loo ooking g into ma o malicious i insider ers
play

Loo ooking g into Ma o Malicious I Insider ers JPCERT/CC - PowerPoint PPT Presentation

Nov 29, 2023 •35 likes •335 views

Loo ooking g into Ma o Malicious I Insider ers JPCERT/CC Koichiro Sparky Komiyama First Conference, Vienna Agenda Background Previous work Information leakage by malicious insider Our Research How to prevent 2 Insider

  1. Loo ooking g into Ma o Malicious I Insider ers JPCERT/CC Koichiro Sparky Komiyama First Conference, Vienna

  2. Agenda • Background – Previous work – Information leakage by malicious insider • Our Research • How to prevent 2

  3. Insider Threat • Definition by CERT/CC insider threat study • A current or former employee, contractor , or business partner who • Has or had authorized access to an organization’s network, system, or data and • Intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems 3

  4. WHY INSIDER THREAT? 4

  5. More insiders are arrested • How unauthorized access happens? How do attackers obtain credentials? (N=1740) NPA, FY2008, Act on the Prohibition of Unauthorized Computer Access 5

  6. OUR RESEARCH 6

  7. • Motivation • Project members • National Police Agency (NPA, prefectural police department) • Department of Criminology and Behavioral Science, National Research Institute of Police Science • JPCERT/CC • Survey 30 cases/criminals who 1. Fit the malicious Insider definition by CERT/CC 2. Were arrested and prosecuted for Cybercrime related law from 2007 to Jun, 2009 7

  8. 1, visit local police office 2, fill in survey form with reffering police investigative report 3, Sanitize to secure anonymity 4, Correlation analysis by 24 variables 8

  9. 24 variables: Case • The case is  By a repeat offender  caused financial damage  computer which company provided was used  access from outside  Delete/modify logs of activity  use his/her own account to login 9

  10. 24 variables: Surrounding • Company/Organization  Has insecure account management (like easily guessable user name)  Does not have any physical monitoring (video monitor, guards) 10

  11. 24 variables: Criminals • Criminal is  Is a lone criminal  Has no job at the time  Is in dire financial circumstances  Is under strong pressure 11

  12. 24 variables: Relationship • Criminal is  a former employee of the company/organization  Has been terminated in the past  caused any trouble in the past  Is in charge of system management  Is a web admin  Is in charge of accounting or finance 12

  13. 24 variables: Motives • Criminals motivation is  To make money  To get information , then to make money by selling those  Sabotage  Personal satisfaction 13

  14. Correlation Map 14

  15. FINDINGS 15

  16. IT sabotage (10) (0) (1) (0) Theft of Fraud Information (3) (9) (15) 16

  17. HAVE A LOOK AT 30 INSIDERS 17

  18. WHO? (Gender, work history) Type Fraud(9) IT Sabotage(10) Information Theft - Information Theft - Money(7) Satisfaction (8) Gender Male(6) Female(3) Male(9) Female(1) Male(7) Male(8) ・ hopping part time ・ job change 7 ・ job change ・ job change 4 work history job times 3times(3) times ・ job change 5times ・ job change 4 ・ job change 2times ・ job change ・ job change ・ job change times 3times(2) 3times(2 ) ・ job change 3 ・ job change 2times 1times(2) ・ job change 1 ・ no job ・ job change times(3) ・ job change 2 time(fired by ex- 1time(3) company ) ・ no job times(3) ・ job change 1 times ・ no job ( own his start-up ・ unknown and shut it down ) ・ no job(3) • Frequent job change can be seen all categories 18

  19. WHO? (Personality) Fraud(9) IT Sabotage(10) Information Theft - Information Theft - Money(7) Satisfaction (8) ・ Humble, sociable ・ clumsy at office, can ・ good guy, a bit of a ・ easily offended, ・ wear torn jeans, not not communicate scatterbrain hold by his own idea ・ polite, perfect ・ Sociable, sometimes like a business man with others ・ patient and quiet. ・ very active for any young gentleman acts paranoid for ・ always ・ stiff and proper, business and solid minor problem ・ very childish exhibitionistic. person can't refuse when ・ unknown ・ quiet ・ popular among someone asks ・ not very good at ・ act in a childish project team communication manner members ・ habitually lying ・ unknown • Less conversation, less communication 19

