Building Incident Response Scenarios For Insider Threats


Gartner Security & Risk Management, 17 July 2019 / Madison, WI

Building Incident Response Scenarios for Insider Threats
Brian Reed, @breed0

2019 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. It consists of the opinions of Gartner's research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner's Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see "Guiding Principles on Independence and Objectivity."

We Are Told the Insider Threat Looks Like This
(image slide)

In Reality It's the Good-Natured yet Error-Prone
(image slide)

And for Nine Companies It's a 100M Loss

Source: U.S. Securities and Exchange Commission, Securities Exchange Act of 1934, Release No. 84429, October 16, 2018.
- Nine companies combined for a 100M loss
- All companies lost 1M
- Two of nine lost 30M

Because of Insider Threats and Impersonators
- Fake Executives
- Fake Vendors

Key Issues
1. How do we define an insider threat?
2. How do we start to build incident response scenarios for insider threats?
3. What are recognized practices for incident scenario development?


Many Types of Insider Threats
- Disgruntled Employee
- Determined Saboteur
- Good-Natured Bozo

Insider Threats Are a Part of Working Life

There is always a trade-off with collaboration and information sharing: some will misuse their privileges. Many organizations do not account for temporary or role-based privilege escalation, and do not follow well-defined plans to reduce or remove access. This helps foster an environment where the barrier to success for a motivated insider is low.

The Cost of Insider Threats

Source: ObserveIT, 2018 Cost of Insider Threats (159 global organizations surveyed).
Insider threats caused by:
- Negligence (64%): 3.81M USD
- Criminal insider (23%): 2.99M USD
- Credential theft (13%): 1.96M USD
Average of 73 days to contain an incident; 16% contained in 30 days.

Insider Incidents Are Based Upon Abuse of Role
- Payroll fraud by HR admin
- Supplier-invoice fraud
- Expenses fraud (collusion by employee and supervisor)
- IP exfiltration
- Customer-targeted fraud
Not always hacking!

We Depend Upon Event Detection Capabilities
- Network and OS anomalies
- ERP application misuse
- Messaging subsystem injections
- Abnormal access requests
- Abnormal data consumption
- Abnormal data movement

There Are a Variety of Insider Threat Personas

Employees Jumping Ship
Looking for or Just Accepted a New Job

Warning Signs: Frequent absences, unexplained disappearances or unexpected medical appointments. Workers who accept a new job are the most likely to give data to a competitor, especially in positions such as sales, product development and business intelligence.

Behavioral Clues:
- Dissatisfaction with current position
- Negative attitude
- Trash talking about company goings-on

The Unhappy Camper
Poor Performance Review, Passed Over for Promotion or Placed on Performance Improvement

Warning Signs: Employee may be consistently out sick the day after receiving news of poor performance or a reprimand. Employee keeps score and shows a propensity toward revenge or vindictive behavior.

Behavioral Clues:
- Negative affect
- "Out-to-get-me" attitude
- Quick to point the finger and shift blame
- Poisons the well

The Spendthrift
Experiences Acute or Chronic Financial Problems

Warning Signs: Employee talks excessively about money and how much everything costs. Always seems to be in a financial jam; may get calls from collection agencies at work or talk about taking a second job or freelancing.

Behavioral Clues:
- Admission of financial problems
- Talking about new sources of income
- Lifestyle does not match income level
- Borrowing money from coworkers

The Charmer
Poor Performance Review, Passed Over for Promotion or Placed on Performance Improvement

Warning Signs: Often a fast talker who brags about gaming the system at work and in personal life. No qualms about breaking the rules or cutting corners to get ahead.

Behavioral Clues:
- Inappropriately charming, fast talker
- Tendency to take things just too far
- Willing to break the rules to get ahead
- Always on the lookout for a new angle

The Uploader
Saves All Work to a Personal Cloud Account, Regardless of Company Policy

Warning Signs: Whether deliberate or unintentional, the uploader saves everything to a personal cloud account. He or she refuses to use company-sanctioned network drives or cloud stores.

Behavioral Clues:
- Lacks trust in corporate systems and software
- Virtually no files saved to computer or personal network storage
- Hesitant to share work

The Ex
Romantically Involved With a Co-Worker and Has Experienced Difficulties (or the End)

Warning Signs: Constantly obsesses about a co-worker in a former relationship. May attempt to access business accounts or personal files of the former paramour, often triggering multiple failed password attempts.

Behavioral Clues:
- Stalker-like behavior
- Propensity toward revenge or vindictive behavior
- Rage-filled commentary, e.g., "they'll be sorry"

The Lone Worker
Role Requires Working Solo, Often in a Remote Location

Warning Signs: Failure to check in to home base. Inaccessible via normal contact methods (email, mobile phone). Failure to make scheduled appointments.

Behavioral Clues: None. Because the role requires lone working, we need to take proactive steps rather than waiting for a crisis situation.


Look at Your Own Past Incidents
- Can you relate to any of these personas?
- Have you had personas like these (or others) be the cause of security incidents (or a full-blown crisis)?
- Are you taking lessons learned from the past and making them candidate improvements for your future IR preparations?
- Have you ever run a tabletop exercise to simulate an insider threat (data exfiltration, whistleblower, IP theft, extortion/blackmail)?

Where to Start?

(Figure: the Insider Threat Management Ecosystem and its components.)
- Governance and Strategy
- Investigation and Mitigation
- Background Investigation
- User Activity Monitoring
- Awareness and Training
- Asset Management

A Harmonized View of Incident Handling

(Figure: incident-handling phases with their tasks.) Phases: Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-incident Activity. Tasks shown: Team, Planning, Priorities, Collection, Normalize and Filter, Triage, Report, Assign, Respond, Recover, Review, Candidate Improvements. Legend: similar tasks and practices; divergent tasks and practices.

Mitigating Insider Threats

(Figure: four groups of activities; axes shown: People, Behavior, Assets.)
- Know Your People: Background Checks; Continuously Evaluate; Educate Employees and Vendors
- Know Your Assets: Identify Critical Data and Services; Assess Impact
- Monitor Behavior: Detect People Violating Policy; Detect Data or Service Misuse; Investigate Risky Behavior
- Mitigate Risky Behavior: Educate and Warn; Take Action; Mitigate (People, Behavior, Assets)

Scenario 1: Compromised Credentials

Scenario 1: Compromised Credentials
Questions to Ask:
- How are you monitoring privileged access?
- What thresholds raise awareness of a potential incident?
- How are you monitoring failed login attempts?
- Do you adjust failed login thresholds differently based on higher-risk systems or users?

Scenario 1: Compromised Credentials
Additional Questions to Ask:
- Do you look at where users have logged in from geographically?
- Are you monitoring (or do you allow) users who share credentials?
- Do you track failed login attempts of disabled, non-existent and removed accounts?
- What is your access lockout policy?
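The Scenario 1 questions can be turned into concrete detection logic. The Python below is an added example, not part of the Gartner deck: it runs over constructed authentication log lines and flags failed-login bursts with thresholds tiered by user and system risk, attempts against disabled or non-existent accounts, and one account authenticating from two countries within a short window. The log format, account states, risk tiers, windows and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample authentication log; the format is an assumption.
SAMPLE_LOG = """\
2019-07-17T08:00:01 host=hr-app user=jdoe result=FAIL geo=US
2019-07-17T08:01:02 host=hr-app user=jdoe result=OK geo=US
2019-07-17T08:05:30 host=vpn user=admin-sql result=FAIL geo=BR
2019-07-17T08:05:41 host=vpn user=admin-sql result=FAIL geo=BR
2019-07-17T08:10:00 host=vpn user=asmith result=OK geo=US
2019-07-17T08:40:00 host=vpn user=asmith result=OK geo=DE
2019-07-17T09:00:00 host=fileshare user=bgone result=FAIL geo=US
2019-07-17T09:00:05 host=fileshare user=nobody42 result=FAIL geo=US
"""
LINE_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"result=(?P<result>OK|FAIL) geo=(?P<geo>\S+)$")

# Assumed directory state and risk tiers (placeholders, not from the deck).
KNOWN_ACCOUNTS = {"jdoe", "admin-sql", "asmith", "bgone"}
DISABLED_ACCOUNTS = {"bgone"}    # removed or disabled: should never authenticate
PRIVILEGED_USERS = {"admin-sql"}
HIGH_RISK_HOSTS = {"vpn"}
FAIL_WINDOW = timedelta(minutes=10)   # window for counting failed logins
GEO_WINDOW = timedelta(hours=1)       # window for country-change detection
DEFAULT_THRESHOLD, HIGH_RISK_THRESHOLD = 5, 2

def threshold_for(user, host):
    # Lower the failed-login threshold for privileged users and high-risk systems
    if user in PRIVILEGED_USERS or host in HIGH_RISK_HOSTS:
        return HIGH_RISK_THRESHOLD
    return DEFAULT_THRESHOLD

def parse(log_text):
    """Parse log lines into dicts with a datetime timestamp; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def detect(events):
    """Return (alert_type, user, host) tuples in time order."""
    alerts = []
    fails = defaultdict(list)   # (user, host) -> timestamps of recent failures
    logins = defaultdict(list)  # user -> (timestamp, country) of successful logins
    for e in sorted(events, key=lambda x: x["ts"]):
        user, host, ts = e["user"], e["host"], e["ts"]
        if e["result"] == "FAIL":
            # Failed attempts against disabled, removed or non-existent accounts
            if user in DISABLED_ACCOUNTS:
                alerts.append(("disabled_account_attempt", user, host))
            elif user not in KNOWN_ACCOUNTS:
                alerts.append(("unknown_account_attempt", user, host))
            key = (user, host)
            fails[key] = [t for t in fails[key] if ts - t <= FAIL_WINDOW] + [ts]
            if len(fails[key]) == threshold_for(user, host):  # fires once per burst
                alerts.append(("failed_login_threshold", user, host))
        else:
            # Same account from two countries within GEO_WINDOW: shared or stolen credentials
            recent = {g for t, g in logins[user] if ts - t <= GEO_WINDOW}
            if recent and e["geo"] not in recent:
                alerts.append(("geo_change", user, host))
            logins[user].append((ts, e["geo"]))
    return alerts
```

Note that the one failure by jdoe on a default-tier system stays below threshold, while two failures by the privileged admin-sql account on the VPN alert immediately.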

Scenario 2: The Insider Threat

Scenario 2: The Insider Threat
Insider threat is multi-faceted:
- Abuse of access or privileges that were never revoked
- Also results from over-privileged users with unchecked data access
- The truly malicious insider threat is a minority case, but it does happen

Scenario 3: Ransomware

Scenario 3: Ransomware
- Is your ransomware response different from your malware response?
- Are there scenarios where you might ever pay a ransom? If so, keep in mind that your likelihood of being added to a "list" and hit again is much higher.
- If you have cyber insurance, do not count on response assistance, and do not assume cost recovery on a claim.


Consult With Others to Profile Realistic Personas
- Finance
- Human Resources
- Legal
- Audit and Compliance
- Remote Business Units
- Other Geographies

Learning From Past Incidents

Ask yourself: can you turn a past incident into a scenario or tabletop exercise? Make this a checkbox on your post-incident report:
- Candidate for scenario planning development (Y/N)?
- What missing defenses could have mitigated this incident?
- How could we decrease our time to respond, contain and remediate?

Equip Your IR Teams Based on Experience
- If your IR team is unfamiliar with or new to insider threats, use this as a secondary part of the main exercise (such as data exfiltration).
- If your team is relatively experienced with insider threats, use a complex example (such as an employee under duress from extortion, a blackmailed employee, corporate espionage, etc.).

Data-Centric Tools Can Provide Visibility
- CASB: monitor cloud data activity
- DCAP: monitor data across multiple data types (DB, files) and as data changes
- DLP: can be useful for data visibility and monitoring
- UEBA: can correlate user account activity with data events

Compromise Assessments
- Proactive assessments of specific systems or networks
- You might be able to use proactive hours as part of your IR retainer
- Many cyber insurance carriers also offer limited assessments included with your premiums

Red Team / Blue Team Exercises
- No, this is NOT a political debate.
- Comes from military origins: one team attacks (Red) and one team defends (Blue)
- Helps to eliminate psychological barriers such as groupthink, recency effect and confirmation bias
- Run internally, or bring in a third party to help coordinate

Tabletop Exercises and Scenario Planning
Some ideas for tabletop exercises:
- Use an outside party to facilitate: IR retainer or services provider; a non-IT/non-InfoSec group or person
- Use real-world examples: executive credentials stolen and misused; disgruntled employee/contractor/third party; negligence and theft scenarios (will invoke BCMP and other recovery functions)

Recommendations
- If you do not have an incident response plan, put one in place.
- Add organization-specific scenarios to your incident response plan.
- Monitor your risky or high-value employees (not just executives).
- Communicate within your organization to understand which insider threat personas potentially carry the highest amount of risk.
- Document and test your incident response procedures related to insider threats.

Recommended Gartner Research
- Building Incident Response Scenarios for Insider Threats, Brian Reed, Jonathan Care (G00380185)
- Market Guide for Employee Monitoring Products and Services, Jonathan Care (G00353551)
- Market Guide for Digital Forensics and Incident Response Services, Brian Reed, Toby Bussa (G00349347)
- Toolkit: Security Incident Response Scenario for Phishing Attacks, Brian Reed, Neil Wynne (G00380176)
- Ignition Guide to Building an Insider Threat Management Program, CEB Research (G00363867)
For information, please contact your Gartner representative.

