INSIDER THREAT KILL CHAIN



Slide 0

INSIDER THREAT KILL CHAIN
DETECTING HUMAN INDICATORS OF COMPROMISE


Slide 1

INSIDER THREAT KILL CHAIN
DETECTING HUMAN INDICATORS OF COMPROMISE
Ken Westin, Product Marketing Manager, [email protected]


Slide 2

Your organization’s greatest asset is also its greatest threat. People.


Slide 3

MY FIRST EXPERIENCE WITH TRIPWIRE
ADMINISTRATOR BREAKING BAD


Slide 4

INSIDER THREAT INTENTIONS
THREAT = CAPABILITY * INTENT
Source: CERT breakdown of insider crimes in the United States


Slide 5

ADMINS GONE WILD: Rajendrasinh Babubhai Makwana
- IT contractor fired, but allowed to finish working the day
- Had admin access to the company's roughly 4,000 servers
- Wrote a logic bomb to disable logins and wipe logs on January 31, 2009
- Another engineer found the code before it could execute
- Sentenced to 41 months in prison
- Before being caught he had gone on to work for Bank of America, Amtrak and GE as a senior systems administrator


Slide 6

INSIDER THREAT KILL CHAIN Insider Timeline



Slide 9

PREVENT: HUMAN INDICATORS OF COMPROMISE


Slide 10

PREVENT: AWARENESS & TRAINING
- Consider threats from insiders and business partners in risk assessments
- Background checks
- Clearly document and consistently enforce policies and controls
- Periodic security awareness training for all employees
- Monitor and respond to suspicious or disruptive behavior
- Anticipate and manage negative workplace issues
- Track and secure the physical environment
- Establish clear lines of communication and procedures between HR, Legal and IT


Slide 11

PREVENT: HUMAN TO MACHINE INDICATORS


Slide 12

PREVENT & DETECT: POLICY & TECHNOLOGY
- Implement strict password and account management policies
- Enforce separation of duties and least privilege
- Take extra caution with system administrators and other technical or privileged users
- Implement system change controls
- Deactivate computer access following termination
- Log, monitor and audit employee network activities


Slide 13

LOG INTELLIGENCE & ANALYTICS REAL-TIME CORRELATION MEETS BIG DATA



Slide 19

INSIDER THREAT CORRELATION TRIPWIRE LOG CENTER EXAMPLE RULES


Slide 20

WHAT TO LOG? BARE MINIMUM TO START
- Firewall logs
- Unsuccessful login attempts
- Intrusion detection/prevention system (IDS/IPS) logs
- Web proxies
- Antivirus alerts
- Change management


Slide 21

ALL LOGS CONSIDERED: CHALLENGES WITH LOG INTELLIGENCE & SIEM
- Determine log volume: identify the number of events per second before selecting a log management tool
- Establish log management policies and procedures: include log retention policies (work with legal counsel on requirements), what is collected, and who manages the logging systems
- False positives: security devices make a lot of noise; tune the system to reduce false positives and focus on the events that matter
- Establish a baseline: what is normal behavior? Set baselines so anomalies can be distinguished from true threats
- Accessing information: multiple departments, not just the SOC, need to be involved in deciding what is collected and who has permission to view it



Slide 23

LOGGING REAL PROBLEMS
An employee's behavior shows potential risk to the business. Let's monitor to see if he connects to servers outside the network: set rules to watch and alert on outbound connections to these ports after hours: 22 (SSH), 23 (Telnet), 3389 (Terminal Services/RDP).

Example rule as shown on the slide (Tripwire Log Center pseudo-XML). Note that the <start>/<end> window runs from 17:00 to 08:00 the next morning, so it wraps past midnight; the sample logTime of 12:17 is midday and would not fall inside it:

  <event name="Suspicious connection by risky employee">
    <logTime>2014-04-07T12:17:32</logTime>
    <suser>maliciousinsider</suser>
    <src>10.0.0.1</src>
    <shost>insider_system</shost>
    <prot>TCP</prot>
    <dpt>{22,23,3389}</dpt>
    <start>17:00:00</start>
    <end>08:00:00</end>
  </event>
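The slide gives the rule but not what actually runs it. The following is an added Python example, not Tripwire Log Center code: it reimplements the rule over a handful of constructed firewall log lines (the key=value layout, the user names, the destination addresses and the internal address ranges are all assumptions). Two things a practitioner wants to see handled are that the 17:00 to 08:00 window wraps past midnight, and that "outside the network" needs an explicit definition of inside.

```python
"""Added example (not Tripwire Log Center code): the after-hours outbound
connection rule from the slide, run over constructed firewall log lines.
Field names, sample addresses and internal networks are assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, time

# Rule parameters taken from the slide: watched user, risky ports, 17:00-08:00 window.
WATCHED_USERS = {"maliciousinsider"}
RISKY_PORTS = {22, 23, 3389}          # SSH, Telnet, Terminal Services/RDP
AFTER_HOURS_START = time(17, 0)       # <start>17:00:00</start>
AFTER_HOURS_END = time(8, 0)          # <end>08:00:00</end>, the next morning

# Assumed internal address space; any other destination is "outside the network".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log lines in a simple "<ISO timestamp> k=v k=v ..." layout
# (not a real product format).
SAMPLE_LOGS = """\
2014-04-07T12:17:32 suser=maliciousinsider src=10.0.0.1 shost=insider_system prot=TCP dst=203.0.113.5 dpt=22
2014-04-07T18:45:10 suser=maliciousinsider src=10.0.0.1 shost=insider_system prot=TCP dst=203.0.113.5 dpt=22
2014-04-08T02:03:51 suser=maliciousinsider src=10.0.0.1 shost=insider_system prot=TCP dst=198.51.100.9 dpt=3389
2014-04-08T02:10:00 suser=jdoe src=10.0.0.2 shost=jdoe_laptop prot=TCP dst=198.51.100.9 dpt=3389
2014-04-08T02:11:00 suser=maliciousinsider src=10.0.0.1 shost=insider_system prot=TCP dst=198.51.100.9 dpt=443
2014-04-08T02:12:00 suser=maliciousinsider src=10.0.0.1 shost=insider_system prot=TCP dst=10.0.5.20 dpt=22
2014-04-08T07:59:59 suser=maliciousinsider src=10.0.0.1 shost=insider_system prot=TCP dst=198.51.100.9 dpt=23
2014-04-08T08:00:00 suser=maliciousinsider src=10.0.0.1 shost=insider_system prot=TCP dst=198.51.100.9 dpt=23
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    ts: datetime
    fields: dict


def parse_line(line: str) -> Event:
    """Split '<ISO timestamp> k=v k=v ...' into a timestamp and a field dict."""
    ts_str, _, rest = line.strip().partition(" ")
    return Event(datetime.fromisoformat(ts_str), dict(KV_RE.findall(rest)))


def in_window(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end). When end is earlier than start
    (17:00 -> 08:00) the window wraps past midnight; a naive
    start <= t <= end comparison would never match anything there."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def matches_rule(ev: Event) -> bool:
    f = ev.fields
    try:
        dpt = int(f["dpt"])
        external = is_external(f["dst"])
    except (KeyError, ValueError):
        return False  # malformed line; in production count these so parse gaps are visible
    return (f.get("suser") in WATCHED_USERS
            and dpt in RISKY_PORTS
            and external
            and in_window(ev.ts.time(), AFTER_HOURS_START, AFTER_HOURS_END))


def run_rule(log_text: str) -> list:
    """Return (timestamp, user, destination, port) for every line that fires the rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if matches_rule(ev):
            alerts.append((ev.ts.isoformat(), ev.fields["suser"],
                           ev.fields["dst"], int(ev.fields["dpt"])))
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_LOGS):
        print("ALERT suspicious connection by risky employee:", alert)
```

Against the constructed lines the rule fires three times (18:45 to port 22, 02:03 to port 3389, 07:59:59 to port 23) and stays quiet for the midday connection, the unwatched user, port 443, the internal destination, and the connection at exactly 08:00, which the half-open window excludes.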


Slide 24

Tripwire Log Center Dashboard


Slide 25

Physical Security Meets Digital KEY FOB SYSTEMS GENERATE LOGS TOO


Slide 26

CUSTOMER STORY: POWER COMPANY (MALICIOUS INSIDERS UNVEILED)
- On deployment, Tripwire Log Center immediately discovered the account of a terminated system admin still in use
- The account was logging into the network at 4 AM on a Wednesday
- Also discovered that logging had been disabled on a key firewall
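Both findings above, and the "deactivate computer access following termination" control from the PREVENT & DETECT slide, come down to two cheap checks: compare logon records against the HR list of terminated accounts, and treat a log source that goes quiet as an alert in its own right. The following is an added Python example, not Tripwire code; the HR feed, host names, field names and timestamps are constructed for illustration.

```python
"""Added example (not Tripwire code): two detections behind the power-company
story, over constructed data. The HR feed, hostnames, field layout and
timestamps are all assumptions."""
import re
from datetime import datetime, timedelta

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed HR feed: account -> moment its access should have been revoked.
TERMINATED_ACCOUNTS = {"tjones": datetime(2014, 3, 14, 17, 0)}

# Constructed logon records (successes and failures) from a domain controller
# and a firewall's management interface, "<ISO timestamp> k=v k=v ..." layout.
AUTH_LOGS = """\
2014-03-14T10:02:11 host=dc01 user=tjones result=success src=10.0.3.7
2014-03-19T04:02:11 host=dc01 user=tjones result=success src=10.0.3.7
2014-03-19T04:05:30 host=fw-edge user=tjones result=success src=10.0.3.7
2014-03-19T09:15:00 host=dc01 user=asmith result=success src=10.0.3.8
2014-03-19T09:16:00 host=dc01 user=tjones result=failure src=10.0.3.9
"""

# Constructed collector view of which source sent anything and when:
# dc01 keeps reporting every hour, fw-edge stops after 03:00.
LOG_SOURCE_EVENTS = """\
2014-03-19T01:00:00 source=fw-edge
2014-03-19T01:00:00 source=dc01
2014-03-19T02:00:00 source=fw-edge
2014-03-19T02:00:00 source=dc01
2014-03-19T03:00:00 source=fw-edge
2014-03-19T03:00:00 source=dc01
2014-03-19T04:00:00 source=dc01
2014-03-19T05:00:00 source=dc01
2014-03-19T06:00:00 source=dc01
"""


def parse(log_text):
    """Yield (timestamp, field dict) per non-empty line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, _, rest = line.partition(" ")
            yield datetime.fromisoformat(ts), dict(KV_RE.findall(rest))


def terminated_account_activity(auth_text, terminated):
    """Every logon attempt by an account after its termination time.
    Failures are reported too: a revoked account should not be tried at all.
    Weekday and hour are included because '4 AM on a Wednesday' is what
    makes the analyst look twice."""
    hits = []
    for ts, f in parse(auth_text):
        user = f.get("user")
        cutoff = terminated.get(user)
        if cutoff is not None and ts > cutoff:
            hits.append({
                "ts": ts.isoformat(), "user": user, "host": f.get("host"),
                "result": f.get("result"), "src": f.get("src"),
                "weekday": ts.strftime("%A"), "hour": ts.hour,
            })
    return hits


def silent_log_sources(source_text, now, max_gap):
    """Sources whose most recent event is older than max_gap at time `now`,
    as {source: minutes_silent}. A firewall whose logging was switched off
    never emits 'logging disabled'; it shows up only as absence."""
    last_seen = {}
    for ts, f in parse(source_text):
        src = f["source"]
        last_seen[src] = max(ts, last_seen.get(src, ts))
    return {src: int((now - seen).total_seconds() // 60)
            for src, seen in last_seen.items() if now - seen > max_gap}


def check_sources(source_text=LOG_SOURCE_EVENTS, now_iso="2014-03-19T06:30:00",
                  max_gap_minutes=60):
    """Convenience wrapper: run the silence check at a given wall-clock time."""
    return silent_log_sources(source_text, datetime.fromisoformat(now_iso),
                              timedelta(minutes=max_gap_minutes))


if __name__ == "__main__":
    for h in terminated_account_activity(AUTH_LOGS, TERMINATED_ACCOUNTS):
        print("TERMINATED ACCOUNT ACTIVE:", h)
    for src, mins in check_sources().items():
        print(f"LOG SOURCE SILENT: {src} for {mins} min (logging disabled?)")
```

On the constructed data the first check flags three events for tjones after the 14 March cutoff (two successful logons at 04:02 and 04:05 on a Wednesday, plus a later failed attempt) and ignores the logon from before termination; the second check reports fw-edge as silent for 210 minutes at 06:30 while dc01, last heard at 06:00, is fine. The HR feed is the input that makes the first check work at all, which is why the slides keep insisting on a standing channel between HR and IT.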


Slide 27

CUSTOMER STORY: DON'T TREAD ON ME (MALICIOUS INSIDERS UNVEILED)
- Deployed a proof of concept (PoC) of Tripwire Log Center and Tripwire Enterprise at a large tire retailer
- Discovered a backdoor set up by a terminated employee that was still being actively accessed


Slide 28

RESPOND
- Implement secure backup and recovery processes
- Be able to quickly audit a user's network behavior
- Develop an insider incident response plan (inter-departmental)


Slide 29

I’m On A Boat! Network Admin Hacked Navy—While on an Aircraft Carrier http://www.wired.com/2014/05/navy-sysadmin-hacking/


Slide 30

INSIDER THREAT KILL CHAIN Insider Timeline


Slide 31

Questions? Ken Westin [email protected] Twitter: @kwestin

