IQ4 Final Presentation (1)

Upload: chathura-wickramage

Posted on 21-Feb-2017

Page 1: Insider Threat Fraud Case Study

The Threat Within - CWA University at Albany

December 10, 2015

“Regardless of the technology in place to protect data, people still represent the biggest threat”

- Alex Ryskin

Page 2: Team 2SECURE

■ Chathura Wickramage - Information Security Officer

■ Valecia Stocchetti - Cyber Threat Intelligence Analyst

■ Daniel Roberti - Cyber Threat Analyst

■ Nicholas Manzella - Security Operating Center Analyst

■ Nicholas Godfrey - IT Risk Analyst

■ Christina Frunzi - Behavioral Analyst

Page 3: Understanding Insider Threat

“It’s not a matter of if, it’s a matter of when.”

Page 4: What Is Insider Threat?

■ The ability of someone from within a company or organization, who usually has LEGAL ACCESS to files/systems, to initiate an attack with little chance of being detected without proper security measures.

■ What is in fact an attack can look like normal activity on screen.

■ Can be both malicious and non-malicious.

■ Perception vs. Reality

Page 5: Who Can Be An Insider?

■ Ordinary Employees

■ Executive Management

■ Vendors

■ Contractors

■ Maintenance

■ Visitors

■ Former Employees

■ ...It can be anyone!

Insiders who pose the largest risk to an organization.

Page 6: What Are They After?

■ Tangible Assets
    ■ Money

■ Intangible Assets
    ■ Customer Bases
    ■ Vendor Relationships
    ■ Data
    ■ Intellectual Property
        ■ Patents/Trademarks/Copyrights
        ■ Trade Secrets/Crown Jewels

Page 7: Why Do They Want It?

■ Motive
    ■ Reason to commit the crime - Greed, Disgruntlement, Revenge (The Big Three)

■ Opportunity
    ■ Poor Security, Lack of policy, etc.

■ Rationalization
    ■ “I did it because…”

Page 8: Case Study

Page 9: Company Profile: Main Street Banking

Headquartered in New York, NY

50,000 Employees

Global, operating in 90+ countries across the Americas, Asia, Europe & Latin America, directly or indirectly via subsidiaries, affiliates or joint ventures.

Page 10: What Happened?

A lead software developer, Mark Smith, at Main Street Banking devised a scheme by which he could earn fraudulent rewards points by linking his personal accounts to corporate business credit card accounts of third-party companies. He cashed in the rewards points for gift cards and sold them at online auctions for cash. Ultimately, he was able to accumulate approximately 46 million rewards points, converting the points into $300,000 cash.

Page 11: Who is 2Secure?

We are a part of Main Street Banking’s Security Operations Center. As a team, we have been entrusted with analyzing and solving the problem described above. We have utilized the NIST framework along with many other additional documents to put together what we feel is the ideal insider threat protection plan. Insider threat is not an easy problem to solve. It requires not only technical controls but also relies heavily on behavioral controls. Insider threat is not 100% preventable; the key is to detect it quickly and mitigate the risks.

Page 12: What made the attack possible?

■ Employees not properly trained on how to detect an insider attack.

■ Poor governance.

■ Proper system controls not in place to detect an attack.

■ Poor access controls in place.

Page 13: How was the attack discovered?

■ An anonymous tip from an internal employee who knows the suspected insider was sent to the Security Operations Center (2Secure).

Page 14: Governance

Page 15: Governance

■ Objectives
    ■ Support the business.
    ■ Defend the business.
    ■ Promote responsible Information Security Behavior.

■ Identify Stakeholders

■ Create RACI Matrix
    ■ Responsible
    ■ Accountable
    ■ Consulted
    ■ Informed

Page 16: Governance

Page 17: Risk Assessment

Page 18: Risk Identification & Assessment

■ Risks Identified
    ■ Attacks using legitimate credentials to bypass access controls.
    ■ Unauthorized access to confidential information.
    ■ Theft of customer data.
    ■ Unusual activity and protocols observed on the network.
    ■ Unauthorized disclosure, modification or destruction of information.

■ Assessment
    ■ What is the asset?
    ■ What is its function?
    ■ What type of data is stored?
    ■ What is the criticality level?
    ■ How will it impact the company if compromised?
    ■ Risk = Threat Likelihood × Magnitude of Impact

Page 19: Prevention & Protection

Page 20: How could the attack be prevented?

■ Modifications to the Hiring Process
    ■ Background Checks
    ■ Psychological Testing
    ■ Social Media Disclosure
    ■ Prior Employment Terminations/Call References
    ■ Credit Score Disclosure (With Consent)
    ■ Periodic Checks on all of the above

■ Communication
    ■ Conduct Weekly Team Meetings
    ■ Schedule Bi-Weekly Check-Ins With Each Team Member
    ■ Semi-Annual Evaluations/Annual Reviews

Page 21: How could the attack be prevented?

■ Awareness & Training
    ■ Train employees to recognize an insider attack and how to report it anonymously.
    ■ Create best practices & develop safeguards to mitigate ignorance/negligence/carelessness.

■ Policies
    ■ Create a Whistleblower protection policy to protect the anonymous person.
    ■ Have current employees & new hires sign off on the policy to cover the company legally.

■ Enforcement
    ■ Enforce the policies and develop a plan on how to monitor when a policy is violated.
    ■ Stakeholders need to demonstrate an interest in helping with the overall problem at stake, not just with implementation.

Page 22: How could the attack be prevented?

■ Access Controls
    ■ Create a hierarchy for current or desired access levels.
    ■ Install software that will track permission levels - Normal behavior VS Abnormal behavior.
    ■ Monitor all employees, including ones who have higher access controls.
    ■ Implementation of timeframes
    ■ Install monitoring equipment that will record the session.
    ■ Have a team/employee that reviews the session to ensure that there is no suspicious activity.

Page 23: How could the attack be prevented?

■ Separation of Duties (SOD)
    ■ Identify processes and procedures along with the employee(s) responsible.
    ■ Create a tier structure so one person does not complete a process from start to finish.
    ■ Rotate roles to ensure that another set of eyes is on a particular process.

■ Data Security
    ■ Implement mechanisms to verify the integrity of software, firmware and information.
    ■ Implement detection software/processes for third-party sites.

Page 24: Detection

Page 25: What detection techniques should have been utilized?

Behavioral Detection Indicators:

■ Accessing the network while off the clock.
■ Working odd hours and/or being excessively willing to take overtime.
■ Takes excessive notes.
■ High interest in topics not pertaining to their job duties.
■ Demonstrating high-risk behaviors such as:
    ■ Past/current drug or alcohol abuse
    ■ Struggles financially
    ■ Excessively gambles
    ■ Exhibits hostile/aggressive behavior

Page 26: What detection techniques should have been utilized?

Anomalies and Events
■ Ensure that there is coordination between all stakeholders to detect anomalies and events.
■ Analyze traffic & event patterns for the information system.
■ Develop profiles representing common traffic patterns and/or events.

Security Continuous Monitoring
■ Implement software that will track permission levels to detect ‘abnormal behavior’ (as compared to normal behavior).
■ Limit, restrict and monitor all internal and external applications (e.g. 3rd-party banking sites).
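As an added example that is not part of the presentation, the profile-then-compare logic of this slide applied in Python to a constructed access log: a baseline period builds each user's set of normal (action, target) pairs, and review-period events are flagged when they fall outside an assumed business-hours window or outside that user's profile. All usernames, targets, timestamps and the 08:00-18:59 weekday window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (user,ISO timestamp,action,target); not real data.
BASELINE_LOG = """\
msmith,2015-11-02T09:15:00,login,dev-build-server
msmith,2015-11-02T10:40:00,read,rewards-api-source
msmith,2015-11-03T09:05:00,login,dev-build-server
msmith,2015-11-03T14:20:00,read,rewards-api-source
jdoe,2015-11-02T08:50:00,login,teller-portal
jdoe,2015-11-02T11:10:00,read,customer-accounts
"""
REVIEW_LOG = """\
msmith,2015-11-07T02:30:00,login,dev-build-server
msmith,2015-11-07T02:45:00,write,cardholder-rewards-db
msmith,2015-11-09T10:00:00,read,rewards-api-source
jdoe,2015-11-09T09:00:00,login,teller-portal
"""

BUSINESS_HOURS = range(8, 19)  # assumed 08:00-18:59, Monday to Friday


def parse(log):
    """Parse the comma-separated log into (user, datetime, action, target) rows."""
    rows = []
    for line in log.strip().splitlines():
        user, ts, action, target = line.split(",")
        rows.append((user, datetime.fromisoformat(ts), action, target))
    return rows


def build_profiles(rows):
    """Per-user set of (action, target) pairs seen during the baseline period."""
    profiles = defaultdict(set)
    for user, _, action, target in rows:
        profiles[user].add((action, target))
    return profiles


def detect(profiles, rows):
    """Flag off-hours access and activity absent from the user's baseline profile."""
    findings = []
    for user, ts, action, target in rows:
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
            findings.append((user, ts.isoformat(), "off-hours access"))
        if (action, target) not in profiles.get(user, set()):
            findings.append((user, ts.isoformat(), f"new activity: {action} {target}"))
    return findings


if __name__ == "__main__":
    for finding in detect(build_profiles(parse(BASELINE_LOG)), parse(REVIEW_LOG)):
        print(*finding)
```

In the constructed data the Saturday 02:45 write to a rewards database is flagged on both counts, while the Monday-morning reads that match the baseline produce nothing for the SOC to review.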

Page 27: What detection techniques should have been utilized?

Security Control Monitoring

■ Routine scans should be conducted regularly, such as:
    ■ Low-Impact Systems: Every day
    ■ Moderate-Impact Systems: Every hour
    ■ High-Impact Systems: Every 5, 10 or 15 minutes

■ Automated Processes
    ■ Vulnerability Scanners, Web Application Scanners, Patch Management Software, Security Information and Event Management

■ Audits should be performed on a regular basis.*
    ■ Rotate Log Files
    ■ Transfer Log Data
    ■ Retain Log Data
    ■ Analyze Log Data

*Frequency depends on the criticality of the system.

Page 28: Respond

Page 29: Establishing a Response Plan

Establish a Team of People
■ Outsourced vs. In-House
■ Recommendation: In-House
    ■ To eliminate the risk of exposing issues to the media and law enforcement when not intended.

Determine how the team will be organized
■ Centralized vs. Distributed
■ Recommendation: Distributed
    ■ Consists of several teams, each responsible for their own unit, along with a central team to coordinate and communicate the plan.

Cost Assessment
■ Determine the resources required, money needed and time.

Page 30: Establishing a Response Plan

Identification of Stakeholders
■ Management for policies, budgeting and staffing support.
■ Information Security Staff for support with systems and organization.
■ Legal for rules, rights, and regulations guidance.
■ Public Relations for communications with the media.
■ Human Resources for employee relations support.
■ Physical Security for building security management and regulation.

Stakeholder Buy-In - Imperative that they:
■ Maintain an expressed interest.
■ Continually upkeep, improve and enforce the plan.
■ Adapt to changes in new emerging technologies, security patches, laws and regulations.

Page 31: Establishing a Response Plan

Determine Scenario(s) and How to Respond
■ Is it malicious/non-malicious?
■ Where is the source of the attack?
■ What permission levels are in place for that employee (if the attacker is known)?
■ Locate the intrusion, seize the evidence.

Assessment of the Scenario
■ Volatility of Evidence
    ■ Network traffic, memory, hard drive, data analysis
    ■ Network (more dynamic) vs. Hard Drive (less dynamic)
■ Availability
    ■ How will this affect day-to-day operations?
    ■ Assess the damage and limit the loss of resources.

Page 32: Establishing a Response Plan

Training Plan
■ Employee Training (New & Existing)
    ■ How to identify insider attacks, eliminate negligence and properly report an insider attack.
■ Creation of a website to provide up-to-date insider threat resources to employees.
■ Set up an anonymous tip line to protect the employee from the attacker targeting them.

Communication Plan
■ Who: Know who you are going to inform in the case of an insider threat.
■ When: Know the order in which you are going to inform them.
■ What: Know what you are going to tell them; not every party needs to know all of the details.

Overall Plan Evaluation
■ Evaluate the effectiveness of the plan.
■ How long will the solution prevent the problem?
■ Improve and continually update to adapt to changes.

Page 33: Establishing a Response Plan

Seizure of Evidence
■ To seize or not to seize?
    ■ Servers - crucial to the operation of the company; ideal to make a forensic image instead.
    ■ Hard Drives - may be able to seize and investigate in the lab.
■ Utilize Chain of Custody Forms
    ■ Provides admissibility if used in court.
    ■ Documents evidence at every step of the investigation.

Page 34: Establishing a Response Plan

Behavioral Considerations:
■ Frequent field observations
■ Follow legal action to ensure the problem employee is not introduced to another company
■ Prevent file-sharing
■ Tighten monitoring measures
■ Improve previous precautions
■ Enhance employee awareness
■ Record the incident and the actions following
    ■ This keeps a reference for when another incident takes place and helps to ensure the same mistakes are not repeated.

Page 35: Response Plan in Action

■ Initiation of the Plan
    ■ Contain the attack to mitigate the effects.
    ■ Isolate the system to protect other systems from infection.
    ■ Eradicate the damage caused & disable account privileges.
    ■ Availability - Ensure that systems can operate & monitor the activity.
    ■ Evidence - Ensure admissibility for legal purposes.
    ■ Refer to legal guidelines and regulations on how to properly handle evidence.

■ Documentation
    ■ Logs should include events, times, dates and be signed.
    ■ A team of two should have access to the logs to ensure integrity.
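The signed incident documentation described on this slide (and the chain-of-custody record on Page 33), as an added Python example that is not from the presentation: each log entry carries an HMAC computed over its own fields and the previous entry's MAC, so the second team member holding the key can detect an altered, removed or reordered entry. The key, the entries, the analyst names and the timestamps are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed example key; in practice held by the log custodian in a secrets store.
LOG_KEY = b"example-only-custodian-key"


def _entry_mac(key, prev_mac, body):
    """HMAC-SHA256 over the previous entry's MAC and this entry's canonical JSON."""
    payload = prev_mac.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(log, key, event, recorded_by, when):
    """Append a signed entry; seq and the previous MAC bind order and completeness."""
    body = {"seq": len(log), "time": when.isoformat(),
            "event": event, "recorded_by": recorded_by}
    prev_mac = log[-1]["mac"] if log else "genesis"
    log.append({**body, "mac": _entry_mac(key, prev_mac, body)})
    return log


def verify_log(log, key):
    """Return the index of the first entry that fails to verify, or None if intact."""
    prev_mac = "genesis"
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        expected = _entry_mac(key, prev_mac, body)
        if body.get("seq") != i or not hmac.compare_digest(entry["mac"], expected):
            return i
        prev_mac = entry["mac"]
    return None


def build_sample_log():
    """Constructed incident log: three entries recorded by two team members."""
    t0 = datetime(2015, 12, 1, 9, 0, tzinfo=timezone.utc)
    log = []
    append_entry(log, LOG_KEY, "Anonymous tip received", "analyst-1", t0)
    append_entry(log, LOG_KEY, "Developer account privileges disabled", "analyst-2", t0.replace(hour=10))
    append_entry(log, LOG_KEY, "Forensic image of server taken", "analyst-1", t0.replace(hour=11))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_log(log, LOG_KEY) is None)
    log[1]["event"] = "Privileges left unchanged"  # simulated after-the-fact edit
    print("first bad entry:", verify_log(log, LOG_KEY))
```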

Page 36: Recovery

Page 37: Recovery Plan in Action

■ Recovery is important to...
    ■ Restore systems to normal operations.
    ■ Confirm that systems are functioning normally.
    ■ Prevent similar incidents from happening in the future.

■ Prioritize Incidents
    ■ Determine a time frame in which the company will fully recover.
    ■ Large Scale Incidents: Months & up to a year.
    ■ Small Scale Incidents (such as this one): 6-8 weeks with proper management of the recovery plan.

Page 38: Recovery Plan in Action

■ Once the system is clean:
    ■ Test, monitor and validate that systems are back in production, and verify that they are not re-infected or compromised again.

■ Address Vulnerabilities or Loopholes:
    ■ Tighten Access Controls
        ■ Establish access permissions with the least user privileges that are required.
        ■ Grant software developers elevated but temporary access when required.
    ■ Install Monitoring Software
        ■ Monitor software developers or any employee who requires increased access controls.
        ■ Monitor the system in general for at least 30-60 days to make sure the vulnerability has been identified and corrected.
    ■ Recover the stolen money
        ■ Determine how the company will recover the stolen goods (i.e. Civil Court).

Page 39: Recovery Plan in Action

■ Communication
    ■ Notify all involved/affected parties.
    ■ Notify employees that this type of behavior has zero tolerance.
    ■ Have a Zero-Tolerance Policy for all employees to sign off on to cover the company legally.

■ The Insubordinate Employee…
    ■ Should be terminated immediately.
    ■ Access permissions should be removed to ensure they cannot affect the system any further.

■ Vulnerability Scans
    ■ Detect and remove any vulnerabilities within the system or network.

Page 40: Thank You!

Questions?

Contact us at:
■ Chathura Wickramage <[email protected]>
■ Valecia Stocchetti <[email protected]>
■ Daniel P Roberti <[email protected]>
■ Nicholas Manzella <[email protected]>
■ Nicholas Godfrey <[email protected]>
■ Christina Frunzi <[email protected]>