Post on 01-May-2018
INSIDER THREAT BREACH
CASE STUDY
20/10/2017 Public 1
Case Study + Process + Don’t be a victim
What is an insider threat?
“An insider threat is a malicious threat to an organisation that comes from
people within the organisation, such as employees, former employees,
contractors or business associates, who have inside information concerning the
organisation's security practices, data and computer systems.”
Source: Wikipedia
Do we have any examples of this type of attack?
• In 1995 rogue trader Nick Leeson lost £800m and destroyed Barings Bank whilst working as chief trader for Barings Futures in Singapore
• In 2008 the French bank Société Générale revealed that rogue trader Jérôme Kerviel had lost the bank €4.9bn (about £3.7bn at the time)
• In 2011 Swiss bank UBS uncovered unauthorised trading by a member of staff, Kweku Adoboli, producing losses of some £1.5bn. Confidence in the bank's reputation was also clearly harmed, with an immediate 7% fall in its share value
• In 2013 Edward Snowden, a contractor working for the NSA, leaked classified NSA and CIA information
• In 2016 Mossack Fonseca saw a disgruntled ex-employee expose the tax affairs and other dealings (legitimate or otherwise) of a considerable number of high profile individuals, criminals, terrorists and the like
The specifics of this case
• Trusted 3rd party development contractor
• Long standing partner with a working contract for 6 years plus
• The 3rd party's employee had been in long term employment with the contractor for 8 years plus
• No previous issues with the employee, no behavioural problems, no previous disciplinary matters, he was a trusted employee
• It later transpired that the employee had developed a gambling addiction and was burdened with debt – that motivated him to perpetrate the attack in an attempt to raise cash
• Because trust had been established over a period of years, the 3rd party contractor and its employees were not considered as a potential risk by the client organisation!
The attack
• 60 servers and over 4,000 end points within the environment (35 were Win2k, but that's another story!)
• Attacker set up a phishing server (web/mail) via Google
• Attacker accessed the environment via a legitimate route
• He ran a number of SQL queries against the databases until he was able to extract the customer data that he needed to launch the phishing attack
• He created a number of test files (text and csv) to store the extracted data, and then pulled it back to the jump server and then back to his laptop
• 28 MB of customer data was extracted from the network, comprising 135,412 customer records, including 1,719 primary account numbers (credit card numbers)
• Attacker used that data to launch a phishing attack on the customers contained within the stolen data
• 30 unique customers accessed the phishing site, 6 uploaded personal information to the phishing server
• Only came to light when an astute customer flagged the phishing email as suspicious to the company
Points to prove
• A credible suspect was identified, but we needed to prove the following:
• Identify the smart phone
• Link the suspect to the smart phone
• Link the suspect to the laptop
• Put the suspect at or near the keyboard at the times of the attack
• Link the suspect to the phishing server
The techie stuff that we did
• Pulled as many logs as we could identify whilst forensic imaging was under way – all remote
• The client’s legal team worked with Google to obtain a copy of the phishing server – proved critical in proving the case
• From the above we identified the IP address relating to the smart phone – Austrian telecoms provider
• Tracked the use of that IP address to a single user account (the suspect)
• Identified a number of SQL queries used by the attacker to obtain the customer data from the databases
• Identified a number of filename references (not the files themselves) that were used to extract the data from the network to the attackers laptop – in registry entries and in volatile memory images
• Linked the phone to the owner of the user account in question – his own phone (we never got possession of the phone itself)
• With the assistance of German law enforcement, call data and cell site analysis was conducted to put him in or close to his workplace at the time of the attack
• Workplace CCTV and door entry systems analysed to place him in the workplace. The CCTV proved negative – the door entry systems placed him in the office where his desk was at the time of the attack.
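The two log-driven steps above (pull an IP address out of the phishing server's copy, then track that IP to a single user account in the client's own logs) are a join between two unrelated log sources. The following is an added example of that correlation, not code from the original deck or from Risk-X: both logs are constructed, the combined web log format, the remote-access log format, the `/admin/` path used to separate the operator from victims, the IP addresses and the account name `contractor01` are all assumptions.

```python
"""Attribute a phishing server's operator by joining its web access log
with the victim organisation's authentication log.  Added example with
constructed data; formats, paths, IPs and the account name are assumptions."""
import re
from collections import defaultdict

# Combined-format lines from the phishing host (constructed).  The operator
# works in the /admin/ area; victims only ever touch the /login* pages.
PHISH_LOG = """\
203.0.113.77 - - [11/Sep/2017:21:58:12 +0000] "GET /admin/ HTTP/1.1" 200 2310
203.0.113.77 - - [11/Sep/2017:22:03:40 +0000] "POST /admin/upload HTTP/1.1" 200 118
198.51.100.23 - - [12/Sep/2017:08:41:09 +0000] "GET /login.html HTTP/1.1" 200 5120
198.51.100.23 - - [12/Sep/2017:08:42:55 +0000] "POST /login.php HTTP/1.1" 302 0
192.0.2.144 - - [12/Sep/2017:09:10:02 +0000] "GET /login.html HTTP/1.1" 200 5120
203.0.113.77 - - [12/Sep/2017:12:30:17 +0000] "GET /admin/harvest.txt HTTP/1.1" 200 2048
"""

# Remote-access authentication log from the client side (constructed).
AUTH_LOG = """\
2017-09-11T21:50:03Z vpn login user=contractor01 src=203.0.113.77 result=success
2017-09-12T07:55:41Z vpn login user=a.n.other src=198.51.100.9 result=success
2017-09-12T12:28:50Z vpn login user=contractor01 src=203.0.113.77 result=success
2017-09-12T13:02:11Z vpn login user=contractor01 src=203.0.113.77 result=failure
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>\S+)$"
)


def parse_web(text):
    """Combined-format access log -> list of dicts (unparseable lines dropped)."""
    return [m.groupdict() for m in (COMBINED_RE.match(l) for l in text.splitlines()) if m]


def parse_auth(text):
    """Remote-access auth log -> list of dicts (unparseable lines dropped)."""
    return [m.groupdict() for m in (AUTH_RE.match(l) for l in text.splitlines()) if m]


def split_ips(hits, admin_prefix="/admin/"):
    """IPs that touched the admin area are operator candidates; the rest are
    treated as victims who clicked the lure."""
    operators = {h["ip"] for h in hits if h["path"].startswith(admin_prefix)}
    victims = {h["ip"] for h in hits} - operators
    return operators, victims


def correlate(ips, auth_events):
    """For each IP, every account that authenticated from it, with timestamps
    and outcomes.  One IP -> one account is a strong lead; one IP -> many
    accounts (NAT, carrier-grade NAT) needs corroboration such as cell-site
    data before anyone is accused."""
    seen = {ip: defaultdict(list) for ip in ips}
    for a in auth_events:
        if a["ip"] in seen:
            seen[a["ip"]][a["user"]].append((a["ts"], a["result"]))
    return {ip: dict(users) for ip, users in seen.items()}


def run_sample():
    """Returns (operator attribution, victim attribution) for the sample logs."""
    operators, victims = split_ips(parse_web(PHISH_LOG))
    auth = parse_auth(AUTH_LOG)
    return correlate(operators, auth), correlate(victims, auth)


if __name__ == "__main__":
    ops, vics = run_sample()
    print("operator candidates:", ops)
    print("victims (should not appear in auth log):", vics)
```

Note that the join is only as good as the clock skew between the two sources and the IP's stability: the deck's own next step, call data and cell-site analysis, is what turns "this account used that IP" into "this person was at the keyboard".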
The outcome
What happened to the suspect?
The final kicker
• We also found evidence of a "pass the hash" attack within their environment during the course of this investigation.
• This was not related to the insider threat attack.
• Upon further investigation we found an external intrusion and another major breach of their network as well!
Steps to successful incident management
Ideally you only need this
[Diagram: incident management cycle with the Customer at the centre: Preparation → Detection → Analysis → Containment → Eradication → Recovery → Review]
Preparation
• Identification and classification of critical data
• Risk assessing the IT & Business environment
• Creation of breach identification values (what actually is a breach)
• Determining “normal” behaviour
• Implementation of monitoring tools IDS/NOC/SOC/FIM/SIEM
• Creation of an Incident Response Plan
• Testing the Incident Response Plan
• Staff training as First Responders
• Prepare a media strategy
• Designate an Incident Response Team
Detection
• Identifying "abnormal" behaviour
• Monitoring network traffic
• Monitoring specific file access
• Monitoring email messages
• Identifying known malware
• Identifying compromised data
• Identifying unexpected devices
• Usage of monitoring tools IDS/FIM/SIEM/DLP
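"Determining normal behaviour" (Preparation) and "identifying abnormal behaviour" (Detection) are the two halves of the one control that would have caught the attack described earlier: a long-trusted contractor account that normally reads a few hundred rows suddenly pulling a whole customer table and the card table late in the evening. The block below is an added example of that baseline-and-threshold logic over database audit log lines; it is not code from the deck or from Risk-X. The log format, the field names, the `svc_contractor` and `tmp_dba` accounts, the sensitive-table list, the business-hours window and the 10× threshold are assumptions, and the lines are constructed (the row counts echo the figures the case study quotes).

```python
"""Baseline-and-threshold detection over database audit log lines.
Added example with constructed data; format, accounts and thresholds are
assumptions chosen for illustration."""
import re
import statistics
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) rows=(?P<rows>\d+) stmt=(?P<stmt>.+)$"
)
SENSITIVE_TABLES = {"customers", "cards"}   # assumption: the tables holding PII and PANs
BUSINESS_HOURS = range(8, 19)               # assumption: 08:00-18:59 UTC counts as normal

# Constructed audit lines (not real data): routine small reads during the day,
# then two whole-table pulls in the evening and a read from an account the
# baseline has never seen.
SAMPLE_LOG = """\
2017-09-12T10:02:11Z user=svc_contractor db=crm rows=120 stmt=SELECT id,name FROM customers WHERE id BETWEEN 4400 AND 4520
2017-09-12T10:40:54Z user=svc_contractor db=crm rows=95 stmt=SELECT id,name FROM customers WHERE region='NW'
2017-09-12T14:12:09Z user=app_web db=crm rows=1 stmt=SELECT * FROM customers WHERE id=900
2017-09-13T09:15:30Z user=svc_contractor db=crm rows=210 stmt=SELECT id,email FROM customers WHERE updated>'2017-09-12'
2017-09-13T22:14:03Z user=svc_contractor db=crm rows=135412 stmt=SELECT name,email,address FROM customers
2017-09-13T22:21:47Z user=svc_contractor db=crm rows=1719 stmt=SELECT pan,expiry FROM cards
2017-09-13T22:30:00Z user=svc_contractor db=crm rows=3 stmt=SELECT name FROM staff WHERE dept='IT'
2017-09-13T23:05:12Z user=tmp_dba db=crm rows=40 stmt=SELECT pan FROM cards WHERE id=7
"""


def parse(text):
    """Raw audit lines -> dicts; table names are lifted from FROM clauses."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # not an audit record, skip it
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "rows": int(m["rows"]),
            "tables": {t.lower() for t in re.findall(r"\bFROM\s+(\w+)", m["stmt"], re.I)},
            "stmt": m["stmt"],
        })
    return events


def baseline(events, until):
    """Per-user 'normal' rows per query: the median of queries seen before
    `until`.  The median, not the mean, so one huge pull cannot drag its own
    baseline up if the window is drawn carelessly."""
    history = {}
    for e in events:
        if e["ts"] < until:
            history.setdefault(e["user"], []).append(e["rows"])
    return {u: statistics.median(r) for u, r in history.items()}


def detect(events, baselines, factor=10):
    """Alert on a sensitive-table read that is more than `factor` times the
    account's baseline, comes from an account with no baseline at all, or
    happens out of hours.  Non-sensitive tables are ignored."""
    alerts = []
    for e in events:
        if not (e["tables"] & SENSITIVE_TABLES):
            continue
        reasons = []
        if e["user"] not in baselines:
            reasons.append("no baseline for account")
        elif e["rows"] > factor * baselines[e["user"]]:
            reasons.append("bulk read (%dx baseline)" % (e["rows"] // baselines[e["user"]]))
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("out of hours")
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(), "user": e["user"], "rows": e["rows"],
                           "tables": sorted(e["tables"]), "reasons": reasons})
    return alerts


def run_sample():
    """Baseline on everything before midday on the 13th, then detect over all."""
    events = parse(SAMPLE_LOG)
    base = baseline(events, until=datetime(2017, 9, 13, 12, 0, 0))
    return detect(events, base)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The point of splitting `baseline()` from `detect()` is that the baseline is a Preparation-phase artefact: it has to exist before the incident, be computed per account rather than per environment, and be robust to the very outlier it is meant to catch. A DLP or FIM rule on `.csv`/`.txt` files appearing on the jump server would be the natural second signal for the exfiltration path the deck describes.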
Analysis
• Determining the type of breach
• Identifying scale of breach/compromised data
• Determine ingress and egress points
• Determining malware actions
• Identifying attack signatures
• Identifying known vulnerabilities
• Identifying new vulnerabilities
• Identifying affected 3rd parties
• Identify the attack vector (internal or external)
• Forensic imaging of affected devices
• Forensic analysis of affected devices and/or logs
Containment & Eradication
Containment
• Preventing further spread of the compromise
• Blocking unauthorised access
• Disabling access to affected devices
• Usage of disaster recovery site
• Notification to affected 3rd parties
• Notification to media
Eradication
• Removal of any identified malware
• Removal of any unauthorised devices/accounts
• Securing ingress and egress points
• Fixing exploited vulnerabilities
• Verification of removal
Recovery
• Restoration of modified data
• Rebuilding of affected devices
• Restoring system access
• Testing of recovered data/devices
• Implementation of most recent patches
• Forensic recovery of missing/corrupted data
Review
• Does the breach need to be reported (GDPR / PCI DSS)
• Does law enforcement need to be informed
• Documenting the breach and any affected data
• Identifying business impact
• Reviewing policies and procedures
• Agreeing future preventative measures
• Verifying preventative measures are implemented correctly
• Updating documentation
Invest in the basics - 1
• Map business processes and flows of data through the organisation (you will have to do this for POPI / GDPR / PCI)
• Classify information based on criticality and sensitivity
• Design systems and solutions to protect the most sensitive data, and ensure segmentation works as designed
• Record all of your assets so IT and the business can produce a protection strategy
• Use technology that you know how to use and IT teams can support and secure
• Monitor networks, systems and applications regularly and have incident response procedures and contracts in place
• Patch everything – all critical patches should be applied within 30 days
Invest in the basics - 2
• Assess vulnerabilities regularly and close the gaps within 30 days
• Use benchmarks and secure devices, using good working practices
• Control access using least privilege, and need to know
• Assess / audit your 3rd parties, understand their 3rd parties so you know
where your data is
• Educate, use sanctions and compensate with technology to ensure you are
not wholly reliant upon your users
Steve Marshall – Chief Operating Officer
Professional Experience
Steve is a world class consultant and business executive who has focused on high profile projects for the government and leading commercial organisations. Steve specialises in business consulting, payments, compliance, breach clean-up, enterprise architecture validation, assurance, corporate/information security, security restructures and risk in sector leading organisations across many business verticals and markets. A balance of technical excellence and keen business acumen enables Steve to provide cost effective, robust strategies for business.
Steve's early career focused on system and network administration / engineering / security on high throughput transactional platforms, video content delivery, high profile websites and hosting infrastructure. Steve then moved into management and senior management within several system integrators and consulting companies. Having developed several practices in the UK and worked for many companies and organisations, Steve set up PTP Consulting, now Risk-X, with his team to provide leading audit, advisory, assurance and digital forensics globally.
To date Steve has also been involved in :
• High profile security consulting for government organisations
• Headed up and consulted on numerous global retailers payments and PCI DSS compliance programmes
• Provided compliance strategy to global telecommunication, retail, transit, banking and UK building societies
• Provided architecture validation and security consulting to many enterprise customers
• Provided threat analysis and forensic readiness consulting to many commercial organisations
• Public speaking events themed around security, compliance and IT risk management to audiences in the UK and internationally
Industry Sector
Experience
• Financial Services
• Retail
• Media / Leisure / Entertainment
• Telecoms / ISP / Hosting
• Government / Public Sector
• Energy and Utilities
• Transit
• BPO’s / Call Centres / Outsourcers
• Gambling and Gaming
Qualifications
• BSc (Hons)
• Payment Card Industry Qualified Security Assessor (QSA)
• Payment Card Industry Forensic Investigator (PFI)
• IBITG Certified ISO/IEC 27001 Lead Auditor
• PECB Certified ISO/IEC 27001 Lead Implementer
• (ISC)2 System Security Certified Professional (SSCP)
About us
• Risk-X is a global provider of Audit, Advisory, Digital Forensics, Incident Response and Assurance services. We were formed by a team originally from the roots of major corporate consulting. Becoming disillusioned with the corporate consulting world that was not acting in the best interests of customers or their end consumers, we formed Risk-X. We knew that we could do better, and we have (just ask our customers).
• Over the last five years we have bolstered our expertise with specialists gained from law enforcement, military services, niche service providers and the best from the big four consulting houses. This, led from the same management and investment team, has seen sustained growth and the addition of allied services. We are well financed, motivated, hungry for your business and seek to delight in every engagement.
• When it comes to security and specialist resources, we have real world experience across all market sectors and verticals. We only take on work we know we can complete in line with your requirements, and only charge for what we do. We support 'plain English' and do not hide behind fancy lawyers, so engaging with us is easy and simple.
• Steve Marshall
• Chief Operating Officer
• steve.marshall@risk-x.co.uk
• +44 7770 352438
• +27800990116 = Incident Response Toll Free
• +27800990155 = General Enquiries Toll Free