Part 1: Anatomy of an Insider Threat Attack
Shiri Margel, Data Security Research Team Lead, Imperva
Carrie McDaniel, Emerging Products Team Lead, Imperva

Shiri Margel, Data Security Research Team Lead
- Master of Science in Computer Science and Mathematics
- 15+ years of algorithmic experience
- 3+ years of information security experience
Session moderated by Carrie McDaniel, Emerging Products Team Lead
- 70% of insider breaches took months or years to discover
- 16.3% of data breaches were attributed to insider and privilege misuse
Source: Verizon DBIR, April 2016

Insider Threat: Hacker Intelligence Initiative (HII) report, March 2016
- Insider threat events were present in 100 percent of the studied environments
- None of the insider threat incidents were identified by the security infrastructure already in place
- The identified insider threats spanned malicious, compromised and careless insiders
The Research: Behavioral Analysis
- Collected live production data from several volunteer Imperva customers
- Data source: Imperva SecureSphere audit logs, the full database and file server audit trail
- Provides full visibility into which users accessed what data
- Machine learning algorithms identify the actors and their normal ("good") behavior, so that meaningful anomalies stand out
(Diagram: actors and their good behavior)
Behavioral Analysis: Malicious, Careless and Compromised Insiders
Malicious Insiders: The Worst Nightmare Scenario
- Trusted insiders who intentionally steal data for their own purposes
- More than 15% of breaches are committed by malicious insiders
- Motivation: financial gain, espionage or a grudge
- Examples: Edward Snowden, Chelsea Manning (born Bradley Manning)
Malicious Insider: Behavioral Analysis Finds the IP Hoarder
- A Technical Writing employee copied more than 100,000 files
- The employee was authorized to access the data
- The operation took 3 weeks; each copy contained a few thousand files
- Some copies were made in the middle of the night and/or on the weekend
What made it anomalous:
- Neither the employee nor the department had ever copied this number of files
- The employee had never worked on weekends or in the middle of the night
- Because the employee was authorized to read the data, access control alone would not have flagged the activity; only the deviation from the baseline did
Organization's feedback: the employee was planning to leave the organization shortly after the incident took place
Malicious Insider: Behavioral Analysis Flags a DBA Abusing Privileges
(Diagram: clients reach the application tables through the application; the DBA connects to the database directly)
- A DBA from IT retrieved and modified multiple records in PeopleSoft application tables on a specific day
- The DBA did not go through the PeopleSoft interface, bypassing PeopleSoft's logging and retrieval limits
- Retrieved many records, both compared to other users and compared to their own usual activity
- Modified several thousand records in one table
- Used a highly privileged database account
- The tables contained sensitive financial information
- Should a DBA from IT have direct access to financial information?
Organization's feedback: a DBA from IT should never be exposed to financial information, and certainly should not modify it outside of application processes
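The following is an added illustration of the DBA case, written for this edit; it is not Imperva code and does not reproduce how SecureSphere scores events. It runs three of the checks the slides describe over constructed database audit records: whether an application table was reached outside the application's own account and client program (the bypass), whether the row count is far above what anyone else does on that table (peers) or what this user normally does (own history), and whether the statement modified data outside the application path. Table names, the `PS_` prefix, account names, client programs and the 10x threshold are assumptions for the example.

```python
from collections import defaultdict

# Constructed database audit records, not real customer data. Each tuple is one
# audited statement as a database audit trail would record it:
# (os_user, db_account, client_program, table, operation, rows_affected)
BASELINE_DB = [
    ("svc_ps", "PSAPP", "PeopleSoft", "PS_PAYROLL", "SELECT", 20),
    ("svc_ps", "PSAPP", "PeopleSoft", "PS_PAYROLL", "UPDATE", 1),
    ("svc_ps", "PSAPP", "PeopleSoft", "PS_PAYROLL", "SELECT", 35),
    ("dave",   "SYS",   "sqlplus",    "DBA_TABLES", "SELECT", 400),
    ("dave",   "SYS",   "sqlplus",    "V$SESSION",  "SELECT", 50),
]
INCIDENT_DB = [
    ("dave", "SYS", "sqlplus", "PS_PAYROLL", "SELECT", 12000),
    ("dave", "SYS", "sqlplus", "PS_PAYROLL", "UPDATE", 3000),
]

APP_TABLE_PREFIX = "PS_"   # assumption: application tables share a name prefix
PEER_FACTOR = 10           # flag rows > 10x the largest baseline operation
WRITE_OPS = {"INSERT", "UPDATE", "DELETE"}


def build_db_baseline(events):
    """Learn, per table, which (account, client program) pairs normally touch it,
    the largest operation anyone ran on it, and each user's largest operation."""
    paths = defaultdict(set)       # table -> {(db_account, client_program)}
    table_max = defaultdict(int)   # table -> max rows in one operation (peers)
    user_max = defaultdict(int)    # (os_user, table) -> max rows (own history)
    for os_user, account, program, table, _op, rows in events:
        paths[table].add((account, program))
        table_max[table] = max(table_max[table], rows)
        user_max[(os_user, table)] = max(user_max[(os_user, table)], rows)
    return {"paths": paths, "table_max": table_max, "user_max": user_max}


def flag_db_event(event, baseline):
    """Return the list of anomaly tags for one audited statement (empty = normal)."""
    os_user, account, program, table, op, rows = event
    tags = []
    is_app_table = table.startswith(APP_TABLE_PREFIX)
    via_app = (account, program) in baseline["paths"].get(table, set())
    if is_app_table and not via_app:
        # Direct access to an application table outside the application's own
        # account/program bypasses the application's logging and row limits.
        tags.append(f"bypass: {account}/{program} is not an application path to {table}")
    peer_max = baseline["table_max"].get(table, 0)
    if rows > PEER_FACTOR * peer_max:
        tags.append(f"volume-peers: {rows} rows vs largest baseline op {peer_max}")
    if (os_user, table) not in baseline["user_max"]:
        tags.append(f"new-table: {os_user} never touched {table} in the baseline")
    elif rows > PEER_FACTOR * baseline["user_max"][(os_user, table)]:
        own_max = baseline["user_max"][(os_user, table)]
        tags.append(f"volume-self: {rows} rows vs own max {own_max}")
    if is_app_table and not via_app and op in WRITE_OPS:
        tags.append(f"modify-outside-app: {op} of {rows} rows on {table}")
    return tags


def detect_db_anomalies(baseline_events, incident_events):
    """Score every incident-day statement against the learned baseline."""
    baseline = build_db_baseline(baseline_events)
    return [(e, flag_db_event(e, baseline)) for e in incident_events]


if __name__ == "__main__":
    for event, tags in detect_db_anomalies(BASELINE_DB, INCIDENT_DB):
        print(event, "->", tags or "normal")
```

The bypass check is the one that answers the organization's question: with only a privilege check, `SYS` is allowed to read `PS_PAYROLL`, so nothing fires; with a learned "who reaches this table, and through what" baseline, the direct `sqlplus` session stands out before any row count is considered.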
Behavioral Analysis: Careless Insiders
Negligent Insiders: The Road to Hell Is Paved with Good Intentions
- Have no malicious intent
- Expose sensitive enterprise data through careless behavior: cutting corners or simplifying daily tasks
Negligent User Example 1: Behavioral Analysis Flags Account Sharing
- Bypasses the organization's permissions and privileges
- Gives people access they are not entitled to
- Leaves an incorrect access trail to the data
- Sharing is not caring!
Observed sharing among users A through L:
- A and B share privileges
- C and D use B's account
- H uses the accounts of E and G
- J uses the accounts of G and I
- L uses the account of K
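An added example, not from the original deck or from Imperva: given audit records that pair the person behind the session (OS user or client identity) with the database account used, it rebuilds the sharing map from the slide, in both directions (which accounts are used by more than one person, and which people use more than one account). The `concurrent_sessions` check goes beyond the slide: the same account logged in from two hosts at overlapping times is a stronger signal than the mapping alone. User and account names, hosts and the session times are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit records (not real data) reproducing the pattern on the slide:
# (os_user, db_account) pairs; an account is normally used only by its owner.
LOGINS = [
    ("A", "acct_a"), ("B", "acct_b"), ("C", "acct_b"), ("D", "acct_b"),
    ("E", "acct_e"), ("F", "acct_f"), ("G", "acct_g"), ("H", "acct_e"),
    ("H", "acct_g"), ("I", "acct_i"), ("J", "acct_g"), ("J", "acct_i"),
    ("K", "acct_k"), ("L", "acct_k"),
]
# Constructed session records: (db_account, source_host, login, logout)
SESSIONS = [
    ("acct_b", "host-b", "2016-02-01 09:00", "2016-02-01 12:00"),
    ("acct_b", "host-c", "2016-02-01 10:00", "2016-02-01 11:00"),
    ("acct_k", "host-k", "2016-02-01 08:00", "2016-02-01 09:00"),
    ("acct_k", "host-l", "2016-02-01 09:30", "2016-02-01 10:00"),
]


def account_usage(logins):
    """Map each DB account to the set of people observed using it."""
    users_by_account = defaultdict(set)
    for os_user, account in logins:
        users_by_account[account].add(os_user)
    return users_by_account


def shared_accounts(logins):
    """Accounts used by more than one person: the permission model is bypassed
    and the audit trail no longer says who really touched the data."""
    return {acct: sorted(users)
            for acct, users in account_usage(logins).items() if len(users) > 1}


def multi_account_users(logins):
    """People who use more than one account, e.g. H using E's and G's accounts."""
    accounts_by_user = defaultdict(set)
    for os_user, account in logins:
        accounts_by_user[os_user].add(account)
    return {u: sorted(a) for u, a in accounts_by_user.items() if len(a) > 1}


def concurrent_sessions(sessions):
    """Extra heuristic beyond the slide: one account logged in from two different
    hosts at overlapping times cannot be a single person at a single keyboard."""
    parse = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M")
    by_account = defaultdict(list)
    for acct, host, start, end in sessions:
        by_account[acct].append((host, parse(start), parse(end)))
    hits = []
    for acct, sess in by_account.items():
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                (h1, s1, e1), (h2, s2, e2) = sess[i], sess[j]
                if h1 != h2 and s1 < e2 and s2 < e1:   # intervals overlap
                    hits.append((acct, h1, h2))
    return hits


if __name__ == "__main__":
    print("shared accounts:", shared_accounts(LOGINS))
    print("multi-account users:", multi_account_users(LOGINS))
    print("concurrent sessions:", concurrent_sessions(SESSIONS))
```

Note that A does not appear in either map: the slide says A and B "share privileges", which is a permission-model problem rather than one visible in who-used-which-account data, so the constructed records leave A on their own account.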
Negligent User Example 2: File Exfiltration
- An employee copied 1,500 files from the file share
- Each file copy operation took 14 seconds on average; a normal file copy averages 1 second
- A slow copy rate may indicate a file exfiltration attempt: connecting through VPN and copying the files to a device outside the organization
- Exfiltration of a large number of files is concerning and uncommon
Our recommendation: further investigation is required
- Which files were copied?
- What other activity by the employee touched unstructured data (file shares) or databases?
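An added example serving both file-share cases in this deck, the IP hoarder and the slow-copy exfiltration; it is illustration written for this edit, not Imperva's algorithm. It learns a baseline from constructed file-server audit events (largest copy per user and per department, whether the user was ever active at night or on weekends, usual seconds per file) and then tags incident-day operations on the signals the slides name: volume far above the user's or the department's history, off-hours activity by someone never seen off-hours, and a per-file copy time many times slower than usual. User names, departments, the 10x and 5x factors and the 22:00 to 06:00 night window are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed file-server audit events, not real customer data. One tuple per
# copy operation: (user, department, timestamp, files_copied, duration_seconds)
BASELINE = [
    ("alice", "techwriting", "2016-02-01 10:15", 40, 38),
    ("alice", "techwriting", "2016-02-02 14:02", 25, 27),
    ("alice", "techwriting", "2016-02-03 09:40", 60, 55),
    ("bob",   "techwriting", "2016-02-01 11:00", 80, 75),
    ("bob",   "techwriting", "2016-02-04 16:30", 50, 48),
    ("carol", "finance",     "2016-02-02 09:05", 10, 11),
]
INCIDENT = [
    ("alice", "techwriting", "2016-02-20 02:10", 4000, 3900),   # 2 AM, Saturday
    ("alice", "techwriting", "2016-02-21 03:30", 3500, 3400),   # Sunday
    ("alice", "techwriting", "2016-02-22 10:00", 3000, 3050),   # office hours
    ("carol", "finance",     "2016-02-22 10:30", 1500, 21000),  # 14 s per file
]

VOLUME_FACTOR = 10          # operation is > 10x the largest one in the baseline
SLOW_FACTOR = 5             # seconds per file > 5x the user's usual rate
NIGHT_START, DAY_START = 22, 6   # assumed off-hours window


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def is_off_hours(dt):
    return dt.weekday() >= 5 or dt.hour >= NIGHT_START or dt.hour < DAY_START


def build_baseline(events):
    """Learn what each user and department normally does: largest copy, whether
    the user was ever active off-hours, and the usual seconds per file."""
    user_max, dept_max = defaultdict(int), defaultdict(int)
    user_off_hours = defaultdict(bool)
    sec_per_file = defaultdict(list)
    for user, dept, ts, n_files, secs in events:
        user_max[user] = max(user_max[user], n_files)
        dept_max[dept] = max(dept_max[dept], n_files)
        user_off_hours[user] |= is_off_hours(parse_ts(ts))
        sec_per_file[user].append(secs / n_files)
    return {
        "user_max": user_max,
        "dept_max": dept_max,
        "user_off_hours": user_off_hours,
        "sec_per_file": {u: mean(v) for u, v in sec_per_file.items()},
    }


def flag_event(event, baseline):
    """Return anomaly tags for one copy operation (empty list means normal).
    A user or department absent from the baseline has a max of 0, so any
    sizeable copy by an unknown user is flagged; tune that for your own data."""
    user, dept, ts, n_files, secs = event
    tags = []
    umax, dmax = baseline["user_max"][user], baseline["dept_max"][dept]
    if n_files > VOLUME_FACTOR * umax:
        tags.append(f"volume-user: {n_files} files vs own max {umax}")
    if n_files > VOLUME_FACTOR * dmax:
        tags.append(f"volume-dept: {n_files} files vs department max {dmax}")
    if is_off_hours(parse_ts(ts)) and not baseline["user_off_hours"][user]:
        tags.append("off-hours: user was never active nights or weekends")
    usual = baseline["sec_per_file"].get(user)
    if usual and secs / n_files > SLOW_FACTOR * usual:
        tags.append(f"slow-copy: {secs / n_files:.1f} s/file vs usual {usual:.1f}")
    return tags


def detect(baseline_events, incident_events):
    """Return (user, timestamp, tags) for every incident-day operation."""
    baseline = build_baseline(baseline_events)
    return [(e[0], e[2], flag_event(e, baseline)) for e in incident_events]


if __name__ == "__main__":
    for user, ts, tags in detect(BASELINE, INCIDENT):
        print(user, ts, "->", tags or "normal")
```

The slow-copy tag is the one that needs the most care in practice: seconds per file also rises on a congested WAN link or with very large files, so it is an indicator to investigate together with where the client connected from, not a verdict on its own, which is why the slide's recommendation is further investigation rather than a block.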
Behavioral Analysis: Compromised Insiders
Compromised Insiders: More Dangerous Than You Think
- Compromised users: external threats that act with the same level of freedom as the trusted insider
- 30% of recipients click on phishing emails; 12% went on to open attachments or click links
- The top 10 known vulnerabilities accounted for 85% of successful exploits
- 63% of data breaches involved weak, default or stolen passwords
Source: Verizon DBIR 2016
Compromised Users: How Failed Logins Are Flagged as Anomalous
- Failed logins to a database are not uncommon
- In this example, a user tried to access a database they had never accessed before, using several different DB accounts
- 4 failed login attempts in an hour; one attempt used the user's credentials from another database, and the other 3 attempts came in less than 10 minutes
- The user succeeded on their 5th attempt, but had insufficient privileges and couldn't perform any operations
Baseline period: the user always logged into DB1 successfully using the red account and never logged into DB2
On the day of the incident: the user tried and failed to log into DB2 11 times using 4 different accounts, then succeeded using a 5th account
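An added example of the failed-login analysis, written for this edit rather than taken from the deck or from Imperva: it groups constructed login audit records per (user, database), learns from the baseline which databases and accounts each user normally uses, and then scores the incident day on the signals the slide lists: a database the user never reached before, a burst of failures with several accounts inside one window, an attempt that reuses the user's own credentials from another database, and eventual success with an account the user never held. A second user with one mistyped password on their usual database shows the benign case is not flagged. User, database and account names, the 3-failure threshold and the 60-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed database login audit records, not real data:
# (os_user, database, db_account, success, timestamp)
BASELINE_LOGINS = [
    ("uma", "DB1", "red",  True, "2016-02-01 09:00"),
    ("uma", "DB1", "red",  True, "2016-02-02 09:05"),
    ("uma", "DB1", "red",  True, "2016-02-03 08:55"),
    ("bob", "DB1", "bob1", True, "2016-02-01 10:00"),
]
INCIDENT_LOGINS = [
    # uma: 11 failures against DB2 with 4 accounts, then success with a 5th
    *[("uma", "DB2", "red",    False, f"2016-03-01 09:0{i}") for i in range(2)],
    *[("uma", "DB2", "blue",   False, f"2016-03-01 09:0{i}") for i in range(2, 5)],
    *[("uma", "DB2", "green",  False, f"2016-03-01 09:0{i}") for i in range(5, 8)],
    *[("uma", "DB2", "yellow", False, f"2016-03-01 09:{i:02d}") for i in range(8, 11)],
    ("uma", "DB2", "purple", True, "2016-03-01 09:12"),
    # bob: one mistyped password on his usual database, then success (normal)
    ("bob", "DB1", "bob1", False, "2016-03-01 10:00"),
    ("bob", "DB1", "bob1", True,  "2016-03-01 10:01"),
]

FAIL_THRESHOLD = 3             # assumed: 3+ failures in the window is a burst
WINDOW = timedelta(minutes=60)


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def build_login_baseline(events):
    """Per (user, database): the accounts that user successfully used there."""
    accounts = defaultdict(set)
    for user, db, account, ok, _ts in events:
        if ok:
            accounts[(user, db)].add(account)
    return accounts


def analyze_logins(baseline_events, incident_events):
    """Group incident attempts per (user, database) and score each group."""
    known = build_login_baseline(baseline_events)
    groups = defaultdict(list)
    for ev in incident_events:
        groups[(ev[0], ev[1])].append(ev)
    findings = {}
    for (user, db), evs in groups.items():
        evs.sort(key=lambda e: parse_ts(e[4]))
        failures = [e for e in evs if not e[3]]
        tried = {e[2] for e in failures}
        seen_failure, success_after = False, None
        for _u, _d, account, ok, _ts in evs:
            if not ok:
                seen_failure = True
            elif seen_failure and success_after is None:
                success_after = account       # first success after a failure
        here = known.get((user, db), set())
        elsewhere = {a for (u, d), accs in known.items() if u == user and d != db for a in accs}
        reasons = []
        if not any(u == user and d == db for (u, d) in known):
            reasons.append("new-database: user never logged into this database before")
        if len(failures) >= FAIL_THRESHOLD and \
                parse_ts(failures[-1][4]) - parse_ts(failures[0][4]) <= WINDOW:
            minutes = int(WINDOW.total_seconds() // 60)
            reasons.append(f"burst: {len(failures)} failures with {len(tried)} accounts within {minutes} min")
        reused = (tried & elsewhere) - here
        if reused:
            reasons.append(f"credential-reuse: tried own account(s) {sorted(reused)} from another database")
        if success_after and success_after not in here | elsewhere:
            reasons.append(f"success-with-new-account: {success_after} after {len(failures)} failures")
        findings[(user, db)] = {
            "failures": len(failures),
            "accounts_tried": sorted(tried),
            "succeeded_with": success_after,
            "reasons": reasons,
        }
    return findings


if __name__ == "__main__":
    for key, f in analyze_logins(BASELINE_LOGINS, INCIDENT_LOGINS).items():
        print(key, f)
```

The point of keeping the baseline per (user, database) rather than per user is the credential-reuse signal: the red account failing on DB2 is only interesting because red is the user's working account on DB1, which is exactly what an attacker holding one stolen credential tries first. Counting failures alone would have rated this the same as a user mistyping a password three times.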
Learn More: read the HII report at Imperva.com/DefenseCenter
Q&A
5 Minute Break