Risk Mitigation Strategies: Lessons Learned from Actual Insider Attacks
Randy Trzeciak
September 24, 2012
http://www.cert.org/insider_threat/
2012 Carnegie Mellon University
Notices
2012 Carnegie Mellon University. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at permission@sei.cmu.edu. This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFARS 252-227.7013 and DFARS 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide. Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding. THE MATERIAL IS PROVIDED ON AN AS IS BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT). CERT is a registered mark owned by Carnegie Mellon University. 2
Introduction 3
What is CERT?
Center of Internet security expertise
Established in 1988 by the US Department of Defense
Part of the Software Engineering Institute (SEI)
Federally Funded Research & Development Center (FFRDC)
Operated by Carnegie Mellon University (Pittsburgh, Pennsylvania)
4
What is the CERT Insider Threat Center?
Center of insider threat expertise
Began working in this area in 2001 with the U.S. Secret Service
Our mission: The CERT Insider Threat Center conducts empirical research and analysis to develop & transition socio-technical solutions to combat insider cyber threats.
5
CERT Insider Threat Center Objective
Opportunities for prevention, detection, and response for an insider attack
6
CERT's Unique Approach to the Problem
Research Models Deriving Candidate Controls and Indicators
[Figure: system dynamics model of insider espionage. Variables shown include Personal Needs, Financial Needs, Financial Greed, Insider Stress, Personal Predisposition, Willingness to Commit Espionage, Insider Conformance to Rules, Concealing Indicators and Violations, Insider's Perceived Risk of Being Caught, Organization's Trust of Insider, Organization's Perceived Risk of Insider Espionage, Level of Auditing and Monitoring (technical and non-technical), Access Authorization Level, Enforcing Authorization Level Using Access Controls, Security Awareness Training, Reporting of Suspicious Activity, Security Procedure Existence and Enforcement, Cultural Reluctance to Terminate / to Report, Insider Termination, Authorized and Unauthorized Insider Accesses (known and unknown to the organization), Espionage Known / Unknown to Organization, External Organization Effort to Co-opt Insider, and External Organization Paying for Espionage. Labelled feedback loops: R1a, R2 (trust trap), R3, R4, R5, B1a/B1b (harmful actions to fulfill needs), B2 (espionage control by restricting authorization level), B3, B4, B5 (espionage control by enforcing access controls); feedback loops B2 and B5 are based on expert opinion.]
[Figure: causal-loop model of insider theft of IP. R1: insider contribution to organizational group, insider contribution to developing information or product, insider sense of ownership of the information/product, insider time and resources invested in group. R2: insider desire to contribute to organization, insider sense of entitlement to products of the group, insider predisposition to feeling entitled, organization denial of insider requests, insider dissatisfaction with job/organization, insider sense of loyalty to organization, insider planning to go to competing organization, insider desire to steal org information, precipitating event (e.g., proposal by competitor). B1: insider concern over being caught, information stolen, opportunity to detect theft. R3: insider-perpetrated deceptions related to the info theft, org discovery of theft, org discovery of deceptions, level of technical and behavioral monitoring.]
Our lab transforms that into this Splunk query:
Query Name: Last 30 Days - Possible Theft of IP
Terms:
host=hector [search host="zeus.corp.merit.lab" Message="A user account was disabled.*" | eval Account_Name=mvindex(Account_Name, -1) | fields Account_Name | strcat Account_Name "@corp.merit.lab" sender_address | fields - Account_Name] total_bytes > 50000 AND recipient_address!="*corp.merit.lab" startdaysago=30 | fields client_ip, sender_address, recipient_address, message_subject, total_bytes
The subsearch collects the accounts disabled on the domain controller (zeus), takes the last Account_Name value of each event (the target account rather than the administrator who disabled it) and turns it into a sender address; the outer search then returns mail-server (hector) events from those senders to recipients outside the corporate domain that exceed 50,000 bytes within the last 30 days.
7
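As an added, runnable illustration of the search above (example code written for this page, not code from the CERT Insider Threat Lab), the following Python performs the same correlation over constructed log lines: accounts disabled within the last 30 days are turned into sender addresses, and large messages from those senders to non-corporate recipients are reported. The host names zeus and hector and the domain corp.merit.lab are reused from the query; the log formats, account names, addresses and sizes are constructed for the example, and the 30-day window is applied to both the disable events and the mail events.

```python
import re
from datetime import datetime, timedelta

CORP_DOMAIN = "corp.merit.lab"      # lab domain taken from the slide's Splunk query
BYTE_THRESHOLD = 50_000             # total_bytes > 50000 in the original search
WINDOW = timedelta(days=30)         # startdaysago=30

# Constructed events in the style of Windows "A user account was disabled" audit
# records forwarded from the domain controller (zeus). Like the Windows event,
# each carries two Account Name values: the admin who acted, then the target.
ACCOUNT_EVENTS = [
    "2012-09-20T16:02:11 zeus.corp.merit.lab A user account was disabled. Account Name: admin Account Name: jdoe",
    "2012-09-21T10:40:00 zeus.corp.merit.lab A user account was disabled. Account Name: admin Account Name: svc_backup",
    "2012-07-01T08:00:00 zeus.corp.merit.lab A user account was disabled. Account Name: admin Account Name: oldhire",
    "2012-09-22T11:00:00 zeus.corp.merit.lab A user account was enabled. Account Name: admin Account Name: jsmith",
]

# Constructed mail-transport log lines from the mail server (hector).
MAIL_EVENTS = [
    '2012-09-18T23:41:05 hector client_ip=10.10.5.23 sender_address=jdoe@corp.merit.lab recipient_address=jdoe.home@mail.example message_subject="project files" total_bytes=48213377',
    '2012-09-19T09:12:44 hector client_ip=10.10.5.23 sender_address=jdoe@corp.merit.lab recipient_address=boss@corp.merit.lab message_subject="status" total_bytes=120000',
    '2012-09-19T12:00:00 hector client_ip=10.10.7.9 sender_address=jsmith@corp.merit.lab recipient_address=vendor@partner.example message_subject="invoice" total_bytes=600000',
    '2012-09-20T08:30:00 hector client_ip=10.10.5.23 sender_address=jdoe@corp.merit.lab recipient_address=friend@mail.example message_subject="lunch" total_bytes=2100',
    '2012-06-15T08:30:00 hector client_ip=10.10.9.1 sender_address=oldhire@corp.merit.lab recipient_address=x@mail.example message_subject="old" total_bytes=9000000',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"


def parse_timestamp(line):
    return datetime.strptime(line.split(" ", 1)[0], "%Y-%m-%dT%H:%M:%S")


def disabled_senders(account_events, now, window=WINDOW):
    """Equivalent of the subsearch: accounts disabled inside the window,
    rewritten as sender addresses (strcat Account_Name "@corp.merit.lab")."""
    senders = set()
    for line in account_events:
        if "A user account was disabled." not in line:
            continue
        if now - parse_timestamp(line) > window:
            continue
        names = re.findall(r"Account Name: (\S+)", line)
        if names:
            senders.add(f"{names[-1]}@{CORP_DOMAIN}")   # mvindex(..., -1): the target account
    return senders


def parse_mail(line):
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["timestamp"] = parse_timestamp(line)
    fields["total_bytes"] = int(fields["total_bytes"])
    return fields


def possible_theft_of_ip(mail_events, account_events, now, threshold=BYTE_THRESHOLD, window=WINDOW):
    """Outer search: large messages from a recently disabled account to any
    recipient outside the corporate domain, inside the window."""
    watch = disabled_senders(account_events, now, window)
    hits = []
    for line in mail_events:
        m = parse_mail(line)
        if now - m["timestamp"] > window or m["sender_address"] not in watch:
            continue
        if m["total_bytes"] <= threshold:
            continue
        # recipient_address!="*corp.merit.lab" is a suffix wildcard, so mirror it with endswith
        if m["recipient_address"].endswith(CORP_DOMAIN):
            continue
        hits.append({k: m[k] for k in ("client_ip", "sender_address", "recipient_address",
                                       "message_subject", "total_bytes")})
    return hits


DEMO_NOW = datetime(2012, 9, 24, 12, 0)   # fixed "now" so the example is reproducible


def demo():
    return possible_theft_of_ip(MAIL_EVENTS, ACCOUNT_EVENTS, DEMO_NOW)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Only the 48 MB message from the disabled account jdoe to an external address survives the filters; the internal message, the small message and the account disabled outside the window are dropped, which is the same pruning the Splunk pipeline performs.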
Who is a Malicious Insider?
Current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.
8
Types of Insider Crimes
Insider IT sabotage: An insider's use of IT to direct specific harm at an organization or an individual.
Insider theft of intellectual property (IP): An insider's use of IT to steal intellectual property from the organization. This category includes industrial espionage involving insiders.
Insider fraud: An insider's use of IT for the unauthorized modification, addition, or deletion of an organization's data (not programs or systems) for personal gain, or theft of information which leads to fraud (identity theft, credit card fraud).
9
How bad is the Insider Threat problem? 10
Insider Threat Issue - 1
Insiders pose a substantial threat by virtue of their knowledge of, and access to, their employers' systems and/or databases.
Insiders can bypass existing physical and electronic security measures through legitimate means.
11
Insider Threat Issue - 2
Has your organization been the victim of an insider attack?
Can you confidently say you have not been the victim of an insider attack?
12
2011 Cybersecurity Watch Survey - 1
CSO Magazine, USSS, CERT & Deloitte; 607 respondents
38% of organizations have more than 5000 employees; 37% of organizations have less than 500 employees
[Chart: Percentage of Participants Who Experienced an Insider Incident, by survey year (values as shown, in year order): 2004: 41%; 2005: 39%; 2006: 55%; 2007: 49%; 2008: 51%; 2010: 43%]
Source: 2011 Cybersecurity Watch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.
13
2011 Cybersecurity Watch Survey - 2
46% of respondents: damage caused by insider attacks more damaging than outsider attacks
Most common insider e-crimes:
Unauthorized access to / use of corporate information (63%)
Unintentional exposure of private or sensitive data (57%)
Viruses, worms, or other malicious code (37%)
Theft of intellectual property (32%)
Source: 2011 Cybersecurity Watch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.
14
2011 Cybersecurity Watch Survey - 3
[Pie chart: How Insider Intrusions Are Handled. Internally (without legal action or law enforcement): 76%; the remaining 12%, 8% and 3% are split among Internally (with legal action), Externally (notifying law enforcement) and Externally (filing a civil action).]
Reason(s) cybercrimes were not referred for legal action (2011 / 2010):
Damage level insufficient to warrant prosecution: 42% / 37%
Could not identify the individual(s) responsible for committing the e-crime: 40% / 29%
Lack of evidence / not enough information to prosecute: 39% / 35%
Concerns about negative publicity: 12% / 15%
Concerns about liability: 8% / 7%
Concerns that competitors would use incident to their advantage: 6% / 5%
Prior negative response from law enforcement: 5% / 7%
Unaware that we could report these crimes: 4% / 5%
Other: 11% / 5%
Don't know: 20% / 14%
Not applicable: N/A / 24%
Source: 2011 Cybersecurity Watch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.
15
IT Sabotage 16
911 services disrupted for 4 major cities Disgruntled former employee arrested and convicted for this deliberate act of sabotage. 17
SCADA sabotage releases 800,000 liters of raw sewage 18
Insider IT Sabotage: True Story
A disgruntled system administrator is able to deploy a logic bomb and modify the system logs to frame his supervisor, even though he had been demoted and his privileges should have been restricted.
Insider had difficulties prior to hiring: high school dropout; fired from prior job; history of drug use
Expressed feelings of dissatisfaction and frustration with work conditions: complained that he did all the work; frequently late for work; drug use on the job; demoted
Subject frames his supervisor for sabotage: discovered plans to fire him; installed logic bomb to delete all files on all servers; set to execute from supervisor's .profile; included "ha ha" message; also planted in a script to run when the system log file reached a certain size
Tried to hide actions technically, but admitted to coworker: took great pains to conceal the act by deleting system logs; forgot to modify one system log, which was used to identify him as the perpetrator; told a co-worker the day before the attack that he would "see some serious stuff happen"
19
Other Cases of IT Sabotage
A subcontractor at an energy management facility breaks the glass enclosing the emergency power button, then shuts down computers that regulate the exchange of electricity between power grids, even though his own employer had disabled his access to their own facility following a dispute. Impact: internal power outage; shutdown of electricity exchange between the power grids in the US.
SCADA systems for an oil-exploration company are temporarily disabled: a contractor, whose request for permanent employment was rejected, planted malicious code following termination.
A system administrator at a manufacturing plant, passed over for promotion, deployed a logic bomb prior to resigning, deleting critical software required to run operations. Financial damage $10M; forced to lay off 80 employees.
20
How do organizations handle privileged technical employees and contractors who are on the HR radar? 21
Theft of Intellectual Property 22
TRUE STORY: Simulation software for the reactor control room in a US nuclear power plant was being run from Iran. A former software engineer born in that country took it with him when he left the company. 23
TRUE STORY: Research scientist downloads 38,000 documents containing his company's trade secrets before going to work for a competitor. Information was valued at $400 Million. 24
Other Cases of Theft of IP
A technical operations associate at a pharmaceutical company downloads 65 GB of information, including 1300 confidential and proprietary documents, intending to start a competing company in a foreign country. Organization spent over $500M in development costs.
25
Do you check for stolen information when employees and contractors with access to critical information leave? 26
Fraud 27
TRUE STORY: An undercover agent who claims to be on the No Fly list buys a fake driver's license from a ring of DMV employees... The identity theft ring consisted of 7 employees who sold more than 200 fake licenses for more than $1 Million. 28
Other Cases of Fraud
An accounts payable clerk, over a period of 3 years, issues 127 unauthorized checks to herself and others... Checks totaled over $875,000.
A front desk office coordinator stole PII from a hospital... Over 1100 victims and over $2.8M in fraudulent claims.
A database administrator at a major US insurance company downloaded 60,000 employee records onto removable media and solicited bids for sale over the Internet.
An office manager for a trucking firm fraudulently puts her husband on the payroll for weekly payouts, and erases records of payments. Over almost a year, a loss of over $100K.
29
Have you thought about how your employees could misuse your systems for financial personal gain? 30
Summary of Findings
IT Sabotage
Current or former employee? Former
Type of position: Technical (e.g. sys admins, programmers, or DBAs)
Gender: Male
Target: Network, systems, or data
Access used: Unauthorized
When: Outside normal working hours
Where: Remote access
Fraud
Current or former employee? Current
Type of position: Non-technical (e.g. data entry, customer service) or their managers
Gender: Fairly equally split between male and female
Target: PII or customer information
Access used: Authorized
When: During normal working hours
Where: At work
Theft of Intellectual Property
Current or former employee? Current (within 30 days of resignation)
Type of position: Technical (e.g. scientists, programmers, engineers) or sales
Gender: Male
Target: IP (trade secrets) or customer info
Access used: Authorized
When: During normal working hours
Where: At work
31
Mitigation Strategies 32
Our Suggestion: Continuous Logging, Targeted Monitoring, Real-time Alerting 33
Short Term and Long Term Solutions 34
Short Term
1. Form an insider threat team that includes HR, Legal, IT, Information Security, Data Owners, Management, Security
2. Create policies that cross organizational boundaries; work with legal counsel
3. Consistently enforce the policies
4. Develop processes and implement controls that enforce communication across departments
35
Long Term
Automated detection mechanism:
Unified rules engine configured with insider threat indicators and risk thresholds
Data mining system that correlates unstructured data contained in logs, browsing information, email, internal documents, performance reviews, physical access, etc.
Intelligent reasoning system that can make a decision about whether to flag a user as being a risk to the organization.
36
Common Sense Guide to Prevention and Detection of Insider Threats http://www.cert.org/archive/pdf/cg-v3.pdf 37
Summary of Best Practices in CSG
Consider threats from insiders and business partners in enterprise-wide risk assessments.
Clearly document and consistently enforce policies and controls.
Institute periodic security awareness training for all employees.
Monitor and respond to suspicious or disruptive behavior, beginning with the hiring process.
Anticipate and manage negative workplace issues.
Track and secure the physical environment.
Implement strict password and account management policies and practices.
Enforce separation of duties and least privilege.
Consider insider threats in the software development life cycle.
Use extra caution with system administrators and technical or privileged users.
Implement system change controls.
Log, monitor, and audit employee online actions.
Use layered defense against remote attacks.
Deactivate computer access following termination.
Implement secure backup and recovery processes.
Develop an insider incident response plan.
38
Insider Threat Controls http://www.cert.org/insider_threat/controls/ 39
CERT's Insider Threat Controls
Problem: Malicious insiders attack systems remotely outside of business hours.
Solution: Using a SIEM signature to detect potential precursors to IT sabotage
Problem: Malicious insiders take sensitive company information with them before leaving the organization.
Solution: Using centralized logging to detect data exfiltration near insider termination
40
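An added example of the first control (example code written for this page, not the control CERT publishes): a SIEM-style signature run over constructed VPN log lines that raises an alert for any successful remote login either by an account HR lists as separated (access that should no longer exist) or by a privileged account outside an assumed 07:00-19:00 Monday-to-Friday window. It combines the findings on the summary slide (sabotage is typically remote, off-hours and by technical users) with the best practice of deactivating access after termination. The hostname vpn01, the user lists, the business-hours window and the log format are all assumptions.

```python
import re
from datetime import datetime, time

# Assumed business hours for the example: 07:00-19:00, Monday to Friday.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)

# Constructed reference data the SIEM would pull from IAM and HR.
PRIVILEGED_USERS = {"asmith", "bchen"}   # system administrators
SEPARATED_USERS = {"bchen"}              # left the organization; account should already be disabled

# Constructed VPN concentrator log lines (the hostname vpn01 is made up).
VPN_LOG = [
    "2012-09-22T02:13:09 vpn01 user=bchen src=203.0.113.45 result=success",   # Saturday 02:13, separated admin
    "2012-09-24T10:05:00 vpn01 user=asmith src=198.51.100.7 result=success",  # Monday, business hours
    "2012-09-24T23:40:12 vpn01 user=asmith src=198.51.100.7 result=success",  # Monday 23:40, privileged
    "2012-09-24T23:41:00 vpn01 user=jdoe src=198.51.100.9 result=success",    # non-privileged user, 23:41
    "2012-09-25T03:00:00 vpn01 user=bchen src=203.0.113.45 result=failure",   # failed attempt, not a login
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_vpn_line(line):
    """Parse one constructed log line; returns None for lines the signature does not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def outside_business_hours(ts):
    # weekday() is 5 or 6 on Saturday and Sunday
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def sabotage_precursor_alerts(log_lines, privileged=PRIVILEGED_USERS, separated=SEPARATED_USERS):
    """Signature: successful remote logins by a separated account, or by a
    privileged account outside business hours. Failed attempts are ignored
    here; they belong to a separate brute-force rule."""
    alerts = []
    for line in log_lines:
        rec = parse_vpn_line(line)
        if rec is None or rec["result"] != "success":
            continue
        reasons = []
        if rec["user"] in separated:
            reasons.append("login by separated account")
        if rec["user"] in privileged and outside_business_hours(rec["ts"]):
            reasons.append("privileged remote access outside business hours")
        if reasons:
            alerts.append({
                "ts": rec["ts"].isoformat(),
                "user": rec["user"],
                "src": rec["src"],
                "severity": "high" if rec["user"] in separated else "medium",
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in sabotage_precursor_alerts(VPN_LOG):
        print(alert)
```

On the constructed log the signature produces two alerts: a high-severity one for the separated administrator logging in on a Saturday night, and a medium one for the on-call administrator at 23:40, which the team would likely close after checking the change calendar. The non-privileged off-hours login and the failed attempt produce nothing, which keeps the rule targeted at the population the findings slide singles out.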
CERT Resources
Insider Threat Center website (http://www.cert.org/insider_threat/)
Common Sense Guide to Prevention and Detection of Insider Threats (http://www.cert.org/archive/pdf/cg-v3.pdf)
Insider threat workshops
Insider threat assessments
New controls from CERT Insider Threat Lab
Insider threat exercises
The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (SEI Series in Software Engineering) by Dawn M. Cappelli, Andrew P. Moore and Randall F. Trzeciak
41
Point of Contact
Randall F. Trzeciak
Technical Team Lead, CERT Insider Threat Center
CERT Program, Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue, Pittsburgh, PA 15213-3890
+1 412 268-7040 (Phone)
rft@cert.org (Email)
http://www.cert.org/insider_threat/
42