
2017 Data Breach Digest Update

The Insider Threat: Protecting the Keys to the Kingdom

As we illustrated in the 2017 Data Breach Digest (DBD), data breaches are complex affairs. The corresponding breach response activities are proportionately complex. Furthermore, these activities are not just an IT security problem, they’re also a burden shouldered by other stakeholders, such as legal counsel, HR, and corporate communications.

Human beings play a significant role in cybersecurity incidents. Humans fulfill the roles of incident response stakeholders, cybersecurity defenders, targeted victims, and threat actors. This human element is particularly significant for those incidents involving “insider threat” actors.

VERIS¹ defines threat actors as entities that cause or contribute to an incident, whether it’s malicious or non-malicious, intentional or accidental, direct or indirect. Threat action varieties most attributable to human factors include Social (human assets are compromised), Misuse (insiders are threat actors), and Error (people making mistakes). According to our incident and breach corpus, over the previous three years (2014-2016), over half (60%) of all data breaches involved one or more of these three human elements. If we look at just the previous year (2016), this percentage increases to 69%.

¹ VERIS = Vocabulary for Enterprise Risk and Incident Sharing: http://veriscommunity.net/

² See DBIR, p. 48.

Who

The top three industries affected by this incident pattern are Public, Healthcare, and Finance.²

Why

What’s more common is the average end-user absconding with data in the hope of converting it to cash somewhere down the line (60%).

Sometimes employees let their curiosity get the better of them and they engaged in some unsanctioned snooping (17%).

This pattern also features espionage motives (15%) involving data stolen to either start up a competing company or take to a new employer. In those cases, sensitive internal data and/or trade secrets were stolen (24%).

How

Threat actors within this pattern were kicking back inside your perimeter, plundering your databases (57%), rifling through your printed documents (16%) and accessing other employees’ email (9%).

Verizon 2017 Data Breach Digest Update

While most, if not all, of the DBD scenarios involve some form of the Human Element, four scenarios over the previous two DBD editions focus primarily on the insider threat:

The Absolute Zero – Disgruntled Employee

[2017 DBD] An employee became disgruntled during an organizational restructuring. At about the same time, a programmer reported an application unexpectedly failing. The employee admitted using their admin credentials to access multiple email servers to collect confidential files for use in their new job. The investigation confirmed the documents were indeed stolen, and also found “mass delete” commands associated with the employee’s activity.

The Hot Tamale – USB Infection

[2017 DBD] A contracting company announced unilateral pay cuts for all employees. An outsider offered ‘bonus pay’ to a janitor in need of cash. The task was simple: carry a USB flash drive into work, and when no one was looking, plug it into various systems. The investigation determined several systems were accessed by an external threat actor via malware that was present on the USB flash drive in an attempt to gain access to privileged information. Needless to say, the janitor was terminated.

The Rotten Apple – Insider Threat

[2016 DBD] An organization was in the process of a buyout. It was discovered that a middle manager was aware of details exceeding his level of authorization and was bragging about what he knew. An investigation determined the middle manager was accessing the CEO’s email account and reading his email. He obtained the account credentials through old-fashioned social engineering of a co-worker who was a system administrator.

The Imperfect Stranger – Rogue Connection

[2016 DBD] Customers were complaining about being unable to access their accounts via the organization’s website. An investigation into the issue initially found that the organization’s IP address space was being blocked due to previously reported malicious C2 server activity. The Bring Your Own Device (BYOD) network segment was found to be infected by malware introduced via a remote employee’s laptop. Network misconfiguration coupled with the malware infection led to the IP address blocking.

Indicators of a potential insider threat

• Attempts to access or actual access to IT systems without a valid need to know

• Requesting access to information outside of normal job duties including sensitive or classified information

• Unusual or erratic behavior

• Disgruntled attitude

• Working odd or late hours

• Apparent, unexplained affluence or excessive indebtedness

• Efforts to conceal foreign contracts, travel, foreign interests or suspicious foreign activity

• Unreported offers of financial assistance, gifts or favors by a foreign national or stranger

• Exploitable behavior such as:

  • Criminal activity

  • Sexual misconduct

  • Excessive gambling

  • Alcohol or drug abuse

  • Problems at work

Insider threat scenarios

We will use the lessons learned from these scenarios, combined with our investigative experience covering hundreds of other cases, to formulate our recommended insider threat countermeasures on the pages that follow.


When we look at targeted industries within Insider and Privilege Misuse over 2016, we see Healthcare and Social Assistance, Public Administration, and Financial and Insurance as the top three victim industries. The top six victim industries within Insider and Privilege Misuse for 2016 and for the previous three years (2014-2016) are shown in Figure 1.

Historically, our corpus tells us that breach discovery lags behind the initial compromise, sometimes by days, weeks, or even longer. For the Insider and Privilege Misuse incident pattern, breach discovery is more likely to take months and years rather than days or weeks to detect (see Figure 2).

This breach discovery lag is likely directly attributable to the difficulty in detecting the insider threat, especially those with privileged accounts that are conducting their nefarious activities stealthily.

So, what else does our data have to say about the insider threat? Well, plenty. Let’s have a look and see...

³ North American Industry Classification System (NAICS): https://www.naics.com/naics-drilldown-table/

⁴ It should be noted that the ‘n’ value here and in the rest of this document represents the number of breaches. A singular breach can feature multiple varieties of threat actions or other enumerations. This is why the numbers associated with Misuse variety exceed the ‘n’ value or number of breaches. This is normal and expected and will occur in figures in subsequent pages as well.

Targeted victims

Figure 1 – Top six targeted industries within Insider and Privilege Misuse breaches
(frequency as a percentage of breaches; 3 Years = 2014-2016, n=667; 1 Year = 2016, n=172⁴)

Industry (NAICS code³)                                   3 Years   1 Year
Healthcare and Social Assistance (62)                     30.0%    35.8%
Public Administration (92)                                22.7%    16.8%
Financial and Insurance (52)                              12.8%    10.9%
Administrative, Support, Waste Management and
  Remediation Services (56)                                5.8%     3.3%
Information (51)                                           4.7%     5.4%
Professional, Scientific, and Technical Services (54)      3.7%     2.9%

Figure 2 – Breach discovery timeline within Insider and Privilege Misuse breaches
(number of breaches by time from compromise to discovery)

Time to discovery   Breaches
Seconds                –
Minutes                –
Hours                  2
Days                   6
Weeks                  6
Months                33
Years                 30


The DBIR defines Insider and Privilege Misuse as “all incidents tagged with the action category of Misuse—any unapproved or malicious use of organizational resources—falls within this pattern.” Internal threat actors, aka the Insider Threat, operate from a position of privilege and trust to steal or compromise data, corrupt or destroy data, disrupt business operations, or cause embarrassment to an organization. This encompasses company full-time employees, independent contractors, interns, and other staff. Their motivations typically include financial gain, espionage, grudges, ideology, fun, and convenience.

When we look at our data for threat actor types over the previous year (2016), we see End-Users and Other General Employees (71.4%) and Executives and Managers (15.2%) as the most prevalent internal threat actors. The top seven threat actor varieties within Insider and Privilege Misuse for 2016 and for the previous three years (2014-2016) are shown in Figure 3.

Question: so, what is the primary motivation for the insider threat? Answer: financial gain. In fact, our data tells us that over the previous year (2016), Financial (65.5%) far outpaces Espionage (14.5%) and Fun (13.6%). The top five threat actor motivations within Insider and Privilege Misuse for 2016 and for the previous three years (2014-2016) are shown in Figure 4.

Threat actors

Figure 3 – Top seven threat actor varieties within Insider and Privilege Misuse breaches
(frequency as a percentage of breaches; 3 Years = 2014-2016, n=416; 1 Year = 2016, n=112)

Threat actor variety                    3 Years   1 Year
End-User and Other General Employee      64.0%    71.4%
Executive and Manager                    14.7%    15.2%
Cashier                                   5.8%     3.6%
Finance                                   6.3%     2.7%
Developer / System Administrator          1.4%     1.8%
Guard and Maintenance                     1.4%     1.8%
Human Resources                           1.2%     1.8%

Figure 4 – Top five threat actor motivations within Insider and Privilege Misuse breaches
(frequency as a percentage of breaches; 3 Years = 2014-2016, n=464; 1 Year = 2016, n=110)

Motivation       3 Years   1 Year
Financial         54.7%    65.5%
Espionage         19.6%    14.5%
Fun               15.5%    13.6%
Convenience        4.3%     3.6%
Grudge             5.2%     1.8%


Start a personnel security program

Make personnel security a priority from the start. Vet prospective employees through background checks and comprehensive screening interviews. Enforce the principles of least privilege, separation of duties, and job rotation for sensitive job assignments. Review, be familiar with, and, as necessary, update all cybersecurity policies associated with employee conduct, including acceptable use, BYOD, information security, and physical security policies.

Deter insider threat activities

Implement an effective set of security policies and standards. These should include acceptable use, BYOD, information security, and physical security. Conduct annual acceptable use, information security, and physical security training for all employees. Use login banners, screen savers, and desktop backgrounds to remind users that their actions are being monitored and all policy violations will be flagged. Consider publishing anonymized security violation statistics.


Ensure physical security

Enhance physical security controls to limit access to facilities and sensitive areas. Use security cameras, ID verification, and audit trails to prevent and mitigate malicious user activity. Cover areas of ingress and egress, such as perimeters, gates, entrances and exits, with security cameras. Set up alerts and monitor for suspicious physical access patterns and activities. Ensure physical security devices connected to the network have up-to-date firmware and software patches.


Harden the digital environment, Part I

Segment and restrict access to sensitive systems. Use firewalls on the outer perimeter and between internal segments. Consider using a Data Loss Protection (DLP) solution to detect unauthorized movement of sensitive data. Encrypt external access and Wi-Fi traffic. Use multi-factor authentication for remote and cross-segment access.

Remove unneeded apps. Apply patches as quickly as possible. Regularly remove unneeded data from servers and shares. Ensure each system has up-to-date anti-virus definitions and a host-based firewall.

Harden the digital environment, Part II

Eliminate or restrict the use of USB drives and other removable media – disable any auto-run features. Encrypt hard disk drives and portable systems such as laptops, smartphones and external storage devices. Back-up critical data and test these back-ups periodically.

Remove local admin rights and disable unnecessary accounts. Monitor admin and service accounts. Prohibit closely shared accounts. Use two-factor authentication for remote access.

Prepare for organization changes

Brace for the negative impacts of organization changes, including transfers and promotions. Maintain strict ‘need to know’. Coordinate any details regarding restructuring and moving of specific jobs with HR and department managers.

Establish a termination protocol that includes the timing of notifications; disabling of devices, system and network access; and withdrawing physical access. Safeguard terminated employee systems and devices for a time after termination.


Prevention and mitigation


Organizational and voluntary career changes can leave some employees in a position where they can rationalize nefarious activities, such as stealing data, destroying systems, disrupting business operations, or embarrassing their employer.

Disgruntled employees, such as the one presented in the Absolute Zero scenario, are some of the most difficult threat actors against which to defend. Employees hiding their true feelings or acting secretly, such as described in the Hot Tamale and the Rotten Apple, are sometimes even harder to counter due to the difficulty in detecting their malicious behavior. Finally, one other type of insider threat, as covered in the Imperfect Stranger, involves those employees (or business partners) who inadvertently—due to their actions—compromise or destroy data or disrupt business operations.

When we examine varieties of misuse over the previous year (2016), we see Privilege Abuse (66.2%), Data Mishandling (32.5%), and Possession Abuse (14.7%) as the top three misuse varieties. The top six misuse varieties within Insider and Privilege Misuse for 2016 and for the previous three years (2014-2016) are shown in Figure 5.

When we look at threat actor misuse vectors within Insider and Privilege Misuse over the previous year (2016), we see LAN Access (71.8%), Physical Access (20.5%), and Remote Access (9.0%) as the top three misuse vectors. The top five misuse vectors within Insider and Privilege Misuse for 2016 and for the previous three years (2014-2016) are shown in Figure 6.

Insider misuse

Figure 5 – Top six misuse varieties within Insider and Privilege Misuse breaches
(frequency as a percentage of breaches; 3 Years = 2014-2016, n=637; 1 Year = 2016, n=163)

Misuse variety          3 Years   1 Year
Privilege Abuse          71.3%    66.2%
Data Mishandling         15.4%    32.5%
Possession Abuse         15.5%    14.7%
Knowledge Abuse           5.8%     6.7%
Unapproved Hardware       8.8%     3.1%
Email Misuse              4.0%     1.8%

Figure 6 – Top five misuse vectors within Insider and Privilege Misuse breaches
(frequency as a percentage of breaches; 3 Years = 2014-2016, n=571; 1 Year = 2016, n=156)

Misuse vector        3 Years   1 Year
LAN Access            71.1%    71.8%
Physical Access       21.9%    20.5%
Remote Access          6.9%     9.0%
Other                  4.2%     1.9%
Non-Corporate          2.5%     1.9%


Report suspicious insider activity

Train and sensitize employees to recognize and report suspicious activity. Start on their first day, during in-processing, and conduct annual refresher training sessions from then on. Supplement this training throughout the year with email reminders, system login banners, and old-school awareness posters in common areas of the workplace. Drive compliance by obtaining online/written acknowledgement of users’ responsibilities to report suspicious behavior.

Training materials should educate employees on the ‘signs of suspicious behavior’ (SSBs), such as co-workers working outside of normal duty hours (e.g. when nobody is around), involved in patterns of security violations (e.g. repeatedly circumventing security protocols by using unauthorized USB flash drives), attempting to gain access to data, systems, or facilities without a valid reason (a need to know), or making comments and suggestions implying the intended theft or destruction of data.

Log and monitor user account activity

Determine normal user account behavior and look for suspicious activities. Enhance logical access controls by restricting, monitoring, and logging logical access to sensitive systems and data. This includes critical network segments, network devices, servers, and workstations, as well as key accounts, applications, and files.

Use a Security Incident and Event Monitoring (SIEM) solution or, preferably, a User Behavior Analytics (UBA) solution to monitor, detect, and log suspicious user account activities. Implement robust access controls and monitoring policies on privileged user accounts. Apply strict account management and credential strength policies. Review user account, application, system, and network logs to determine the extent of the compromise and to identify other assets which may have been targeted. Test logging and monitoring systems to ensure the required data exists and can be used in the event of an attack.
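To make the “determine normal behavior, then look for deviations” advice concrete, here is an added example (not Verizon’s code or any SIEM/UBA product’s) that learns a per-user baseline from a constructed, hypothetical activity log and then flags the signs of suspicious behavior the text names: off-hours activity, first-time access to additional servers, and a burst of delete commands of the kind the Absolute Zero investigation found. The log format, account and host names, and thresholds are all assumptions.

```python
"""Baseline-and-deviation checks over a constructed account-activity log.

Assumed (hypothetical) log line format:  <ISO timestamp> <user> <action> <target>
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: a quiet period used to learn each user's normal hours and hosts.
BASELINE_LOG = """\
2016-03-01T09:12:00 jdoe login mail01
2016-03-01T10:05:00 jdoe read mail01
2016-03-01T16:40:00 jdoe logout mail01
2016-03-02T09:03:00 jdoe login mail01
2016-03-02T15:30:00 jdoe read mail01
2016-03-01T08:55:00 asmith login db01
2016-03-01T17:10:00 asmith query db01
2016-03-02T09:20:00 asmith login db01
"""

# Constructed sample: a later period in which jdoe, an admin, behaves like the
# Absolute Zero insider (late-night logins to several mail servers, then mass deletes).
REVIEW_LOG = """\
2016-03-15T23:05:00 jdoe login mail01
2016-03-15T23:07:00 jdoe login mail02
2016-03-15T23:09:00 jdoe login mail03
2016-03-15T23:10:00 jdoe copy mail02
2016-03-15T23:11:00 jdoe delete mail02
2016-03-15T23:11:30 jdoe delete mail02
2016-03-15T23:12:00 jdoe delete mail02
2016-03-15T23:12:30 jdoe delete mail02
2016-03-16T09:30:00 asmith login db01
2016-03-16T10:00:00 asmith query db01
"""

HOUR_MARGIN = 1            # tolerance (hours) around each user's observed working window
BULK_DELETE_THRESHOLD = 3  # deletes by one user in one day that count as a "mass delete"


def parse(log_text):
    """Turn the constructed log into (timestamp, user, action, target) tuples."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, user, action, target = line.split()
            events.append((datetime.fromisoformat(ts), user, action, target))
    return events


def build_baseline(events):
    """Per user: the hour window in which activity was seen and the hosts touched."""
    hours, hosts = defaultdict(list), defaultdict(set)
    for ts, user, _action, target in events:
        hours[user].append(ts.hour)
        hosts[user].add(target)
    return {
        user: {"start": min(h) - HOUR_MARGIN, "end": max(h) + HOUR_MARGIN, "hosts": hosts[user]}
        for user, h in hours.items()
    }


def find_anomalies(baseline, events):
    """Return (user, reason) findings for the review period against the baseline.

    One finding per user and day for off-hours activity, one per newly touched
    host, and one when the daily delete count reaches BULK_DELETE_THRESHOLD.
    """
    findings = []
    off_hours_seen, new_hosts, deletes = set(), defaultdict(set), Counter()
    for ts, user, action, target in events:
        profile = baseline.get(user)
        if profile is None:
            findings.append((user, f"no baseline for this account (active on {target})"))
            continue
        day = ts.date()
        in_window = profile["start"] <= ts.hour <= profile["end"]
        if not in_window and (user, day) not in off_hours_seen:
            off_hours_seen.add((user, day))
            findings.append((user, f"off-hours activity on {day} (first seen {ts.time()})"))
        if target not in profile["hosts"] and target not in new_hosts[user]:
            new_hosts[user].add(target)
            findings.append((user, f"first access to {target}"))
        if action == "delete":
            deletes[(user, day)] += 1
            if deletes[(user, day)] == BULK_DELETE_THRESHOLD:
                findings.append((user, f"{BULK_DELETE_THRESHOLD}+ deletes on {day}: possible mass delete"))
    return findings


def review():
    """Run the whole check on the constructed logs; returns the findings list."""
    return find_anomalies(build_baseline(parse(BASELINE_LOG)), parse(REVIEW_LOG))


if __name__ == "__main__":
    for user, reason in review():
        print(f"{user}: {reason}")
```

With the constructed logs, jdoe produces four findings (off-hours, two new mail servers, mass delete) and asmith none; in practice the baseline period should be long enough to cover shift patterns and on-call work, or every weekend login becomes a finding.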


Inventory and monitor sensitive data

Track your assets and know where your sensitive data is. Conduct periodic asset inventories and e-discovery exercises. Keep employee-assigned systems and data storage devices for a predetermined amount of time after employee departure from the organization. For current employees, monitor systems for data loss. If external media devices are authorized, monitor and log data transfers. Scan for sensitive data improperly marked or stored in unauthorized locations.

Use an Intrusion Detection System / Intrusion Prevention System (IDS / IPS). When possible, leverage a File Integrity Monitoring (FIM) solution and white-list applications. FIM validates the integrity of OS and application software files by comparing the current file state against a known-good baseline. With a FIM solution in place, file changes can be detected and alerted on. If possible, limit unauthorized or BYOD access by disabling automatic network configuration, such as DHCP.
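The baseline-versus-current comparison that FIM performs, as an added example (not code from Verizon or from any FIM product): it hashes a constructed directory tree, stores the baseline, then reports which files were added, removed or modified after the tree is tampered with. The directory layout, file contents and the choice of SHA-256 are assumptions.

```python
"""Minimal file-integrity check: hash a tree, keep the baseline, diff it later.

Added example over a constructed temporary directory; not code from any FIM product.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Classify drift between a stored baseline and a fresh snapshot."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, report the drift."""
    root = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    (root / "bin").mkdir()
    (root / "etc").mkdir()
    (root / "bin" / "service").write_bytes(b"\x7fELF-original-binary")
    (root / "etc" / "app.conf").write_text("debug=false\n")

    # A real deployment stores the baseline where the monitored host cannot rewrite it;
    # here it is only round-tripped through JSON to show it serialises like a stored one.
    stored = json.loads(json.dumps(snapshot(root)))

    (root / "bin" / "service").write_bytes(b"\x7fELF-replaced-binary")  # modified
    (root / "etc" / "app.conf").unlink()                                # removed
    (root / "bin" / "helper.sh").write_text("#!/bin/sh\necho hi\n")     # added
    return compare(stored, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```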


Detection and validation


As we have seen, threat actors have various motivations—the intangibles, such as Financial or Espionage. However, for every data breach, there are also the tangibles, those things that threat actors target.

VERIS breaks down these tangibles in two ways: affected assets and data varieties. Affected assets are data ‘containers’ that hold the targeted data, such as a database or an email or a mobile phone. Data varieties are the type of data targeted, such as personal or secrets or source code.

When we look at VERIS for affected victim assets within Insider and Privilege Misuse over the previous year (2016), we see Database (52.5%), Documents (15.0%), and Mail (11.7%) as the top three affected assets. The top 10 affected assets within Insider and Privilege Misuse for 2016 and for the previous three years (2014-2016) are shown in Figure 7.

When we look at victim data varieties within Insider and Privilege Misuse over the previous year (2016), we see Personal (41.9%), Internal (20.5%) and Medical (19.3%) as the top three data varieties. The top 10 data varieties within Insider and Privilege Misuse for 2016 and for the previous three years (2014–2016) are shown in Figure 8.

Assets and data

Figure 7 – Top ten affected assets within Insider and Privilege Misuse breaches
(frequency as a percentage of breaches; 3 Years = 2014-2016, n=507; 1 Year = 2016, n=120)

Affected asset       3 Years   1 Year
Database              52.9%    52.5%
Documents             12.2%    15.0%
Mail                   8.7%    11.7%
Desktop                7.3%     5.0%
Payment Card           7.3%     5.0%
Web Application        3.2%     5.0%
File Server            4.7%     4.2%
Flash Drive            3.0%     4.2%
Mobile Phone           1.6%     4.2%
Laptop                 9.3%     2.5%

Figure 8 – Top ten data varieties within Insider and Privilege Misuse breaches
(frequency as a percentage of breaches; 3 Years = 2014-2016, n=628; 1 Year = 2016, n=166)

Data variety      3 Years   1 Year
Personal           35.2%    41.9%
Internal           16.9%    20.5%
Medical            29.8%    19.3%
Secrets            11.5%    10.8%
Payment            10.2%     7.8%
Bank                8.0%     4.2%
Credentials         3.0%     3.0%
Other               1.4%     1.8%
Source Code         1.9%    <1.0%
Classified          1.8%    <1.0%


Assemble the incident response team

Responding to and resolving cybersecurity incidents and data breaches requires various stakeholders, both technical and non-technical. For insider threat situations, HR, legal counsel, IT security, and other as-needed IR stakeholders should work closely throughout the investigation – in particular to address such topics as scope expansion, discovering other illicit activity, sensitive data exposure (and reporting), privacy considerations, and eventual employee termination.

Engage law enforcement (LE) at the right time and in conjunction with advice from legal counsel. Engage a qualified and experienced digital forensics firm for breach response activities, to include deep-dive forensic investigation as well as containment and eradication support.


Activate the insider threat playbook

As part of the overall Incident Response (IR) Plan, create an Insider Threat Playbook and then regularly review, test and update it. It should parallel the IR Plan, but provide specific guidance for managing an insider threat data breach or cybersecurity incident. It should include guidance to involve specific stakeholders, such as legal counsel, HR, a digital forensics firm, and, if required, law enforcement (LE). It should also include guidance on handling employee-related investigations as per policy, to include collecting and analyzing evidence sources, conducting witness and subject interviews, and notifying organization oversight bodies, regulators, and other external entities.

Collect and preserve evidence

Scope and triage the incident quickly. Be flexible as the scope may need adjustment as the investigation continues. Use previously tested and familiar tools and procedures for evidence collection and preservation. These should include software and hardware capable of collecting physical memory dumps, volatile data, hard disk drive images, removable media images, network packet captures and NetFlow and log data.

Leverage established and documented evidence handling procedures and templates: use evidence tags, chain of custody forms, and an evidence tracking log to secure, preserve, collect, and store evidence.


Response and investigation

Contain and eradicate the threat

In addition to collecting and preserving any potential evidence, take steps to contain and eradicate any previous, ongoing, or future threats. These may include hacking into systems, deploying malware, stealing data, destroying hardware, modifying code, or even setting up logic bombs to cause data destruction or system disruption in the future. Containment activities may include temporarily blocking outbound internet traffic, changing user account passwords, and searching for malware across the network. Eradication may include rebuilding affected systems, disabling compromised user accounts, and removing suspicious and malicious files as well as any HR-related activities.


Conduct personnel interviews

Interview employees, contractors, and other potential witnesses with access to facilities, workspaces, systems, devices, and removable media to provide additional insight to digital forensic findings, as well as the overall investigative picture.

For insiders suspected of conducting malicious activity, initial and final interviews can be used to determine the nature of the malicious activity. These interviews should be conducted in accordance with organizational policy, and typically with HR and legal counsel involvement.

The way forward

These recommendations can help reduce the risk of insider threats, or assist with an investigation in the event that you find your organization dealing with this type of threat actor. Prevent the Absolute Zero, the Hot Tamale, the Rotten Apple, or the Imperfect Stranger from gaining unauthorized access to your kingdom and stealing or destroying its keys, disrupting your operations, and/or bringing embarrassment to you.

Using these mitigation, detection, and response countermeasures can help keep your organization out of the headlines and save you from sending out data breach notifications to customers, employees, and regulators. In the unfortunate event you do get that call, remember the Verizon Threat Research Advisory Center (VTRAC) | Investigative Response Team is here to help you respond to and investigate these situations.

Response and investigation (continued)


2017 Data Breach Investigations Report

Get the 2017 Data Breach Investigations Report (DBIR). It’s our foremost publication on cybersecurity, and one of the industry’s most respected sources of information.

http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/

2017 Data Breach Digest

Read the Data Breach Digest (DBD) for the story of Verizon’s most intriguing cybercrime investigations. Learn about the attackers’ tactics, the victims’ mistakes and the scramble to limit the damage.

http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/

VERIS Resources

Check out the Vocabulary for Event Recording and Incident Sharing (VERIS) Community Database, as well as these other VERIS-related resources.

• VERIS Framework: veriscommunity.net

• VERIS Schema: github.com/vz-risk/veris

• VERIS Community Database: github.com/vz-risk/vcdb


Would you like to know more?


VerizonEnterprise.com

© 2017 Verizon. All Rights Reserved. The Verizon name and logo and all other names, logos, and slogans identifying Verizon’s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners. 16985 07/17