Signs You Have An Insider Threat
Brian Butler, CSE
Changes in Attack Behavior
“It’s not about the 98% you catch, it’s about the 2% you miss.”
– NSS Labs: Analyst Brief
Insider Threat Motivations
• Financial gain: selling stolen data or directly competing with their former employer
• Convenience: using unapproved workarounds to speed things up or assist an end user
– 2015 Verizon Data Breach Investigations Report
Top Insider Threats by Role
Chart: roles shown are End user, Cashier, Finance, Executive; shares shown are 11.2%, 10.4%, 37.6%, 16.8%
– 2015 Verizon Data Breach Investigations Report
Who is Attacking the Network?
• Negligent Insiders – insiders who accidentally expose data, such as an employee who forgets their laptop on an airplane.
• Malicious Insiders – insiders who intentionally steal data or destroy systems.
• Compromised Insiders – insiders whose access credentials and/or computer have been compromised by an outside attacker.
Trends in Enterprise Networks
• Bring Your Own Device (BYOD): smart phones, tablets, storage
• Open Networks: guest, partner and contractor access
• Social Engineering: phishing, muleware
• Cloud Infrastructure: Are You Ready!!
AWS Shared Responsibility Model
“While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter.”
– Amazon Web Services
Cloud Security
• Internal East-West Traffic: monitoring traffic from host to host; the cost of compromised resources
• External Traffic: traffic crossing the gateway; infiltrated data; DDoS, external and internal
Social Engineering Techniques
• Shoulder Surfing
• Dumpster Diving
• Trojan Horse
• Surfing Online
• Social Engineering
• Phishing
• Role Playing
Social Engineering Made Easy
• Search for public-facing data: contact info, company infrastructure
• Employee education and policy: alerting end users; not allowing .ZIP etc.
What is Muleware?
Muleware solicits the participation of the user and offers incentives to play a small role in the attack campaign.
“Up until this point, cybercriminals have attained their resources by exploiting and compromising devices, but wouldn’t it be more efficient and much more profitable to pay for these resources and turn thousands of would-be victims into part of the attacker’s supply chain?”
– Lancope CTO, TK Keanini
5 Signs of Insider Threat Activity
• Policy Violations
• Stolen Credentials
• Suspicious Behavior
• Unauthorized Access
• Unusual Data Movement
Stolen Credentials
“Two out of three breaches exploit weak or stolen passwords”
– Verizon, 2014 Data Breach Investigations Report
Recent Data Breaches Using Compromised Credentials
• Target: 70,000,000
• Adobe: 36,000,000
• Home Depot: 56,000,000
• Jimmy John’s Subs: 217 locations
What the Breaches Have in Common
“Four replaced credit cards within two years!”
Suspicious Behavior
Host or end user communicating, or attempting to communicate, with an internal host that is ‘not normal’.
Host or end user connecting to ‘not normal’ outside hosts.
Geographic Traffic Anomaly
Does the company conduct business in China?
Geographic Traffic Anomaly
Historical application graph displays FTP traffic to China in the past.
Pattern Traffic Anomaly
Abnormal traffic pattern produced by a host or network segment.
Graph reporting a 3-layer DDoS attack as a smoke screen hiding data exfiltration.
Time of Day Anomaly
Network and/or host activity at abnormal hours.
Graph reporting server response time greatly increasing at 1:45 AM and 4:00 AM.
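The geographic and time-of-day anomalies above are both "this host never did that before" questions, which a baseline over historical flow records can answer. The following is an added example written for this page, not code from the deck or from Lancope: the flow records, the business-country list and the business-hours window are constructed assumptions, and the per-host baseline of countries, applications and active hours is one simple way to build the "historical application graph" the slide refers to.

```python
from collections import defaultdict
from datetime import datetime

# Constructed NetFlow-style records, not data from the slides:
# (timestamp, source host, application, destination country, bytes)
HISTORY = [
    ("2015-03-02T09:15:00", "10.201.3.10", "HTTPS", "US", 120_000),
    ("2015-03-02T14:40:00", "10.201.3.10", "HTTPS", "DE", 80_000),
    ("2015-03-03T10:05:00", "10.201.3.10", "HTTPS", "US", 95_000),
    ("2015-03-03T11:30:00", "10.201.3.22", "FTP",   "US", 5_000_000),
    ("2015-03-04T16:00:00", "10.201.3.22", "FTP",   "CN", 4_000_000),
    ("2015-03-05T08:50:00", "10.201.3.22", "SSH",   "US", 30_000),
]
NEW = [
    ("2015-03-10T10:20:00", "10.201.3.10", "HTTPS", "US", 110_000),    # routine
    ("2015-03-10T13:05:00", "10.201.3.10", "FTP",   "CN", 9_000_000),  # new app, new country
    ("2015-03-11T01:45:00", "10.201.3.22", "FTP",   "CN", 7_000_000),  # known, but at 01:45
    ("2015-03-11T04:00:00", "10.201.3.22", "SSH",   "RU", 50_000),     # new country, off hours
]

# Assumed business profile: where the company actually does business and
# when interactive traffic is expected (local time).
BUSINESS_COUNTRIES = {"US", "DE"}
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59


def hour_of(ts):
    return datetime.fromisoformat(ts).hour


def build_baseline(records):
    """Per host: the countries, applications and hours seen in the history window."""
    base = defaultdict(lambda: {"countries": set(), "apps": set(), "hours": set()})
    for ts, host, app, country, _ in records:
        base[host]["countries"].add(country)
        base[host]["apps"].add(app)
        base[host]["hours"].add(hour_of(ts))
    return base


def score(record, baseline):
    """Anomaly tags for one record; an empty list means the record looks routine."""
    ts, host, app, country, _ = record
    seen = baseline[host]   # an unknown host has an empty baseline: everything is new
    tags = []
    if country not in seen["countries"]:
        tags.append("geo:new-country-for-host")
    if country not in BUSINESS_COUNTRIES:
        tags.append("geo:outside-business-footprint")
    if app not in seen["apps"]:
        tags.append("app:new-application-for-host")
    hour = hour_of(ts)
    # Off hours only counts when the host has no history of activity at that hour
    if hour not in BUSINESS_HOURS and hour not in seen["hours"]:
        tags.append("time:off-hours")
    return tags


def detect(new_records, history):
    """Return (timestamp, host, tags) for every new record that carries at least one tag."""
    baseline = build_baseline(history)
    findings = []
    for rec in new_records:
        tags = score(rec, baseline)
        if tags:
            findings.append((rec[0], rec[1], tags))
    return findings


if __name__ == "__main__":
    for ts, host, tags in detect(NEW, HISTORY):
        print(ts, host, ", ".join(tags))
```

The third record is the case the "Does the company conduct business in China?" slide is about: the host has talked FTP to China before, so it is not new for that host, but it is still outside the business footprint and now happens at 01:45, so it is reported on those two grounds rather than silently accepted because it matches history.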
Unauthorized Access
Unauthorized segment or host communications, or attempts (diagram: Host or End-User)
Unauthorized Access
Segmentation, compliance and sensitive data visibility
Multiple Login
Ethel has logged in, one hour apart, from locations several hundred miles apart.
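The "Ethel" case is the classic impossible-travel check: two logins whose distance divided by the time between them implies a speed no traveller can reach. The example below is added for this page and is not code from the deck or from Lancope; the login events, coordinates and the 900 km/h ceiling are constructed assumptions, and the distance comes from the haversine formula on the login geolocations.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed login events (not from the slides): timestamp, user, city, latitude, longitude
LOGINS = [
    ("2015-03-10T09:00:00", "ethel", "Atlanta",  33.749, -84.388),
    ("2015-03-10T10:00:00", "ethel", "New York", 40.713, -74.006),  # ~1200 km one hour later
    ("2015-03-10T09:00:00", "bob",   "Atlanta",  33.749, -84.388),
    ("2015-03-10T15:00:00", "bob",   "New York", 40.713, -74.006),  # six hours: a real flight
    ("2015-03-10T11:00:00", "carol", "Atlanta",  33.749, -84.388),
    ("2015-03-10T11:00:00", "carol", "New York", 40.713, -74.006),  # same instant, two places
]

# Assumed ceiling: roughly airliner speed. Anything faster cannot be one person.
MAX_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on the Earth, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_KMH):
    """Alert on consecutive logins by one user that would require travelling faster than max_kmh."""
    by_user = defaultdict(list)
    for ts, user, city, lat, lon in events:
        by_user[user].append((datetime.fromisoformat(ts), city, lat, lon))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()   # chronological; tuples compare on the datetime first
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(logins, logins[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            if dist < 1.0:
                continue   # same site (or GeoIP jitter): nothing to evaluate
            hours = (t2 - t1).total_seconds() / 3600
            # A zero gap with a real distance is the worst case, not a division error
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({
                    "user": user, "from": c1, "to": c2,
                    "km": round(dist), "hours": round(hours, 2),
                    "kmh": speed if speed == float("inf") else round(speed),
                })
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(LOGINS):
        print(a)
```

Bob's Atlanta-to-New York pair is the control: the same distance over six hours is an ordinary trip and produces no alert, which is why the check must be on speed rather than on "two cities in one day". In production the geolocation usually comes from a GeoIP lookup on the source address, and VPN egress points and mobile carrier gateways are the main sources of false positives, so the ceiling is best applied per user population rather than as one global constant.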
Malicious Insiders
Research indicates that insider threats typically conduct their attacks within 30 days of giving their resignation.
– CERT Insider Threat Center
Malicious Insiders
Suspect Employee Visibility
© 2014 Lancope, Inc. All rights reserved.
Scenario: The organization is at risk from a targeted attack!
The adversary is already in using stolen credentials, so what are we defending against:
• Sabotage
• Espionage
• Data Loss
• Fraud
Security events have triggered indicating there is internal recon activity, a compromised server, and data exfiltration.
ALERT: Targeted Attack
1. Internal user performing recon
2. Finds server, performs port scan to find method to steal data, disables endpoint protection and begins collecting data
3. Encrypts data and exfiltrates out to Dropbox
Diagram: 10.201.3.149 → 10.201.0.0/24, 10.201.1.0/24, 10.201.2.0/24 (step 1); 10.201.3.149 → 10.201.0.72 (step 2); 10.201.3.149 → 60.10.254.10 (step 3)
5 Signs you have an Insider Threat
Unusual Data Movement
Diagram: Unauthorized Segments or Hosts / Host or End-User
Unusual Protocol Behavior
Diagram: typical DNS protocol behavior versus not typical protocol behavior
Application / Payload Mismatch
Port 53 used to move P2P data.
Data Hoarding
• One to a few hosts reaching out and pulling data from multiple hosts in the enterprise
• Many more hosts touched than in a normal day’s workflow
Data Exfiltration
• One to a few hosts sending data to hosts outside of the enterprise
• Typically seen after data hoarding is completed
Scenario: An internal user is stealing data!
The user could be a:
• Disgruntled employee
• Person about to leave the company
• Person with privileged credentials
• Person stealing and selling trade secrets
Security events have triggered indicating a user is connecting to a terminal server, collecting data from a sensitive database, and tunneling the traffic out of the network using P2P through UDP port 53 (DNS port).
ALERT: Insider Threat
1. Internal user connects to Terminal Server
2. Terminal server used to collect sensitive data from within the same subnet inside the datacenter.
3. Terminal server used to encrypt data and tunnel through DNS port to an upload server
Diagram: 10.201.3.18 → 10.201.0.23 (step 1); 10.201.0.23 → 10.201.0.55 (step 2); 10.201.0.23 → 74.213.99.97 (step 3)
Policy Violations
Diagram: Enterprise Network / Host / End-User
While this isn’t always indicative of an insider threat, violations of company network policies could represent an employee attempting to subvert perimeter defenses.
– Brian Butler, CSE
Audit Firewall Rules
... is listed in a major DNS Black List (use ip/dnsbl).
Contractor Violations
http://www.lancope.com
Thank You
Questions & Answers
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 

Último (20)

201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 

5 Signs you have an Insider Threat

  • 10. Social Engineering Made Easy
      • Search for Public Facing Data
        Contact info
        Company infrastructure
      • Employee Education and Policy
        Alerting end users
        Not allowing .ZIP etc.
  • 11. What is Muleware?
      Muleware solicits the participation of the user and offers incentives to play a small role in the attack campaign.
      “Up until this point, cybercriminals have attained their resources by exploiting and compromising devices, but wouldn’t it be more efficient and much more profitable to pay for these resources and turn thousands of would-be victims into part of the attacker’s supply chain?” – Lancope CTO, TK Keanini
  • 12. 5 Signs of Insider Threat Activity: Policy Violations, Stolen Credentials, Suspicious Behavior, Unauthorized Access, Unusual Data Movement
  • 13. Stolen Credentials
      “Two out of three breaches exploit weak or stolen passwords” – Verizon, 2014 Data Breach Investigations Report
  • 14. Recent Data Breaches using Compromised Credentials
      Target: 70,000,000
      Adobe: 36,000,000
      Home Depot: 56,000,000
      Jimmy John’s Subs: 217 locations
  • 15. Breaches Have in Common
      “Four replaced credit cards within two years!”
  • 16. 5 Signs of Insider Threat Activity: Policy Violations, Stolen Credentials, Suspicious Behavior, Unauthorized Access, Unusual Data Movement
  • 17. Suspicious Behavior
      A host or end user communicating, or attempting to communicate, with an internal host that is ‘not normal’.
      A host or end user connecting to ‘not normal’ outside hosts.
  • 18. Geographic Traffic Anomaly: does the company conduct business in China?
  • 19. Geographic Traffic Anomaly: the Historical Application graph displays FTP traffic to China in the past.
  • 20. Pattern Traffic Anomaly: an abnormal traffic pattern produced by a host or network segment. Graph reporting a 3-layer DDoS attack used as a smokescreen to hide data exfiltration.
  • 21. Time of Day Anomaly: network and/or host activity at abnormal hours. Graph reporting server response time greatly increasing at 1:45 AM and 4:00 AM.
  • 22. 5 Signs of Insider Threat Activity: Policy Violations, Stolen Credentials, Suspicious Behavior, Unauthorized Access, Unusual Data Movement
  • 23. Unauthorized Access: communications, or attempts, from a host or end user to unauthorized segments or hosts.
  • 24. Unauthorized Access: segmentation, compliance and sensitive data visibility.
  • 25. Multiple Login: Ethel has logged in one hour apart into locations several hundred miles apart.
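The multiple-login sign on slide 25 is what most SIEMs call an impossible-travel check. The Python script below is an added example, not code from the deck or from Lancope: it groups geolocated login records by user, measures the great-circle distance between consecutive logins, and flags any pair that would require travel faster than a plausible speed. The login records, the city coordinates, the 700 km/h ceiling and the 50 km jitter floor are all constructed assumptions.

```python
"""Multiple-login / impossible-travel check: flag a user whose consecutive logins
come from places too far apart for the time between them. Constructed sample only."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    site: str      # label for the geolocated source, e.g. a city
    lat: float
    lon: float


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points (haversine formula)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=700.0, min_distance_km=50.0):
    """Return one finding per consecutive login pair (per user, in time order) that
    would need travel faster than max_speed_kmh. Pairs closer than min_distance_km
    are ignored so GeoIP jitter inside one metro area does not fire the rule; two
    distant logins with the same timestamp are reported with speed float('inf')."""
    by_user = defaultdict(list)
    for lg in logins:
        by_user[lg.user].append(lg)
    findings = []
    for user, seq in by_user.items():
        seq.sort(key=lambda lg: lg.when)
        for prev, cur in zip(seq, seq[1:]):
            km = distance_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_distance_km:
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                findings.append({"user": user, "from": prev.site, "to": cur.site,
                                 "km": round(km), "hours": round(hours, 2), "kmh": speed})
    return findings


def sample_logins():
    """Constructed VPN/SSO login records (assumed data); coordinates are city centres."""
    atl = (33.7490, -84.3880)   # Atlanta
    chi = (41.8781, -87.6298)   # Chicago, roughly 950 km from Atlanta
    return [
        Login("ethel", datetime(2015, 3, 2, 9, 0), "Atlanta", *atl),
        Login("ethel", datetime(2015, 3, 2, 10, 0), "Chicago", *chi),   # one hour later: the slide-25 case
        Login("bob", datetime(2015, 3, 2, 9, 5), "Atlanta", *atl),
        Login("bob", datetime(2015, 3, 2, 14, 30), "Atlanta", 33.7510, -84.3900),  # same metro, GeoIP jitter
        Login("alice", datetime(2015, 3, 2, 8, 0), "Atlanta", *atl),
        Login("alice", datetime(2015, 3, 2, 13, 0), "Chicago", *chi),   # five hours apart: a flight, plausible
    ]


if __name__ == "__main__":
    for f in impossible_travel(sample_logins()):
        print(f"{f['user']}: {f['from']} -> {f['to']} {f['km']} km in {f['hours']} h ({f['kmh']:.0f} km/h)")
```

Only Ethel is reported: Alice covers the same distance in five hours, which a flight explains, and Bob's two Atlanta logins fall under the jitter floor. In production the coordinates come from a GeoIP lookup on the login source address, and the speed ceiling should be tuned so that legitimate travellers on long-haul flights are not paged.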
  • 26. Malicious Insiders: research indicates that insider threats typically conduct their attacks within 30 days of giving their resignation. – CERT Insider Threat Center
  • 28. Scenario: The organization is at risk from a targeted attack!
      The adversary is already in, using stolen credentials, so what are we defending against:
      • Sabotage
      • Espionage
      • Data Loss
      • Fraud
      Security events have triggered indicating that there is internal recon activity, a compromised server, and data exfiltration.
      ALERT: Targeted Attack
      1. Internal user performing recon
      2. Finds server, performs port scan to find a method to steal data, disables endpoint protection and begins collecting data
      3. Encrypts data and exfiltrates out to Dropbox
      Diagram (one panel per step): 10.201.3.149 -> 10.201.0.0/24, 10.201.1.0/24, 10.201.2.0/24; 10.201.3.149 -> 10.201.0.72; 10.201.3.149 -> 60.10.254.10
      © 2014 Lancope, Inc. All rights reserved.
  • 34. 5 Signs of Insider Threat Activity: Policy Violations, Stolen Credentials, Suspicious Behavior, Unauthorized Access, Unusual Data Movement
  • 35. Unusual Data Movement: a host or end user moving data to unauthorized segments or hosts.
  • 36. Unusual Protocol Behavior: graph of typical DNS protocol behavior.
  • 37. Unusual Protocol Behavior: graph of protocol behavior that is not typical.
  • 38. Application / Payload Mismatch: port 53 used to move P2P data.
  • 39. Data Hoarding
      • One to a few hosts reaching out and pulling data from multiple hosts in the enterprise
      • Many more hosts touched than in a normal day’s workflow
  • 40. Data Exfiltration
      • One to a few hosts sending data to hosts outside of the enterprise
      • Typically seen after Data Hoarding is completed
  • 41. Scenario: An internal user is stealing data!
      The user could be a:
      • Disgruntled employee
      • Person about to leave the company
      • Person with privileged credentials
      • Person stealing and selling trade secrets
      Security events have triggered indicating a user is connecting to a terminal server, collecting data from a sensitive database, and tunneling the traffic out of the network using P2P through UDP port 53 (the DNS port).
      ALERT: Insider Threat
      1. Internal user connects to Terminal Server
      2. Terminal server used to collect sensitive data from within the same subnet inside the datacenter.
      3. Terminal server used to encrypt data and tunnel through the DNS port to an upload server
      Diagram (one panel per step): 10.201.3.18 -> 10.201.0.23; 10.201.0.23 -> 10.201.0.55; 10.201.0.23 -> 74.213.99.97
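Slides 38 to 40 describe three flow-level signs (port 53 carrying something other than DNS, data hoarding, and exfiltration), and slide 41 walks through them as one scenario. The Python below is an added example, not Lancope's or the presenter's code: it runs those three checks over constructed NetFlow-style records that follow the slide-41 addresses (terminal server 10.201.0.23, upload server 74.213.99.97). The internal range 10.201.0.0/16, the resolver 10.201.0.5, the flow volumes, the per-host baselines and every threshold are assumptions.

```python
"""Flow-based checks for three of the five signs: data hoarding, application /
payload mismatch on port 53, and data exfiltration. Constructed sample flows only."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the user and datacenter subnets from the slide scenarios live in 10.201.0.0/16.
INTERNAL_NETS = [ip_network("10.201.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """One bidirectionally summarised conversation, NetFlow style (constructed, not a real export)."""
    src: str          # initiating host
    dst: str          # responder
    proto: str        # "tcp" or "udp"
    dport: int        # destination port
    packets: int      # packets in both directions
    bytes_out: int    # bytes src -> dst
    bytes_in: int     # bytes dst -> src


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def data_hoarding(flows, baseline_peers, factor=3, min_peers=10):
    """Internal hosts that pulled data (more bytes in than out) from far more internal
    peers than their baseline. baseline_peers maps host -> distinct peers on a normal day."""
    pulled_from = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.bytes_in > f.bytes_out:
            pulled_from[f.src].add(f.dst)
    hits = {}
    for host, peers in pulled_from.items():
        base = baseline_peers.get(host, 1)
        if len(peers) >= min_peers and len(peers) >= factor * base:
            hits[host] = len(peers)
    return hits


def dns_payload_mismatch(flows, max_avg_bytes=512, max_total_bytes=1_000_000):
    """Port 53 conversations whose volume does not look like name resolution:
    real DNS is a few small packets, not megabytes or large average packet sizes."""
    hits = []
    for f in flows:
        if f.dport != 53:
            continue
        total = f.bytes_out + f.bytes_in
        avg = total / max(f.packets, 1)
        if avg > max_avg_bytes or total > max_total_bytes:
            hits.append((f.src, f.dst, f.proto, total))
    return hits


def exfiltration(flows, min_bytes=50_000_000):
    """Internal hosts pushing a large volume to external destinations, summed per (src, dst)."""
    sent = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            sent[(f.src, f.dst)] += f.bytes_out
    return {pair: b for pair, b in sent.items() if b >= min_bytes}


def sample_flows():
    """Constructed flows following the slide-41 scenario (terminal server 10.201.0.23)."""
    flows = [
        # ordinary DNS lookups from a workstation to the internal resolver (assumed 10.201.0.5)
        Flow("10.201.3.18", "10.201.0.5", "udp", 53, 2, 70, 160),
        Flow("10.201.3.18", "10.201.0.5", "udp", 53, 2, 65, 140),
        # workstation RDP session into the terminal server (step 1)
        Flow("10.201.3.18", "10.201.0.23", "tcp", 3389, 8000, 1_200_000, 9_500_000),
    ]
    # hoarding (step 2): terminal server pulls ~5 MB each from 26 hosts in its own subnet
    for n in range(30, 56):
        flows.append(Flow("10.201.0.23", f"10.201.0.{n}", "tcp", 445, 6000, 40_000, 5_000_000))
    # tunnel (step 3): 120 MB pushed out over UDP/53 to the upload server in three flows
    for _ in range(3):
        flows.append(Flow("10.201.0.23", "74.213.99.97", "udp", 53, 45000, 40_000_000, 900_000))
    return flows


def run_checks(flows, baseline_peers):
    return {
        "data_hoarding": data_hoarding(flows, baseline_peers),
        "dns_mismatch": dns_payload_mismatch(flows),
        "exfiltration": exfiltration(flows),
    }


if __name__ == "__main__":
    report = run_checks(sample_flows(), {"10.201.0.23": 3, "10.201.3.18": 12})
    for sign, hits in report.items():
        print(sign, hits)
```

The three checks fire in the order the scenario describes: the terminal server first touches 26 peers against a baseline of 3, then the UDP/53 conversations stand out by size long before anyone inspects the payload, and the per-pair byte total to 74.213.99.97 crosses the exfiltration threshold. The hoarding baseline is the part that needs real history; in practice it is built from weeks of flow records per host rather than the literal dictionary used here, and every threshold is a starting point to be tuned against the traffic you actually see.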
  • 50. 5 Signs of Insider Threat Activity: Policy Violations, Stolen Credentials, Suspicious Behavior, Unauthorized Access, Unusual Data Movement
  • 52. Policy Violations
      While this isn’t always indicative of an insider threat, violations of company network policies could represent an employee attempting to subvert perimeter defenses. – Brian Butler, CSE
  • 53. Audit Firewall Rules
      ... is listed in a major DNS Black List (use ip/dnsbl).