Insider-Focused Investigation Made Easier

Transcription

1 A SANS Product Review Written by Dave Shackleford August 2015 Sponsored by Raytheon Websense 2015 SANS Institute

2 Introduction For years, organizations have struggled with insider threats. Insider threats are those that arise from employees, contractors, partners and even customers that have already been granted some degree of access to internal computing assets and resources. According to the 2015 Verizon Data Breach Investigations Report (DBIR), insider abuse is higher than ever in breach and fraud cases. The Verizon team saw that 38 percent of insider abuse cases came from internal end users (knocking cashiers out of first place for the first time since 2011), and most of these insider abuse cases included afterthe-fact investigations and forensics. 1 In other words, most organizations don t catch insider abuse before or even during the crimes. For most insider abuse cases, the key to detection relies on monitoring behaviors and patterns of activity versus detection of a single signature-based event. Many organizations have traditionally had difficulty when developing behavior-centric monitoring programs and tools to adequately detect insider threats and malicious activity coming from trusted users and systems. SANS recently reviewed Raytheon Websense s SureView Insider Threat 6.9 monitoring and audit management platform, which focuses on user behaviors such as policy violations, malicious activities on endpoint systems and other, more complex warning signs that may indicate insider threat activity. SureView Insider Threat can augment traditional data loss prevention (DLP) tools by observing user interaction, both within and external to a network, fingerprinting files and data types, and detecting malware and suspicious indicators at the host and network levels. 1 Verizon 2015 Data Breach Investigations Report (DBIR), p. 46, Figure 38. 1

3 Interface and Ease of Use Our review first focused on the user interface and usability of SureView Insider Threat. Raytheon Websense provided a prebuilt SureView Insider Threat virtual appliance and back-end database that we found simple to connect and configure; the configuration included a number of prebuilt policies. We began by examining the configuration for the appliance and the options we would normally use as part of provisioning it for investigation teams. Our examination focused primarily on users, connectivity options and (where applicable) authentication and integration with internal systems. After a SureView Insider Threat appliance is up and running, admins can adjust its configuration through the browser-based management interface, which is simple to navigate and use. First, the Operators section allows admins to create new user accounts for operating the SureView Insider Threat investigation platform. Role-based access is easy to configure, with specific groups for various types of data access, as well as access to and control of particular functions and features in the product itself, as shown in Figure 1. Figure 1. Configuring a New Operator The Nodes section allows you to configure individual SureView Insider Threat nodes, as well as cluster node options for high availability in larger deployments. The majority of system configuration settings are in the Control Panel section. Here, you can manage passwords, RADIUS authentication and authorization options, certificate and public key infrastructure (PKI) settings, agent deployment variables and other system settings. Perhaps most important, the Control Panel section is where you configure SureView Insider Threat to automatically send events to a security information and event management (SIEM) system. 2

4 Interface and Ease of Use (CONTINUED) From here on, we connected to the appliance with the Enterprise Application Suite, a Windows client available from the Tools section of the system console. The interface has three workbench tabs: Administration, Investigation and Policy. First, we explored the Policy Workbench. The SureView Insider Threat system has a number of default policies available for monitoring Windows, Linux and Android platforms. Some policies focus on one type of event or action, while others are combination policies that monitor all activity. A number of policies concentrate on compliance requirements or access to certain data types, which the analyst can define. We reviewed the existing policies and created several test policies to determine how easy the process was. The Policy Workbench, shown in Figure 2, includes a new policy called SANS Test Policy ; this policy includes several simple rules looking for the keyword SANS in event logs and files on Windows platforms. Figure 2. SureView Insider Threat Policy Workbench and Test Policy Navigating the Policy Workbench was simple and straightforward. 3

5 Interface and Ease of Use (CONTINUED) The Administration Workbench allows you to monitor and control any agents installed on systems within the environment. The workbench pane is simple to understand, with six tabs across the bottom that allow users to manage the SureView Insider Threat deployments: Makes agent groups easy to define and edit. This tab also displays the number of agents, users and policies assigned to a group. Issues commands to agents and agent groups. You can send ad hoc commands, or define and store commands for consistent application. Saves preconfigured installer applications for simple deployment. Assembles bundles of installer applications, application adapters and collection tools, for later deployment. Configures application adapters and collection tools that integrate with endpoint operating systems and applications for gathering data and events. Defines specific aggregations of agents and users that are part of specific groups, matching specific patterns, for easy searching. An example of a command issued to one agent that gathers any error files appears in Figure 3. Figure 3. Administration Workbench Commands The ability to monitor and manage agents in the main console pane is straightforward. All major functions for deploying and controlling agents are intuitive and easy to access. The final tab, the Investigation Workbench, allows security teams to create specific cases for investigating user and system behavior, looking for insider threats in the environment. Creating cases was simple, but there are many advanced query and search features to explore and numerous ways to use the data reported from deployed agents. Creating specific investigation cases is covered in more detail later in the paper (under Insider Threats and the Investigation Workbench ), but the interface is intuitive and we quickly made ourselves comfortable. 4

