While the current threat landscape is full of sophisticated and well-resourced adversaries, one of the most dangerous is the insider because they already have access to the sensitive data on your network.
According to a report from Forrester Research, nearly half of technology decision makers who experienced a data breach in the year studied reported that an internal incident was the source of their compromise.
Since firewalls and perimeter defenses are largely incapable of addressing insider threats, organizations must turn to internal network monitoring and analytics to identify threats based on their behavior.
Join us for a free webinar on the Five Signs You Have an Insider Threat to learn what to look for to protect your organization from this challenging attack type. The webinar will cover topics including:
- Insider threat prevalence
- Major signs of insider threat activity
- How to detect these signs
- How to identify an insider threat before they impact your organization
2. Changes in Attack Behavior
“It’s not about the 98% you catch, it’s about the 2% you miss.”
– NSS Labs: Analyst Brief
3. Insider Threat Motivations
• Financial gain
  Selling stolen data or directly competing with their former employer
• Convenience
  Using unapproved workarounds to speed things up or assist an end user
– 2015 Verizon Data Breach Investigations Report
4. Top Insider Threats by Role
Chart shown: insider threat actors by role. The roles listed were End user, Cashier, Finance and Executive; the percentages shown were 11.2%, 10.4%, 37.6% and 16.8% (the role-to-percentage pairing was not recoverable from the extracted slide).
– 2015 Verizon Data Breach Investigations Report
5. Who is Attacking the Network?
• Negligent Insiders – Insiders who accidentally expose data, such as an employee who forgets their laptop on an airplane.
• Malicious Insiders – Insiders who intentionally steal data or destroy systems.
• Compromised Insiders – Insiders whose access credentials and/or computer have been compromised by an outside attacker.
6. Trends In Enterprise Networks
• Bring Your Own Device (BYOD)
  Smart phones, tablets, storage
• Open Networks
  Guest, partner and contractor access
• Social Engineering
  Phishing, muleware
• Cloud Infrastructure
  Are you ready?
7. AWS Shared Responsibility Model
“While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter.”
-Amazon Web Services
8. Cloud Security
• Internal East-West Traffic
  Monitoring traffic from host to host
  Cost of compromised resources
• External Traffic
  Traffic crossing the gateway
  Infiltrated data
  DDoS, external and internal
10. Social Engineering Made Easy
• Search for Public Facing Data
  Contact info
  Company infrastructure
• Employee Education and Policy
  Alerting end users
  Not allowing .ZIP attachments, etc.
11. What is Muleware?
Muleware solicits the user’s participation, offering incentives to play a small role in the attack campaign.
“Up until this point, cybercriminals have attained their resources by exploiting and compromising devices, but wouldn’t it be more efficient and much more profitable to pay for these resources and turn thousands of would-be victims into part of the attacker’s supply chain?”
– Lancope CTO, TK Keanini
12. 5 Signs of Insider Threat Activity
• Policy Violations
• Stolen Credentials
• Suspicious Behavior
• Unauthorized Access
• Unusual Data Movement
13. Stolen Credentials
“Two out of three breaches exploit weak or stolen passwords”
– Verizon, 2014 Data Breach Investigations Report
14. Recent Data Breaches Using Compromised Credentials
• Target – 70,000,000
• Adobe – 36,000,000
• Home Depot – 56,000,000
• Jimmy John’s Subs – 217 locations
15. What These Breaches Have in Common
“Four replaced credit cards within two years!”
17. Suspicious Behavior
• A host communicating, or attempting to communicate, with an internal host that is ‘not normal’ for it.
• A host or end user connecting to ‘not normal’ outside hosts.
20. Pattern Traffic Anomaly
Abnormal traffic pattern produced by a host or network segment.
Graph shown: a three-layer DDoS attack used as a smoke screen to hide data exfiltration.
21. Time of Day Anomaly
Network and/or host activity at abnormal hours.
Graph shown: server response time increasing sharply at 1:45 AM and 4:00 AM.
26. Malicious Insiders
Research indicates that insider threats typically conduct their attacks within 30 days of giving their resignation.
– CERT Insider Threat Center
39. Data Hoarding
• One or a few hosts reaching out and pulling data from multiple hosts in the enterprise
• Many more hosts touched than in a normal day’s workflow
40. Data Exfiltration
• One or a few hosts sending data to hosts outside of the enterprise
• Typically seen after Data Hoarding is completed
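The hoarding-then-exfiltration sequence described in slides 39 and 40, as an added example that is not part of the original deck or of any Lancope product. It profiles, per host and day, how many distinct internal hosts sent it data (fan-in) and how many bytes it sent to external addresses, compares both against the host’s busiest baseline day, and escalates an egress spike to a data-exfiltration alert only when the same host had a hoarding alert in the preceding week. The 10.0.0.0/8 internal range, the hosts, the traffic volumes, the thresholds and the window are all assumptions made for the example.

```python
"""Data hoarding followed by data exfiltration, over constructed flow records.

Added example, not code from the original deck. Records are
(day, src, dst, bytes_from_src_to_dst). The internal range, hosts, volumes,
thresholds and window below are assumptions made up for the example.
"""
import ipaddress
from collections import defaultdict
from datetime import date

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed enterprise range

# Constructed baseline week: workstation 10.1.1.20 pulls from two servers a
# day and sends about 2 MB/day to one SaaS address (203.0.113.5, TEST-NET-3).
BASELINE_FLOWS = []
for _day in ("2015-03-02", "2015-03-03", "2015-03-04", "2015-03-05", "2015-03-06"):
    BASELINE_FLOWS += [
        (_day, "10.1.5.10", "10.1.1.20", 30_000_000),   # file server -> workstation
        (_day, "10.1.5.20", "10.1.1.20", 5_000_000),    # mail server -> workstation
        (_day, "10.1.1.20", "203.0.113.5", 2_000_000),  # workstation -> SaaS
    ]

# Constructed observation: on 03-09 the workstation pulls from twelve internal
# hosts; two days later it pushes 450 MB to an address it never used before.
# 10.1.1.30 has no baseline and stays within the floor, so it must not alert.
OBSERVED_FLOWS = [
    ("2015-03-09", f"10.1.6.{i}", "10.1.1.20", 40_000_000) for i in range(1, 13)
] + [
    ("2015-03-09", "10.1.1.20", "203.0.113.5", 2_000_000),
    ("2015-03-11", "10.1.1.20", "198.51.100.7", 450_000_000),
    ("2015-03-11", "10.1.5.10", "10.1.1.30", 1_000_000),
    ("2015-03-11", "10.1.1.30", "203.0.113.9", 3_000_000),
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def daily_profile(flows):
    """Per (day, host): the internal hosts that sent it data (what it pulled),
    and the bytes it sent to external addresses."""
    pulled_from, egress = defaultdict(set), defaultdict(int)
    for day, src, dst, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            pulled_from[(day, dst)].add(src)
        elif is_internal(src):
            egress[(day, src)] += nbytes
    return pulled_from, egress


def build_baseline(flows):
    """Per host: fan-in and egress of its busiest baseline day."""
    pulled_from, egress = daily_profile(flows)
    max_fan_in, max_egress = defaultdict(int), defaultdict(int)
    for (_, host), srcs in pulled_from.items():
        max_fan_in[host] = max(max_fan_in[host], len(srcs))
    for (_, host), nbytes in egress.items():
        max_egress[host] = max(max_egress[host], nbytes)
    return max_fan_in, max_egress


def detect(flows, max_fan_in, max_egress, hoard_factor=3, egress_factor=5,
           egress_floor=1 << 20, window_days=7):
    """Flag hoarding days and egress spikes; an egress spike that follows a
    hoarding alert for the same host within window_days becomes exfiltration."""
    pulled_from, egress = daily_profile(flows)
    alerts, hoard_days = [], defaultdict(list)
    for (day, host), srcs in sorted(pulled_from.items(), key=lambda kv: kv[0]):
        # A host with no baseline gets a fan-in of 1, so anything above
        # hoard_factor distinct sources is still flagged.
        if len(srcs) > hoard_factor * max(max_fan_in.get(host, 0), 1):
            alerts.append(("data-hoarding", day, host, len(srcs)))
            hoard_days[host].append(date.fromisoformat(day))
    for (day, host), nbytes in sorted(egress.items(), key=lambda kv: kv[0]):
        # The floor keeps a host with no baseline egress from alerting on
        # a few megabytes of ordinary traffic.
        if nbytes > egress_factor * max(max_egress.get(host, 0), egress_floor):
            d = date.fromisoformat(day)
            preceded = any(0 <= (d - h).days <= window_days for h in hoard_days[host])
            kind = "data-exfiltration" if preceded else "unusual-egress"
            alerts.append((kind, day, host, nbytes))
    return alerts


if __name__ == "__main__":
    for alert in detect(OBSERVED_FLOWS, *build_baseline(BASELINE_FLOWS)):
        print(*alert)
```

The factors are chosen by hand here; in practice the baseline should be several weeks long and the external side should distinguish sanctioned cloud storage from unknown destinations, since a legitimate backup job to an approved bucket looks identical to exfiltration at the byte-count level.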
52. Policy Violations
While this isn’t always indicative of an insider threat, violations of company network policies could represent an employee attempting to subvert perimeter defenses.
– Brian Butler, CSE