  20. WHO? (Criminal record, Education) Type Fraud(9) IT Sabotage(10) Information Theft Information Theft - Money(7) - Satisfaction (8) ・ No(5) ・ No(6) ・ No(6) ・ No(6) Criminal record ・ professional ・ twice for theft ・ assault ・ twice for theft embezzlement of lost or mislaid of lost or mislaid and stealing property property ・ stealing ・ once for theft ・ assault ・ assault of lost or mislaid ・ trademark law property ・ shoplifting, violation stealing ・ False entry (2) ・ False entry (3) ・ False entry (1) False entry in resume • Over 80 percent are first-time criminals ・ some lie on a resume, especially their educational background 20

  21. When? and Where? • When – Fraud: during business hours – IT sabotage: one to six month after resignation/termination, most of those failed to get a new job. Night Time – Insiders start with trivial activities, then escalate • Where – Fraud, Information Theft: in office – IT sabotage: from home 21

  22. WHY? (direct motivation) Fraud(9) IT Sabotage(10) Information Theft - Information Theft - Money(7) Satisfaction (8) ・ get money to pay off ・ betrayed the ・ can not find new job ・ sudden random debts (3) expectations of being and want to make thought while ・ frustration at long a full time worker money, even if only a drinking ・ want to harass(5) ・ want to understand hours, aim to get little ・ get fired despite of ・ want to make back at management the situation he used ・ feel less secure since his outstanding money by selling to work in ・ he has pending spouse doesn’t work performance personal information ・ get money to pay off ・ company contact (2) lawsuit with the ・ get info in order to debts him as a last resort. company. And he ・ feels it’s such a please his boss checks if there are waste letting points any other trouble to expire • Money , ★恨み , 人間関係、ストレス • More likely to occur when they failed to get new job. 22

  23. How they get into the system? Fraud(9) IT Sabotage(10) Information Theft - Information Theft - Money(7) Satisfaction (8) ・ during his/her regular ・ login to Web server ・ Modify mail server ・ make secret back door duty (4) with ex-coworker’s settings to forward all on a server that ・ studying similar account e-mail to his private enables him to connect abstraction cases (2) account. Even after his from home. reported in a ・ login to Web server termination. ・ Modify mail server newspaper. with one’s own ・ He/She is the admin settings to forward all ・ start it as a trial with superuser account (2) for a server that e-mail to his home. curiosity ・ login to other server contain sensitive ・ login to mail server ・ stole password using with one’s own personal information (2) with his boss’s ID. key logger. Someone superuser account (2) Successfully guess ・ ther here’s e’s p pol olitics cs among g ・ login PC with one’s taught him how to use staff. ff. Then hen he he ins nstalls password. it own account key ey log ogger er to o PC’s ’s of of ・ login to server with his op hi oppos osition. on. co-worker’s account (using guessing) More than half of 30 cases are preventable by disabling 23 user account(s) right after termination.

  24. Victims • We could not find elements that victims have in common • IT Sabotage: Small company, one single system administrator, selfish owner • Pay less or no attention to security 24

  25. Escalation curve Modify config to Login and forward read all email other’s outside Login to email mail server “DROP DATABASE” Modify a few records and logs Login to database and patch 25

  26. HOW TO PREVENT 26

  27. Considerations • Pre-employment period – Check resume for certain points (job hopper? degree certificate) – Sign NDA • During employment – Closer communication (company news letter, baseball tournament, other social events) – Check for visible sign (how they dress, work attitude) • Periodical audits, transfer as necessary • Try not to create too much dependency on one individual • Pair programming • Upon termination • Suspend account immediately • Change passwords as necessary 27

  28. Challenges for the future • Technical details were not be clear from police investigative reports • Need more case studies – No politically motivated cases • Signs of insider threat, preventive measure could be different by country, culture and IT skill. – Global companies need measures for each area 28

  29. Special Thanks To: • SYAKAI ANZEN KENKYU ZAIDAN – http://www.syaanken.or.jp/02_goannai/0 8_cyber/cyber_f.htm (JAPANESE) • National Police Agency 29

  30. Thank you. 30

Recommend

Causal Model Extraction from Attack Trees to Attribute Malicious Insider Attacks Amjad Ibrahim,

Causal Model Extraction from Attack Trees to Attribute Malicious Insider Attacks Amjad Ibrahim,

Causal Model Extraction from Attack Trees to Attribute Malicious Insider Attacks Amjad Ibrahim, Simon Rehwald, Antoine Scemama, Florian Andres, Alexander Pretschner Technische Universitt Mnchen Department of Informatics Chair of Software

512 views • 24 slides
Insider Threat Insider Threat (Database Intrusion Detection) 1 Insider Threats: Motivation and

Insider Threat Insider Threat (Database Intrusion Detection) 1 Insider Threats: Motivation and

Insider Threat Insider Threat (Database Intrusion Detection) 1 Insider Threats: Motivation and Challenges Challenges Mission critical information = High value target Threatens Government organizations and large corporations