6 Audit Trail Monitoring The SureView Insider Threat management interface s Audit section includes a detailed list of all activities performed on the SureView Insider Threat platform, ranging from operational tasks to authentication, as well as configuration changes and system status messages. This audit trail is simple to access and query, and should be useful in proving to auditors or investigators that operators performed certain actions. A snapshot of the audit log appears in Figure 4. Figure 4. SureView Insider Threat Audit Trail Logs and events can be viewed in more detail, as shown in Figure 5. Figure 5. Log and Event Detail View 5

7 Policy Creation and Management With SureView Insider Threat, new policies are simple to create, even when you are working from scratch. Existing policies can serve as templates right-clicking the existing policy and selecting Copy enables you to clone a policy and adapt the clone for Windows, Linux or Android systems. You can also add policies directly to Investigation Workbench queries from the context (right-click) menu or export them for future editing. The context (right-click) menu for policy editing and actions appears in Figure 6. SureView Insider Threat s configuration options fall into these categories: Rules are the heart of policy templates and can make use of document fingerprints (which can also include s, web content, printed documents, application content and clipboard data), regular expressions, file types observed, filters on document attributes, file hashes and other attributes. Each rule has editable links in the syntax view; you can modify the syntax with a click, changing menu options or typing text strings to create pattern matches. Figure 6. Policy Editing and Actions Menu Actions occur after an event triggers a rule or set of rules. The most basic actions are logging and reporting events within the SureView Insider Threat system or collecting data from the system in question. Data collection is incredibly flexible, with options to collect data from file content or actions taken, instant messaging apps, , web content, network activity, the Windows registry and other sources. Much like the rules formatting, actions are comprised of statements with clickable links you can modify via inline menus. Other available actions include sending s or events to a SIEM platform, adding the system reporting the event to a particular group (for example, a watchlist to monitor for suspicious behavior), prompting users, stopping processes or preventing storage devices from being mounted. 6

8 Policy Creation and Management (CONTINUED) Pre-filtering can reduce false alarms by performing certain checks before triggering rules, potentially excluding events related to specific processes, files, network events or Windows registry entries. Categories can help organize policies, which is useful when a large number of different policies are in place within an organization. These categories are also used when assigning policies to a specific group of agents and users. Figure 7 shows an example of a simple policy we used in our testing. Figure 7. Test Policy in Policy Workbench All policies can have a priority assigned to them, as well as a definition of scope where they apply across deployed agents. 7

9 Insider Threats and the Investigation Workbench The real power of SureView Insider Threat comes from the Investigation Workbench, where analysts will likely spend the majority of their time once policies are created and deployed, building cases that chronicle searches and analysis of system- and user-driven events. During this review, we ran several mock investigations using the sample data in the testbed. In the first investigation, we investigated a user ( Christopher Foster ) to follow up on unusual activity recorded by a SureView Insider Threat agent deployed on his system. Our first step was to start a new investigation in the Investigation Workbench, either by clicking the Create a new case button in the workbench s Cases pane, or by selecting the Cases menu item and choosing Create. We then provided a case name and designated the case s security level (who can see it and access it). Once our case was created, we ran our first query against the SureView Insider Threat database using the query engine at the top of the window. Our first order of business was limiting the events to only those seen on 01/27/2015, as shown in Figure 8. Figure 8. Limiting Events to a Date/Time Range 8

10 Insider Threats and the Investigation Workbench (CONTINUED) The event highlighted in Figure 8 also corresponds to the subject of our investigation (CFOSTER in the REALWORLD2008 domain). Right-clicking the event record let us add this user to the query, thus limiting the data to only those events on 01/27/2015 recorded for user REALWORLD2008/CFOSTER. The output of this new result appears in Figure 9. Figure 9. Limiting Events to a Specific User and Agent Having limited the view to one user on a specific day, we could evaluate the specific events listed. Selecting an event caused a side pane to open with minute details about the event. First, we looked at the Webmail with Attachment event, which the keyword mail.google.com triggered. Figure 10 shows this event. Figure 10. Webmail with Attachment Event 9

11 Insider Threats and the Investigation Workbench (CONTINUED) In this detailed view, we could see the time of the event, which application was in use (Mozilla Firefox, in a Private Browsing window), and where the user was going (Gmail). This agent captured the event as a video, with replay capabilities that enabled us to watch exactly what the subject was doing. The he sent appears in Figure 11; note the attachment named FamilyReunionInfo.doc.gpg. Figure 11. Video Replay of User Actions 10

12 Insider Threats and the Investigation Workbench (CONTINUED) Going back to the event detail, we found the attached file referenced in the Gmail upload event. We then dug further, looking for all applications in use, this filename, and any related actions from collections and events. By performing a more thorough query for all activity related to our subject, we found File Renamed activities that eventually led us to the true nature of the incident CFOSTER renamed FJEA Business Expense Budget.xlsx to the seemingly innocuous.gpg file we saw in the , as shown in Figure 12. Figure 12. File Renamed Activity by the Insider Suspect Digging even further, we discovered that the subject had renamed a sensitive file, encrypted it (using kleopatra.exe, a GPG component) and then ed it to an accomplice outside the organization. We found the process of starting an investigation, creating queries and reviewing evidence results with SureView Insider Threat to be simple and straightforward, especially when compared to similar endpoint security and forensics tools. 11

