The Enemy Within Understanding Insider Threats.


1 The Enemy Within Understanding Insider Threats

2 Agenda
A few thoughts on ransomware
Examples of insider threats
Mitigating insider threats
We’ll start off today with a few thoughts about ransomware. Then we’ll look at some examples of the more traditional classes of insider threats. And finally, what can we do about them.

3 About Me David Gibson VP of Strategy and Market Development @dsgibson
[GENERIC ABOUT ME SLIDE] I’m David Gibson, VP of Strategy and Market Development at Varonis. I’ve been with the company since 2006. Our software helps companies protect against insider threats and cyberattacks. (Add any other relevant / impressive details here: e.g., “I’m a CISSP.”)

5 The Varonis Origin Story
Before we dive in, I want to share the story about how Varonis was started. Our co-founders, Yaki Faitelson and Ohad Korkus, were working for NetApp on a project in Angola, on the western coast of Africa. One of the missions was to deploy deep-sea divers and submarines to take hi-res photos of the ocean floor. They were storing these photos, which were worth MILLIONS of dollars, on their file servers. And then one day, they were gone. Everyone turned to Yaki and Ohad and said, “You guys are the storage experts, tell us what happened? Were they stolen? Accidentally deleted? Who had access?” Unfortunately there was no audit trail and no easy way to determine what had happened. Luckily they were able to recover the files, but this near disaster prompted Yaki and Ohad to found Varonis to help organizations manage and protect their valuable information.

6 $17,000 40 BTC On the 5th of Feb in 2016, the Hollywood Presbyterian Medical Center made an alarming discovery. They'd been infected with malware. Their files were encrypted with AES encryption in such a way that the hospital simply couldn't read them. Now think about what it means for a hospital to be infected with malware that makes it impossible for them to read files. For example, they had to divert emergency patients because they didn't have the ability to process them. It also impacted their ability to run their normal day-to-day patient care programs. And then think about all the impact it would've had on the back office. So everything that happens behind the scenes of the hospital in order to keep it ticking along. Seeing a hospital infected with ransomware makes you understand just how vicious this class of malware really is. Here's an organization designed to help people stay healthy, in some cases stay alive, and their ability to do that was severely impacted when they got hit. They had to revert to pen and paper in place of automated systems. So think about what it means for an organization like a hospital, to have to revert to the practices of a couple of decades ago just to look after their patients. In the case of the Hollywood Presbyterian, the ransomware was demanding payment of 40 bitcoins. Now to put that in today's money, that's about $17,000 and that probably sounds like a lot of money. It is a lot of money, $17,000 just to undo the impact of one piece of software. But then again, you think about a hospital and you think about that $17,000 and it makes you wonder…

7 But what’s a hospital’s data actually worth?
What are their services worth? …what is their data actually worth? $17,000 for an entire hospital doesn't actually seem like so much, and then you ask the question: what are their services worth? Because it's not just a question of the data itself; once this incident was taking place there were all sorts of services that they couldn't provide. In many cases, commercial services they couldn't provide. And when you actually start to think about that $17,000 in context, the alarming thing is that it's actually a bargain, and this is what makes ransomware so effective. It makes good economic sense to pay it, and that's just what they ultimately did. They paid the ransom. After 10 days, having paid that ransom, they restored their services and moved on.

8 This is the hospital’s schedule of costs
This is the hospital’s schedule of costs. It dates back to 2012, so assume that by the time they were hit with the ransomware it could well have been somewhat higher. But this gives us a good indication of the sort of money a hospital of that scale is dealing with. Now, in particular, I'd like to draw out one figure in here, and it's this one: CT scans. Their charges for CT scans in 2012 were $41,500,000. That's $113,000 a day. They just paid a $17,000 ransom. If they were running that CT scan service 24/7, that's only a few hours of actually running the service. So when you put that in perspective and you ask that question again, is $17,000 good value? Well yes, it's enormously good value, particularly when you consider it took them 10 days to pay this. That's over a million dollars' worth of revenue from their CT scan service. Particularly for organizations with large revenues, the ROI of paying ransoms is extremely good. And that is a very alarming fact, because the last thing any of us want to think about is actually paying the criminals who have locked our files. Now obviously when we look at organizations like this, they're big numbers and they make headlines. But ransomware is usually indiscriminate. It doesn't care if you're a hospital or a bank or a freelancer, and it’s affecting us at scale. And again, think about the scale of this. In fact, we have a pretty good idea of the scale. Let me show you.

9 I am seeing around 4,000 new infections per hour, or approximately 100,000 new infections per day.
– Kevin Beaumont, Malware Analyst
This is a quote by Kevin Beaumont, who’s done a lot of great work analyzing malware, particularly the Locky variant. This is a stunning figure. 4,000 infections an hour. 100,000 new infections per day. If you do the math, you only need a very small percentage of victims to pay to be making Donald Trump money. It’s no wonder ransomware is becoming so popular amongst cybercriminals. It’s easy to deliver and the price the victim is willing to pay to recover usually outstrips what the criminal could get by selling the files on the darkweb.

10 Google Trends: Ransomware
If you take a look at Google Trends, there was a huge spike in searches for “ransomware” in February of 2016 when Locky went wild and there really hasn’t been a significant drop off since.

11 And because ransomware is delivered so indiscriminately, we see all sorts of organizations being impacted by it. This is just a small selection of headlines which give you a sense of how many different classes of organizations are hit with ransomware. The effort of delivering ransomware to a church, a school, or a police department isn’t that different, which means it can end up anywhere.
--- Notes:
Horry County school district (South Carolina, US).
This is the Community of Christ Church in Hillsboro, Oregon.
Swansea is in Massachusetts.
Even the police are paying ransoms! When the cops start paying the bad guys, you know we’ve got a serious problem on our hands.
There have been other hospitals impacted too; it’s not just HPMC.
It’s important to remember that this is often indiscriminate; they may not have set out to compromise a church, but the nature of how malware is distributed means it can often end up anywhere. Let’s have a look at some of those delivery channels…

12 Why is Ransomware so dangerous when it becomes an insider?
An interesting thing about ransomware is that once it is successfully delivered, it behaves like an insider threat. You click on an attachment or visit a malicious website in a vulnerable web browser, and the ransomware executes under your user account with your access rights, effectively making it a particularly noisy class of insider threat.

13 Insiders have a lot of access
62% of end users say they have access to company data they probably shouldn’t see
29% of IT respondents say their companies fully enforce a strict least privilege model
And ransomware is so dangerous because insiders have access to lots and lots of data. We sponsored a study by the Ponemon Institute, once in 2015 and again later. The most recent study showed that 62% of end users say they have access to more data than they need. That’s not surprising considering only 29% of IT respondents say they fully enforce a strict least privilege model. You can read the rest of the stats in the study (just Google “varonis ponemon”) and see that people have access to all sorts of sensitive information. So when ransomware hits, it’s going to scour the local hard drive encrypting whatever it can and then start hitting any network drives and file shares, so if the user has access to too much information, the company has a massive, unnecessary risk that stretches far beyond a single endpoint.

14 Very few watch what insiders are doing
35% of organizations have no searchable records of file system activity
38% do not monitor any file and email activity
To make matters worse, very few organizations are watching what insiders are doing with data. 35% of organizations have no searchable record of file system activity. And 38% don’t monitor any file or email activity whatsoever. So imagine a bank vault that any employee could walk into and start grabbing fistfuls of money, without any cameras or ledgers to record what was being taken out. What would happen? There’s massive risk when you don’t restrict access and you don’t monitor activity.

15 But what changed?
We’ve been living without deep visibility and auditing for years, since Windows NT 4 took over in 1996 and we lost Novell NetWare and its great auditing and permissions views. Most organizations don’t have a good handle on where their sensitive data lives or who has access to it. And the concept of ransomware has been around for years, but only recently exploded.

16 Bitcoin: Anonymously monetizing malware at scale
While phishing has made delivery easier than ever and ubiquitous Internet connectivity has played a role, the biggest change has been Bitcoin. Bitcoin gives you the ability to anonymously monetize malware at scale. By using Bitcoin, any attacker from anywhere in the world can make truckloads of cash by exploiting a vulnerability that almost every organization in the world has.

17 The canary in the coal mine: Malware Molly
We created a character to personify this epidemic. She’s one of four insiders that I’m going to introduce you to. Molly is someone who works at your company. She opens a malicious attachment or installs a vulnerable browser plugin and becomes infected with malware. And from there, the data she has access to is at risk. The takeaway here is that with hundreds of thousands of infections per day, it’s clear that anyone with just a little skill can penetrate your network, anyone already inside can steal or destroy lots of data, and you probably won’t know about it unless they want you to.

18 Ransomware is the only threat that wants you to know it’s there
Think about it: ransomware is the only threat that wants you to know it’s there. It’s actually doing us a favor. It’s the canary in the coal mine. Because once we get hit with ransomware it forces us to prepare for other insider threats that are much worse. And I’m not trying to minimize the impact of ransomware: it’s terrible and catastrophic, but it’s the only insider threat that pops up a message saying “hey, I got you!”—the other insider threats are much more insidious.

19 Let’s Meet The Other Insider Threats

20 Disgruntled Dan This is Dan – your typical disgruntled employee. Maybe he’s had poor performance reviews or is just generally unhappy with his job. What’s Dan going to do 2 weeks before he hands in his resignation? Grab every file he’s ever worked on? Delete important documents out of spite? Will his access be revoked immediately or will he still have access for a few weeks before IT catches up with HR? Let’s look at a real world example.

21 This is Greg Chung. He worked at Boeing for 30 years.
During that period, he stole $2B worth of sensitive documents and sold them to China. When the FBI finally caught up with him, they found 250k sensitive aerospace documents buried underneath his home. He was later sentenced to 16 years in prison, so it didn’t really work out for him. But he was able to steal and exfiltrate data undetected for 30 years. Image credit: FBI

22 Image credit: Praxis Films / Laura Poitras
Anyone recognize this fellow? Snowden is probably one of the most famous insiders. He perpetrated one of the biggest data breaches ever. He wasn’t an employee of the NSA. He was a contractor for Booz-Allen Hamilton who used his credentials and did some social engineering to leak an enormous amount of government secrets. Which leads us to our next insider, Abusive Admin Andy.

23 Abusive Admin Andy Andy’s an employee with elevated privileges. He understands the network. He knows who the executives are. He knows where the bodies are buried. Sysadmins have a lot of access and power, but it’s important that your admins use their power for good rather than evil.

24 As he was getting near retirement, the system administrator received an offer to sell corporate data, which would have allowed him to purchase the house of his dreams and retire as he always wanted. This sysadmin had a dream of retiring to a seaside town abroad. Unfortunately his financial situation wasn’t going to let him fulfil that dream. So, using his elevated access, he began to gather up sensitive corporate data. When he received an offer to buy that data, he just couldn’t refuse. Obviously he was caught, so he didn’t get that beach house he always wanted. But this is a good example of an abusive admin motivated by greed.

25 They was firing me. I just beat them to it
They was firing me. I just beat them to it. Nothing personal, the upper management need to see what they guys on the floor is capable of doing when they keep getting mistreated. I took one for the team. One admin at Citibank thought he was going to be fired after a bad performance review, so he decided to maliciously change a router configuration, taking down 90% of the firm’s network. He sent a text message to a colleague with this quote. It’s staggering how much havoc one angry sysadmin can cause. So whereas the previous example was an instance of greed, this abusive admin wanted revenge. There are plenty of different motivations for disgruntled employees and abusive admins; these are just a few.

26 Hijacked Hillary This leads us to our last insider and probably the scariest: Hijacked Hillary. Her identity is hijacked by another human, typically an outsider. She’s similar to Malware Molly in that one of the most common ways to hijack an account is via malware. This threat is often a state actor or someone involved in corporate espionage, and it tends to be much more targeted and stealthier than ransomware.

27 This was what greeted Sony Pictures employees when they arrived at work on November 24, 2014
This was malware running inside the organisation. Later on, “The Guardians of Peace” claimed that they had infiltrated the network an entire year earlier. Imagine that: for the previous year, the external threat actor had been able to move laterally within the network just as though they were an insider. An actual insider somewhere had been a proxy for the attackers, now believed to have been the Democratic Republic of North Korea. By having access to internal information, they caused some serious damage…

28 “The service I examined for this post currently is renting access to nearly 17,000 computers worldwide” Did you know you can rent time on internal servers of Fortune 500 companies? Yup. Security journalist Brian Krebs reported that you can visit this site and order time on one of Cisco’s Windows servers for $4.55. Cisco confirmed that this was indeed a real server inside their network. According to Cisco it was a “bad lab machine” running RDP with the username and password: cisco / cisco There are over 17,000 computers worldwide that you can rent. You don’t even have to do your own hacking if you have more money than time.

29 What data is most vulnerable to insider threats?

30 Data volume is set to grow 800% over the next 5 years and 80% of it will reside as unstructured data. — Gartner, 2015
Does anyone not have a problem with data growth? This seems to be the defining problem of our time. This is a Gartner stat which estimates data growth at a rate of 800% by 2020. And most of it is unstructured data: documents, spreadsheets, emails, images, videos, as opposed to more structured data that’s tucked away in a database. So many of the mega breaches we hear about involve unstructured data.

31 The attackers primarily focused on utilizing SMB commands to map network file shares of OPM users who had administrator access or were knowledgeable of OPM’s PIPS system. The attacker would create a shopping list of the available documents contained on the network file shares.
– Jeff Wagner, OPM’s Director of Security Operations, from the investigation of the breach at the US Office of Personnel Management
If you remember the big breach at the US Office of Personnel Management, they lost 21.5 million security clearance background files and 5.6 million fingerprints from their PIPS mainframe. It had information about government employees and their families: things like medical records, addresses, travel history, psychiatric evaluations, and more. It was all stolen by Chinese hackers. The way the hackers were able to get to that PIPS mainframe system, which is considered OPM’s crown jewels, was by infiltrating plain old SMB file shares and creating a shopping list of documents that described how the PIPS system was architected and, effectively, how to gain access. The file share breach was disclosed in 2014, but the investigation found traces of hacker activity dating back to July of 2012.

32 What about email? Executive email is one of the most valuable sources of critical information. We all know what happened to Sony Pictures chair Amy Pascal after their massive breach. Even someone who didn’t even work for Sony, producer Scott Rudin, was impacted, because now everyone can read his emails to Sony employees on Wikileaks and see what he thinks about President Obama and Angelina Jolie. And I’m not sure about this, but I THINK I recall something about email servers during this last election. Has anyone heard about that?

33 What can you do? So what can we do about it?

34 Source: Verizon 2016 Data Breach Investigations Report
Discovery Timeline. We have to get better at detecting insider threats. This comes from the 2016 Verizon DBIR and it shows how long it takes, on average, to detect a data breach. Detection within seconds or minutes rounds down to zero; it’s such a rare occurrence for businesses to be able to detect threats in real time. A total of about 10% of breaches are detected within hours or days. Where we start to see the larger volume is within weeks: about 21%. But the bulk of data breaches are discovered within months or years. So about 70% of insider threats take months AT BEST to detect. Which is quite worrying, because insiders can do lots and lots of damage within mere minutes. And when you start measuring in years, as in the Sony Pictures attack, then you’re talking about serious long-term damage.

35 Detect, Prevent, Sustain
Detect insider threats by analyzing data, account activity, and user behavior.
Prevent disaster by locking down sensitive and stale data, reducing broad access, and simplifying permissions.
Sustain a secure state by automating authorizations, migrations, and disposition.
So how do we get better? This is a methodology Varonis has come up with. It’s technology agnostic, but it’s a good approach to detect suspicious behavior faster and get a handle on where your sensitive information lives and how to protect it from insider threats. The first phase is all about detection. You can make lots of progress here pretty quickly just by instrumenting your environment better. Once you have a clearer picture of the current state of your environment, you start to uncover your biggest risks: thousands of patient records open to everyone in the company, overly delegated executive mailboxes, or ransomware activity on your file shares. This insight usually leads into a longer-term preventative project to implement a least privilege model, get business users to recertify access, and get rid of stale data, things like that. You also want to take steps to sustain your secure state; otherwise, by the time you’re done with your preventative projects, the stuff that you cleaned up will be chaotic again. So sustaining a least privilege model in a scalable way is the third stage.

36 DETECT The first task is to map your environment.
Map directory services, permissions, file systems
Discover sensitive and stale data
Automatically identify administrators, service accounts, and executives
Audit all file system and email activity
Baseline what normal behavior looks like
Detect suspicious behavior: crypto intrusion and other malware infections, privilege escalations, abnormal access to sensitive data
Prioritize where sensitive data is overexposed and at risk
The first task is to map your environment. This involves gathering all the users and groups from Active Directory as well as local server accounts and correlating them with the permissions metadata on each platform you want to monitor. One big misconception is that Active Directory tells you what people can access throughout your environment. That’s actually not true. In order to figure that out you need to map the individual file shares, folders, SharePoint sites, and mailboxes and their access control lists BACK to the groups in Active Directory. This map lets you pinpoint a user or group and immediately understand what they can access. It also lets you pinpoint a dataset and quickly understand who has access and how (through global groups, inheritance, etc.).
Next it is important to scan for sensitive information and identify where it lives. There are two ways to do this: you can have an automated process that scans files and looks for things like patient records, bank statements, etc., or you can have humans flag files at the time of creation. We’ve found that if you have to pick one, automation is typically more effective than humans. Both methods together seem to work extraordinarily well. You can combine your classification results with the permissions information from the previous step to produce a report that tells you where you have high concentrations of sensitive data that is ALSO OVEREXPOSED. This added context helps you prioritize your remediation efforts based on actual risk. Oftentimes DLP products show you where the sensitive data lives but don’t give you a clear path to fixing it, due to a lack of context.
Profiling who the admins, executives, and service accounts are and how they use data is critical to detecting threats. And to do that you need an audit trail of activity: knowing who’s opening, moving, modifying, and deleting files; who’s sending emails to whom; who’s reading the CEO’s inbox and marking messages unread. Then you can baseline how each person uses data and detect meaningful deviations from what is normal. When you enable user behavior analytics on your file systems, you can detect things like privilege escalation, ransomware, or disgruntled employees starting to access data in ways that are atypical for them.
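The baseline-and-deviation detection described above, as an added example that is not the presentation’s or Varonis’s code. It assumes a simple audit-line format of “timestamp user operation UNC-path”, a constructed list of sensitive shares, and illustrative thresholds; every event it runs over is constructed sample data.

```python
"""Added example (not from the presentation or Varonis): baseline each user's
file activity from an audit trail, then flag the two deviations the talk calls
out: a ransomware-style burst of writes and a user touching a sensitive share
their baseline never included. The log format and all events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: shares the classification scan marked as sensitive.
SENSITIVE_FOLDERS = {"\\\\fs1\\hr", "\\\\fs1\\finance"}
WRITE_OPS = {"MODIFY", "RENAME", "DELETE"}


def parse_event(line):
    """Parse an assumed 'ISO-timestamp user OP \\\\server\\share\\path' audit line."""
    ts, user, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, op.upper(), path


def top_folder(path):
    """Share-level folder of a UNC path: \\\\fs1\\hr\\a.docx -> \\\\fs1\\hr."""
    return "\\".join(path.split("\\")[:4])


def build_baseline(events):
    """Per user: folders normally touched and the busiest minute of writes."""
    folders = defaultdict(set)
    writes = defaultdict(lambda: defaultdict(int))
    for ts, user, op, path in events:
        folders[user].add(top_folder(path))
        if op in WRITE_OPS:
            writes[user][ts.replace(second=0, microsecond=0)] += 1
    return {u: {"folders": folders[u],
                "peak_writes_per_min": max(writes[u].values(), default=0)}
            for u in folders}


def detect_write_bursts(events, baseline, factor=10, floor=30):
    """Flag a user whose distinct files written in one minute exceed an absolute
    floor and factor x their own baseline peak: ransomware's noisy signature."""
    per_minute = defaultdict(lambda: defaultdict(set))
    for ts, user, op, path in events:
        if op in WRITE_OPS:
            per_minute[user][ts.replace(second=0, microsecond=0)].add(path)
    alerts = []
    for user, minutes in per_minute.items():
        peak = baseline.get(user, {}).get("peak_writes_per_min", 0)
        for minute, files in sorted(minutes.items()):
            if len(files) >= max(floor, factor * peak):
                alerts.append((user, minute.isoformat(), len(files)))
    return alerts


def detect_abnormal_sensitive_access(events, baseline, sensitive=SENSITIVE_FOLDERS):
    """Flag the first access to a sensitive share by a user whose baseline never touched it."""
    alerts, seen = [], set()
    for ts, user, op, path in events:
        folder = top_folder(path)
        normal = baseline.get(user, {}).get("folders", set())
        if folder in sensitive and folder not in normal and (user, folder) not in seen:
            seen.add((user, folder))
            alerts.append((user, folder, ts.isoformat()))
    return alerts


def constructed_logs():
    """A quiet baseline week, then a suspicious day. Constructed sample data."""
    start = datetime(2016, 3, 1, 9, 0, 0)
    baseline = []
    for day in range(5):
        for i in range(20):
            t = (start + timedelta(days=day, minutes=i)).isoformat()
            baseline.append(f"{t} molly OPEN \\\\fs1\\finance\\q{i}.xlsx")
            baseline.append(f"{t} molly MODIFY \\\\fs1\\finance\\q{i}.xlsx")
            baseline.append(f"{t} dan OPEN \\\\fs1\\eng\\spec{i}.docx")
    later = start + timedelta(days=7)
    # Molly's account renames 60 files in one minute (ransomware at work)...
    suspicious = [f"{(later + timedelta(seconds=i)).isoformat()} molly RENAME "
                  f"\\\\fs1\\finance\\doc{i}.docx.locky" for i in range(60)]
    # ...and Dan, who only ever works in \\fs1\eng, starts reading HR files.
    suspicious.append(f"{(later + timedelta(minutes=5)).isoformat()} dan OPEN "
                      "\\\\fs1\\hr\\salaries.xlsx")
    return baseline, suspicious


def run_demo():
    """Returns (write-burst alerts, abnormal sensitive-access alerts)."""
    base_lines, new_lines = constructed_logs()
    baseline = build_baseline([parse_event(l) for l in base_lines])
    new_events = [parse_event(l) for l in new_lines]
    return (detect_write_bursts(new_events, baseline),
            detect_abnormal_sensitive_access(new_events, baseline))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```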

37 PREVENT
Lock down sensitive and stale data
Fix Active Directory and file system issues
Eliminate global groups
Simplify permissions structure
Identify data owners outside of IT
Prune unnecessary access
Data owners perform entitlement reviews
How do you take petabytes of data and get it to a less chaotic state? How do you safely move to a least privilege model so that when ransomware or another insider threat hits, damage is minimized? We usually recommend starting with the list of stale and over-exposed sensitive data discovered during the detection phase. That’s where you get the most bang for your risk-mitigation buck. A good first step is to eliminate global groups like Everyone and Authenticated Users. Before you do that, however, you have to make sure you don’t have inconsistent ACLs. If you identify and remove a global group from the very top of a folder tree, you want that change to cascade all the way down. But if you have broken inheritance, that won’t work; you’ve actually made things more chaotic. So finding and fixing some of the very common issues in file systems and AD, like looped nested groups and inconsistent ACLs, is a precursor to sensitive data remediation.
Another important step within the prevent phase is to simplify your permissions structure. Most people use role-based access control: they have a group in AD that maps to a role. But then they put people in that group without truly knowing which data that group unlocks. They’ve got a missing link. A best practice for simplifying permissions is to apply a single-purpose group to the top of a tree (a read group and a modify group) and let permissions flow down the tree. This minimizes uniquely permissioned data, because every time you apply permissions, that’s a decision that needs to be reviewed periodically to ensure it’s still accurate based on the data within.
Then, by looking at the actual data access logs in conjunction with AD attributes like department, managed-by, etc., you can usually pinpoint data owners outside of IT and make them responsible for granting and revoking access to that data. They have far more context than IT and can make better access control decisions. Access behavior can also clue you in to who has access to data they never use, and which groups they no longer need to be a part of. And you can make those changes to tighten access without anyone complaining. So, that’s the prevention stage: cleaning up access control problems, minimizing access to sensitive data, and implementing a least privilege model.
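Two of the points above, mapping ACLs back to users through nested (possibly looped) groups and the way broken inheritance defeats removing a global group at the top of a tree, worked as an added example that is not from the presentation or Varonis. The group names, users, folders and ACLs are constructed, and the inheritance model is a deliberate simplification (one explicit ACL per folder, or inherit from the parent).

```python
"""Added example (not from the presentation or Varonis): a small model of the
permission map the talk describes. It flattens nested AD groups without looping
on a group cycle, maps each folder's ACL back to users, lists sensitive folders
open to a global group, and shows why removing 'Everyone' at the top of a tree
does not cascade past a folder whose inheritance is broken. All data is constructed."""
GLOBAL_GROUPS = {"Everyone", "Authenticated Users"}
ALL_USERS = {"alice", "bob", "dan", "molly"}

# Constructed AD groups: name -> members (users or other groups). Finance-RW and
# Finance-Leads contain each other: a "looped nested group".
GROUPS = {
    "Finance-RW": {"alice", "Finance-Leads"},
    "Finance-Leads": {"bob", "Finance-RW"},
    "Engineering-R": {"dan"},
}

# Constructed folder tree: acl None means the folder inherits from its parent;
# an explicit acl on a child is the "broken inheritance" the talk warns about.
FOLDERS = {
    "\\\\fs1\\finance": {"acl": {"Finance-RW": "modify", "Everyone": "read"}, "sensitive": False},
    "\\\\fs1\\finance\\reports": {"acl": None, "sensitive": True},
    "\\\\fs1\\finance\\payroll": {"acl": {"Finance-Leads": "modify", "Everyone": "read"}, "sensitive": True},
    "\\\\fs1\\eng": {"acl": {"Engineering-R": "read"}, "sensitive": False},
}


def resolve_members(group, groups=GROUPS, _seen=None):
    """Flatten nested membership to users; _seen stops a cycle from recursing forever."""
    if group in GLOBAL_GROUPS:
        return set(ALL_USERS)
    _seen = set() if _seen is None else _seen
    if group in _seen:
        return set()
    _seen.add(group)
    users = set()
    for member in groups.get(group, set()):
        if member in groups or member in GLOBAL_GROUPS:
            users |= resolve_members(member, groups, _seen)
        else:
            users.add(member)
    return users


def effective_acl(path, folders=FOLDERS):
    """Walk up the tree until an explicit ACL is found (simple inheritance model)."""
    while path:
        entry = folders.get(path)
        if entry is not None and entry["acl"] is not None:
            return entry["acl"]
        path = path.rpartition("\\")[0]
    return {}


def who_can_access(path, folders=FOLDERS):
    """Map a folder's effective ACL back to concrete users."""
    users = set()
    for group in effective_acl(path, folders):
        users |= resolve_members(group)
    return users


def overexposed_sensitive(folders=FOLDERS):
    """Sensitive folders whose effective ACL still grants a global group."""
    return sorted(p for p, e in folders.items()
                  if e["sensitive"] and GLOBAL_GROUPS & set(effective_acl(p, folders)))


def remove_group_at_top(path, group, folders=FOLDERS):
    """Remove group from path's explicit ACL; return the new tree and every
    descendant where the group survives because inheritance was broken there."""
    if folders[path]["acl"] is None:
        raise ValueError(f"{path} inherits its ACL; edit the parent instead")
    fixed = {p: {"acl": dict(e["acl"]) if e["acl"] is not None else None,
                 "sensitive": e["sensitive"]} for p, e in folders.items()}
    fixed[path]["acl"].pop(group, None)
    leftovers = sorted(p for p in fixed if p.startswith(path + "\\")
                       and group in effective_acl(p, fixed))
    return fixed, leftovers


if __name__ == "__main__":
    print("overexposed before:", overexposed_sensitive())
    fixed, leftovers = remove_group_at_top("\\\\fs1\\finance", "Everyone")
    print("still exposed after removing Everyone at the top:", leftovers)
```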

38 SUSTAIN How do we keep it that way?
Continuously monitor all user and file system activity
Automatically catch and correct deviations from policy and trusted state
Automate quarantining of sensitive data
Automate archival or disposal of stale data
Automate authorization workflows and entitlement reviews
Automate revocation of access
How do we keep it that way? By continuing to monitor all data access, we can catch and correct deviations in access that violate a policy we set up during the prevent stage. We can automatically quarantine sensitive data if it ends up in the wrong place, like a public folder. We can automatically detect when data is not being used and archive it or dispose of it, so that it doesn’t just keep growing uncontrollably. And then, most importantly, let’s automate the processes through which people get access to data in the first place, and automate the revocation and recertification of access. Once we’ve identified data owners, IT can get out of the way. By automating access control workflows, we don’t have people in IT whose sole job is to grant access, keep a manual log, perform revocations, etc. Not only does this eliminate operational overhead, but it’s indispensable for proving compliance.

39 Summary Ransomware is an epidemic
Its existence, persistence and “success” illustrate how soft our “insides” are
Other insider threats are more dangerous
Files and emails are frequent targets
The approach: Detect, Prevent, Sustain
Ransomware should be a wakeup call. It’s an epidemic that illustrates that we need to change from a perimeter-focused, “keep everyone out” approach and admit that there are too many people on the inside with access to data they don’t need, and we’re not watching them. The assets at risk tend to be unstructured data; we see this time and time again with all the biggest breaches, from Sony to OPM to the DNC. It’s all about files and emails, the stuff that Gartner says makes up about 80% of an organization’s data. And lastly, use a three-phase approach, detect, prevent, and sustain, to protect data from the inside out and minimize the impact of insider threats and ransomware. Thank you!

40 Free Data Risk Assessment – http://bit.ly/threatcheck

41 David Gibson @dsgibson

