The Insider Threat Perspective

Diagram Reference: Typical Security Layers

Mission Critical Assets: The data an enterprise most needs to protect.

Data Security: At this layer, enterprises protect the storage and transfer of data (data at rest and in transit).

Application Security: Protection of access to an application. Because the application layer is the closest layer to the end user, it is a critical protection point.

Endpoint Security: Controls at this layer protect the devices themselves and their connections to the network, to help ensure system integrity.

Network Security: Controls at this layer protect the internal network against unauthorized access.

Perimeter Security: Controls at this layer protect the boundary between the organization's network and the outside world, screening the traffic that crosses it.

The questions we need to think about these days are: "Are trusted insiders changing their behaviors in ways that put the company at risk? What can we do differently to drive high employee performance and positive sentiment, prioritize privacy, and better protect regulated data and intellectual property?"

Security, like everything else, evolves. Organizations are seeing increased demand for monitoring, assessing, and managing insider risk. They need to monitor high-risk or high-profile users while also applying anomaly detection to the use of applications and data within the enterprise.

Insider threats within an organization can be broken into a few behavior categories. The typical ones you will hear about are malicious behaviors, negligent or careless behaviors, and compromised behaviors (a legitimate user's account being driven by someone else, for example through stolen credentials).

As I mentioned earlier, in my past experience I saw security from an attack, detection, and mitigation approach, which a traditional EPP/EDR solution can provide along with the other layers in the infrastructure. Many might think the insider threat challenge could be handled as an extension or subset of those tools, but that is not really the case. Insiders are in a position of trust within the organization, so an insider threat actor can use the privileges they already have not only to perform their job but to do much more. As many of us have known for some time, the rogue insider can be a systems specialist, DBA, developer, or even a manager or executive. The present-day landscape is not just technical abuse; it also includes confidential company work product being stolen, leaked, and sold. There is also flight risk: when people leave an organization, company work product often leaves with them. The traditional tools mentioned above are not equipped to focus on sensitive data, and they cannot take a user's anomaly data and compare it against the user's peer group, the organization as a whole, or the user's own baseline.

Employees typically know a lot about the company and often have access to intellectual property (IP). There have been many examples of malicious and inadvertent insider attacks that led to data breaches with the potential to harm companies. These attacks can lead to financial loss and reputation/brand damage, and can potentially destroy a business entirely.

Some typical sources of Insider Threats
- Negligent Users
- Malicious Insider
- Credential Theft

Why attacks by insiders can be dangerous
- Typically, insiders know the organization's cybersecurity weaknesses.
- Usually, insiders are not malicious and their day-to-day activity is legitimate, which is precisely why malicious activity by an insider is harder to detect than an external attack: it blends in with normal use of the access they already have.
- Most of the time, insiders know where sensitive data is located and can abuse that knowledge, for example by exfiltrating the data.

Below is a look at a real-life insider threat: a review of the findings and how the attack happened.

Real World Example — General Electric employees stole trade secrets to gain a business advantage.

Two GE employees stole data on the advanced computer models GE used for calibrating the turbines it manufactured, along with the marketing and pricing information used to promote the calibration service.

With this stolen intellectual property, one of the employees started a new company and competed with GE in bids for calibrating the turbines.

Here is a summary of the events. The GE employees involved downloaded thousands of files containing trade secrets from company servers; this was the aggregation phase for them. Once they had aggregated the data, they exfiltrated it by sending it to private email addresses and by uploading it to cloud storage. Another surprise is that one of the employees convinced a system administrator to grant him access to data he should not have been given access to.

None of this activity alerted or triggered any response from GE's security systems or security team. Deploying user activity monitoring, or an insider threat solution and program, would have helped GE detect the theft of its intellectual property and potentially surface the early indicators of intent in time to stop it. It would also have sped up the investigation by gathering the evidence required.

Being Proactive

Here is a short explanation of the DTEX Kill Chain. To fully understand any insider incident, visibility into the entire kill chain is very important. As mentioned earlier, this is because visibility into the earlier phases of the kill chain usually holds the answers to the most important questions, or can help you mitigate early and stop the incident.

DTEX offers user visibility data and intelligence spanning every stage of the kill chain. With this data, analysts can answer these questions, and more, at a glance, without hiring outside contractors to investigate incidents. DTEX's visibility across the whole kill chain, combined with machine learning and behavioral models that highlight anomalous behavior, lets it surface early warning signs before a breach occurs.

Reconnaissance

When preparing for data theft, the user typically begins with reconnaissance. This is where they locate the data they want to steal or, in the case of compromised credentials, where the attacker tests the bounds of the stolen credentials' privileges. DTEX records file access activity, failed access attempts, web activity, and so on. Examples of reconnaissance activity recorded by DTEX include:

Example showing an event of a user running network discovery across the network using ShareEnum.
User Investigation view showing the Reconnaissance phase mapped to the Compromised Behavior category, which is in turn mapped to MITRE ATT&CK technique T1046.

Circumvention

This is the stage where the attacker attempts to get around existing security measures such as web blocking, DLP tools, IPS devices, and others. Visibility into this activity is particularly important because it sheds light on intent: if a user is going to great lengths to get around company security, that is deliberate behavior.

This is also often where organizations see the gaps in their security posture and where it is failing. By capturing circumvention activity, DTEX shows analysts where and how users can bypass existing measures.

DTEX sees circumvention activity like:

Aggregation

This is when the attacker assembles all the data they plan to steal, often moving it into a single directory or compressing it into a single archive. DTEX sees this step by capturing activity like:

Obfuscation

In the obfuscation step, the attacker covers their tracks to avoid detection, often by renaming files, changing file types, or using more advanced tactics such as steganography. This is another important step to capture, both to prove malicious intent and to understand where other security tools have gaps.

DTEX captures all evidence of obfuscation activity, including:

Exfiltration

This is the final step in the process of stealing data, the moment the data is actually transferred out of the organization. Many security tools focus only on this step, usually by setting rules in blocking tools. However, rigid rules cannot catch the hundreds of methods that can be used to move data out of the organization. Because DTEX sees all activity from the point closest to the user, it has visibility into less common exfiltration methods that other tools often miss.

Some examples include:
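
The kill chain above, and the GE case earlier (thousands of files downloaded from company servers, aggregated, then sent to private email and uploaded to cloud storage), can be expressed as correlation rules over endpoint activity. What follows is an added example, not DTEX's product code or anything from the original post: a small Python correlator that tags constructed endpoint events with a kill-chain phase and an ATT&CK technique, then flags users who have touched several phases. The event schema, the thresholds, the list of "personal" web services, and the phase-to-technique mapping are assumptions made for illustration; the only mapping taken from the post is ShareEnum to T1046.

```python
"""Insider kill-chain correlator over endpoint events (added example, not DTEX code).

Tags each event with a phase of the kill chain described in the post plus an
ATT&CK technique, then flags users who have touched several phases. Event
schema, thresholds and the technique mapping are assumptions; only
ShareEnum -> T1046 is taken from the post.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PHASE_ORDER = ["Reconnaissance", "Circumvention", "Aggregation",
               "Obfuscation", "Exfiltration"]
RECON_TOOLS = {"shareenum.exe": "T1046"}        # share/network discovery (per the post)
SECURITY_SERVICES = {"dlpagent", "edrsensor"}   # assumed names of local security agents
ARCHIVE_EXTS = {"zip", "7z", "rar"}
DISGUISE_EXTS = {"jpg", "png", "pdf", "txt"}
PERSONAL_WEB_SERVICES = {"drive.google.com", "dropbox.com", "wetransfer.com"}
CORPORATE_MAIL_DOMAIN = "example.com"           # assumed company mail domain
BULK_READ_THRESHOLD = 50                        # file reads inside BULK_READ_WINDOW
BULK_READ_WINDOW = timedelta(minutes=30)
FLAG_AT_PHASES = 3                              # distinct phases needed to flag a user


def ext(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify(ev):
    """Single-event rules: return (phase, technique) or None."""
    action, target = ev["action"], ev.get("target", "").lower()
    if action == "process_start" and target in RECON_TOOLS:
        return "Reconnaissance", RECON_TOOLS[target]
    if action == "service_stop" and target in SECURITY_SERVICES:
        return "Circumvention", "T1562"         # Impair Defenses
    if action == "archive_create":
        return "Aggregation", "T1560"           # Archive Collected Data
    if action == "file_rename" and ext(target) in ARCHIVE_EXTS \
            and ext(ev["new_name"]) in DISGUISE_EXTS:
        return "Obfuscation", "T1036"           # Masquerading (file type)
    if action == "upload" and target in PERSONAL_WEB_SERVICES:
        return "Exfiltration", "T1567"          # Exfiltration Over Web Service
    if action == "email_send" and \
            ev["recipient"].rsplit("@", 1)[-1].lower() != CORPORATE_MAIL_DOMAIN:
        return "Exfiltration", "T1048"          # Exfiltration Over Alternative Protocol
    return None


def bulk_reads(events):
    """Sliding window: True if >= BULK_READ_THRESHOLD reads fall inside BULK_READ_WINDOW."""
    times = sorted(e["ts"] for e in events if e["action"] == "file_read")
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > BULK_READ_WINDOW:
            start += 1
        if end - start + 1 >= BULK_READ_THRESHOLD:
            return True
    return False


def correlate(events):
    """Per user: which phases were seen, which techniques, and whether to flag."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    report = {}
    for user, evs in by_user.items():
        phases = defaultdict(set)
        for hit in filter(None, map(classify, evs)):
            phases[hit[0]].add(hit[1])
        if bulk_reads(evs):                     # thousands of downloads, as in the GE case
            phases["Aggregation"].add("T1039")  # Data from Network Shared Drive
        seen = [p for p in PHASE_ORDER if p in phases]
        report[user] = {"phases": seen,
                        "techniques": sorted(t for s in phases.values() for t in s),
                        "flagged": len(seen) >= FLAG_AT_PHASES}
    return report


def _ev(ts, user, action, **fields):
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action, **fields}


# Constructed sample telemetry (not real logs): jdoe walks the whole chain,
# asmith does ordinary work against a corporate service.
SAMPLE_EVENTS = [
    _ev("2021-03-01T09:02:00", "jdoe", "process_start", target="ShareEnum.exe"),
    *[_ev(f"2021-03-01T09:{10 + i // 5:02d}:{(i % 5) * 10:02d}", "jdoe", "file_read",
          target=f"\\\\fs01\\engineering\\turbine_models\\model_{i}.dat") for i in range(60)],
    _ev("2021-03-01T09:40:00", "jdoe", "archive_create", target="C:\\Users\\jdoe\\models.zip"),
    _ev("2021-03-01T09:41:00", "jdoe", "file_rename", target="models.zip", new_name="vacation.jpg"),
    _ev("2021-03-01T09:42:00", "jdoe", "service_stop", target="DLPAgent"),
    _ev("2021-03-01T09:45:00", "jdoe", "upload", target="drive.google.com"),
    _ev("2021-03-01T09:50:00", "jdoe", "email_send", recipient="jdoe.home@gmail.com"),
    *[_ev(f"2021-03-01T10:{i:02d}:00", "asmith", "file_read",
          target=f"\\\\fs01\\finance\\q1_report_{i}.xlsx") for i in range(5)],
    _ev("2021-03-01T10:30:00", "asmith", "upload", target="sharepoint.example.com"),
]

if __name__ == "__main__":
    for user, r in correlate(SAMPLE_EVENTS).items():
        print(user, "FLAGGED" if r["flagged"] else "ok", r["phases"], r["techniques"])
```

Run it directly to print the per-user report: jdoe lights up all five phases and is flagged, while asmith's handful of reads and upload to a corporate service produce no phases at all. The point of correlating across phases rather than alerting on any single rule is the one the post makes: a bulk download, an archive rename, or a personal-cloud upload on its own is routine for many users, but the same user doing all of them in one morning is the early warning the rigid single-step blocking rules miss. In practice the thresholds and the allow-list of corporate services would be tuned per environment, and the report would be shipped to the SIEM as enrichment rather than acted on in isolation.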

Preventing Insider Breaches

By offering visibility into the entire insider threat kill chain, DTEX provides a complete contextual understanding of an incident. Visibility into only one or two of these steps is not enough to elevate your highest risks and see what slips through the cracks. Armed with a full audit trail, enterprises can be proactive, identifying users who display early warning signs before an incident occurs, and can drastically shorten resolution times during investigations. Detecting and investigating human-based risk requires dedicated user activity intelligence delivered from the endpoint.

Conclusion

The modern enterprise spends far too much time and money investigating incidents and piecing things together, never mind trying to constantly stop breaches from happening. A lot of effort has gone into prevention through tools such as EPP, IPS, and firewalls, with SIEMs pulling it all together to prevent malicious activity. These tools are great, but as it stands today they don't address insider threats. Having an insider threat program with a platform behind it lets you monitor user behavior and user intent, which strengthens an enterprise's investment in its other security tools such as SIEM/SOAR. It enriches the data feeding those SIEM/SOAR systems to help automate response and prevent breaches in the enterprise. This should reduce the workload of security teams and reduce the time legal teams need to spend on unnecessary litigation.

Acknowledgements

Special thanks to many on the DTEX team for some of the information above and for the opportunity to open my eyes to a whole new threat perspective, from the insider's point of view. My previous experience was within organizations looking to protect from the outside-in perspective. It has been very enlightening to learn the inside-out perspective.
