
Hello there. Hi. So, yeah, my name is Ken Weston, and today I'm going to be talking about the insider threat kill chain: detecting human indicators of compromise. Real quick, a little bit about me. One thing I learned when I was researching the insider threat is that I am the insider threat in a lot of ways; actually, when you profile someone who could be an insider, all the fingers pointed to me. I developed a website called USBHacks.com, focused on USB-based exploits back in the day of good old Microsoft AutoRun and some other interesting things at the time around the weaknesses around USB. It had a lot of tools that were available and talked about and discussed, and that actually turned into a product called GadgetTrak, which was theft recovery software, starting with USB devices, then moving into laptops and mobile phones. It basically gathered information to track down where the devices were, took photos of the person, and ended up putting a lot of people in jail. I learned quite a bit from that, not just about recovering stolen devices but also about the research that goes around it: using open-source data, having to go out and build some tools to scan for additional information. I also developed a product called CameraTrace; it's basically a distributed EXIF scanner and search engine that goes out and indexes websites, you do a search for a serial number, and it shows you all the photos that were taken with that particular camera. I'm currently a Tripwire security analyst in product marketing, and I focus on log intelligence and forensics. So that's my information here.

Your organization's greatest asset is also its greatest risk, and I think that's really where the insider threat issue is really problematic: it's the very people that are within the organization. A little experience here: I was working for a company and we'd hired an administrator to help out with some servers. Come to find out, there was a disagreement with management about his billing. He was overcharging us, and they caught it. They confronted him with it, and the thing is, management and HR didn't tell anyone else in IT. I was in charge of the website at the time, and at three in the morning one day I started getting alerts that the website was down. I logged in to the server, and I came to find out, just doing some quick analysis and looking at the log files and some of the file changes, that he had purposely logged into the server, shut the server down, and modified a bunch of the HTTP config files for Apache so that even if you rebooted, the server wouldn't come back up. I was able to fix it pretty quickly, but what was really interesting is that once I was able to get the information, I actually started seeing some of the emails that were exchanged with him, and it mapped to the timeline perfectly. If management had told us that there was an issue, that there was a potential risk, then we could have mitigated this by removing his access or at least reducing his privileges.

You guys may have heard about another case: a network admin who was on an aircraft carrier. He got busted for hacking, and there was a whole list of websites and servers that he had gotten into. What's really interesting is that on a nuclear submarine you'd think they would have pretty good protocols and security policies in place to mitigate things like this, but apparently they didn't. He was able to download all these different tools. Even something as simple as nmap should fire off alerts within your organization; if you start seeing anomalous traffic and scans, that should be an alert as well. This guy was able to do this for years before he actually got caught, and he wasn't even caught on the boat itself; it was actually when he tried to hack into another Navy server that they were able to catch him.

It's not just the military but also financial services. This is an administrator who was hired by Fannie Mae. He got fired because he made a configuration change in error that caused damage to some systems. The HR department decided to let him go back to his desk and finish the rest of the day after they fired him. He had admin access to the company's 4,000 servers, and he wrote a logic bomb to disable logins and wipe logs on a specific date and time. Luckily, after he left, another engineer found that code before it could actually execute. The guy was sentenced to 41 months in prison. What's really scary, though, is that after he worked there, before he actually
went to jail, he worked for Bank of America, Amtrak and GE, all as a senior system administrator with highly privileged access.

So when I look at the insider threat, I like to look at their intentions. If you look at a sort of risk analysis, they always measure threat as a product of capability and intent. CERT has an insider threat division, and they actually looked at real cases and found that for motivation, thirty-seven percent of it is fraud. That's usually someone trying to get financial gain, right? They're not there to cause damage to the systems; they just want more money, and those types of insiders are going to be entrenched for a long period of time, and usually their fraud is going to be something that happens over the course of months or years. Then you have IT sabotage, and that's usually going to be a short time, or someone who's planning on leaving, maybe someone that got passed over for a promotion. Then you have intellectual property theft. That can be someone who is on the inside; sometimes developers, right? They feel like they co-own the source code, so before they leave an organization they may help themselves to a code repository. Same thing with sales: they may log into their Salesforce account or other systems and download a great deal of information. And then of course you have espionage, which can be corporate or it can also be state-sponsored. But it's really interesting: if you start looking at this, depending on what their intent is, they're going to have different indicators, and you need to deal with them differently.

So, the insider threat kill chain. We're all familiar with kill chains, but that doesn't really work well for an insider threat, because we're dealing with someone who's not necessarily a hacker trying to get in from outside. What we're dealing with is someone who has authorized credentials to do unauthorized things, so we have to take this from a different approach. Someone at the FBI actually did a presentation where he talked about what he called the insider threat kill chain. I like this model a lot better. It starts with basically the recruitment or tipping points. This can be where someone on the outside has paid someone, or maybe given them a job offer, or they've accepted a job offer and it would be helpful for them to have some additional information for a competitor. Or it's the tipping point where they get frustrated: they're pissed off, they got passed over for that promotion, they're complaining to everyone around them about how they don't get paid enough, they hate their manager, right? Then the next phase is the search and recon phase, where they're actually looking for what information they can grab. If they are a privileged insider or a tech-savvy insider, this might also be a point where they're trying to run vulnerability scans inside the network, which is quite common; that means running something as simple as nmap just to get a map of the network. Then they'll actually start doing the acquisition and collection of information, and then of course we'll have the exfiltration, or the actual action where they try to cause damage.

Through these different phases there are different things we can do to defend ourselves. Usually when it comes to the prevention side, it's not really technical; there's not a whole lot that you can do, the same as if you're dealing with an adversary who is doing recon on your company, right? You can't really detect that until they actually touch the network in some fashion. So this is usually something where you're going to have HR policies; you're going to make sure that there are clear lines of communication between HR and IT. If there is going to be a rift, if there are going to be layoffs, if there is a group of employees that they think is at risk, behavioral problems, all this type of information should be shared, and you would be surprised how few HR and IT departments actually communicate with each other. It's really interesting that even casual conversations, I mean monthly meetings, can actually do quite a bit to at least understand how things work and how they can go in and actually flag some of these high-risk employees. Then of course we'll have technical indicators, which I'll get to in a little bit as well. All along the way there's usually an indicator: when they try to access servers that they don't have access to, trying to escalate their privileges, there's going to be information that will appear in logs.

So, some things we can look for on the prevention side: human indicators of compromise. These are things that your HR department should watch for. Someone who is consistently first in and last out of the office; that's usually showing the signs of wanting to be in control, they don't want other people to view their work. Twelve months of unused vacation. A life change, say a marital status change. If they give notice, if there's a layoff, passed over for promotion, or just poor interaction. Not all of these are going to say that, yeah, this person is an insider threat, but these are things that can show increased risk. Also, on the vacation side, it's not necessarily that the person doesn't want to take vacation because they don't want someone else to review their work; it can also be that someone else is using their
credentials on the inside.

Some things that HR and legal can do: consider threats from insiders and partners in risk assessments. I think we have a tendency to think about penetration testing as the malicious hacker from outside; what if we start actually considering the insider in our risk assessments and how we model our networks? That can actually make a huge impact to reduce risk. Make sure you do background checks. CERT did another study and found that a lot of folks who were actually doing insider-type crimes actually had records, and simply running background checks on some of those folks that are going to have privileged access might be a good idea, depending on where you work. You want clearly documented, enforced policies and controls. That's important, especially if you have monitoring in place; you'd be amazed at the impact it can have on your organization if people think they're being watched, even if they're not. You want to have periodic security awareness training for all your employees. Monitor and respond to suspicious or disruptive behavior; again, more on the HR side. Anticipate and manage workplace issues, so if there are financial issues in the company or there's going to be a rift, again, that's something you keep in consideration. Track and secure your physical environment; you can have the best IT security in the world, but if you don't lock your server room, well, I'll talk about an actual case that happened at Los Alamos around that. Establish clear lines of communication and procedure between HR, legal and IT, kind of what we've been talking about.

Then there are the actual technical indicators. These are things that we can actually track on the technology side. If we're seeing an increased number of logins, a variation of remote and local, something might be up. If they're logging in to the network at odd times, again late at night, that might be another indicator. CERT did a study where they found the majority of the attacks they saw were remote logins via VPN and then exfiltrating data out over SSH or RDP to a remote server, and we'll talk a little bit about how you can actually detect that in a basic SIEM. Logging in frequently during vacation times; again, it may not indicate that this person is the attacker, it might be someone with one of their business partners. Remote logins using different employees' credentials: if you see that on one system that's usually owned by one particular person, and then other credentials are used on that device, that's a big red flag right there. Changes in websites that are visited, work versus personal; someone who's hitting Facebook and LinkedIn and Glassdoor a little bit more than usual, that might be something you want to keep an eye on. Increased printer usage as well; you'd be amazed how many people don't actually log what gets printed, and that's actually a really good indicator that some information might be leaving your environment. You might look for any sort of export of large reports or downloads from internal systems, so you should be monitoring if someone's going into Salesforce pulling large reports, large chunks of data. These are things you're going to want to monitor.

Trying to keep it on time here, so, yeah, policy and technology: you want to implement strict password and account policies, enforce separation of duties and least privilege. A lot of this stuff is pretty common knowledge in IT security, but you'd be surprised how often this sometimes gets overlooked. The thing is, we have all this data that's available to us, and it tells us a lot about what's going on inside the network, but it's really difficult to make sense of it unless we actually look at it as a whole. So monitoring an employee, what devices are accessing what, what information they have access to: this is all critical for us to be able to establish whether we actually do have an insider threat. The first thing you want to do is be able to act on that information in real time. If an employee tries to access a server that they're not authorized to view, that's something you want to trigger an alert on right away; it needs to be passed up to the SOC or it needs to be emailed to an admin, depending on the size of your organization. That's the stuff that you want to be able to do in real time, and you can do that through your typical SIEM; there are some open-source SIEMs, there are some logging tools that are out there. I think most people have some sort of SIEM or some sort of log intelligence tool in their environment that they can take advantage of. Splunk is another good one that can do some of this, and from that you can do your alerts, you can do mobile notifications, you can even activate scripts; you can go in and actually deactivate someone's account, for example. Then you want to have the analytics and forensics and storage capability. That's really important, to be able to go back: you detect something happened and you want to go back and look at that person's behavior. What else did they do, what other files did they touch, was this the only information they've stolen or is this something they've been doing for a long period of time? You're going to need that information not just to go back and identify where you need to remediate, but also for law enforcement, and if there's an HR issue then you're going to get legal involved as well, and you need to make sure you have that information and that it's valid.

When people ask what to log first, you always say firewalls, your unsuccessful login attempts, IDS. IDSes should be deployed not just on the outside at the perimeter but also inside; actually, I've got an example where nmap can be detected if someone's running an internal scan. If Joe in accounting is running nmap scans, that might be a little questionable. You want to look at web proxies, antivirus alerts, and then anything around change management, any configuration changes. You want to determine your log volume to start out with. I'm going to skip over this because I want to get to some of the good stuff.

So there are correlation rules that you can set up. Pretty much any SIEM will allow you to do this; it's going to be in different formats, but: logon attempts from terminated employees or contractors; odd-hour logon patterns from employees, any sort of anomalous behavior that deals with logons and authentication from your employees or trusted business partners; if an employee disables antivirus, that gets logged, and that's something you can watch
for. Employee visits to blocked websites frequently; if he downloads a large file from the internet or the CRM, you can usually detect that. If an employee installs and uses a torrent client on a company system, or if they're installing any sort of scanning or hacking tools.

So let's look at a real problem here. If an employee's behavior shows potential risk to the business, I want to monitor to see if he connects to servers outside the network. What I'm going to do is set up rules and alert on connections to outgoing ports after hours on ports 22, 23 and 3389. This was CERT: when they did their research, they actually found that this was a common attack pattern. This is really easy to implement. This is in CEE, which is an open-source format that you can import into most SIEMs; Tripwire Log Center supports it, or you can import this into ArcSight as well. Some of them have their own proprietary formats for this, but it's all going to be pretty similar. You can even create dashboards. Integrating your SIEM directly with Active Directory will help get a lot of this information for you. So this is my watch list, where I'm actually watching terminated employees and logons. I can actually watch for any sort of large file shares that get created, and in addition I'm also watching the time of day when the logons are, and all this information can be correlated, and it sort of increases their risk score as well.

I had one as a case study: we had a power company that deployed our log intelligence tool, and they discovered that there was an account of a terminated system admin in use. He was logging into the network at four a.m. on a Wednesday. They also discovered that he'd gone in and disabled logging on a key firewall, so we kind of want to know why; why would you want to be doing that? There was another one; we had a major tire retailer that deployed both the log intelligence tool and file integrity monitoring, and they discovered that there was a backdoor account that was created by a terminated employee. So it wasn't just his account; he created several other accounts. This is where you want to go back, track and see where did this person go, what other activities has this person done, what other accounts has he created and what have they done. Here's an example of what can get picked up by an IDS internally. You see, this can be someone on the inside; maybe it's a hacker that got inside, or it can be an insider actually running those scans, so it's good to have an IDS set up on the inside. I also highly recommend a honeypot. It gets a little more technical, a little more of a legal gray area, but there's a lot of things that you can do there. For response, you want to implement secure backup and recovery processes, quickly audit users' network behavior, and develop an insider incident response plan. Again, this needs to be interdepartmental; if IT is working alone on trying to detect the insider, there's going to be a lot of problems.

So, click here: this was USBHacks, which I started a while back. I actually used USB-based Trojans to recover stolen devices; it was a lot of fun. That technology was actually deployed to FLIR thermal-imaging cameras; they did it for theft recovery and for export controls. What's interesting is that there was a case at Los Alamos in 2006. An 18-year-old was hired and given security clearance to work at Los Alamos labs in a vault archiving data. There was a meth lab that got busted, and they found three flash drives that she had brought; she brought work home, that's what it was, for her boyfriend, the one they got busted for the meth lab. So the data went from one lab to another. What's interesting is how easy it was: she was able to just go in there, she brought flash drives in, plugged them in, no one watched her, no one searched her, and this was in a highly secure area. What she had access to was information on nuclear tests that were done in the 70s. They had a policy about no flash drives, but it was never enforced.

You can also log physical security. Key fob systems are another great tool; a lot of people don't think about that, but a lot of those devices generate logs. One flash drive that I actually helped recover, we tracked it down to a university in North Texas, one particular computer lab. That lab also required a student ID to be swiped, so there was log data there. We also found that they had been robbed several times, with some computers that were taken, and there were logs from a lot of the closed-circuit cameras as well. So we were able to correlate all this information, all this log data, and we had more than enough information for the police to be involved and get that device back and easily identify who took it.

Lazy logging: if you want to log your USB flash drives, there's a technique to watch outbound proxy logs or your IPS. Any time on Windows systems when you connect a flash drive, it actually sends information out to these two URLs, so you can monitor that. There's a link down here, and I'll put my slides up, that will kind of explain how to go about doing that. About eighty percent of the time it's going to work, but it's something you can do quick and dirty to detect flash drives that are being plugged into your environment.

Some future threats: I've been thinking a lot about other things that people can do, be it ZigBee radios or rogue mesh networks that get put into an area. You're talking about highly technically savvy folks. So I'm working with my friend Jared, who is helping with the HackRF project, seeing how we can actually sniff out some of these rogue networks. Here's a ZigBee radio that's in there that shouldn't be; being able to at least detect that, and then taking it a step further and actually getting three devices and trying to identify the location of the device. Sorry I had to go really fast, but I only had a few minutes left. Great, I've got five minutes, so if you guys have questions.
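The two correlation rules the talk walks through, the CERT pattern of after-hours outbound connections on ports 22, 23 and 3389 and the watch list of logons by terminated accounts (with odd-hour logons feeding a per-user risk score), as an added example in Python. This is not the speaker's or Tripwire's code and not the CEE rule file from the slides; it runs the same logic over a few constructed key=value log lines. The usernames, addresses, the 19:00 to 07:00 "after hours" window and the internal address prefixes are all assumptions.

```python
"""Correlation rules from the talk (after-hours outbound SSH/Telnet/RDP,
terminated-account logons, odd-hour logons), as an added example run over
constructed key=value log lines. Not the speaker's or Tripwire's code."""
from collections import Counter
from datetime import datetime, time

# Constructed sample events; every user, host and address is hypothetical.
SAMPLE_LOGS = """\
ts=2014-03-12T02:14:07 type=conn user=jsmith src=10.0.5.23 dst=198.51.100.9 dport=22 action=allow
ts=2014-03-12T14:03:11 type=conn user=jsmith src=10.0.5.23 dst=203.0.113.40 dport=443 action=allow
ts=2014-03-12T23:41:50 type=conn user=rlee src=10.0.7.8 dst=198.51.100.77 dport=3389 action=allow
ts=2014-03-12T04:00:02 type=logon user=tbrown src=172.16.9.4 result=success
ts=2014-03-12T09:12:45 type=logon user=amiller src=10.0.1.5 result=success
ts=2014-03-12T22:55:00 type=conn user=amiller src=10.0.1.5 dst=10.0.8.20 dport=22 action=allow
"""

# Assumption: the HR/AD feed of terminated accounts arrives as a set of usernames.
TERMINATED = {"tbrown"}
# Ports from the CERT pattern the talk cites: SSH, Telnet, RDP.
EXFIL_PORTS = {22, 23, 3389}
# Assumption: 19:00 to 07:00 counts as after hours.
AFTER_HOURS_START = time(19, 0)
AFTER_HOURS_END = time(7, 0)
# Assumption: these prefixes are the organization's internal address space.
INTERNAL_PREFIXES = ("10.", "172.16.", "192.168.")


def parse_logs(text):
    """Turn key=value lines into dicts; ts becomes a datetime, dport an int."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(field.split("=", 1) for field in line.split())
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        if "dport" in ev:
            ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def is_after_hours(ts):
    """The window wraps midnight, so it is an OR of two comparisons, not a between."""
    t = ts.time()
    return t >= AFTER_HOURS_START or t < AFTER_HOURS_END


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def evaluate(events):
    """Return (rule, user, ts) alerts; one event may fire more than one rule."""
    alerts = []
    for ev in events:
        if ev["type"] == "conn" and ev.get("action") == "allow":
            # Rule 1: after-hours connection to an EXTERNAL host on 22/23/3389.
            # Internal SSH/RDP after hours is routine admin work, so it is excluded.
            if (ev["dport"] in EXFIL_PORTS and is_after_hours(ev["ts"])
                    and not is_internal(ev["dst"])):
                alerts.append(("after_hours_exfil_port", ev["user"], ev["ts"]))
        elif ev["type"] == "logon" and ev.get("result") == "success":
            # Rule 2: any successful logon by an account HR says is terminated.
            if ev["user"] in TERMINATED:
                alerts.append(("terminated_account_logon", ev["user"], ev["ts"]))
            # Rule 3: odd-hour logon; fires alongside rule 2 so the score stacks.
            if is_after_hours(ev["ts"]):
                alerts.append(("odd_hour_logon", ev["user"], ev["ts"]))
    return alerts


def risk_scores(alerts):
    """Per-user count of fired rules, the crude risk score the talk mentions."""
    return dict(Counter(user for _, user, _ in alerts))


if __name__ == "__main__":
    found = evaluate(parse_logs(SAMPLE_LOGS))
    for rule, user, ts in found:
        print(f"{ts.isoformat()} {rule:24} {user}")
    print(risk_scores(found))
```

On the sample data the rule set flags the two after-hours external connections on 22 and 3389, and the terminated account logging on at 04:00 fires both the terminated-account and odd-hour rules, while amiller's 22:55 SSH session to an internal host is left alone. In a real SIEM the `TERMINATED` set would be populated from the Active Directory integration the talk mentions, and the after-hours window would be set per role rather than globally, since on-call administrators make rule 3 noisy otherwise.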