Execution of a Removable Media Writing Application
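The dynamic baselining, severity calculation and correlation slides above describe one detection pipeline: a per-user baseline that adapts as events arrive, a severity weighted by the sensitivity of what was touched, and an escalation when an anomaly is followed by removable media use. The following is an added example (not NitroSecurity's implementation) that puts those three steps together over constructed hourly file-access counts; the window size, sigma threshold, classification weights and severity formula are all assumptions.

```python
import statistics
from collections import defaultdict, deque

# Constructed per-(hour, user) file-access counts and device events. A real feed would
# be per-file events that the SIEM aggregates; these values are hypothetical.
HOURLY_ACCESS = [  # (hour, user, files_accessed, classification)
    (1, "analyst1", 40, "SECRET"), (2, "analyst1", 45, "SECRET"), (3, "analyst1", 38, "SECRET"),
    (4, "analyst1", 42, "SECRET"), (5, "analyst1", 41, "SECRET"), (6, "analyst1", 900, "SECRET"),
    (1, "analyst2", 30, "SECRET"), (2, "analyst2", 33, "SECRET"), (3, "analyst2", 29, "SECRET"),
    (4, "analyst2", 31, "SECRET"), (5, "analyst2", 32, "SECRET"), (6, "analyst2", 34, "SECRET"),
]
DEVICE_EVENTS = [(6, "analyst1", "removable_media_write"), (6, "analyst2", "usb_keyboard")]

BASELINE_HOURS = 5      # rolling window the baseline is computed over (assumed)
MIN_SAMPLES = 3         # do not judge a user until enough history exists
SIGMA = 3.0             # anomaly threshold in standard deviations above the mean
CLASS_WEIGHT = {"UNCLASSIFIED": 1, "CONFIDENTIAL": 2, "SECRET": 3}
ESCALATE_WINDOW = 1     # hours after an anomaly within which media use escalates it

class Baseliner:
    """Per-user rolling baseline of hourly file-access counts, updated as events arrive."""
    def __init__(self):
        self.history = defaultdict(lambda: deque(maxlen=BASELINE_HOURS))
        self.anomalies = []          # (hour, user, severity)

    def observe(self, hour, user, count, classification):
        hist = self.history[user]
        if len(hist) >= MIN_SAMPLES:
            mean = statistics.mean(hist)
            sd = statistics.pstdev(hist) or 1.0          # guard a perfectly flat history
            if count > mean + SIGMA * sd:
                # Assumed severity: ratio over baseline, weighted by data classification.
                sev = min(100, int(count / mean * CLASS_WEIGHT[classification]))
                self.anomalies.append((hour, user, sev))
        hist.append(count)                               # the baseline adapts in real time

def run(access_events, device_events):
    """Replay events in time order; escalate anomalies followed by removable media use."""
    b = Baseliner()
    for hour, user, count, cls in sorted(access_events):
        b.observe(hour, user, count, cls)
    alerts = []
    for hour, user, sev in b.anomalies:
        escalated = any(u == user and kind == "removable_media_write"
                        and hour <= h <= hour + ESCALATE_WINDOW
                        for h, u, kind in device_events)
        alerts.append({"user": user, "hour": hour, "severity": sev, "escalated": escalated})
    return alerts
```

Note that analyst2's counts drift within a few files of their mean and never trip the threshold, which is the point of comparing each user against their own adaptive baseline rather than a static, organization-wide limit.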
WikiLeaks – Use Case Summary
• Classic Example of an Authorized Insider Abusing Trust and Privileges
• Major Hurdles Related to this Use Case:
  • Massive Amounts of Data will be Generated from File Access Monitoring
  • User is Trusted and Requires File Access Privileges to Sensitive Data
  • Monitored Environment is Dynamic and Changes Rapidly
  • Object Access Monitoring Must be Capable of Identifying Complicated Policy and Compliance Violations using Dynamic Baselines and Anomaly Detection
• NitroSecurity Addresses All of these Hurdles with:
  • Unmatched Speed and Scalability
  • User Tracking and Reporting Capabilities
  • Dynamic Baselining Capabilities
  • Dynamic Event Severity Calculation Capabilities
  • Unlimited Correlation Capabilities
File Monitoring Analysis Console (screenshot: operational console for total environmental awareness, with panels for Data Sources, Types, Domain Risk, Event Risk, Server Risk, User Attempts, User Risk, Files, and The Details)
Risk and Severity Overview (screenshot: Total Risk Distribution, Average Risk Distribution, Risk Overview with Details, and The Details)
User File Access Distribution (screenshot: user access monitoring by Who, Where, What, and When)
Domain Severity Indicators Drill Down (screenshot: Average Severity per Domain, Average Severity per Server, Files and Shares Accessed with Baselining Enabled, Average Severity per User, and Total Severity per Time Frame/Period)
Thank You! Questions?
For more information: www.nitrosecurity.com, 1-888-LOG-SIEM