435 views • 39 slides
OUTLINE NE The 'Self' lf' as 'Insider der' in in Resear arch ch Wh What are the the

OUTLINE NE The 'Self' lf' as 'Insider der' in in Resear arch ch Wh What are the the

OUTLINE NE The 'Self' lf' as 'Insider der' in in Resear arch ch Wh What are the the ben benef efits of of the the 'in 'insider'? What are the Wh the chal allen enges es? The risks of of my my 'in 'insider' sta

199 views • 7 slides
A white noise approach to optimal insider control of systems with delay Olfa Draouil Joint work

A white noise approach to optimal insider control of systems with delay Olfa Draouil Joint work

The Donsker delta functional Optimal insider Control problem for SDDE Transforming the insider control problem to a related parameterized non-insider problem Maximum principle theorems Applications A white noise approach to optimal insider

554 views • 40 slides
CS 356 Lecture 9 Malicious Code Spring 2013 Review Chapter 1: Basic Concepts and

CS 356 Lecture 9 Malicious Code Spring 2013 Review Chapter 1: Basic Concepts and

CS 356 Lecture 9 Malicious Code Spring 2013 Review Chapter 1: Basic Concepts and Terminology Integrity, Confidentiality, Availability, Authentication, and Accountability Types of threats: active vs. passive, insider/outsider

347 views • 33 slides
CS 356 Lecture 8 Malicious Code Spring 2013 Review Chapter 1: Basic Concepts and

CS 356 Lecture 8 Malicious Code Spring 2013 Review Chapter 1: Basic Concepts and

CS 356 Lecture 8 Malicious Code Spring 2013 Review Chapter 1: Basic Concepts and Terminology Integrity, Confidentiality, Availability, Authentication, and Accountability Types of threats: active vs. passive, insider/outsider

638 views • 16 slides
OOKING U P C HR HRISTMA ISTMAS www.visitkirksville.com/cooking-up-christmas/ Coo ooking king

OOKING U P C HR HRISTMA ISTMAS www.visitkirksville.com/cooking-up-christmas/ Coo ooking king

C OOKING OOKING U P C HR HRISTMA ISTMAS www.visitkirksville.com/cooking-up-christmas/ Coo ooking king Up p Chr hris istmas tmas Spo ponso nsors rs Kirksville Chamber of Commerce Kirksville Tourism Christs Family Church

745 views • 19 slides
CRACK WHIPS ON WILFUL DEFAULTERS What is Insider Trading? Insider Trading is trading/ dealing of a

CRACK WHIPS ON WILFUL DEFAULTERS What is Insider Trading? Insider Trading is trading/ dealing of a

Revamping of SEBI Regulations : A move towards ensuring lucidity in the Regime NEW INSIDER TRADING REGULATIONS: AIMED TO CRACK WHIPS ON WILFUL DEFAULTERS What is Insider Trading? Insider Trading is trading/ dealing of a companys stock by an

941 views • 56 slides
Insider Threats Maria Thompson State Chief Information Risk Officer February 1, 2018 Who is an

Insider Threats Maria Thompson State Chief Information Risk Officer February 1, 2018 Who is an

Insider Threats Maria Thompson State Chief Information Risk Officer February 1, 2018 Who is an insider? Who is an insider? Carnegie Mellon CERT definition of insider: Someone who has authorized access to an organizations facilities,

217 views • 21 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 23 March 2006 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

707 views • 69 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views • 94 slides
Special Derivatives Insider Trading Considerations and Risk Reduction Techniques During a

Special Derivatives Insider Trading Considerations and Risk Reduction Techniques During a

Special Derivatives Insider Trading Considerations and Risk Reduction Techniques During a Pandemic Clifford Chance US LLP May 21, 2020 Overview Increased Potential for Insider Trading Liability U.S. Enforcement Fundamentals Insider

245 views • 22 slides
Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control

Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control

Introduction Insiders and Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control Help? Trust and Trustworthi- ness Access Control and Trustwor- Jason Crampton 1 Michael Huth 2 thiness 1 Information

470 views • 25 slides
Counterintelligence & Insider Threat Detection National Insider Threat Special Interest Group

Counterintelligence & Insider Threat Detection National Insider Threat Special Interest Group

Counterintelligence & Insider Threat Detection National Insider Threat Special Interest Group July 18, 2017 Douglas D. Thomas Director, Counterintelligence Operations & Corporate Investigations Lockheed Martin Counterintelligence

706 views • 16 slides
INSIDER SUMMIT 2019 Insights at the Insider Summit Thinking and dreaming about TBM!

