Visit https://reddit.com/r/insiderthreat for show notes and discussion! This is a podcast where we explore the issues today with the insider threat, or human factor, of our organizations. We also talk about ways to tackle those issues through training, culture, and technology in order to help information security and business professionals reduce risks in their environments.
Title - First Pillar of Insider Threat Protection: Technology
In this episode we cover the technology of insider threat protection, heinousity at Honeywell (hey, if it’s in urban dictionary, it must be real), Korea winning at artificial intelligence, and more. Don't touch that dial!
Welcome back! This is episode 16 of The Insider Threat podcast, for the week of September 4th, 2017.
Thanks for taking the time to listen again this week. I think we have some good discussion topics lined up, which could help you in your efforts to tackle insider threat in your organization. There are quite a few security conferences coming up that I’m either going to or volunteering at, to include the Insider Threat Symposium, BSides DC, and BSides NoVA. I’ve also been asked to speak at a Global CISO Gathering in LA in January, so I hope that all works out. If you happen to see me at one of these events, please take the time to stop me and share any thoughts or ideas about the show or insider threat or the best whiskey to put in hot toddies, or anything, really.
Infosec Question of the Week
You know that sound. It's time for your Infosec Question of the Week, where Google is king and the prize is nonexistent!
The question last week was "A Cuban-born hacker plagued United States retailers from 2005 through 2007 and is accused of masterminding the combined credit card theft and subsequent reselling of more than 170 million card and ATM numbers across the country. Who is this notorious hacker?"
The answer was "Albert Gonzalez".
If you've never read about this guy's exploits, you're definitely missing out. Basically, he was behind one of, if not THE biggest payment card breaches in history. The kicker is that during the period in which he was conducting all these heinous crimes, he was actually doubling as an informant for the federal government. It's a pretty interesting story, so you should check it out.
Congratulations to Ahmed from Arlington, Carolyn from Salt Lake City, Will from New Haven, and Leo from Kansas City for getting the correct answer.
Here's your question for this week: "On August 29th, 1831, English scientist Michael Faraday made a groundbreaking discovery that has led to big advancements in the electronic privacy industry. What did he find?"
Send your response to InfosecAnswer@gmail.com. Be sure to include your first name, location, and the hashtag "gave away the answer in the question".
Our news from this week comes from Ryan Perry at Dailymail.uk. I won't share the title yet because it basically gives away the story.
Robert Miller, a former satellite expert at Honeywell, was upset because he didn't get the raise he was looking for. Instead of working harder, looking for some sort of upward mobility, or trying to find a job elsewhere, he decided that he would take revenge on his employer by trying to sell information pertaining to the location of DEA agents to a Mexican cartel for the sum of 2 million dollars.
Access to this information by a drug cartel could let them know the exact location of ground agents, boats, and aircraft. In other words, they would know that the cops were coming their way with plenty of time to move their loot.
By the time he was arrested, Miller had already been let go from Honeywell and his personal account had been either disabled or deleted. The problem is that he still had tech support login credentials that could get him into the company's systems: a shared account is not revoked when an individual's account is, and everyone who has ever known its password keeps that access until the password is rotated. This just further proves how important it is to set expiration dates even on group accounts, monitor their activity, rotate their credentials whenever someone with access leaves, and periodically check to see who has access to them. This malicious insider could have caused quite a bit of damage to the United States war on drugs. It could have also put the lives of DEA agents in danger.
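An added example of the periodic check described above, written for these notes rather than taken from the podcast or from any vendor: it joins an HR roster (with termination dates) against an inventory of shared accounts and reports the departed users still listed, the credentials not rotated since they left, and the accounts with no expiry. Every name, date and account in it is constructed for the example.

```python
"""Offboarding review for shared ("group") accounts.

Added example, not from the podcast. Disabling a departed user's personal
account does nothing about shared support credentials they still know, so
this audit joins an HR roster (with termination dates) against an inventory
of shared accounts and reports what still needs attention. Every name, date
and account below is constructed for the example.
"""
from datetime import date

REVIEW_DATE = date(2017, 9, 4)   # assumed date the review is run

# Constructed HR roster: user -> termination date (None = still employed).
ROSTER = {
    "alice": None,
    "bob": date(2017, 8, 15),
    "carol": None,
    "dave": date(2017, 6, 1),
}

# Constructed inventory of shared accounts. 'expires' None means no expiry set.
SHARED_ACCOUNTS = [
    {"name": "techsupport", "authorized": ["alice", "bob"],
     "last_rotated": date(2017, 3, 1), "expires": None},
    {"name": "sat-ops", "authorized": ["carol", "dave"],
     "last_rotated": date(2017, 6, 2), "expires": date(2017, 12, 31)},
    {"name": "backup-admin", "authorized": ["alice"],
     "last_rotated": date(2017, 1, 10), "expires": date(2017, 7, 1)},
]


def audit_shared_accounts(accounts, roster, today):
    """Return (account, finding) tuples for everything an offboarding
    reviewer would need to act on."""
    findings = []
    for acct in accounts:
        departed = [u for u in acct["authorized"]
                    if roster.get(u) is not None and roster[u] <= today]
        for user in departed:
            # Still listed as an authorized user after leaving.
            findings.append((acct["name"], f"departed user {user} still authorized"))
            # Knew the current secret: it has not been rotated since they left.
            if acct["last_rotated"] <= roster[user]:
                findings.append((acct["name"], f"not rotated since {user} left"))
        # Every shared account should carry an expiry that forces a re-review.
        if acct["expires"] is None:
            findings.append((acct["name"], "no expiration date set"))
        elif acct["expires"] < today:
            findings.append((acct["name"], "expired but still in inventory"))
        # Names HR has never heard of are orphaned identities.
        for user in acct["authorized"]:
            if user not in roster:
                findings.append((acct["name"], f"unknown user {user}"))
    return findings


def run_review(today=REVIEW_DATE):
    """Audit the constructed inventory as of the review date."""
    return audit_shared_accounts(SHARED_ACCOUNTS, ROSTER, today)


if __name__ == "__main__":
    for account, finding in run_review():
        print(f"{account}: {finding}")
```

Run against the constructed data it produces five findings; the "not rotated since bob left" line is the one that maps to the Honeywell story, since bob's personal account being gone changes nothing about a password he already knows.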
First Pillar of Insider Threat Protection - Technology
As I said last week, I'm working on a piece that explains the different types of protection that can help address insider threat risk. It consists of four "pillars", and starts with a bit of a story. Here's that story and an overview of the first pillar.
You wake up on Monday morning, get ready, pour yourself a cup of coffee and sit at the kitchen table for your daily dive into your work phone to see what sort of meetings you have planned for the day. The number of notifications on your lock screen instantly alerts your senses. Reading the top email, you find out that full account details for many of your customers have been leaked on the dark web and that you have additional emails and missed calls from members of the Department of Homeland Security. You rush to work, talking to members of your team during the entire commute.
How could a hacker have gotten in? You immediately enact your incident response plan, with a focus on finding out where the attack originated from and how it can be contained. Days go by and you've spent long days and longer nights looking through logs before discovering that everything points to a single workstation - yours. You suddenly remember a vendor invoice attachment from the week before that wouldn't open, even after saving it to your desktop. The cause of those late nights, endless stress, and the loss of your company's reputation, was one seemingly insignificant moment of inattention.
We've heard about similar situations and some of us have even experienced them ourselves. What could have been done differently? How can your organization ensure that something like this doesn't happen? Insider threat is something that many organizations are worried about today. Studies have shown that it is the cause of the majority of security breaches and, according to several surveys, business and IT executives count it among their top concerns.
Insider threat protection consists of four primary pillars - technology, policy, training, and culture. Keep reading to learn more about how to improve these pillars and help to keep the ceiling from falling in on you.
The first pillar in insider threat protection is technology. There are several existing and emerging technical controls and tools specifically aimed at addressing insider threat concerns. The most common technical solutions mentioned today are for monitoring user behavior and creating actionable security intelligence, and they fall into a few categories. Some solutions simply record user actions through logs to make it easier to audit them, while others analyze that data to establish a baseline behavior model for each user and notify the security department when behavior becomes anomalous. Finally, some user monitoring solutions also record screenshots or video of user workstations, keystrokes, and mouse clicks in an attempt to make it easier to view user behavior both in real-time and in the course of incident response. These solutions do well for detecting and responding to malicious insiders, with two caveats: the behavior-analysis tools need a learning period and tuning before their alerts can be trusted, and recording screens and keystrokes is a monitoring decision that should be cleared with legal and HR before it is switched on.
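An added example of the second category, written for these notes and not taken from the podcast or any monitoring product: the same log lines are first just parsed (the audit-only case) and then used to build a per-user baseline of transfer volume and working hours, against which later events are scored. The log lines, users and threshold are constructed for the example.

```python
"""Per-user behaviour baseline over activity logs.

Added example, not from the podcast or any vendor. It shows the difference
between merely collecting user logs and analysing them against a baseline.
Each constructed log line is "timestamp user action bytes". For every user
the training window yields the mean and standard deviation of bytes moved
per event and the set of hours they normally work; later events are scored
against that profile.
"""
import statistics
from datetime import datetime

# Constructed log lines (not real data). Format: ISO timestamp, user, action, bytes.
TRAINING_LOG = """\
2017-08-21T09:05:00 alice file_copy 1200
2017-08-21T10:17:00 alice file_copy 900
2017-08-22T11:40:00 alice file_copy 1500
2017-08-23T14:02:00 alice file_copy 1100
2017-08-24T16:30:00 alice file_copy 1300
2017-08-21T08:55:00 bob file_copy 52000
2017-08-22T09:10:00 bob file_copy 61000
2017-08-23T09:45:00 bob file_copy 48000
2017-08-24T10:20:00 bob file_copy 55000
2017-08-25T13:05:00 bob file_copy 58000
"""

# Events to score. A 60000-byte copy is normal for bob but not for alice,
# and alice's 02:00 activity is outside her usual hours.
NEW_EVENTS = """\
2017-08-28T10:00:00 bob file_copy 60000
2017-08-28T10:05:00 alice file_copy 60000
2017-08-29T02:00:00 alice file_copy 1000
2017-08-29T11:00:00 alice file_copy 1250
"""


def parse(log_text):
    """Yield (datetime, user, action, bytes) for each non-empty line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, nbytes = line.split()
        yield datetime.fromisoformat(ts), user, action, int(nbytes)


def build_baseline(log_text):
    """Per user: mean and stdev of bytes, plus the hours seen in training."""
    per_user = {}
    for ts, user, _action, nbytes in parse(log_text):
        entry = per_user.setdefault(user, {"bytes": [], "hours": set()})
        entry["bytes"].append(nbytes)
        entry["hours"].add(ts.hour)
    baseline = {}
    for user, entry in per_user.items():
        mean = statistics.mean(entry["bytes"])
        # pstdev is defined for a single sample; floor it so a perfectly
        # uniform history still gives finite z-scores.
        stdev = max(statistics.pstdev(entry["bytes"]), 1.0)
        baseline[user] = {"mean": mean, "stdev": stdev, "hours": entry["hours"]}
    return baseline


def score_events(log_text, baseline, z_threshold=3.0):
    """Return (user, timestamp, reasons) for events that deviate from the baseline."""
    alerts = []
    for ts, user, _action, nbytes in parse(log_text):
        reasons = []
        profile = baseline.get(user)
        if profile is None:
            reasons.append("no baseline for user")
        else:
            z = (nbytes - profile["mean"]) / profile["stdev"]
            if z > z_threshold:
                reasons.append(f"volume z-score {z:.1f}")
            if ts.hour not in profile["hours"]:
                reasons.append(f"unusual hour {ts.hour:02d}")
        if reasons:
            alerts.append((user, ts.isoformat(), reasons))
    return alerts


def run_example():
    """Score the constructed events against the constructed training window."""
    return score_events(NEW_EVENTS, build_baseline(TRAINING_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The point the example makes is that a fixed threshold on bytes transferred would either miss alice or drown you in alerts about bob; the per-user baseline flags alice's copy and her 02:00 session while leaving bob alone. A five-event training window is far too short for production use, which is the learning-period caveat above.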
Another type of technical solution is those that provide isolation in some way. They create sandbox environments where user actions cannot have a negative impact on the system they are using or other network devices. I covered one of those in a guest interview on the podcast recently, but I am going to try to keep this as vendor agnostic as possible. The idea is that when users click on links or open attachments, as well as when they just browse the web in the course of their job, they operate in a completely isolated environment that either simply separates their session from the workstation they are working on or the solution takes the website and translates it to a version that essentially makes any malicious code or scripts ineffective. A longtime existing and ever-growing concern is that advertisements on legitimate websites have the ability to compromise systems or even scam users into thinking they have malware on their workstations and trick them into paying for unneeded products and services.
A less costly solution that addresses phishing campaigns is to automatically append text to links in emails, or to the subject lines of messages coming from external sources. This can be accomplished through both home-grown and commercial solutions and applied at the email server. If a user can see that an email came from outside the organization, they might be more alert to potential phishing. If they are forced to copy and paste a URL into their browser because links have been disabled through appended text, they are more likely to notice that something in the path is suspicious. The drawback of these solutions when compared to commercial isolation methodologies is that by themselves they do not protect users from malicious email attachments, other than a potential notification that the message came from an external source.
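An added example of that home-grown approach, written for these notes and not from the podcast: the transform a mail-server hook (a milter, or a script the MTA pipes messages through) would apply before delivery, shown as a pure function over a raw message so it runs offline. The internal domain list, the tag text and the sample message are assumptions constructed for the example.

```python
"""Tag mail from outside the organization and disable its links.

Added example, not from the podcast. The transform a home-grown hook on the
mail server (a milter, or a script the MTA pipes messages through) would
apply before delivery, written as a pure function over a raw message so it
can be run offline. INTERNAL_DOMAINS, the tag text and the sample message
are assumptions constructed for the example.
"""
import re
from email import message_from_string, policy

INTERNAL_DOMAINS = {"example.com"}        # assumed: the organization's own domains
EXTERNAL_TAG = "[EXTERNAL]"
URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)

# Constructed sample message, not a real email.
SAMPLE_EMAIL = """\
From: "Vendor Billing" <billing@vendor.example.net>
To: alice@example.com
Subject: Invoice 4412 overdue
Content-Type: text/plain; charset="utf-8"

Please review the invoice at
https://vendor.example.net/pay?id=4412
or call us. Thanks.
"""


def sender_domain(msg):
    """Domain of the From header, lower-cased ('' if missing or malformed).
    A missing domain is treated as external, never as internal."""
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else ""


def is_external(msg):
    return sender_domain(msg) not in INTERNAL_DOMAINS


def disable_links(text):
    """Break the URL scheme ('https://' -> 'hxxps://') and append a marker so
    mail clients stop rendering the link and the user has to copy it by hand."""
    def defang(match):
        url = match.group(0)
        return url[0] + "xx" + url[3:] + " [link disabled]"
    return URL_RE.sub(defang, text)


def tag_external(raw):
    """Parse a raw message; if the sender is external, tag the subject and
    disable links in a single-part text body. Returns the EmailMessage.
    Running it twice leaves the message unchanged: the tag is not repeated
    and defanged URLs no longer match URL_RE."""
    msg = message_from_string(raw, policy=policy.default)
    if not is_external(msg):
        return msg
    subject = msg.get("Subject", "")
    if not subject.startswith(EXTERNAL_TAG):
        del msg["Subject"]
        msg["Subject"] = f"{EXTERNAL_TAG} {subject}"
    # Multipart bodies would need a walk over the text parts; kept single-part here.
    if not msg.is_multipart() and msg.get_content_type() == "text/plain":
        msg.set_content(disable_links(msg.get_content()))
    return msg


if __name__ == "__main__":
    print(tag_external(SAMPLE_EMAIL).as_string())
```

Note what this does not do: the attachment on the sample message (if it had one) would pass through untouched, which is the drawback the paragraph above describes. The idempotency matters in practice because mail routinely passes through the same hook more than once (forwards, replies, list expansion).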
Finally, traditional security controls that are part of typical security hygiene or best practices can go a long way in protecting against insider threat. Role-based access controls can help to reduce a malicious insider's ability to compromise production systems or exfiltrate sensitive data. Logs associated with user accounts can be gathered and sent to a Security Information and Event Management (SIEM) solution so administrators have a better idea of what is happening in their systems. Events like security group changes and failed logins can be good indicators of abnormal or malicious activity. Identity management solutions or methodologies can be used to ensure that users are authorized to access data and applications, while also preventing former employees from being able to gain access after they have left.
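An added example of the two indicators just named, written for these notes and not from the podcast or any SIEM product: simple rules over constructed Windows-style events for a failed-logon burst and for a membership change to a privileged group. The group names, thresholds and events are assumptions made for the example.

```python
"""Two SIEM-style indicators over account events.

Added example, not from the podcast or any SIEM product. Two of the
indicators named above are written as simple rules over constructed,
Windows-style events (event ID 4625 = failed logon; 4728 and 4732 = member
added to a global or local security group):
  1. a burst of failed logons for one account inside a sliding window, and
  2. any membership change to a privileged group, noting who made it.
Group names, thresholds and the events are assumptions made for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}   # assumed
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=10)

# Constructed events: (timestamp, event_id, subject account, target account, group).
EVENTS = [
    ("2017-09-04T08:00:00", 4625, "bob", None, None),
    ("2017-09-04T08:01:00", 4625, "bob", None, None),
    ("2017-09-04T08:02:00", 4625, "bob", None, None),
    ("2017-09-04T08:03:00", 4625, "bob", None, None),
    ("2017-09-04T08:04:00", 4625, "bob", None, None),    # fifth failure in 4 min
    ("2017-09-04T09:00:00", 4625, "carol", None, None),
    ("2017-09-04T09:30:00", 4625, "carol", None, None),  # too spread out to alert
    ("2017-09-04T10:15:00", 4732, "bob", "bob", "Administrators"),  # self-elevation
    ("2017-09-04T10:20:00", 4728, "alice", "dave", "Sales"),        # ordinary group
]


def detect(events):
    """Return (rule, account, timestamp, detail) alerts in event order."""
    alerts = []
    recent_failures = defaultdict(deque)   # account -> timestamps inside the window
    minutes = int(FAILED_LOGON_WINDOW.total_seconds() // 60)
    for ts_str, event_id, subject, target, group in events:
        ts = datetime.fromisoformat(ts_str)
        if event_id == 4625:
            window = recent_failures[subject]
            window.append(ts)
            # Drop failures older than the window before counting.
            while ts - window[0] > FAILED_LOGON_WINDOW:
                window.popleft()
            if len(window) >= FAILED_LOGON_THRESHOLD:
                alerts.append(("failed_logon_burst", subject, ts_str,
                               f"{len(window)} failures within {minutes} minutes"))
                window.clear()   # one alert per burst, not one per extra failure
        elif event_id in (4728, 4732) and group in PRIVILEGED_GROUPS:
            detail = f"{subject} added {target} to {group}"
            if subject == target:
                detail += " (self-elevation)"
            alerts.append(("privileged_group_change", subject, ts_str, detail))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The privileged-group rule fires on every change, not just the self-elevation case, because in an insider scenario the actor and the beneficiary are often different accounts; the self-elevation flag just raises the priority.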
So what did you think? This is just the first of a four part series, and next week I'll be going over insider threat policy and how to implement it in a way to get the most bang for your buck.
The first article this week comes from Sara Barker at Security Brief Asia and is titled Korean insurance provider detects insider threat through AI
As the title said, a Korean insurance provider, KB Life Insurance, recently invested in an artificial intelligence solution from Darktrace to boost their security posture because they were worried about third party vendors. They also wanted protection against insider threat, ransomware, and zero-days.
Shortly after installing the Darktrace solution, they noticed a user’s network account that was connected to a malicious website, but their legacy security tools weren’t generating alerts. They were able to respond to the incident quickly and minimize damage to the company’s network and information. This is obviously a big win for Darktrace and gives them a real-world example of their product in action.
This is obviously talking about an accidental insider, or at least that’s what it looks like. Hey, I know it seems like I’m always speaking negatively about AI, but I really don’t have anything against it. What I have an issue with is when organizations make an investment in one of these products without covering the basics first. The incident discussed in this article could have been prevented through effective awareness training, DNS blacklisting, or many other much cheaper methods.
Again, this is a great story for Darktrace, but I wish KB Life Insurance took the time to invest in their legacy security tools or configurations a bit more.
The next article comes from someone at herald.co.zw and is titled The human mind: Information security chain’s weakest link
I’ll start off this one with a direct quote from the article. “Corporates may invest in firewalls, biometrics, and other high-tech information security tools, but attackers can artlessly exploit untrained, careless, and in some cases disgruntled system users to compromise information systems intentionally or subconsciously.”
That’s what we’ve always been talking about, right? What I’d really like to get sometime on the show, and I thought this article was going to provide it when I saw the title, is the actual human psychology behind insider threat. If you know a psychologist that has done some research into anything like this, please let me know. That would be an awesome guest. The question I hope they would be able to answer is something like “what in the human mind is behind accidental, negligent, and malicious insider threats?”
I feel like this article is trying to hit that mark. They talk about tricking users through social engineering, general laziness, and other mind-focused issues in information security. Then they gave a list of ways to prevent insider threat, and they were almost all pointing toward training and policy controls. That surprised me quite a bit, since most of the writing we see about the topic cites technology as the solution.
Anyway, if you get the chance, I recommend looking at some of the points in this article. I’ll leave a link to it in the show notes.
The third article comes from Oliver Bock at Onion ID (no, not The Onion) and is titled 17 Amazing Blogs on Insider Threats You Should Be Following
Once again, the title says it all. Oliver put together a pretty good list of online resources for learning about insider threat. These include several that I have used to get information for the show, as well as some others that I hadn’t seen yet. They include:
Threatpost, Digital Guardian, The Security Ledger, Network Security Blog, Onion ID, ShackF00, Naked Security, Dark Reading, ObserveIT, Security Magazine, The CERT Insider Threat Center, FireEye, CSO Online, Threat Stack, Trail of Bits, Front Line Sentinel, and Krebs on Security.
That’s a pretty good list and there are a few that I need to check out. Am I mad that they didn’t include us? No. Not really. I mean it would have been nice, but there are so many good resources out there for people who want to learn more about the topic.
The last article this week comes from Thomas Fisher at IT Pro Portal and is titled Security reality check: The real threat is closer to home
This article essentially talks about how security programs that only focus on perimeter defenses are completely ignoring problems that come from insider threat, whether they are malicious or not. Then they give a little advice. The article said “Luckily, putting measures in place to reduce the insider threat doesn’t have to be a momentous task or investment. By having the right policies and technologies in place, the risk of internal data leakage or theft can be dramatically reduced.”
Later, they said “Education is one of the most efficient defenses against the insider threat. This is because most accidental data breaches occur due to actions by an oblivious or careless employee. With regular training on data security in place, employees are taught to be mindful when handling sensitive corporate data, and to think before they act. Regular refreshers are key to making this training effective – and employees should be updated on any new data policies or technologies before they are implemented.”
These are good tips all around, and they hit on three of the four pillars of insider threat protection, which I’m going to continue to cover for the next few weeks.
Thought of the Week Segment
Our thought of the week comes from John Mackey. He said, "If you are lucky enough to be someone’s employer, then you have a moral obligation to make sure people do look forward to coming to work in the morning."
Thank you for listening to episode 16 of The Insider Threat podcast. Please remember to subscribe and review in your favorite podcast app, and also share with everyone you know! Those reviews are key to building this out and improving for later episodes, so please feel free to leave suggestions.
You can contact me on twitter @stevehigdon or send an email to email@example.com. Join our Reddit community and discussions at the subreddit named insiderthreat. The subreddit is also where you'll find the show notes for this and any other episode, as well as links to the topics we've covered. If you go to our website, you can also find a link to the Patreon page and you can subscribe to the newsletter to get up-to-date information on current episodes and news for the show.
Thanks again and I'll see you folks next time!