Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights...
Transcript of Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights...
![Page 1: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/1.jpg)
© 2016 Imperva, Inc. All rights reserved.
Insiders:
The Threat is Already WithinShiri Margel & Itsik Mantin
June 2016
![Page 2: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/2.jpg)
© 2016 Imperva, Inc. All rights reserved.
About us
• Shiri Margel
• Data Security Research Team Leader
• M. Sc. in Applied Math and Computer Science
from the Weizmann Institute
• Itsik Mantin
• Director of Security Research
• M. Sc. in Applied Math and Computer Science
from the Weizmann Institute
![Page 3: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/3.jpg)
© 2016 Imperva, Inc. All rights reserved.
Agenda
• Introduction
• Behavioral Analysis
• Deception
• Summary
![Page 4: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/4.jpg)
People are the
WEAK LINK
![Page 5: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/5.jpg)
MaliciousCarelessCompromised
![Page 6: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/6.jpg)
© 2016 Imperva, Inc. All rights reserved.
• Acquire small amount of sensitive information over a long period of time
• Noticed after damaging events
• Almost impossible to prevent
The Nature of Insider Breach
Verizon DBIR 2016
Early Detection
![Page 7: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/7.jpg)
© 2016 Imperva, Inc. All rights reserved.
Our Research
• Behavioral Analysis
• Deception
![Page 8: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/8.jpg)
© 2016 Imperva, Inc. All rights reserved.
Our Research
• Behavioral Analysis
• Deception
![Page 9: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/9.jpg)
© 2016 Imperva, Inc. All rights reserved.
The Data
Cloud Applications
Databases
File Server
DatabaseSensors
FileSensors
The Perimeter
Cloud AppSensors
![Page 10: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/10.jpg)
© 2016 Imperva, Inc. All rights reserved.
Our Research – Behavioral Analysis
• Collect live production data from several customers of Imperva
• Full database and file server audit trail - SecureSphere audit logs
• Machine learning algorithms identify “Actors”
and “Good Behavior” in order to identify
“Meaningful Anomalies”
![Page 11: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/11.jpg)
© 2016 Imperva, Inc. All rights reserved.
Actors
![Page 12: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/12.jpg)
© 2016 Imperva, Inc. All rights reserved.
Good Behavior
![Page 13: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/13.jpg)
© 2016 Imperva, Inc. All rights reserved.
Behavioral Analysis Findings
• Malicious Insider
• Negligent Insider
• Compromised Insider
![Page 14: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/14.jpg)
© 2016 Imperva, Inc. All rights reserved.
Behavioral Analysis Findings
• Malicious Insider• Hoarding IP before leaving the company
• A DBA accessed financial information
• Negligent Insider
• Compromised Insider
![Page 15: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/15.jpg)
© 2016 Imperva, Inc. All rights reserved.
Malicious Insider: Behavioral Analysis finds the IP Hoarder
• A Technical Writing employee copied > 100,000 files
• Employee was authorized to access data
• Operation took 3 weeks
• Each copy contained a few thousand files
• Some copies - in the middle of the night and/or on the weekend
![Page 16: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/16.jpg)
© 2016 Imperva, Inc. All rights reserved.
Malicious Insider: Behavioral Analysis finds the IP Hoarder
• The employee / department
never copied this amount of files
• The employee never worked on
weekends / middle of the night
Week
days
Weekend
![Page 17: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/17.jpg)
© 2016 Imperva, Inc. All rights reserved.
Malicious Insider: Behavioral Analysis finds the IP Hoarder
• The employee / department
never copied this amount of files
• The employee never worked on
weekends / middle of the night
Week
days
Weekend
Employee was authorized
to access data
![Page 18: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/18.jpg)
© 2016 Imperva, Inc. All rights reserved.
Malicious Insider: Behavioral Analysis finds the IP Hoarder
Organization Feedback:
• The employee was planning to leave the organization shortly after the incident
took place
![Page 19: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/19.jpg)
© 2016 Imperva, Inc. All rights reserved.
Behavioral Analysis Findings
• Malicious Insider• Hoarding IP before leaving the company
• A DBA accessed financial information
• Negligent Insider
• Compromised Insider
![Page 20: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/20.jpg)
© 2016 Imperva, Inc. All rights reserved.
Malicious Insider: Behavioral Analysis flags DBA abusing privileges
Application DatabaseClients
Applicative
Tables
DBA
![Page 21: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/21.jpg)
© 2016 Imperva, Inc. All rights reserved.
Malicious Insider: Behavioral Analysis flags DBA abusing privileges
• A DBA from IT retrieved and modified multiple records from PeopleSoft
application tables on a specific day
• Didn’t access these tables through the PeopleSoft interface
bypassed PeopleSoft logging and retrieval limitations
Application DatabaseClients
Applicative
Tables
DBA
![Page 22: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/22.jpg)
© 2016 Imperva, Inc. All rights reserved.
Malicious Insider: Behavioral Analysis flags DBA abusing privileges
• Retrieved many records
Compared to himself -
Compared to other users -
![Page 23: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/23.jpg)
© 2016 Imperva, Inc. All rights reserved.
Malicious Insider: Behavioral Analysis flags DBA abusing privileges
• Modified several thousands of records in one table
• The tables contained sensitive financial information
![Page 24: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/24.jpg)
© 2016 Imperva, Inc. All rights reserved.