INSIDER SUMMIT 2019 Insights at the Insider Summit Thinking and dreaming about TBM!

INSIDER SUMMIT 2019 Insights at the Insider Summit Thinking and dreaming about TBM! Every company is a technology company Speed is the new currency and data is the new oil! We must increase our clock speed! Cloud is not a

357 views • 24 slides
F orwa rd L ooking Sta te me nt Ce rta in o f the sta te me nts ma de in this Pre se nta tio

F orwa rd L ooking Sta te me nt Ce rta in o f the sta te me nts ma de in this Pre se nta tio

F orwa rd L ooking Sta te me nt Ce rta in o f the sta te me nts ma de in this Pre se nta tio n ma y c o nta in fo rwa rd-lo o king sta te me nts o r info rma tio n within the me a ning o f the U nite d Sta te s Priva te Se c uritie s L

465 views • 5 slides
Conversations Around Insider and Organizational Threat Luke Osterritter losterritter@cmu.edu

Conversations Around Insider and Organizational Threat Luke Osterritter losterritter@cmu.edu

<Your Name> Conversations Around Insider and Organizational Threat Luke Osterritter losterritter@cmu.edu Center for Computational Analysis of Social and Organizational Systems http://www.casos.cs.cmu.edu/ What is an Insider

256 views • 21 slides
Characterizing Social Insider Attacks on Facebook Wali Ahmed Usmani, Diogo Marques, Ivan

Characterizing Social Insider Attacks on Facebook Wali Ahmed Usmani, Diogo Marques, Ivan

Characterizing Social Insider Attacks on Facebook Wali Ahmed Usmani, Diogo Marques, Ivan Beschastnikh, Konstantin Beznosov, Tiago Guerreiro and Lus Carrio Social insider attacks on Facebook Social insider: perpetrator is someone

428 views • 25 slides
A FRAMEWORK TO EFFECTIVELY DEVELOP INSIDER THREAT CONTROLS Randy Trzeciak Dan Costa Director

A FRAMEWORK TO EFFECTIVELY DEVELOP INSIDER THREAT CONTROLS Randy Trzeciak Dan Costa Director

#RSAC SESSION ID: HUM-R02 A FRAMEWORK TO EFFECTIVELY DEVELOP INSIDER THREAT CONTROLS Randy Trzeciak Dan Costa Director Technical Solutions Team Lead CERT National Insider Threat Center CERT National Insider Threat Center Software

784 views • 35 slides
Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

ITS335 Malicious Software Malicious Software Propagation Payload Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October

673 views • 30 slides
Insider Fraud Laura Hutton SAS detecting the invisible The new fraud landscape & the rise

Insider Fraud Laura Hutton SAS detecting the invisible The new fraud landscape & the rise

Insider Fraud Laura Hutton SAS detecting the invisible The new fraud landscape & the rise of the insider How to rob a bank How to detect fraudulent staff Fraud is a global problem Typical organisations lose 5% of revenues Source:

503 views • 34 slides
A Layered Approach to Insider Threat Detection and Proactive Forensics Phillip G. Bradford, Ning

A Layered Approach to Insider Threat Detection and Proactive Forensics Phillip G. Bradford, Ning

A Layered Approach to Insider Threat Detection and Proactive Forensics Phillip G. Bradford, Ning Hu University of Alabama Tuscaloosa, AL 35487 ACSAC Dec. 5-9, 2005 Insider threats Definition Menaces to computer security as a result of

131 views • 11 slides
I N V E S TO R P R E S E NTATION A U G U S T 2 0 1 7 N YS E : CIO F ORWARD -L OOKING S

I N V E S TO R P R E S E NTATION A U G U S T 2 0 1 7 N YS E : CIO F ORWARD -L OOKING S

I N V E S TO R P R E S E NTATION A U G U S T 2 0 1 7 N YS E : CIO F ORWARD -L OOKING S TATEMENTS This presentation contains certain forward -looking statements within the meaning of the Private Securities Litigation Reform Act of 1995,

341 views • 21 slides
I N V E S TO R P R E S E NTATION A U G U S T 2 0 1 8 N YS E : CIO F ORWARD -L OOKING S

I N V E S TO R P R E S E NTATION A U G U S T 2 0 1 8 N YS E : CIO F ORWARD -L OOKING S

I N V E S TO R P R E S E NTATION A U G U S T 2 0 1 8 N YS E : CIO F ORWARD -L OOKING S TATEMENTS This presentation contains certain forward -looking statements within the meaning of the Private Securities Litigation Reform Act of 1995,

878 views • 21 slides

More recommend