13 Insider Threats and the Investigation Workbench (CONTINUED) In our second investigation, we investigated Greg Alexander after the SureView Insider Threat agent recorded some unusual activity on his system. As in the first investigation, we searched for all events and collections from the date of the activity but added the agent name JEAGALEXANDER_laptop so the query would pull results for that machine only. Looking at the list of applications the user ran on that day led us to an unauthorized application: the Tor browser, used for anonymized browsing, as shown in Figure 13. Figure 13. Tor Browser Launched by Suspected Hostile Insider In looking at specific times when our subject started the Tor browser, we found he initiated a remote desktop connection into another server approximately five minutes before opening the browser. Fortunately, we could easily query for the startup of the remote desktop application (mstsc.exe) and look for all collected evidence, as shown in Figure 14. Figure 14. Events and Collection from a Remote Desktop Connection 12

14 Insider Threats and the Investigation Workbench (CONTINUED) Selecting the item Keys Typed enabled us to see the keystrokes the subject made while logging in to the server, as shown in Figure 15. Having learned that the subject was logging in to servers and systems within our environment, we wanted to discover any user accounts associated with his name, no matter their location. SureView Insider Threat enabled us to query or browse based on entities as well as events or collection data. In this case, we looked through entities such as LDAP records and other information for the subject s full name ( Gregory P Alexander ). We discovered the subject had two accounts: REALWORLD2008/ GALEXANDER and TRAINING1407/ ADMIN1407, as shown in Figure 16. Figure 15. Keystroke Recording of Remote Desktop Password Figure 16. Finding the Subject s User Accounts 13

15 Insider Threats and the Investigation Workbench (CONTINUED) In this case, the second account (TRAINING1407/ADMIN1407) was unauthorized, and we wanted to know more about any associated devices or device activity recorded for that account. The SureView Insider Threat entity browser came to our rescue again; performing a query for that entity was easy. The results showed three removable devices associated with the TRAINING1407/ADMIN1407 account, as shown in Figure 17. Figure 17. Removable Drives Associated with Illicit Account At this point in our investigation, we could drill into the drives themselves as entities. In particular, the SanDisk Cruzer device looked interesting, so we searched for related items by right-clicking the entity in the console and looking for related items. This search returned numerous Drive Mounted events for our investigation s timeframe, as shown in Figure 18. Figure 18. Drive Mounted Events 14

16 Insider Threats and the Investigation Workbench (CONTINUED) Finally, by looking at more detail for some of these events, we could see the files associated with the drive. These results indicated the device held a bootable Linux installation, as shown in Figure 19. This information may indicate that the subject was booting a system (or systems) into Linux to compromise credentials or other information by accessing data from a different OS and thus avoiding the permissions of the normal OS. As in the first example, the process of starting an investigation with SureView Insider Threat, discovering what the subject was doing and creating queries that accurately gathered evidence of malicious activity was straightforward and painless. In addition to these two complete cases, we explored many more example cases of detecting illicit web browsing and access to systems and network data. Throughout, we found the investigation features of SureView Insider Threat easy to use; they enabled us to quickly find data and events related to both users and computers within the test Figure 19. File List for Bootable USB environment. Although there seemed to be an almost infinite number of search and discovery options, any of which we could use to build new queries and aggregate data into cases, the user interface greatly simplified the assessment of the data. The depth and completeness of the data SureView Insider Threat gathers from system agents impressed us as well. Security analysts can easily replay content and activity, or examine files and applications used within specific timeframes, to gain a better understanding of the events they investigate. 15

17 Conclusion After spending time with SureView Insider Threat, we concluded it is a powerful tool that can collect just about any type of system data imaginable, enabling investigators to build cases by highlighting points of evidence including: Although Raytheon Websense configured the system we tested, we found accessing and configuring the platform s configuration options to be simple and straightforward. The interfaces for the SureView Insider Threat workbenches were also easy to use and intuitive. In particular, the policy creation and management engine allowed us to create flexible and robust policies for Windows, Linux and Android systems quickly and then apply them to groups and categories of known users and deployed agent systems. The Administration Workbench provides a simple and flexible tool to manage all aspects of the deployment and monitoring processes for agents, and the capability to issue onetime or scheduled commands to agent systems is useful for both operations and security teams. However, the most impressive part of SureView Insider Threat is its Investigation Workbench. By creating cases and adding evidence items based on queries across numerous systems and date ranges, security teams can rapidly analyze insider threat scenarios within their environments. 16

18 About the Author, a SANS analyst, instructor, course author, GIAC technical director and member of the board of directors for the SANS Technology Institute, is the founder and principal consultant with Voodoo Security. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. A VMware vexpert, Dave has extensive experience designing and configuring secure virtualized infrastructures. He previously worked as chief security officer for Configuresoft and CTO for the Center for Internet Security. Dave currently helps lead the Atlanta chapter of the Cloud Security Alliance. Sponsor SANS would like to thank its sponsor: 17