Insiders: The Threat is Already Within

Similar documents
Part 1: Anatomy of an Insider Threat Attack

Part 2: How to Detect Insider Threats

Top 5 Database Security Threats WHITEPAPER

Automated Threat Management - in Real Time. Vectra Networks

Part 3: Surprising Insider Threat Findings in Enterprise Environments

AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

Introduction to Threat Deception for Modern Cyber Warfare

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

WHITEPAPER. Protecting Against Account Takeover Based Attacks

Imperva CounterBreach

10 FOCUS AREAS FOR BREACH PREVENTION

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

ATTIVO NETWORKS THREATDEFEND PLATFORM INTEGRATION WITH CISCO SYSTEMS PROTECTS THE NETWORK

Advanced Threat Hunting:

Un SOC avanzato per una efficace risposta al cybercrime

Securing Office 365 with SecureCloud

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

Implementing security from the inside out in a PeopleSoft environment System hardening with reference to the additional concern for insider threat

Advanced Threat Defense Certification Testing Report. Symantec Corporation Symantec Advanced Threat Protection

E-BOOK. Healthcare Cyber Security and Compliance Guide

CyberArk Privileged Threat Analytics

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Using Smart Cards to Protect Against Advanced Persistent Threat

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

68 Insider Threat Red Flags

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

All the Cool Kids Are Red Teaming Should You Be Drinking the Kool-aid Too?

Data Privacy and Protection GDPR Compliance for Databases

Next Generation Authentication

Becoming the Adversary

Managing Your Privileged Identities: The Choke Point of Advanced Attacks

Assessing Your Incident Response Capabilities Do You Have What it Takes?

Office 365 Buyers Guide: Best Practices for Securing Office 365

External Supplier Control Obligations. Cyber Security

Stop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico

IDENTITY AND THE NEW AGE OF ENTERPRISE SECURITY BEN SMITH CISSP CRISC CIPT RSA FIELD CTO

RSA Security Analytics

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

User and Entity Behavior Analytics

Teradata and Protegrity High-Value Protection for High-Value Data

CYBERSECURITY RISK LOWERING CHECKLIST

Top 10 Database Security Threats and How to Stop Them. Rob Rachwald Director of Security Strategy

Understanding the Changing Cybersecurity Problem

Incident Response Agility: Leverage the Past and Present into the Future

Security Fundamentals for your Privileged Account Security Deployment

Intro to Niara. no compromise behavioral analytics. Tomas Muliuolis HPE Aruba Baltics Lead

Attackers Process. Compromise the Root of the Domain Network: Active Directory

Keep the Door Open for Users and Closed to Hackers

Behavioral Analytics A Closer Look

Strategy is Key: How to Successfully Defend and Protect. Session # CS1, February 19, 2017 Karl West, CISO, Intermountain Healthcare

Building Resilience in a Digital Enterprise

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

SOLUTION BRIEF RSA NETWITNESS PLATFORM ACCELERATED THREAT DETECTION & AUTOMATED RESPONSE FROM THE ENDPOINT TO THE CLOUD

Data Lakes & Leaks Erno Doorenspleet. IBM Security

How WebSafe Can Protect Customers from Web-Based Attacks. Mark DiMinico Sr. Mgr., Systems Engineering Security

Securing Your Salesforce Org: The Human Factor. February 2016 User Group Meeting

Zero Trust in Healthcare Centrify Corporations. All Rights Reserved.

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

Bomgar Discovery Report

How Breaches Really Happen

Too Little Too Late: Top Reasons Why You Got Hacked

Checklist for Evaluating Deception Platforms

how dtex fights insider threats

Advanced Threat Defense Certification Testing Report. Trend Micro Incorporated Trend Micro Deep Discovery Inspector

Welcome! Ready To Secure Access to Your Microsoft Applications?

Pass-the-Hash Attacks

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Are we breached? Deloitte's Cyber Threat Hunting

SOLUTION BRIEF ASSESSING DECEPTION TECHNOLOGY FOR A PROACTIVE DEFENSE

Facebook API Breach. Jake Williams Rendition Infosec

METADATA FRAMEWORK 6.3 AND CYBERARK AIM INTEGRATION

RSA NetWitness Suite Respond in Minutes, Not Months

Secure Access & SWIFT Customer Security Controls Framework

Standard Categories for Incident Response (definitions) V2.1. Standard Categories for Incident Response Teams. Definitions V2.1.

Internal Audit Report DATA CENTER LOGICAL SECURITY

How to Build a Culture of Security

How to Conquer Targeted Threats: SANS Review of Agari Enterprise Protect

CSci530 Final Exam. Fall 2011

Make Cloud the Most Secure Environment for Business. Seth Hammerman, Systems Engineer Mvision Cloud (formerly Skyhigh Networks)

CLICK TO EDIT MASTER TITLE RECENT STYLE APT CAMPAIGN TARGETING ENERGY SECTOR ASSETS

Cyber security tips and self-assessment for business

THE CLOUD SECURITY CHALLENGE:

Recipe for a Breach: Uncontrolled Employee Access + Poor Security Habits Employee Security Habits Reveal Risky Imbalance

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

the SWIFT Customer Security

FairWarning Mapping to PCI DSS 3.0, Requirement 10

Welcome to the SafeNet Day! Prague 1st of October Insert Your Name Insert Your Title Insert Date

Hacker Explains Privilege Escalation: How Hackers Get Elevated Permissions

Applying a data driven approach to machine learning

PREVENT CREDENTIAL THEFT IN HEALTHCARE

The Cognito automated threat detection and response platform

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Solving for Compromised Credentials Across the Enterprise

Cyber-Threats and Countermeasures in Financial Sector

Transcription:

Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June 2016

About us Shiri Margel Itsik Mantin Data Security Research Team Leader Director of Security Research M. Sc. in Applied Math and Computer Science from the Weizmann Institute M. Sc. in Applied Math and Computer Science from the Weizmann Institute

Agenda Introduction Behavioral Analysis Deception Summary

People are the WEAK LINK

Compromised Careless Malicious

The Nature of Insider Breach Acquire small amount of sensitive information over a long period of time Noticed after damaging events Almost impossible to prevent Early Detection Verizon DBIR 2016

Our Research Behavioral Analysis Deception

Our Research Behavioral Analysis Deception

The Data File Sensors Cloud App Sensors File Server Database Sensors Cloud Applications Databases The Perimeter

Our Research Behavioral Analysis Collect live production data from several customers of Imperva Full database and file server audit trail - SecureSphere audit logs Machine learning algorithms identify Actors and Good Behavior in order to identify Meaningful Anomalies

Actors

Good Behavior

Behavioral Analysis Findings Malicious Insider Negligent Insider Compromised Insider

Behavioral Analysis Findings Malicious Insider Hoarding IP before leaving the company A DBA accessed financial information Negligent Insider Compromised Insider

Malicious Insider: Behavioral Analysis finds the IP Hoarder A Technical Writing employee copied > 100,000 files Employee was authorized to access data Operation took 3 weeks Each copy contained a few thousand files Some copies - in the middle of the night and/or on the weekend

Malicious Insider: Behavioral Analysis finds the IP Hoarder The employee / department never copied this amount of files The employee never worked on weekends / middle of the night Week days Weekend

Malicious Insider: Behavioral Analysis finds the IP Hoarder The employee / department never copied this amount of files The employee never worked on weekends / middle of the night Week days Weekend Employee was authorized to access data

Malicious Insider: Behavioral Analysis finds the IP Hoarder Organization Feedback: The employee was planning to leave the organization shortly after the incident took place

Behavioral Analysis Findings Malicious Insider Hoarding IP before leaving the company A DBA accessed financial information Negligent Insider Compromised Insider

Malicious Insider: Behavioral Analysis flags DBA abusing privileges Clients Application Database DBA Applicative Tables

Malicious Insider: Behavioral Analysis flags DBA abusing privileges Clients Application Database DBA Applicative Tables A DBA from IT retrieved and modified multiple records from PeopleSoft application tables on a specific day Didn t access these tables through the PeopleSoft interface bypassed PeopleSoft logging and retrieval limitations

Malicious Insider: Behavioral Analysis flags DBA abusing privileges Retrieved many records Compared to other users - Compared to himself -

Malicious Insider: Behavioral Analysis flags DBA abusing privileges Modified several thousands of records in one table The tables contained sensitive financial information

Malicious Insider: Behavioral Analysis flags DBA abusing privileges Modified several thousands of records in one table The tables contained sensitive financial information Should a DBA access financial information???

Malicious Insider: Behavioral Analysis flags DBA abusing privileges Organization Feedback: A DBA from IT should never be exposed to financial information Certainly not modify this information outside of application processes

Behavioral Analysis Findings Malicious Insider Negligent Insider Account Sharing Compromised Insider

Negligent Users: Behavioral Analysis flags Account Sharing Bypass organization permissions and privileges Provide people with access that they are not entitled to Leave incorrect access trail to the data Sharing is not caring! 2016 Imperva, 27 Inc. All rights reserved.

Negligent Users: Behavioral Analysis flags Account Sharing A and B share privileges C and D use B s account H uses the accounts of E, G J uses the accounts of G, I L uses the account of K

Behavioral Analysis Findings Malicious Insider Negligent Insider Compromised Insider Multiple failed login attempts

Compromised Users : How failed logins are flagged as anomalous Baseline period the user always successfully logs into DB1 using red account never logs into DB2 On the day of the incident the user tried and failed to log into DB2 11 times using 4 different account Succeeded using 5 th account

Behavioral Analysis - Summary

Behavioral Analysis - Summary We found interesting incidents for all insiders options It was hard to find them without behavioral analysis methods Used valid privileges Chose meaningful anomalies Concentrated on the actors and on their access to the data

Our Research Behavioral Analysis Deception

Deception Why? Because Compromise is Inevitable No Perimeter: BYOD, Cloud Apps, VPN Legitimate apps (TeamViewer, DropBox) Zero Days Social Engineering Find Data Breach within Compromises Compromises happen all the time few of them may turn into a breach! Response team have to prioritize 100 alerts << 1 alert Detect a breach ASAP Reconnaissance & Lateral Movement

Data Center Attack Cycle Files Compromise Reconnaissance Lateral Movement Data Access Exfiltration Web Apps Databases

Deception Tokens Point the attacker towards a Trap Web, File, DB Server (etc) Local / Domain Account Passwords, Cookies, Authentication Tokens Trap Server is Real Not a Honeypot Detection = Harvest + Use token Deliberate attempt at the data center / gain more privileges

Using Sensors for Deception File Sensors Cloud App Sensors File Server Database Sensors Cloud Applications Databases The Perimeter

Browser Passwords Where are autocomplete passwords saved? Are they safe?

Browser Passwords Return to Index

MimiKatz Pulling plaintext passwords from Windows Relies on Wdigest interface through LSASS Wdigest: a DLL used to authenticate users against HTTP Digest authentication and Simple Authentication Security Layer (SASL) exchanges. (un)fortunately, these require the plain-text password

MimiKatz Return to Index

Compromised User Scenario Trojan got through to the endpoint via phishing Planted credentials inside Windows Vault, Internet Explorer were used Determine the source and scope of the attack without tipping off the attacker

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback