Part 1: Anatomy of an Insider Threat Attack


Shiri Margel, Data Security Research Team Lead, Imperva
Carrie McDaniel, Emerging Products Team Lead, Imperva

About the speaker: Shiri Margel, Data Security Research Team Lead
- Master of Science in Computer Science and Mathematics
- 15+ years of algorithmic experience
- 3+ years of information security experience
Session moderated by Carrie McDaniel, Emerging Products Team Lead

- 70% of insider breaches took months or years to discover
- 16.3% of data breaches were attributed to insider and privilege misuse
Source: Verizon DBIR, April 2016

Insider Threat, Hacker Intelligence Initiative report (March 2016)
- Insider threat events were present in 100 percent of the studied environments
- Insider threat incidents were not identified by any existing in-place security infrastructure
- Identified insider threats spanned malicious, compromised and careless insiders

The Research: Behavioral Analysis
- Collected live production data from several volunteer customers of Imperva
- Imperva SecureSphere audit logs: a full database and file server audit trail
- Provides full visibility into which users accessed what data
- Machine learning algorithms identify actors and their good behavior in order to identify meaningful anomalies

(Diagram: the model identifies actors and their good, i.e. baseline, behavior.)

Behavioral Analysis: three kinds of insider
- Malicious
- Careless
- Compromised

Malicious Insiders: The Worst Nightmare Scenario
- Trusted insiders that intentionally steal data for their own purpose
- > 15% of the breaches are done by malicious insiders
- Motivation: financial, espionage or grudge
- Examples: Edward Snowden, Chelsea Manning (born Bradley Manning)

Malicious Insider: Behavioral Analysis Finds the IP Hoarder
- A Technical Writing employee copied > 100,000 files
- The employee was authorized to access the data
- The operation took 3 weeks
- Each copy contained a few thousand files
- Some copies were made in the middle of the night and/or on the weekend
- The employee/department had never copied this amount of files before
- The employee had never worked on weekends or in the middle of the night
Organization's feedback: the employee was planning to leave the organization shortly after the incident took place.

Malicious Insider: Behavioral Analysis Flags DBA Abusing Privileges
(Diagram: Clients -> Application -> Database; the DBA connects to the database and its applicative tables directly, bypassing the application.)
- A DBA from IT retrieved and modified multiple records from PeopleSoft application tables on a specific day
- Did not access these tables through the PeopleSoft interface, thereby bypassing PeopleSoft logging and retrieval limitations
- Retrieved many records, both compared to other users and compared to their own usual activity
- Modified several thousand records in one table
- Used a highly privileged DB account
- The tables contained sensitive financial information
- Should a DBA from IT have direct access to financial information?
Organization's feedback: a DBA from IT should never be exposed to financial information, and certainly should not modify this information outside of application processes.
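The DBA case above comes down to three comparisons against a learned baseline: has this account ever touched this table, did the access come through the application tier, and how many rows were read or changed relative to what is typical for that table. The following is an added example, not code from the Imperva slides or from SecureSphere; the account names, client programs, table names and row counts are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed database audit records: (day, db_account, client_program, table, operation, rows).
# Baseline: the application account works PS_PAYROLL through the app tier; the DBA account
# only reads dictionary views. Every name and number here is invented for this example.
BASELINE = (
    [(f"2016-03-{d:02d}", "psapp", "PeopleSoft", "PS_PAYROLL", "SELECT", 40 + d) for d in range(1, 11)]
    + [(f"2016-03-{d:02d}", "psapp", "PeopleSoft", "PS_PAYROLL", "UPDATE", 5) for d in range(1, 11)]
    + [(f"2016-03-{d:02d}", "dba_it", "sqlplus", "DBA_TABLESPACES", "SELECT", 20) for d in range(1, 11)]
)
INCIDENT = [  # the DBA reads and rewrites the payroll table directly from a SQL client
    ("2016-03-15", "dba_it", "sqlplus", "PS_PAYROLL", "SELECT", 50000),
    ("2016-03-15", "dba_it", "sqlplus", "PS_PAYROLL", "UPDATE", 3000),
    ("2016-03-15", "psapp", "PeopleSoft", "PS_PAYROLL", "SELECT", 45),
]
SENSITIVE = {"PS_PAYROLL"}  # tables classified as financial data (hypothetical classification)

def learn(records):
    """Baseline model: per (table, operation) the median row count over every account
    (the peer comparison), per table the client programs seen, per account its tables."""
    rows, programs, tables = defaultdict(list), defaultdict(set), defaultdict(set)
    for _, acct, prog, table, op, n in records:
        rows[(table, op)].append(n)
        programs[table].add(prog)
        tables[acct].add(table)
    return {"rows": {k: median(v) for k, v in rows.items()},
            "programs": programs, "tables": tables}

def flag_table_access(model, records, row_factor=10):
    """One finding per audited statement that departs from the baseline model."""
    findings = []
    for day, acct, prog, table, op, n in records:
        via_app = prog in model["programs"].get(table, set())
        usual = model["rows"].get((table, op))
        reasons = []
        if table not in model["tables"].get(acct, set()):
            reasons.append("account never touched this table during the baseline")
        if not via_app:
            reasons.append(f"accessed via {prog}, bypassing the application tier")
        if usual is not None and n > row_factor * usual:
            reasons.append(f"{op} on {n} rows vs typical {usual:g}")
        if table in SENSITIVE and op != "SELECT" and not via_app:
            reasons.append("sensitive table modified outside application processes")
        if reasons:
            findings.append({"day": day, "account": acct, "table": table,
                             "op": op, "reasons": reasons})
    return findings
```

Running `flag_table_access(learn(BASELINE), INCIDENT)` yields two findings, both for `dba_it`, while the application account's own access to the same table produces none.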


Negligent Insiders: The Road to Hell is Paved with Good Intentions
- Do not have malicious intent
- Expose sensitive enterprise data due to careless behavior: cutting corners or simplifying daily tasks

Negligent User Example 1: Behavioral Analysis Flags Account Sharing
- Bypasses the organization's permissions and privileges
- Provides people with access that they are not entitled to
- Leaves an incorrect access trail to the data
- Sharing is not caring!
(Chart: users A through L and the accounts each of them uses)
- A and B share privileges
- C and D use B's account
- H uses the accounts of E and G
- J uses the accounts of G and I
- L uses the account of K

Negligent User Example 2: File Exfiltration
- An employee copied 1500 files from the file share
- Each file copy operation took 14 seconds on average
- An average normal file copy takes 1 second
- A slow copy rate may indicate a file exfiltration attempt: connecting through VPN and copying files to a device outside the organization
- Exfiltration of a large amount of files is concerning and uncommon
Our recommendation: further investigation is required
- Which files were copied?
- What other activities were done by the employee related to unstructured data (file shares? databases?)
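Both file-share cases on this page (the IP hoarder's unusual volume and off-hours timing, and the slow 14-second copies here) fall out of comparing a user's day against a department baseline. The following is an added example, not code from the Imperva slides or from SecureSphere; the users, department, timestamps and durations are constructed, and the baseline cut-off and the factor-of-five thresholds are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed file-server audit events: (user, department, ISO timestamp, copy_duration_s).
# Baseline (2016-02-01..03, weekdays): two tech writers copy 3 files a day during office hours.
# Incident (Sunday 2016-02-07, 02:00): one of them copies 40 files at 14 s each.
BASELINE = [(u, "techwriting", f"2016-02-0{d}T1{h}:00:00", 1.0)
            for u in ("alice", "bob") for d in (1, 2, 3) for h in range(3)]
INCIDENT = [("bob", "techwriting", f"2016-02-07T02:{i // 4:02d}:{i % 4 * 15:02d}", 14.0)
            for i in range(40)]
BASELINE_END = datetime(2016, 2, 4)  # events before this instant train the model

def off_hours(dt):
    """Weekend, or between midnight and 06:00 on a weekday."""
    return dt.weekday() >= 5 or dt.hour < 6

def per_user_day(events):
    groups = defaultdict(list)
    for ev in events:
        groups[(ev[0], ev[1], datetime.fromisoformat(ev[2]).date())].append(ev)
    return groups

def flag_copy_anomalies(events, baseline_end, volume_factor=5, slow_factor=5):
    """Flag (user, day) pairs after baseline_end whose copy volume, timing or copy rate
    departs from what the user's department did during the baseline."""
    base = [e for e in events if datetime.fromisoformat(e[2]) < baseline_end]
    recent = [e for e in events if datetime.fromisoformat(e[2]) >= baseline_end]
    dept_max = defaultdict(int)  # busiest single user-day seen per department
    for (_, dept, _), evs in per_user_day(base).items():
        dept_max[dept] = max(dept_max[dept], len(evs))
    normal_dur = mean(e[3] for e in base) if base else 1.0
    off_hours_users = {e[0] for e in base if off_hours(datetime.fromisoformat(e[2]))}
    flags = {}
    for (user, dept, day), evs in per_user_day(recent).items():
        reasons = []
        if len(evs) > volume_factor * dept_max[dept]:
            reasons.append(f"{len(evs)} copies vs department max {dept_max[dept]}")
        if user not in off_hours_users and any(off_hours(datetime.fromisoformat(e[2])) for e in evs):
            reasons.append("off-hours copies from a user with no off-hours history")
        avg = mean(e[3] for e in evs)
        if avg > slow_factor * normal_dur:
            reasons.append(f"{avg:.0f} s per copy vs normal {normal_dur:.0f} s")
        if reasons:
            flags[(user, str(day))] = reasons
    return flags

if __name__ == "__main__":
    print(flag_copy_anomalies(BASELINE + INCIDENT, BASELINE_END))
```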


Compromised Insiders: More Dangerous Than You Think
Compromised users: external threats that act with the same level of freedom as the trusted insider
- 30% of recipients click on phishing emails; 12% went on to open attachments or click links
- Top 10 known vulnerabilities accounted for 85% of successful exploits
- 63% of data breaches involved weak, default or stolen passwords
Source: Verizon DBIR 2016

Compromised Users: How Failed Logins are Flagged as Anomalous
- Failed logins to a database are not uncommon
- In this example, a user tried to access a database they had never accessed before, using several different DB accounts
- 4 failed login attempts in an hour
- One attempt used the credentials of the user on another database
- The other 3 attempts came in less than 10 minutes
- The user succeeded on their 5th attempt, but had insufficient privileges and couldn't perform any operations
Baseline period:
- The user always successfully logs into DB1 using the red account
- The user never logs into DB2
On the day of the incident:
- The user tried and failed to log into DB2 11 times using 4 different accounts
- Succeeded using a 5th account
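The failed-login case is a baseline-versus-incident comparison keyed on (user, database, account): a first access to DB2, several failures, several accounts including one that belongs to the user's other database, and an eventual success with an account never seen before. The following is an added example, not code from the Imperva slides or from SecureSphere; the user, database and account names, timestamps and the three-failure threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed database login audit: (timestamp, user, db, account, outcome).
# Baseline: jdoe logs into DB1 with the "red" account every morning and never touches DB2.
# Incident day: 11 failed logins to DB2 with 4 different accounts, then success with a 5th.
BASELINE = [(f"2016-03-{d:02d}T09:00:00", "jdoe", "DB1", "red", "success") for d in range(1, 15)]
INCIDENT = [(f"2016-03-15T10:{i:02d}:00", "jdoe", "DB2", acct, "fail")
            for i, acct in enumerate(["red", "blue", "green", "gold"] * 3)][:11]
INCIDENT.append(("2016-03-15T10:12:00", "jdoe", "DB2", "black", "success"))

def build_baseline(records):
    """user -> {db -> accounts that logged in successfully during the learning period}"""
    base = defaultdict(lambda: defaultdict(set))
    for _, user, db, acct, outcome in records:
        if outcome == "success":
            base[user][db].add(acct)
    return base

def flag_login_anomalies(baseline, records, max_failures=3):
    """One finding per (user, db) pair whose login pattern departs from the baseline."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec[1], rec[2])].append(rec)
    findings = []
    for (user, db), recs in groups.items():
        user_base = baseline.get(user, {})
        known_accounts = user_base.get(db, set())
        accounts_elsewhere = set().union(*user_base.values())  # the user's accounts on other DBs
        fails = [r for r in recs if r[4] == "fail"]
        tried = {r[3] for r in recs}
        reasons = []
        if db not in user_base:
            reasons.append("first access to this database")
        if len(fails) >= max_failures:
            reasons.append(f"{len(fails)} failed logins")
        if len(tried) > 1:
            reasons.append(f"{len(tried)} distinct accounts tried")
        if db not in user_base and tried & accounts_elsewhere:
            reasons.append("reused credentials the user normally uses on another database")
        if any(r[4] == "success" and r[3] not in known_accounts for r in recs):
            reasons.append("eventual success with an account never seen for this user/database")
        if reasons:
            findings.append({"user": user, "db": db, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in flag_login_anomalies(build_baseline(BASELINE), INCIDENT):
        print(f)
```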


Learn More: read the HII Report at Imperva.com/DefenseCenter

Q&A

5 Minute Break