FEDERAL BUREAU OF INVESTIGATION
“Fidelity, Bravery, and Integrity”
Combating the Insider Threat at the FBI: Real World Lessons Learned
Patrick Reidy
Disclaimer and Introduction
The views expressed in this presentation are those of the presenter and do not reflect the official policy or position of the Department of Justice, the Federal Bureau of Investigation, or the U.S. Government, nor does it represent an endorsement of any kind.
The 5 Lessons
1. Insider threats are not hackers
2. Insider threat is not a technical or “cyber security” issue alone
3. A good insider threat program should focus on deterrence, not detection
4. Avoid the data overload problem
5. Use behavioral analytics
Our IA Program & Evolution
Threat focus: Computer intrusion
  Protection: N/W perimeter, firewalls, A/V, IDS, proxies
  Detection technique: signature based
Threat focus: APT
  Protection: + Internal N/W, host OS, application, A/V, logs, net flow data, DHCP, DNS
  Detection technique: + N/W anomaly
Threat focus: Insider
  Protection: + DLP, DRM, Personnel data, data object interaction, non-N/W email
  Detection technique: + data mining, behavioral
The Approach: Known Bad vs. Assumed Good
► Test: 65 espionage cases and the activities of over 200 non-model employees
► Control: The rest of the user population
Lesson #1: The Misunderstood Threat
► NOT hackers
► People who joined organizations with no malicious intent
► Most tools and techniques are designed with the hacker in mind
Not The “Knuckle Head” Problem
► We lose most battles 2 feet from the computer screen
► 24% of incidents, 35% of our time
► The “knuckle head” problem
► Policy violations, data loss, lost equipment, etc.
► Address with user training campaigns & positive social engineering
► 7% drop in incidents since last year
The Most Common Threat of Them All!?!? Not So Fast…
Joe Says…
► Insider threat is not the most numerous type of threat
► 1900+ reported incidents in the last 10 years
► ~19% of incidents involve malicious insider threat actors
► Insider threats are the most costly and damaging
► Average cost $412K per incident
► Average victim loss: ~$15M / year
► Multiple incidents exceed $1 Billion
Sources: Ponemon Data Breach Reports: ’08, ’09, ’10, ’11; IDC 2008; FBI / CSI Reports: ’06, ’07, ’08, ’09, ’10/’11; Verizon Business Data Breach Reports: ’09, ’10, ’11, ’12, ’13; CSO Magazine / CERT Survey: ’10, ’11; Carnegie Mellon CERT 2011 IP Loss Report; Cisco Risk Report ’08
FBI Case Statistics IEA 1996 - Present
► Data from convictions under the Industrial Espionage Act (IEA), Title 18 U.S.C., Section 1831
► Average loss per case: $472M
Solution: Define the Insider
► Authorized people using their trusted access to do unauthorized things
► Boils down to actors with some level of legitimate access, and with some level of organizational trust
► Misunderstanding example: The APT is not an insider threat because they steal credentials.
The Threat Tree
Threats
  Environmental
  Human
    Internal
      Non-malicious
      Malicious: I/T abuse, Espionage, and the CERT threat models (Fraud, IP Theft, Sabotage)
    External
      Non-malicious
      Malicious
Sysadmins: Evil? Not So Fast…
Joe Says…
► 1.5% of espionage cases reviewed involved the use of system admin privileges
► 0.8% of internal FBI incidents involved system admin cases
► CMU CERT shows different statistics for IT sabotage: 90% of IT saboteurs were system admins
http://www.cert.org/blogs/insider_threat/2010/09/insider_threat_deep_dive_it_sabotage.html
The Intrusion Kill Chain
► The Intrusion Kill Chain is excellent for attacks, but doesn’t exactly work for insider threats
Reference: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. E.M. Hutchins, M.J. Cloppert, et al.
The Insider Threat Cyber “Kill Chain”
Recruitment / Tipping point
  - Recruitment or coercion
  - Going from “good” to bad
  Operational security: hiding communications with external parties
Search / Recon
  - Find the data / target
  - Vague searching
  - Asking coworkers to find data for them
  Operational security: less time the more knowledgeable the threat
Acquisition / Collection
  - Grab the data
  - Data hoarding
  Operational security: use of crypto, renaming file extensions, off-hour transfers
Exfiltration / Action
  - Game over!
  - Egress via printing, DVDs / CDs, USBs, network transfer, emails
  Operational security: spreading data downloads over multiple sessions
Beware the Silver Bullet
► Many want you to believe insider threats are hackers in order to sell you things
► IDS, Firewalls, AV, etc. do not work
► No rules are being broken!
► Question vendor claims
► Some great capabilities, but no “out of the box” solutions
► Data loss prevention, digital rights management, and IP theft protection products are maturing
[Image: “Click Here to Catch Spy”]
Lesson #2: This is Not a Simple Cyber Security Problem
► We trust the threat
► Insider threat programs are not just policy compliance shops
► 90% of problems are not technical
► Programs do not just bolt into Security Operations Centers
► Dedicated staff with clear objectives are a must
Solution: The Multidisciplinary Approach
► Identify: CI / Intel, Cyber, Personnel Security
► Goal: Deter, Detect, Disrupt
► Focus: People, Enemy, Data
Do You Know Your People?
[Figure: a notional employee profile tying identity attributes to behavior]
► Serial #: 1234567
► Badge #: 2345
► 703-555-1212
► IP Addrs: 1.1.1.1
► Jdoe@ic.fbi.gov
► Works for Business Development
► Work schedule
► Patterns of activity
The Whole Person Approach
► Contextual
► Psychosocial
► Cyber
Know Your Enemy
► Who would be targeting your organization?
► Who would they target inside your organization?
► Who are the high risk individuals in your organization?
Know Your Data
► What are the crown jewels of your organization?
► What data / people would the enemy want to target?
► Action:
  ► Identify sensitive data
  ► Rate top 5 most important systems in terms of sensitive data
The Value Proposition of Insider Threat and Data Protection Programs
► It’s complex
► It’s expensive
► It may take years to achieve tangible results
However…
► This is about survival in a hostile market place
► If your data is secure you can penetrate risky markets
► Your enemy is your business partner, are you designed that way?
Lesson #3: Focus on Deterrence Not Detection
► Make environment where being an insider is not easy
► Deploy data-centric, not system-centric security
► Crowd-source security
► Use positive social engineering
[Spectrum: Risk Averse … Risk Takers]
Solution: Crowdsource Security!
► Aren’t security subject matter experts the best to make decisions?
► Nope!
► Francis Galton (1822-1911): British scientist who wanted to show empirically that educated people are superior
► Asked “commoners” to guess the weight of an ox at a fair
► Results:
  ► No single villager correct, but average < 2 lbs. off
  ► No single SME correct, average SME > 6 lbs off
Crowdsourcing Security at the FBI
► 13,900 people come to work armed everyday
► Our people are trusted to enforce the law and keep the country safe
If we can train them to use guns, we can train them to use data
Solution: Positive Social Engineering
► Users will make good decisions given timely guidance
► Risk reduction with no impact to workflow, etc.
Positive Social Engineering: RESULTS!
[Chart; Source: Internal FBI Computer Security Logs]
Lesson #4: The Data Overload Problem
[Chart: Data Growth (TB) over D+1 yr through D+7 yr; labelled data points 0.5, 1, 6, 10, 50, 160 and 2048 TB; series: Individual Audits, Critical App Logs, Host Monitoring, N/W Monitoring]
Every time Someone says “BYOD”, god kills a kitten
Solution: Focus on Two Sources
► You don’t need everything
► HR data:
  ► To “know your people”
  ► Workplace/personnel issues
► System logs tracking data egress and ingress:
  ► Printing, USB, CD/DVD, etc.
Lesson #5: Detection of Insiders = Kinda Hard
► Prediction of rare events (i.e. insider threats) may not be possible
► Don’t waste time and money on the impossible
► Look for red flag indicators as they happen
The Insider Threat Continuum
► Most people don’t evolve into true threats
► ~5% of the 65 espionage cases came in “bad”
► There are observable “red flags” we call indicators
Indicators must be observable and differentiating
The Problem with Prediction
► A rodent out-predicted our first generation systems
The Detection Problem: A Needle in a Stack of Needles
Solution: Use Behavioral Detection
► Behavioral based detection
► Think more like a marketer and less like an IDS analyst
► Build a baseline based on users’ volume, velocity, frequency, and amount based on hourly, weekly, and monthly normal patterns
► Cyber actions that differentiate possible insiders: data exfiltration volumetric anomalies
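As an added illustration of the baseline-and-indicator approach in this lesson, and of lesson #4's point that egress logs (printing, USB, CD/DVD, network) are one of the two sources worth keeping, the following Python example is not from the presentation or the FBI. It builds a per-user baseline from constructed egress log lines, then flags three red-flag indicators in later events: a daily egress volume far above the user's normal (a volumetric anomaly), a transfer at an hour the user has never been active, and use of an egress channel the user has never used. The log format, user names, channels, byte counts and the 3-sigma threshold are assumptions invented for the example, and it implements only daily-volume and hour-of-day baselines, not the weekly and monthly patterns the slide also mentions.

```python
"""Behavioral detection over data-egress logs (example code, not the FBI's)."""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed sample egress log (not real data); one event per line.
# Hypothetical format: <ISO timestamp> user=<id> channel=<usb|print|dvd|network|email> bytes=<n>
SAMPLE_LOG = """\
2023-03-01T09:12:00 user=jdoe channel=usb bytes=120000
2023-03-01T14:30:00 user=jdoe channel=print bytes=40000
2023-03-02T10:05:00 user=jdoe channel=usb bytes=110000
2023-03-02T11:00:00 user=asmith channel=email bytes=30000
2023-03-03T11:45:00 user=jdoe channel=print bytes=50000
2023-03-06T09:50:00 user=jdoe channel=usb bytes=130000
2023-03-07T12:15:00 user=asmith channel=email bytes=35000
2023-03-07T15:20:00 user=jdoe channel=print bytes=45000
2023-03-08T10:10:00 user=jdoe channel=usb bytes=125000
2023-03-09T11:30:00 user=asmith channel=print bytes=20000
2023-03-09T13:00:00 user=jdoe channel=usb bytes=115000
2023-03-10T16:40:00 user=jdoe channel=print bytes=42000
2023-03-13T11:20:00 user=asmith channel=email bytes=33000
2023-03-13T23:15:00 user=jdoe channel=dvd bytes=5000000000
2023-03-13T23:40:00 user=jdoe channel=network bytes=2000000000
2023-03-14T09:30:00 user=jdoe channel=print bytes=44000
"""


def parse_log(text):
    """Parse the constructed key=value log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, *fields = line.split()
        event = {"time": datetime.fromisoformat(timestamp)}
        for field in fields:
            key, value = field.split("=", 1)
            event[key] = int(value) if key == "bytes" else value
        events.append(event)
    return events


def build_baseline(events, baseline_end):
    """Per-user 'normal' from events dated on or before baseline_end (a date):
    mean and std of daily egress bytes, hours of day seen, channels seen."""
    daily = defaultdict(lambda: defaultdict(int))   # user -> day -> bytes
    hours = defaultdict(set)                        # user -> hours of day active
    channels = defaultdict(set)                     # user -> egress channels used
    for ev in events:
        if ev["time"].date() > baseline_end:
            continue
        daily[ev["user"]][ev["time"].date()] += ev["bytes"]
        hours[ev["user"]].add(ev["time"].hour)
        channels[ev["user"]].add(ev["channel"])
    baseline = {}
    for user, days in daily.items():
        totals = list(days.values())
        baseline[user] = {"mean": mean(totals), "std": pstdev(totals),
                          "hours": hours[user], "channels": channels[user]}
    return baseline


def score_events(events, baseline, baseline_end, sigma=3.0, floor_bytes=1_000_000):
    """Flag indicators in events after baseline_end. A volumetric anomaly is a
    day above mean + sigma*std AND above an absolute floor, so users with a
    tiny, steady baseline are not flagged by a few extra kilobytes."""
    findings = []                                   # (user, day, kind, detail)
    daily = defaultdict(lambda: defaultdict(int))
    for ev in sorted(events, key=lambda e: e["time"]):
        day = ev["time"].date()
        if day <= baseline_end:
            continue
        profile = baseline.get(ev["user"])
        if profile is None:
            continue  # no history to compare against; queue for manual review instead
        daily[ev["user"]][day] += ev["bytes"]
        if ev["channel"] not in profile["channels"]:
            findings.append((ev["user"], day.isoformat(), "new egress channel", ev["channel"]))
        if ev["time"].hour not in profile["hours"]:
            findings.append((ev["user"], day.isoformat(), "off-hours egress",
                             ev["time"].strftime("%H:%M")))
    for user, days in daily.items():
        profile = baseline[user]
        threshold = max(profile["mean"] + sigma * profile["std"], floor_bytes)
        for day, total in sorted(days.items()):
            if total > threshold:
                findings.append((user, day.isoformat(), "volumetric anomaly",
                                 f"{total} bytes vs baseline mean {int(profile['mean'])}, "
                                 f"threshold {int(threshold)}"))
    return findings


def analyze(log_text, baseline_end_iso, sigma=3.0):
    """Build the baseline from history up to baseline_end_iso and score the rest."""
    events = parse_log(log_text)
    end = date.fromisoformat(baseline_end_iso)
    return score_events(events, build_baseline(events, end), end, sigma)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, "2023-03-10"):
        print(*finding)
```

Run as written, the only findings are for jdoe on 2023-03-13 (late-night DVD and network transfers of a never-used channel, with a daily total several orders of magnitude above baseline); asmith's ordinary e-mail use and jdoe's normal printing the next day produce nothing, which is the "differentiating" property the slides ask of an indicator. In practice the baseline window would be weeks or months of history and the thresholds tuned per channel, but the shape of the logic is the same.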