
Planning for an Insider Incident

Jim Bothe, Director of Operations


Jim Meyer, Managing Director

Introductions

Jim Bothe Jim.Bothe@CoordinatedResponse.COM

Jim Meyer Jim.Meyer@CoordinatedResponse.COM

Coordinated Response
A cybersecurity incident response planning and consulting firm
www.CoordinatedResponse.com

Copyright 2016 Information Systems Audit and Control Association, Inc. All rights reserved.

Insider Threats / Insider Incidents

But, these are just the obvious


Guide for Insider Threats

Common Sense Guide to Mitigating Insider Threats, 4th Edition, SEI, December 2012, Retrieved 11/2013:
http://www.sei.cmu.edu/reports/12tr012.pdf
Authored by the CERT Insider Threat Center.

Recognizes the importance of an extended team.
Reflects the range of insider behavior.
Identifies 19 practices for dealing with insider threats.
    Most are not related to incident management, but some are!

The authors of the Guide:
    Employed the 2011 Cybersecurity Watch Survey; and
    Analyzed the CERT Insider Threat Data Base.


Insider Threat Potential Impact

50% likelihood of an insider incident in the next 12 months

Setting aside the miscellaneous cases and recognizing the cases involving two connected outcomes in this diagram. Factor this into your risk and impact assessment.

The Guide makes the point that fraud is greatest in finance, followed by Government and Healthcare. The IT Sector leads the IP theft category.

Figure 1, Common Sense Guide, page 5.

Over 300 cases studied



Common Sense Guide

The guide identifies 19 practices. For each practice the guide provides:
Protective measures,
Challenges associated with the practice,
A case study reflecting the practice,
Quick wins and high-impact solutions:
    One set for all organizations and
    a second set for large organizations;
    With checklists; and
Mapping to standards: NIST, CERT, ISO.


Practices for Dealing with Insider Threat

1. Consider threats from insiders and business partners in enterprise-wide risk assessments.
2. Clearly document and consistently enforce policies and controls.
3. Incorporate insider threat into periodic security training for all employees.
4. Beginning with hiring process, monitor and respond to suspicious or disruptive behavior.
5. Anticipate and manage negative issues in the work environment.
6. Know your assets.

Practices in bold support response planning.


Practices, continued

7. Implement strict password and account management policies and practices.
8. Enforce separation of duties and least privilege.
9. Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
10. Institute stringent access controls and monitoring policies on privileged users.
11. Institutionalize system change controls.
12. Use a log correlation or security information and event management (SIEM) system to log, monitor, and audit employee actions.

Practices, continued

13. Monitor and control remote access from all end points, including mobile devices.
14. Develop a comprehensive employee termination procedure.
15. Implement secure backup and recovery processes.
16. Develop a formalized insider threat program.
17. Establish a baseline of normal network behavior.
18. Be especially vigilant regarding social media.
19. Close the doors to unauthorized data exfiltration.


A Range of Insiders

The traditional threat posed by current or former employees;
Collusion with outsiders; e.g., employees recruited or coerced by competitors or organized crime;
Business partners;
Mergers and acquisitions;
Cultural issues - national or corporate; and
Insider with alliance to a nation state, may be coerced.

Risk transfers between partners and even clients.
Identify partners and contractors; examine risks.


Large or small, organizations have a 50/50 chance of an insider incident in any year. What are the implications for your organization?


CERT Insider Attack Data Base

Over 700 cases across all sectors, often with significant damage. Examples include:
Low-tech attacks, such as modifying or stealing confidential or sensitive information for personal gain;
Theft of trade secrets or customer information
    used for business advantage or
    given to a foreign government or organization; and
Technically sophisticated crimes that sabotage the organization's data, systems, or network.


Attack Data Base, continued

Analysis of 371 (just over half) adjudicated cases where the insider was found guilty provided the following patterns:
IT sabotage - use of IT resulting in organizational harm;
Fraud
    unauthorized data modification, deletion, or addition for personal gain; or
    theft of information leading to identity theft;
Intellectual property (IP) theft - often with outsider involvement; and
Miscellaneous.


The Extended Response Team

Insider threats are influenced by a combination of technical, behavioral, and organizational issues and must be addressed by policies, procedures, and technologies.

As a result, a wide range of organizational staff is involved in addressing insider threats (in both the incident plan and response):
Senior Management
Human Resources
Legal Counsel
Physical Security
Information Technology
Information Security
Data Owners


Practice 1 - Consider Insider Threat in Enterprise-wide Risk Assessment

The Guide recommends the following quick wins:
    NDAs, background checks, control printing of sensitive documents, avoid direct connections to trusted business partners.
    But, while these are quick wins, they are controls that mitigate risk.
Also consider:
    In the risk assessment, evaluate known assets, access authorities, redundancies, checks and balances, separation of duties.


Practice 1, continued

The Guide acknowledges contractors as a potential source of an insider threat. To that end:
Consider contractual language for contractors that specifies their responsibilities for security;
As with employees, have a comprehensive contract termination procedure; and
Consider contract termination as an incident, begin monitoring, look for residual activities.


Practice 2 - Enforcement of Policies and Controls

The Guide recommends the following quick wins:
    Secure senior management support.
    Brief employees, contractors, and trusted business partners; require signed acceptable-use policies initially and annually.
    Provide consistent enforcement.
Also consider:
    Policies and senior management support are key to an effective incident response program.
    Consistent execution of Incident Response procedures is also important.


Practice 3 - Address Insider Threat in Awareness Training

Employees are a major source of identifying precursors by reporting suspected events.
    Awareness training prepares employees to recognize improper activities.
    Detect and report disruptive behavior.
    Monitor adherence to organizational policies.

Employees need to know when, where, and how to report possible insider incidents.


Practice 6 - Know Your Assets

The Guide recommends the following quick wins:
    Inventory all data types that are processed: medical, personal, inventory, supplier, etc.
    Inventory devices including network devices, mobile devices, credentials.
    Identify geography: single location, multiple, foreign, cloud.
Also consider:
    This knowledge is essential to a meaningful risk assessment.
    Include senior management and data owners for proper understanding.


Practice 10 - Implement Monitoring Policies for Privileged Users

Why Monitor Employee Activity?
    Reactive investigation strategy
    Proactive protection strategy

What is Right for Your Organization?
    Where to start
    Determine your goals - review your Acceptable Use Policy
    Consider involving your employees
    Decide whether to implement active, passive, or both types of monitoring
    Decide what to monitor and what data to retain
    Decide how to handle escalation and review
    Convene key stakeholders
        Senior Management, Human Resources, Legal, Information Technology

Reference: SpectorSoft, Implementing an Employee Monitoring Program. Retrieved 09/16/2015 from: http://www.spectorsoft.com/resources/.

Practice 10, continued

What are the Goals for User Monitoring?
    Detect Insider Threat / Deter Insider Threat
    Inadvertent versus Malicious Breach
    Resources for this discussion
        ACFE - Association of Certified Fraud Examiners
        The CERT.ORG website

Action Item: Review Your Acceptable Use Policy.
    Reference - 2 Federal laws
        Electronic Communications Privacy Act of 1986 (ECPA)
        Computer Fraud and Abuse Act


Practice 10, continued

Disclose Means of Monitoring? Involve Your Employees?

Monitoring: Active? Passive? Or Both?
    Active monitoring or employee surveillance - records all or select data on digital activity; then the data is analyzed and reports or alerts are generated.
    Passive monitoring - the data is collected, but not reviewed without cause.

Investigatory Cause, like Probable Cause in the criminal justice world, exists where there is reason to suspect activities detrimental to the organization.
    Role-based cause - connected users with elevated privilege.
    Conditional cause - cause associated with a particular condition, for example, an employee leaving the company has less loyalty.
    Involve legal, especially if international locations are involved.

Practice 14 - Comprehensive Employee Termination Process

The Guide recommends the following quick wins:
    Develop an enterprise-wide checklist to use at the time of separation.
    Establish a procedure for tracking all accounts assigned to each employee.
    Notify all employees of the departing employee's separation.
Also consider:
    An incident may provide important documentation to support employee termination. Identify needs and methods in the Incident Response Plan.
    Treat terminations as a precursor to an indicator.


Practice 16 - Develop a Formalized Insider Threat Program

The Guide recommends the following quick wins:
    Ensure that legal counsel determines the legal framework the team will work in.
    Establish policies and procedures for addressing insider threats that include HR, Legal, Security, management, and IA.
    Establish the expertise to conduct a legal, objective, and thorough inquiry using either employees or contractors or both.
Also consider:
    Implement insider threat detection rules into SIEM systems.
    Employ user activity monitoring technology, especially for privileged users.
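
The account tracking in Practice 14 and the SIEM detection rules in Practice 16 meet in one simple rule: flag any activity by an account whose owner has already separated. The sketch below is an added example, not from the Guide or the presenters; the inventory structure, the log format, the account names and all function names are constructed assumptions.

```python
"""Residual-activity check: events from accounts whose owner has separated."""
from datetime import datetime, timezone
from typing import NamedTuple, Optional

UTC = timezone.utc

# Constructed inventory (assumption): every account assigned to each person,
# plus the separation time HR recorded. None means the person is still active.
ACCOUNT_INVENTORY = {
    "E1001": {"accounts": {"jdoe", "jdoe-adm", "svc-build"},
              "separated": datetime(2016, 3, 4, 17, 0, tzinfo=UTC)},
    "C2002": {"accounts": {"vendor-hvac"},
              "separated": datetime(2016, 3, 1, 0, 0, tzinfo=UTC)},
    "E1003": {"accounts": {"asmith"}, "separated": None},
}

# Constructed log lines (assumed format): "<UTC time> <account> <action> <source>"
SAMPLE_LOG = """\
2016-03-04T16:20:00Z jdoe file_read fileserver01
2016-03-04T18:05:00Z JDOE-ADM vpn_login 203.0.113.7
2016-03-05T02:11:00Z svc-build cron_modify buildhost02
2016-03-02T09:00:00Z vendor-hvac vpn_login 198.51.100.9
2016-03-05T08:30:00Z asmith file_read fileserver01
2016-03-05T09:15:00Z tmp-admin ssh_login buildhost02
malformed line without enough fields
"""


class Event(NamedTuple):
    when: datetime
    account: str
    action: str
    source: str


class Finding(NamedTuple):
    person_id: str
    event: Event
    hours_after_separation: float


class Report(NamedTuple):
    findings: list   # activity after the owner's separation time, oldest first
    unowned: set     # accounts seen in the log but missing from the inventory
    skipped: int     # lines that could not be parsed


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for anything malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
    except ValueError:
        return None
    return Event(when, parts[1].lower(), parts[2], parts[3])


def find_residual_activity(log_text: str, inventory: dict) -> Report:
    # Invert the per-person inventory into account -> (owner, separation time).
    owners = {account.lower(): (person_id, record["separated"])
              for person_id, record in inventory.items()
              for account in record["accounts"]}
    findings, unowned, skipped = [], set(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            skipped += 1
            continue
        if event.account not in owners:
            unowned.add(event.account)  # an inventory gap is itself worth review
            continue
        person_id, separated = owners[event.account]
        if separated is not None and event.when > separated:
            hours = (event.when - separated).total_seconds() / 3600
            findings.append(Finding(person_id, event, round(hours, 2)))
    findings.sort(key=lambda finding: finding.event.when)
    return Report(findings, unowned, skipped)


if __name__ == "__main__":
    report = find_residual_activity(SAMPLE_LOG, ACCOUNT_INVENTORY)
    for finding in report.findings:
        print(finding.person_id, finding.event.account, finding.event.action,
              f"+{finding.hours_after_separation}h")
    print("unowned:", sorted(report.unowned), "skipped:", report.skipped)
```

Accounts that appear in the log but not in the inventory are reported separately, since the rule is only as complete as the account tracking behind it.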

Incident Response Planning
Insider or Not


CERT/CC Incident Management

Defining Incident Management Processes for CSIRTs: A Work in Progress, CMU/SEI, 2004.
http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=7153

Incident Response & Management

Everyone agrees an Incident Response Plan is critical.

National Institute of Standards and Technology (NIST) Special Publication SP 800-53 Rev 4 identifies Incident Response (IR) as 1 of the 18 families of information security controls:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

The International Standards Organization defines ISO 27035:2011 as the standard for Information Security Incident Management:
http://www.iso.org/iso/catalogue_detail?csnumber=44379.

The Center for Internet Security identifies Incident Response (IR) as 1 of 20 Critical Security Controls:
https://www.cisecurity.org/critical-controls.cfm


NIST Identifies 10 Incident Response Controls


An Incident Response Plan (according to NIST SP 800-53r4):

Is a roadmap for implementing incident response capability;
Describes the structure and organization of the incident response capability;
Provides a high-level approach for how the incident response capability fits into the overall organization;
Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
Defines reportable incidents;
Provides metrics for measuring the incident response capability within the organization;
Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
Is reviewed and approved at an appropriate level.

Regulatory Compliance

What kind of data do you have?
    Personally Identifiable Information (PII)
    Payment Card Industry (PCI) Data Security Standards (DSS)
    Health Insurance Portability and Accountability Act (HIPAA)
    Intellectual Property (IP)
    Financial Fraud
    Other?
There are two critical incidents: data loss and denial of service.
Malware is malware unless it leads to 1 of these 2 outcomes.

A Thought on Reputation, Risk, and Impact

Target / Home Depot / JP Morgan

PCI v PII v Health Information

Chelsea (aka Bradley) Manning / Edward Snowden

Reputational under impact - it's the biggie
    Anthem - you can't move if it's employer provided
    Target & Home Depot - move to Walmart and Lowe's


Beware of Disgruntled Employees

Employee disgruntlement is a recurring factor in insider compromises.
This often involves insider IT sabotage.
In each case, the insider's disgruntlement was caused by unmet expectations, including
    insufficient salary increase or bonus,
    limitations on use of company resources,
    diminished authority or responsibilities,
    perception of unfair work requirements,
    feeling of being treated poorly by co-workers.

Consider any of these as an incident that needs authorized, appropriate monitoring.


A Disgruntled Employee

Ex-Intel employee pleads guilty to theft charges.

Engineer downloads design and manufacturing documents in his final days with Intel.

He already had new employment with AMD; AMD had no involvement in this criminal activity.

Intel valued the trade secrets at $200M to $400M.

The engineer faces up to 20 years in prison.

Reuters, 04/06/2012, Retrieved, 11/14/13:
http://www.reuters.com/article/2012/04/06/us-intel-theft-idUSBRE8350LQ20120406

The Response Management Framework

A comprehensive approach starts with a proven framework:
Incident Categories and Types - the scope of responsibility
Incident Response Team - Core and extended members
Incident Impact, Incident Priority - areas, measures, level of response
Actions - pre-defined, managed, and defensible with logical execution

Response Management Framework


Incident Categories & Types

Anticipate Action!
Align Investment!
Monitor Trends!
Compromised Asset
External / Internet
Malware

Loss of Equipment
Internal / Personnel
Response Team Services


Response Management Framework
Incident Categories & Types

Compromised Asset
    Data Breach / Compromised Data
    Fraudulent Activity
    Compromised System

Loss of Equipment
    Loss of Laptop, Tablet, Phone
    Loss of Credential (Badge, etc.)

External / Internet
    Denial of Service
    Network Probing / Logical Attack
    E-mail Spamming / Phishing
    Threat Intelligence

Internal / Personnel
    Improper Email Usage
    Improper Internet Usage
    System or Network Misuse

Malware
    Destructive Malware
    Ransom Ware
    Other Malware

Services
    Other incidents not categorized above
    Other services as required, e.g., legal support

Response Management Framework


Incident Response Team
EXTENDED TEAM

Timely notifications!
Proper Escalation!
Metrics & Management.
Enterprise Governance.

OUTSIDE
RESOURCES


The Extended Team for Planning and Response

Insider threats are influenced by a combination of technical, behavioral, and organizational issues and must be addressed by policies, procedures, and technologies.

As a result, a wide range of organizational staff is involved in addressing insider threats (in both the incident plan and response):

Management,
Human Resources (HR),
Legal Counsel,
Physical Security,
Information Technology (IT) & Software Engineers,
Information Assurance (IA), and
Data Owners.

IR-4(7) Incident Handling, Insider Threat, Intra-Organization Coordination

Legal Plays a Special Role

A strong partner and advocate for cybersecurity practices.

Helps assure actions are reasonable and defensible.

Specifically, guide the investigative process.

Protects sensitive conversations.

This is extra important internationally.



Impact Assessment & Incident Prioritization

Impact Areas and Impact Measures are customer-defined.
Enterprise Governance.
An assessment is dynamic & evolves over the incident life.
Monitor Trends!
Keep Records!
Reflect Expected Value!

ISACA - Potential Impact Areas
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Incident-Management-and-Response.aspx

Risk planning and response planning are linked. The risks and resulting impacts occur in the following areas:
Reputational Risks - including public relations or legal issues with customers.
Regulatory Risks - including the inability to meet regulatory compliance.
Operational Risks - including the inability to deliver key business capabilities.
Internal, Human Relations Risks - including inability to process payroll or violations of employee privacy.
Financial Risks - including loss of physical assets or remediation expenses.

Impact Areas & Measures


Response Team Actions

Assign incident actions - use a checklist!
Track actions!
Track handlers!


ISACA - Align Incident Response with Incident Impact
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Incident-Management-and-Response.aspx

Response actions taken should be designed to mitigate the impact of an incident with the following goals in mind:
Provide an effective means of addressing the situation in such a way that it minimizes the impact to the enterprise.
Provide management with sufficient information to decide on appropriate courses of action.
Maintain or restore continuity of enterprise services.
Provide a defense against subsequent attacks.
Provide additional deterrence through the use of technology, investigation and prosecution.

Situation

Employee uses e-mail like instant messaging for a daylong conversation with his spouse.

Employee uses e-mail to solicit candy bar sales for his daughter's marching band. Co-workers, subordinates and suppliers are contacted.

Employee uses e-mail to organize a weekend betting pool for college basketball. Individuals outside the company are involved.

Consistent actions are defensible actions.
Consider improper use of e-mail.
All three are policy violations.


Situation / Outcome

Situation: Employee uses e-mail like instant messaging for a daylong conversation with his spouse.
Outcome: Not malicious / Low impact. Meet with HR. Add memo to HR records.

Situation: Employee uses e-mail to solicit candy bar sales for her daughter's marching band. Co-workers, subordinates and suppliers are contacted.
Outcome: Not malicious / Medium impact. The solicitation might seem coercive to employees and suppliers. Contact employees / suppliers. Suspend employee w/out pay.

Situation: Employee uses e-mail to organize a weekend betting pool for college basketball. Individuals outside the company are involved.
Outcome: Not malicious / High impact. Legal implications for the company. Terminate employee. Contact authorities.

The Need for Collaboration - Legal and HR

It is vital to work with your legal and human resources departments when investigating potential insider threats.
Establish go-to contacts early in both legal and HR.
Guide through organizational hierarchy.
Identify labor contract questions.
Address privacy issues, which vary from country to country.
Interface with law enforcement, if necessary.


Handling Evidence

The evidence may be used in court, and must be appropriately gathered and maintained:
Manage chain of custody, particularly as evidence moves from entity to entity;
Establish a physically secure location - locked safe, etc.;
Preserve system logs;
Preserve email; and
Maintain file meta-data - normal Windows copy does not do this.
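
One way to carry out the metadata-preserving copy and the custody record listed above, as an added example that is not part of the original slides. The file names, handler names and log fields are constructed assumptions; the hash-chained log is a technique chosen here so that later edits to a custody record are detectable.

```python
"""Evidence handling sketch: hash, timestamp-preserving copy, chained custody log."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first custody record


def sha256_file(path, chunk_size=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def entry_hash(entry):
    """Hash every field except the stored hash itself, in a stable key order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(custody_log, **fields):
    """Append a record that commits to the previous record, so edits are detectable."""
    entry = dict(fields, recorded_at=datetime.now(timezone.utc).isoformat(),
                 prev_hash=custody_log[-1]["entry_hash"] if custody_log else GENESIS)
    entry["entry_hash"] = entry_hash(entry)
    custody_log.append(entry)
    return entry


def collect(src, evidence_dir, handler, custody_log):
    """Record original metadata and hash, copy with timestamps kept, verify, log."""
    stat = os.stat(src)
    digest = sha256_file(src)
    dest = os.path.join(evidence_dir, os.path.basename(src))
    shutil.copy2(src, dest)  # copy2 also copies timestamps; shutil.copy does not
    if sha256_file(dest) != digest:
        raise RuntimeError(f"hash mismatch after copying {src}")
    return append_entry(custody_log, event="collected", item=dest, sha256=digest,
                        size=stat.st_size, original_path=os.path.abspath(src),
                        original_mtime=int(stat.st_mtime), handler=handler)


def transfer(custody_log, item, released_by, received_by):
    """Log a hand-off; re-hashing shows both custodians held the same bytes."""
    return append_entry(custody_log, event="transferred", item=item,
                        sha256=sha256_file(item), released_by=released_by,
                        handler=received_by)


def verify_log(custody_log):
    """Recompute the chain; any edited, removed or reordered record breaks it."""
    prev = GENESIS
    for entry in custody_log:
        if entry["prev_hash"] != prev or entry["entry_hash"] != entry_hash(entry):
            return False
        prev = entry["entry_hash"]
    return True


def demo():
    """Run the workflow on a constructed file in a temporary directory."""
    constructed_mtime = 1457110800  # 2016-03-04 17:00:00 UTC, sample value
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "design_notes.txt")
        with open(src, "w") as handle:
            handle.write("constructed sample content\n")
        os.utime(src, (constructed_mtime, constructed_mtime))
        evidence_dir = os.path.join(work, "evidence")
        os.mkdir(evidence_dir)

        naive = shutil.copy(src, os.path.join(work, "naive_copy.txt"))
        log = []
        entry = collect(src, evidence_dir, "analyst-a", log)
        transfer(log, entry["item"], "analyst-a", "legal-b")
        result = {
            "naive_kept_mtime": int(os.stat(naive).st_mtime) == constructed_mtime,
            "evidence_kept_mtime": int(os.stat(entry["item"]).st_mtime) == constructed_mtime,
            "hashes_agree": log[0]["sha256"] == log[1]["sha256"],
            "log_valid": verify_log(log),
        }
        log[0]["handler"] = "someone-else"  # simulate an after-the-fact edit
        result["tampered_log_valid"] = verify_log(log)
        return result


if __name__ == "__main__":
    print(demo())
```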


AT&T Insider Incident

FCC fines AT&T for data breach.
http://www.slate.com/blogs/future_tense/2015/04/08/fcc_fines_at_t_25_million_for_breaches_that_affected_280_000_customers.html

Talk about an Insider Incident with adverse impact: $25 Million Fine.
Talk about enterprise risk: call center employees in Mexico, Colombia, and the Philippines.
280,000 impacted customers from 2013-2014
Call center employees
    Accessed Personally Identifiable Information (PII);
    Used PII to access unlock codes on mobile handsets;
    Sold unlocked handsets to mobile device traffickers.

How do you monitor this activity? How do you respond?



Data Breach & Privacy Preparation

Identify Sensitive Data.
    Payment card (PCI), Health (HIPAA), personal identity information (PII).
    Proprietary data: intellectual property (IP), financial, competitive.

Recognize Statutory Compliance Framework.
    Data at risk drives preparation and plan.
    PCI, HIPAA, PII, IP, and financial.

Identify Third party connections.
    Payment processors, insurance plus, employees, subcontractors.

Develop your plan.
    Lay in provisions to execute the plan.

The Target Data Breach

Consider the Target breach. The material that follows was drawn from the following sources:

Target's web site:
https://corporate.target.com/about/shopping-experience/payment-card-issue-faq

Forbes Magazine web site:
http://www.forbes.com/sites/sungardas/2014/01/17/five-lessons-for-every-business-from-targets-databreach/

Krebs on Security web site:
http://krebsonsecurity.com/tag/target-data-breach/

The Blaze:
http://www.theblaze.com/stories/2014/02/06/how-one-hvac-worker-may-have-caused-the-entire-targetdata-breach/


Target, continued

Detect

Target's Security Information and Event Management (SIEM) system from FireEye provided indicators that an event was occurring.

Target's team dismissed the indicator; it was not considered an incident.
    What are your thoughts on audit and controls for this?

Later Target was alerted by an outside party, likely the U.S. Secret Service.

Once an incident is declared, simultaneously initiate Analysis and Containment and Eradication.


Target Data Breach (November/December 2013)

November 27, 2013 thru December 15, 2013 Target experienced a data breach at some of its stores.
40 Million credit/debit card credentials were stolen.
70 Million records with name, address, email address, and phone numbers were stolen as well.
46% drop in profits experienced that quarter.
$200 million spent by credit unions and community banks re-issuing 21.8 million credit cards - half those stolen.
1 to 3 million stolen cards successfully sold on the black market.
$35.70 was the median price for a stolen card on December 19, 2013; $18.00 was the median price on February 19, 2014.
$162 Million was the out-of-pocket cost for Target (http://www.pymts.com).

US-CERT - Combating Insider Threat

A High-Level View to Help Inform Senior Management.

The US-CERT Web Site offers a 5-page paper on Combating Insider Threat.
https://www.us-cert.gov/security-publications/Combating-Insider-Threat

This well-written document summarizes the nature of the threat and an approach to detect and deter malicious insider activity. The paper is valuable for 2 reasons:
It is the right document from the right source to inform executive leadership and board members on the importance of addressing insider threats; and
It provides a great set of references - good resources for informing an effective program to address insider threat.


National Insider Threat Special Interest Group (NITSIG):
http://nationalinsiderthreatsig.net/


Questions, comments, discussion


ISACA Incident Response Resources

From the ISACA Bookstore

The Computer Incident Response Planning Handbook, by N.K. McCarthy.
https://www.isaca.org/bookstore/extras/Pages/The-Computer-Incident-Response-Planning-Handbook-review.aspx

Incident Response & Computer Forensics, by Matthew Pepe, Jason Luttgens, Kevin Mandia.
https://www.isaca.org/bookstore/extras/Pages/The-Computer-Incident-Response-Planning-Handbook-review.aspx

Incident Impact and Response, ISACA, 2012. Retrieved 08/19/2016 from:
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Incident-Management-and-Response.aspx