Malicious Insider: Behavioral Analysis flags DBA abusing privileges
• Modified several thousands of records in one table
• The tables contained sensitive financial information
Should a DBA access financial information ???
![Page 25: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/25.jpg)
© 2016 Imperva, Inc. All rights reserved.
Malicious Insider: Behavioral Analysis flags DBA abusing privileges
Organization Feedback:
• A DBA from IT should never be exposed to financial information
• Certainly not modify this information outside of application processes
![Page 26: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/26.jpg)
© 2016 Imperva, Inc. All rights reserved.
Behavioral Analysis Findings
• Malicious Insider
• Negligent Insider• Account Sharing
• Compromised Insider
![Page 27: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/27.jpg)
© 2016 Imperva, Inc. All rights reserved.
Negligent Users: Behavioral Analysis flags Account Sharing
27
• Bypass organization permissions and privileges
• Provide people with access that they are not entitled to
• Leave incorrect access trail to the data
• Sharing is not caring!
![Page 28: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/28.jpg)
© 2016 Imperva, Inc. All rights reserved.
Negligent Users: Behavioral Analysis flags Account Sharing
• A and B share privileges
• C and D use B’s account
• H uses the accounts of E, G
• J uses the accounts of G, I
• L uses the account of K
![Page 29: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/29.jpg)
© 2016 Imperva, Inc. All rights reserved.
Behavioral Analysis Findings
• Malicious Insider
• Negligent Insider
• Compromised Insider• Multiple failed login attempts
![Page 30: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/30.jpg)
© 2016 Imperva, Inc. All rights reserved.
Compromised Users : How failed logins are flagged as anomalous
• Baseline period
– the user always successfully
logs into DB1 using “red”
account
– never logs into DB2
• On the day of the incident
– the user tried and failed to
log into DB2 11 times using
4 different account
– Succeeded using 5th account
![Page 31: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/31.jpg)
© 2016 Imperva, Inc. All rights reserved.
Behavioral Analysis - Summary
![Page 32: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/32.jpg)
© 2016 Imperva, Inc. All rights reserved.
Behavioral Analysis - Summary
• We found interesting incidents for all insiders options
• It was hard to find them without behavioral analysis methods
– Used valid privileges
– Chose “meaningful” anomalies
• Concentrated on the actors and on their access to the data
![Page 33: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/33.jpg)
© 2016 Imperva, Inc. All rights reserved.
Our Research
• Behavioral Analysis
• Deception
![Page 34: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/34.jpg)
© 2016 Imperva, Inc. All rights reserved.
Deception Why?
• Because Compromise is Inevitable– No Perimeter: BYOD, Cloud Apps, VPN
– Legitimate apps (TeamViewer, DropBox)
– Zero Days
– Social Engineering
• Find Data Breach within Compromises– Compromises happen all the time… few of them may turn into a breach!
– Response team have to prioritize
– 100 alerts << 1 alert
• Detect a breach ASAP– Reconnaissance & Lateral Movement
![Page 35: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/35.jpg)
© 2016 Imperva, Inc. All rights reserved.
Attack Cycle
Databases
Files
Web Apps
Data
Cen
ter
• Compromise
• Reconnaissance
• Lateral Movement
• Data Access
• Exfiltration
![Page 36: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/36.jpg)
© 2016 Imperva, Inc. All rights reserved.
Deception Tokens
• Point the attacker towards a Trap– Web, File, DB Server (etc)
– Local / Domain Account
– Passwords, Cookies, Authentication Tokens
• Trap Server is Real– Not a Honeypot
• Detection = Harvest + Use token– Deliberate attempt at the data center / gain more privileges
![Page 37: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/37.jpg)
© 2016 Imperva, Inc. All rights reserved.
Using Sensors for Deception
Cloud Applications
Databases
File Server
DatabaseSensors
FileSensors
The Perimeter
Cloud AppSensors
![Page 38: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/38.jpg)
© 2016 Imperva, Inc. All rights reserved.
Browser Passwords
• Where are autocomplete passwords saved?
• Are they safe?
![Page 39: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/39.jpg)
© 2016 Imperva, Inc. All rights reserved.
Browser Passwords
Return to Index
![Page 40: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/40.jpg)
© 2016 Imperva, Inc. All rights reserved.
MimiKatz
• Pulling plaintext passwords from Windows
• Relies on Wdigest interface through LSASS
• Wdigest: a DLL used to authenticate users against HTTP Digest
authentication and Simple Authentication Security Layer (SASL) exchanges.
• (un)fortunately, these require the plain-text password
![Page 41: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/41.jpg)
© 2016 Imperva, Inc. All rights reserved.
MimiKatz
Return to Index
![Page 42: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/42.jpg)
© 2016 Imperva, Inc. All rights reserved.
Compromised User Scenario
• Trojan got through to the
endpoint via phishing
• Planted credentials inside
Windows Vault, Internet
Explorer were used
• Determine the source and
scope of the attack without
tipping off the attacker
![Page 43: Insiders: The Threat is Already Within - OWASP · 2016. 6. 14. · © 2016 Imperva, Inc. All rights reserved. Insiders: The Threat is Already Within Shiri Margel & Itsik Mantin June](https://reader034.fdocuments.net/reader034/viewer/2022052105/60411d6e7d207f23f0552cf1/html5/thumbnails/43.jpg)