iq4 final presentation (1)
TRANSCRIPT
+
Insider Threat Fraud Case Study
The Threat Within - CWA University at Albany
December 10, 2015
“Regardless of the technology in place to protect data, people still represent the biggest threat”
-Alex Ryskin
+Team 2SECURE
■ Chathura Wickramage - Information Security Officer
■ Valecia Stocchetti - Cyber Threat Intelligence Analyst
■ Daniel Roberti - Cyber Threat Analyst
■ Nicholas Manzella - Security Operating Center Analyst
■ Nicholas Godfrey - IT Risk Analyst
■ Christina Frunzi - Behavioral Analyst
+Understanding Insider Threat
“It’s not a matter of if, it’s a matter of when.”
+What Is Insider Threat?
■ The ability of someone from within a company or organization, who usually has LEGAL ACCESS to files/systems, to initiate an attack with little chance of being detected without proper security measures.
■ What is actually an attack can appear perfectly normal on screen.
■ Can be both malicious and non-malicious.
■ Perception vs. Reality
+Who Can Be An Insider?
■ Ordinary Employees
■ Executive Management
■ Vendors
■ Contractors
■ Maintenance
■ Visitors
■ Former Employees
■ ...It can be anyone!
Insiders who pose the largest risk to an organization.
+What are they after?
■ Tangible Assets
  ■ Money
■ Intangible Assets
  ■ Customer Bases
  ■ Vendor Relationships
  ■ Data
  ■ Intellectual Property
  ■ Patents/Trademarks/Copyrights
  ■ Trade Secrets/Crown Jewels
+Why Do They Want It?
■ Motive
  ■ Reason to commit the crime - Greed, Disgruntlement, Revenge (The Big Three)
■ Opportunity
  ■ Poor Security, Lack of policy, etc.
■ Rationalization
  ■ “I did it because…”
+
Case Study
+Company Profile:
Main Street Banking
Headquartered in New York, NY
50,000 Employees
Global, operating in 90+ countries across the Americas, Asia, Europe & Latin America, directly or indirectly via subsidiaries, affiliates or joint ventures.
+What Happened?
A lead software developer, Mark Smith, at Main Street Banking devised a scheme by which he could earn fraudulent rewards points by linking his personal accounts to the corporate business credit card accounts of third-party companies. He cashed in the rewards points for gift cards and sold them at online auctions for cash. Ultimately, he was able to accumulate approximately 46 million rewards points, converting the points into $300,000 cash.
+Who is 2Secure?
We are a part of Main Street Banking’s Security Operations Center. As a team, we have been entrusted with analyzing and solving the problem described above. We have used the NIST framework, along with many other additional documents, to compose what we feel is the ideal insider threat protection plan. Insider threat is not an easy problem to solve: it requires not only technical controls but also relies heavily on behavioral controls. Insider threat is not 100% preventable; the key is to detect it quickly and mitigate the risks.
+What made the attack possible?
■ Employees not properly trained on how to detect an insider attack.
■ Poor governance.
■ Proper system controls not in place to detect an attack.
■ Poor access controls in place.
+ How was the attack discovered?
■ An anonymous tip by an internal employee who knows the suspected insider was sent to the Security Operations Center (2Secure).
+Governance
+Governance
■ Objectives
  ■ Support the business.
  ■ Defend the business.
  ■ Promote responsible Information Security behavior.
■ Identify Stakeholders
■ Create RACI Matrix
  ■ Responsible
  ■ Accountable
  ■ Consulted
  ■ Informed
+ Governance
+Risk Assessment
+ Risk Identification & Assessment
■ Risks Identified
  ■ Attacks using legitimate credentials to bypass access controls.
  ■ Unauthorized access to confidential information.
  ■ Theft of customer data.
  ■ Unusual activity and protocols observed on the network.
  ■ Unauthorized disclosure, modification or destruction of information.
■ Assessment
  ■ What is the asset?
  ■ What is its function?
  ■ What type of data is stored?
  ■ What is the criticality level?
  ■ How will it impact the company if compromised?
■ Risk = Threat Likelihood * Magnitude of Impact
+Prevention & Protection
+How could the attack be prevented?
■ Modifications to the Hiring Process
  ■ Background Checks
  ■ Psychological Testing
  ■ Social Media Disclosure
  ■ Prior Employment Terminations/Call References
  ■ Credit Score Disclosure (With Consent)
  ■ Periodic Checks on all of the above
■ Communication
  ■ Conduct Weekly Team Meetings
  ■ Schedule Bi-Weekly Check-Ins With Each Team Member
  ■ Semi-Annual Evaluations/Annual Reviews
+How could the attack be prevented?
■ Awareness & Training
  ■ Train employees to recognize an insider attack and how to report it anonymously.
  ■ Create best practices & develop safeguards to mitigate ignorance/negligence/carelessness.
■ Policies
  ■ Create a Whistleblower protection policy to protect the anonymous reporter.
  ■ Have current employees & new hires sign off on the policy to cover the company legally.
■ Enforcement
  ■ Enforce the policies and develop a plan for how to monitor when a policy is violated.
  ■ Stakeholders need to demonstrate an interest in helping with the overall problem at stake, not just with implementation.
+How could the attack be prevented?
■ Access Controls
  ■ Create a hierarchy for current or desired access levels.
  ■ Install software that will track permission levels - Normal behavior VS Abnormal behavior.
  ■ Monitor all employees, including ones who have higher access levels.
  ■ Implementation of timeframes
    ■ Install monitoring equipment that will record the session.
    ■ Have a team/employee that reviews the session to ensure that there is no suspicious activity.
+How could the attack be prevented?
■ Separation of Duties (SOD)
  ■ Identify processes and procedures along with the employee(s) responsible.
  ■ Create a tier structure so one person does not complete a process from start to finish.
  ■ Rotate roles to ensure that another set of eyes is on a particular process.
■ Data Security
  ■ Implement mechanisms to verify the integrity of software, firmware and information.
  ■ Implement detection software/processes for third-party sites.
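The tier structure recommended above only works if someone checks the audit trail against it. The following is an added example (not code from the 2SECURE deck or from Main Street Banking) that assumes a hypothetical three-tier workflow for linking a rewards account to a corporate card (request, approve, execute), a set of roles allowed at each tier, and an audit trail with one record per completed step; the workflow, roles and records are constructed for illustration. It flags any process that is missing a tier, performed by an unauthorized role, approved by its own requester, or carried end to end by one person.

```python
"""Separation-of-duties check over a tiered workflow audit trail.

Added example (not from the 2SECURE deck). It assumes that linking a
rewards account to a corporate card is split into three tiers (request,
approve, execute), that each tier is reserved for certain roles, and that
every completed step is written to an audit trail. Workflow, roles and
audit records are all constructed for illustration.
"""
from collections import defaultdict

# Assumed tier structure: no single person may carry a request end to end.
WORKFLOW_STEPS = ("request", "approve", "execute")
STEP_ROLES = {
    "request": {"developer", "cardops"},
    "approve": {"cardops-manager"},
    "execute": {"cardops"},
}

# Constructed audit records: (process_id, step, user, role)
AUDIT_TRAIL = [
    ("link-1001", "request", "msmith", "developer"),
    ("link-1001", "approve", "rlee", "cardops-manager"),
    ("link-1001", "execute", "jdoe", "cardops"),
    ("link-1002", "request", "msmith", "developer"),
    ("link-1002", "approve", "msmith", "developer"),
    ("link-1002", "execute", "msmith", "developer"),
]


def check_separation(audit):
    """Return {process_id: [problem, ...]} for every process that breaks SoD."""
    by_process = defaultdict(dict)
    for pid, step, user, role in audit:
        by_process[pid][step] = (user, role)

    violations = {}
    for pid, steps in by_process.items():
        problems = []
        # Tier check: every step present and performed by a permitted role.
        for step in WORKFLOW_STEPS:
            if step not in steps:
                problems.append(f"missing step: {step}")
                continue
            user, role = steps[step]
            if role not in STEP_ROLES[step]:
                problems.append(f"{user} ({role}) is not permitted to {step}")
        # Second set of eyes: the requester may never be the approver.
        requester = steps.get("request", (None, None))[0]
        approver = steps.get("approve", (None, None))[0]
        if requester is not None and requester == approver:
            problems.append(f"{requester} approved their own request")
        # Start-to-finish check: a complete process needs more than one actor.
        actors = {user for user, _ in steps.values()}
        if len(steps) == len(WORKFLOW_STEPS) and len(actors) == 1:
            problems.append(f"{actors.pop()} completed the whole process alone")
        if problems:
            violations[pid] = problems
    return violations


if __name__ == "__main__":
    for pid, problems in check_separation(AUDIT_TRAIL).items():
        print(pid)
        for p in problems:
            print("  -", p)
```

Run as a batch job over the day's audit records, the output is a short list of process ids for the SOC to review; a process with no findings never appears, so a clean trail produces an empty dictionary.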
+Detection
+What detection techniques should have been utilized?
Behavioral Detection Indicators:
■ Accessing the network while off the clock.
■ Working odd hours and/or excessively willing to take overtime.
■ Takes excessive notes.
■ High interest in topics not pertaining to their job duties.
■ Demonstrating high-risk behaviors such as:
  ■ Past/current drug or alcohol abuse
  ■ Struggles financially
  ■ Excessively gambles
  ■ Exhibits hostile/aggressive behavior
+What detection techniques should have been utilized?
Anomalies and Events
■ Ensure that there is coordination between all stakeholders to detect anomalies and events.
■ Analyze traffic & event patterns for the information system.
■ Develop profiles representing common traffic patterns and/or events.
Security Continuous Monitoring
■ Implement software that will track permission levels to detect ‘abnormal behavior’ (as compared to normal behavior).
■ Limit, restrict and monitor all internal and external applications (i.e. 3rd-party banking sites).
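Profiles of normal traffic and a comparison against abnormal behavior, as called for on this slide and on the earlier Access Controls slide, reduce to something quite small once the logs are in hand. The following is an added example (not code from the 2SECURE deck or from Main Street Banking) that assumes a hypothetical application access log with one event per line (ISO timestamp, user, role, resource), a business-hours window, and a per-role profile of expected resources; the log lines, roles and resources are constructed. It builds each user's business-hours baseline from the log itself and then flags off-hours access, access outside the role profile, and access to resources absent from the user's own baseline.

```python
"""Baseline-versus-anomaly check over application access logs.

Added example (not from the 2SECURE deck). It assumes a simple log format,
one event per line: ISO-8601 timestamp, user, role, resource. The log
lines, role profiles and business-hours window below are all constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: a developer who normally touches build tooling
# starts using the card-rewards linking function at night and on a weekend.
SAMPLE_LOG = """\
2015-11-02T09:14:03 msmith developer source-repo
2015-11-02T14:02:17 msmith developer deploy-pipeline
2015-11-03T10:40:55 msmith developer test-db
2015-11-03T11:05:12 jdoe cardops rewards-account-link
2015-11-04T09:31:44 jdoe cardops card-ledger
2015-11-07T02:11:09 msmith developer rewards-account-link
2015-11-09T22:48:30 msmith developer rewards-account-link
"""

# Assumed role profiles: the resources each role is expected to use.
ROLE_PROFILE = {
    "developer": {"source-repo", "deploy-pipeline", "test-db"},
    "cardops": {"rewards-account-link", "card-ledger"},
}

BUSINESS_HOURS = range(8, 19)  # 08:00-18:59, Monday-Friday (assumed)


def is_business_time(ts):
    """True when the timestamp falls inside the assumed working window."""
    return ts.weekday() < 5 and ts.hour in BUSINESS_HOURS


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, resource = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "resource": resource})
    return events


def build_baseline(events):
    """'Normal behavior': the resources each user touched during business time."""
    baseline = defaultdict(set)
    for e in events:
        if is_business_time(e["ts"]):
            baseline[e["user"]].add(e["resource"])
    return baseline


def find_anomalies(events):
    """Flag events that deviate from the role profile or the user's baseline."""
    baseline = build_baseline(events)
    findings = []
    for e in events:
        reasons = []
        if not is_business_time(e["ts"]):
            reasons.append("off-hours access")
        if e["resource"] not in ROLE_PROFILE.get(e["role"], set()):
            reasons.append("resource outside role profile")
        if e["resource"] not in baseline[e["user"]]:
            reasons.append("resource not in user's business-hours baseline")
        if reasons:
            findings.append((e["ts"].isoformat(), e["user"], e["resource"], reasons))
    return findings


if __name__ == "__main__":
    for when, user, resource, reasons in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{when} {user} -> {resource}: {', '.join(reasons)}")
```

The role profile and the learned baseline deliberately overlap: the baseline alone would accept a developer who used the rewards function every day at 10:00 from the first day of the log, so the static role profile is what catches a permission the role should never have held, while the baseline catches drift inside an otherwise permitted role.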
+ What detection techniques should have been utilized?
Security Control Monitoring
■ Routine scans should be conducted regularly, such as:
  ■ Low-Impact Systems: Every day
  ■ Moderate-Impact Systems: Every hour
  ■ High-Impact Systems: Every 5, 10 or 15 minutes
■ Automated Processes
  ■ Vulnerability Scanners, Web Application Scanners, Patch Management Software, Security Information and Event Management
■ Audits should be performed on a regular basis.*
  ■ Rotate Log Files
  ■ Transfer Log Data
  ■ Retain Log Data
  ■ Analyze Log Data
*Frequency depends on the criticality of the system.
+Respond
+Establishing a Response Plan
Establish a Team of People
■ Outsourced vs. In-House
  ■ Recommendation: In-House
  ■ To eliminate the risk of exposing issues to media and law enforcement when not intended.
Determine How the Team Will Be Organized
■ Centralized vs. Distributed
  ■ Recommendation: Distributed
  ■ Consists of several teams, each responsible for their own unit, along with a central team to coordinate and communicate the plan.
Cost Assessment
■ Determine the resources required, the money needed and the time.
+Establishing a Response Plan
Identification of Stakeholders
■ Management for policies, budgeting and staffing support.
■ Information Security Staff for support with systems and organization.
■ Legal for rules, rights, and regulations guidance.
■ Public Relations for communications with the media.
■ Human Resources for employee relations support.
■ Physical Security for building security management and regulation.
Stakeholder Buy-In - Imperative that they:
■ Maintain an expressed interest.
■ Continually upkeep, improve and enforce the plan.
■ Adapt to changes in new emerging technologies, security patches, laws and regulations.
+Establishing a Response Plan
Determine Scenario(s) and How to Respond
■ Is it malicious/non-malicious?
■ Where is the source of the attack?
■ What permission levels are in place for that employee (if attacker known)?
■ Locate the intrusion, seize the evidence.
Assessment of the Scenario
■ Volatility of Evidence
  ■ Network traffic, memory, hard drive, data analysis
  ■ Network (more dynamic) vs. Hard Drive (less dynamic)
■ Availability
  ■ How will this affect day-to-day operations?
  ■ Assess the damage and limit the loss of resources.
+Establishing a Response Plan
Training Plan
■ Employee Training (New & Existing)
  ■ How to identify insider attacks, eliminate negligence and properly report an insider attack.
  ■ Creation of a website to provide up-to-date insider threat resources to employees.
  ■ Set up an anonymous tip line to protect the employee from the attacker targeting them.
Communication Plan
■ Who: Know who you are going to inform in the case of an insider threat.
■ When: Know the order in which you are going to inform them.
■ What: Know what you are going to tell them; not every party needs to know all of the details.
Overall Plan Evaluation
■ Evaluate the effectiveness of the plan.
■ How long will the solution prevent the problem?
■ Improve and continually update to adapt to changes.
+Establishing a Response Plan
Seizure of Evidence
■ To seize or not to seize?
  ■ Servers - crucial to the operation of the company; ideal to make a forensic image instead.
  ■ Hard Drives - may be able to seize and investigate in the lab.
■ Utilize Chain of Custody Forms
  ■ Provides admissibility if used in court.
  ■ Documents evidence at every step of the investigation.
+Establishing a Response Plan
Behavioral Considerations:
■ Frequent field observations
■ Follow legal action to ensure the problem employee is not introduced to another company
■ Prevent file-sharing
■ Tighten monitoring measures
■ Improve previous precautions
■ Enhance employee awareness
■ Record the incident and the actions following
  ■ This keeps a reference for when another incident takes place and helps to ensure the same mistakes are not repeated.
+Response Plan in Action
■ Initiation of the Plan
  ■ Contain the attack to mitigate the effects.
  ■ Isolate the system to protect other systems from being infected.
  ■ Eradicate the damage caused & disable account privileges.
  ■ Availability - Ensure that systems can operate & monitor the activity.
  ■ Evidence - Ensure admissibility for legal purposes.
    ■ Refer to legal guidelines and regulations on how to properly handle evidence.
■ Documentation
  ■ Logs should include events, times, dates and be signed.
  ■ A team of two should have access to logs to ensure integrity.
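The chain-of-custody form from the Seizure of Evidence slide and the signed, dated documentation called for here can be kept as one tamper-evident record. The following is an added example (not code from the 2SECURE deck or from Main Street Banking) that assumes the response team holds a shared signing key and that the seized item is a forensic image available as bytes; the image contents, key, custodian names, evidence id and timestamps are all constructed. Each custody entry records the SHA-256 of the image, the hand-off, and the signature of the previous entry, and is itself signed with HMAC-SHA256, so altering, reordering or dropping an entry, or substituting the image, makes verification fail.

```python
"""Hash-chained, signed chain-of-custody record for a piece of evidence.

Added example (not from the 2SECURE deck). It assumes the response team
holds a shared signing key and that the seized item is a forensic image
available as bytes; the image contents, key, custodian names and
timestamps below are constructed.
"""
import hashlib
import hmac
import json

SIGNING_KEY = b"assumed-response-team-signing-key"  # assumption: held by the team
GENESIS = "genesis"

# Constructed stand-in for the forensic image taken from a server.
EVIDENCE_IMAGE = b"constructed-forensic-image-of-a-rewards-server"


def fingerprint(data):
    """SHA-256 of the evidence so later custodians can prove it is unchanged."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    def __init__(self, evidence_id, image):
        self.evidence_id = evidence_id
        self.image_hash = fingerprint(image)
        self.entries = []

    @staticmethod
    def _canonical(entry):
        # Sign every field except the signature itself, in a stable order.
        body = {k: v for k, v in entry.items() if k != "signature"}
        return json.dumps(body, sort_keys=True).encode()

    @classmethod
    def _sign(cls, entry):
        return hmac.new(SIGNING_KEY, cls._canonical(entry), hashlib.sha256).hexdigest()

    def record(self, when, handed_from, handed_to, purpose):
        """Append one transfer; each entry commits to the previous signature."""
        entry = {
            "evidence_id": self.evidence_id,
            "image_hash": self.image_hash,
            "seq": len(self.entries),
            "time": when,
            "from": handed_from,
            "to": handed_to,
            "purpose": purpose,
            "prev": self.entries[-1]["signature"] if self.entries else GENESIS,
        }
        entry["signature"] = self._sign(entry)
        self.entries.append(entry)
        return entry

    def verify(self, image):
        """True only if the image matches and no entry was altered or removed."""
        if fingerprint(image) != self.image_hash:
            return False
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev:
                return False
            if entry["image_hash"] != self.image_hash:
                return False
            if not hmac.compare_digest(entry["signature"], self._sign(entry)):
                return False
            prev = entry["signature"]
        return True


def build_demo_log():
    """Constructed custody trail: seizure, hand-off to the lab, return to the vault."""
    log = CustodyLog("EVIDENCE-ID-PLACEHOLDER", EVIDENCE_IMAGE)
    log.record("2015-11-10T08:15:00", "data center", "SOC analyst", "imaged server; image seized")
    log.record("2015-11-10T09:40:00", "SOC analyst", "forensics lab", "analysis")
    log.record("2015-11-12T17:05:00", "forensics lab", "evidence vault", "storage pending legal")
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("image", log.image_hash)
    for e in log.entries:
        print(e["seq"], e["time"], e["from"], "->", e["to"], e["purpose"])
    print("chain intact:", log.verify(EVIDENCE_IMAGE))
```

The two-person rule on this slide maps onto the key: if the signing key is split so that one analyst records and a second verifies, a single custodian cannot rewrite the trail unnoticed. A real deployment would sign with per-person keys or certificates rather than one shared secret, so that each entry also attributes who signed it.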
+
Recovery
+Recovery Plan in Action
■ Recovery is important to...
  ■ Restore systems to normal operations.
  ■ Confirm that systems are functioning normally.
  ■ Prevent similar incidents from happening in the future.
■ Prioritize Incidents
  ■ Determine a time frame in which the company will fully recover.
  ■ Large-Scale Incidents: Months & up to a year.
  ■ Small-Scale Incidents (such as this one): 6-8 weeks with proper management of the recovery plan.
+Recovery Plan in Action
■ Once the system is clean:
  ■ Test, monitor and validate that systems are back in production, to verify that systems are not re-infected or compromised again.
■ Address Vulnerabilities or Loopholes:
  ■ Tighten Access Controls
    ■ Establish access permissions with the least user privileges that are required.
    ■ Grant software developers elevated but temporary access when required.
  ■ Install Monitoring Software
    ■ Monitor software developers or any employee who requires increased access.
    ■ Monitor the system in general for at least 30-60 days to make sure the vulnerability has been identified and corrected.
  ■ Recover the stolen money
    ■ Determine how the company will recover the stolen goods (i.e. Civil Court).
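"Least privilege" plus "elevated but temporary access" for developers is easy to state and easy to get wrong, usually because an elevation is granted and never revoked. The following is an added example (not code from the 2SECURE deck or from Main Street Banking) that assumes a hypothetical permission model in which each role has a fixed set of standing rights and anything beyond that must be granted explicitly with an approver, a reason and an expiry; the roles, rights and scenario are constructed. A developer keeps their build rights, gains a production read right only inside a four-hour window, and never gains the rewards-linking right at all.

```python
"""Least-privilege permissions with time-boxed elevation for developers.

Added example (not from the 2SECURE deck). It assumes a simple permission
model in which each role has a fixed set of standing rights and anything
beyond that must be granted explicitly with an expiry; the roles, rights
and the scenario below are constructed.
"""
from datetime import datetime, timedelta

# Assumed standing rights: developers cannot touch card or rewards data.
ROLE_RIGHTS = {
    "developer": {"source-repo:write", "deploy-pipeline:run", "test-db:write"},
    "cardops": {"card-ledger:read", "rewards-account-link:execute"},
}


class AccessPolicy:
    def __init__(self):
        self.users = {}    # user -> role
        self.grants = []   # active temporary elevations

    def add_user(self, user, role):
        self.users[user] = role

    def grant_temporary(self, user, right, approver, reason, start, ttl):
        """Record a time-boxed elevation with who approved it and why."""
        grant = {"user": user, "right": right, "approver": approver,
                 "reason": reason, "start": start, "end": start + ttl}
        self.grants.append(grant)
        return grant

    def is_allowed(self, user, right, now):
        """Standing role rights always apply; elevations only inside their window."""
        if right in ROLE_RIGHTS.get(self.users.get(user), set()):
            return True
        return any(g["user"] == user and g["right"] == right
                   and g["start"] <= now < g["end"] for g in self.grants)

    def expire(self, now):
        """Drop elevations whose window has closed; returns what was revoked."""
        expired = [g for g in self.grants if g["end"] <= now]
        self.grants = [g for g in self.grants if g["end"] > now]
        return expired


def demo():
    """Constructed scenario: a developer gets four hours of production read access."""
    policy = AccessPolicy()
    policy.add_user("msmith", "developer")
    t0 = datetime(2015, 12, 1, 9, 0)
    policy.grant_temporary("msmith", "prod-db:read", approver="rlee",
                           reason="hotfix (constructed ticket reference)",
                           start=t0, ttl=timedelta(hours=4))
    times = {"start": t0,
             "during": t0 + timedelta(hours=1),
             "at_end": t0 + timedelta(hours=4),
             "later": t0 + timedelta(hours=5)}
    return policy, times


if __name__ == "__main__":
    policy, times = demo()
    for label, now in times.items():
        print(label, "prod-db:read", policy.is_allowed("msmith", "prod-db:read", now))
    print("revoked:", [g["right"] for g in policy.expire(times["later"])])
```

The expiry is enforced in two places on purpose: `is_allowed` refuses a grant the moment its window closes even if the cleanup job has not yet run, and `expire` returns what it removed so the revocations can be written to the signed documentation log and reviewed during the 30-60 day monitoring period.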
+Recovery Plan in Action
■ Communication
  ■ Notify all involved/affected parties.
  ■ Notify employees that there is zero tolerance for this type of behavior.
  ■ Have a Zero-Tolerance Policy for all employees to sign off on to cover the company legally.
■ The Insubordinate Employee…
  ■ Should be terminated immediately.
  ■ Access permissions should be removed to ensure they cannot affect the system any further.
■ Vulnerability Scans
  ■ Detect and remove any vulnerabilities within the system or network.
+
Thank You!
Questions?
Contact us at:
Chathura Wickramage <[email protected]>
Valecia Stocchetti <[email protected]>
Daniel P Roberti <[email protected]>
Nicholas Manzella <[email protected]>
Nicholas Godfrey <[email protected]>
Christina Frunzi <[email protected]>