
Insider Threat: Technical Tools for Mitigation and Digital Forensics

Robert Wagner

Next in our series on Insider Threat, we'll discuss the technical tools organizations can use to mitigate risk and to begin an investigation. This article covers the most effective insider threat mitigation techniques and digital forensics resources that are accessible to small and mid-sized companies without deep in-house technical expertise. We can break these down into four categories: The Basics, Monitoring, Advanced Strategies, and Digital Forensics.

The Basics

At a minimum, every company should implement the basic mitigations of hardening systems and limiting administrative rights. Adding two-factor authentication to this strategy significantly reduces the risk of an insider gaining access to information they shouldn't have.

Harden System OS and Apps

Hardening all of your operating systems and applications is critical. Microsoft provides a Security Guidance page with instructions for applying best practices to harden Windows and its applications. These include disabling unnecessary services, disabling user accounts after a period of inactivity, and setting minimum requirements for passwords. Similar guides exist for macOS, Linux, and other operating systems. Most businesses will also want to keep the Windows firewall active and enabled on endpoints. Close any network ports that aren't necessary, and patch your systems as aggressively as you can; this includes both the operating system itself and any applications that run on it. Treat a hardening guide as a baseline to adapt rather than apply blindly: test each setting on a pilot group first, since an overly aggressive configuration can break line-of-business applications and will be rolled back in a hurry.

Finally, use an antivirus and/or EDR solution that provides real-time protection. This helps protect against ransomware and other malicious software that could be used to breach your organization's systems. And remember that what initially looks like an "insider threat" is often a system that has been compromised by malware and is now under the control of an outsider. EDR and AV help mitigate many of these cases, and their telemetry is frequently what tells the two apart.

Limiting Administrative Rights (Concept of Least Privilege)

Use your productivity suite consoles (Microsoft 365/Azure AD, Google Workspace) to apply the concept of least privilege, starting with administrative rights. Administrative accounts are necessary for IT staff to perform their roles, but too many of them open your network up to serious risk. Limit the number of employees who have administrative accounts, or better yet, avoid giving administrative access to anyone who doesn't absolutely need it; this includes IT staff and employees who work remotely. One way to limit administrative access is a tiered approach: individuals still get the permissions they need, but only a few people hold complete administrative access. A simple version breaks administrative roles into three levels. The first level covers basic functions such as installing and removing apps. The second covers more sensitive functions, such as updating the operating system. The third covers critical functions such as adding user accounts and changing account passwords. The property that matters is that no tier can grant itself more: the account that installs apps must not also be able to create users or reset passwords, because that is the path an insider would use to escalate.

Another approach is "timed" (just-in-time) access to administrative functions. For example, a user can request an hour of escalated privilege to install an app, and that privilege expires at the end of the hour. Firecall ("break-glass") accounts can be implemented for emergency admin access to the most sensitive systems, with every use logged and reviewed afterwards.
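As an added illustration (this is example code, not part of the original article or any product mentioned in it), the following broker models the three-tier split and the timed elevation described above. The tier numbers, action names, the 60-minute cap, and the user names are assumptions chosen for the example; a real deployment would enforce the same rules in the identity provider or PAM tool rather than in application code.

```python
"""Tiered, time-limited administrative elevation (added example).

Models the three admin tiers described in the article plus "timed"
elevation that expires. Tier mapping, cap and users are illustrative.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed mapping of actions to the lowest tier allowed to perform them.
TIER_OF_ACTION = {
    "install_app": 1, "remove_app": 1,       # tier 1: basic functions
    "apply_os_update": 2,                    # tier 2: more sensitive
    "create_user": 3, "reset_password": 3,   # tier 3: critical
}


@dataclass
class Grant:
    tier: int
    expires_at: datetime
    reason: str


@dataclass
class PrivilegeBroker:
    standing_tier: dict                      # user -> permanent tier (0 = none)
    max_minutes: int = 60                    # cap on any timed elevation
    grants: dict = field(default_factory=dict)   # user -> active Grant
    audit: list = field(default_factory=list)    # append-only log lines

    def request_elevation(self, user, tier, minutes, reason, now):
        """Grant a temporary tier; refused if it exceeds the cap."""
        if minutes <= 0 or minutes > self.max_minutes:
            self.audit.append(f"{now.isoformat()} DENY elevate {user} "
                              f"tier={tier} ({minutes} min exceeds cap)")
            return False
        self.grants[user] = Grant(tier, now + timedelta(minutes=minutes), reason)
        self.audit.append(f"{now.isoformat()} GRANT elevate {user} "
                          f"tier={tier} for {minutes} min: {reason}")
        return True

    def effective_tier(self, user, now):
        """Standing tier, raised by an unexpired grant; expired grants drop."""
        tier = self.standing_tier.get(user, 0)
        grant = self.grants.get(user)
        if grant is not None:
            if now < grant.expires_at:
                tier = max(tier, grant.tier)
            else:
                del self.grants[user]
                self.audit.append(f"{now.isoformat()} EXPIRE {user} tier={grant.tier}")
        return tier

    def authorize(self, user, action, now):
        """Allow the action only if the user's effective tier covers it."""
        required = TIER_OF_ACTION.get(action)
        if required is None:
            self.audit.append(f"{now.isoformat()} DENY {user} unknown action {action}")
            return False
        allowed = self.effective_tier(user, now) >= required
        verdict = "ALLOW" if allowed else "DENY"
        self.audit.append(f"{now.isoformat()} {verdict} {user} {action} (needs tier {required})")
        return allowed


def demo():
    """Walk through a one-hour elevation and its expiry; returns the verdicts."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    broker = PrivilegeBroker(standing_tier={"alice": 0, "bob": 1})
    results = [
        broker.authorize("alice", "install_app", t0),                # no rights yet
    ]
    broker.request_elevation("alice", 1, 60, "install VPN client", t0)
    results += [
        broker.authorize("alice", "install_app", t0 + timedelta(minutes=10)),  # inside window
        broker.authorize("alice", "create_user", t0 + timedelta(minutes=10)),  # tier 1 < 3
        broker.authorize("alice", "install_app", t0 + timedelta(minutes=61)),  # expired
        broker.request_elevation("bob", 3, 480, "migration", t0),              # over the cap
    ]
    return results


if __name__ == "__main__":
    print(demo())
```

The audit list is the part worth keeping in production: every grant, denial and expiry lands there, which is exactly the record an investigator asks for later.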

Require Strong Passwords and MFA/2FA

We talked about passwords and MFA when discussing people and processes, but it's so important that we're covering it again, especially since MFA/2FA is a technical mitigation as well as a process mitigation. Strong passwords are the first line of defense against anyone trying to break into your systems, yet many employees still use weak or easy-to-guess passwords such as "password123" or "qwerty". You can configure your systems to enforce a password policy, so that a weak password is rejected at the point it is set. Current guidance (NIST SP 800-63B) favors a generous minimum length and screening against lists of known-breached passwords over forced character-class complexity and periodic rotation, which tend to produce predictable patterns. Strong passwords should be used in conjunction with two-factor authentication (2FA). 2FA requires a second form of identification at login: typically a code generated by an authenticator app on your phone, which changes every 30 seconds, or a hardware key such as a YubiKey, which signs a challenge from the service and is therefore resistant to phishing. If someone obtains your password, they still cannot log in without that second factor. This greatly reduces the risk of an insider using someone else's account and the data it can reach. There are many providers and options for 2FA, and most are easy to set up and use.

Monitoring

Implementing a monitoring solution has traditionally required a significant amount of effort and expertise. Tasks such as baselining and activity monitoring have been out of reach for many organizations, since they usually require centralized logging or a Security Information and Event Management (SIEM) deployment, both of which take significant resources to deploy and maintain. Fletch's People Risk and Investigation App was purpose-built to replace these legacy approaches and to automate and simplify the monitoring and analysis tasks within SaaS or cloud-based authentication tools and productivity suites. Organizations that need to protect on-prem data assets should still consider implementing the following strategies.

Install an Inventory Monitoring Tool

One of the first steps toward protecting your network against insider threats is understanding what is currently on it. To do this, you need to conduct a computer inventory. At a minimum, your productivity suites and Active Directory can provide the bulk of this information, and data from your vulnerability scans can fill in much of the rest. Inventory management systems like Snipe-IT can help organizations get started. Larger organizations may be able to leverage the inventory management built into ticketing systems like ServiceNow. For those who need a commercial asset management tool, a quick search for "SaaS based Inventory Management" yields a wealth of choices.

An inventory lets you record what is on your network, including operating systems, IP addresses, hostnames, and owners. This information gives you a baseline of what is currently present. Recording it once is not enough, though: you need to compare the inventory over time, because the interesting events are the host that appears with no owner, the server that quietly disappears, and the workstation whose address or operating system changes without a ticket.
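Comparing two inventory snapshots is simple enough to script, and the example below (added here; it is not from the original article or from any inventory product named above) does exactly that over two constructed snapshots. The field names, hostnames, and the "unassigned" owner convention are assumptions; the point is the diff, which works the same on a CSV exported from Snipe-IT, Active Directory, or a scanner.

```python
"""Inventory drift between two snapshots (added example)."""
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    os: str
    owner: str


# Constructed sample snapshots, as an inventory export might look two weeks apart.
SNAPSHOT_WEEK_10 = [
    Asset("ws-101", "10.0.1.10", "Windows 10 22H2", "alice"),
    Asset("ws-102", "10.0.1.11", "Windows 10 22H2", "bob"),
    Asset("srv-db01", "10.0.2.5", "Ubuntu 22.04", "svc-db"),
]
SNAPSHOT_WEEK_11 = [
    Asset("ws-101", "10.0.1.10", "Windows 10 22H2", "alice"),
    Asset("ws-102", "10.0.1.11", "Windows 11 23H2", "bob"),
    Asset("ws-199", "10.0.1.77", "Unknown", "unassigned"),   # appeared with no owner
]

TRACKED_FIELDS = tuple(f.name for f in fields(Asset) if f.name != "hostname")


def index(snapshot):
    """Key assets by hostname (assumed unique within a snapshot)."""
    return {a.hostname: a for a in snapshot}


def drift(previous, current):
    """Return new, missing and changed hosts, plus new hosts nobody owns."""
    prev, cur = index(previous), index(current)
    report = {"new": [], "missing": [], "changed": [], "unmanaged": []}

    for name in sorted(cur.keys() - prev.keys()):
        report["new"].append(name)
        if cur[name].owner in ("", "unassigned"):
            report["unmanaged"].append(name)

    for name in sorted(prev.keys() - cur.keys()):
        report["missing"].append(name)

    for name in sorted(cur.keys() & prev.keys()):
        before, after = prev[name], cur[name]
        changes = {
            f: (getattr(before, f), getattr(after, f))
            for f in TRACKED_FIELDS
            if getattr(before, f) != getattr(after, f)
        }
        if changes:
            report["changed"].append((name, changes))
    return report


def summarize(report):
    """One line per finding, suitable for a weekly review or a ticket."""
    lines = [f"NEW      {h}" for h in report["new"]]
    lines += [f"MISSING  {h}" for h in report["missing"]]
    lines += [f"CHANGED  {h}: " + ", ".join(f"{f} {a!r} -> {b!r}" for f, (a, b) in ch.items())
              for h, ch in report["changed"]]
    lines += [f"UNOWNED  {h} (new host with no assigned owner)" for h in report["unmanaged"]]
    return lines


if __name__ == "__main__":
    for line in summarize(drift(SNAPSHOT_WEEK_10, SNAPSHOT_WEEK_11)):
        print(line)
```

A missing server is as worth a ticket as a new unknown host: it may have been decommissioned properly, or it may have been renamed or re-addressed to slip out of monitoring.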

Establish a Baseline

Before you can defend against insider threats, you need to understand what you're defending against, and one of the best ways to do that is to establish a baseline of normal activity. You don't need to monitor every aspect of computer activity. Instead, record the things that happen on the computers on your network: the user account, the client IP address, the date and time of the activity, the application being used, the operating system version, and the hostname of the machine. Recording this information over a few weeks gives you a baseline of what is normal for each user and each host, which in turn lets you spot anomalies that may indicate a malicious insider or a compromised account: a login from an address the user has never used, an application they have never touched, or activity well outside their usual hours. Free tools like OpenSCAP can help with the configuration side of a baseline by checking systems against a published hardening benchmark; the activity side comes from your authentication and application logs.

Network Monitoring

Network monitoring lets you track connections to your network and watch traffic for signs of malicious activity. Free tools such as LibreNMS and Cacti will get you started, though both are primarily SNMP-based bandwidth and availability monitors; per-connection visibility (who talked to what, and how much left) needs flow export from your switches and firewalls or a dedicated network sensor. Network monitoring is useful for tracking incoming and outgoing connections, detecting threat indicators, and finding anomalous uploads or downloads. This data helps protect your network not only against insider threats but also against ransomware, botnets, and other malicious activity. For example, it can show you when a computer attempts to connect to your network, whether it is an internal machine or one located off-site, and it can help you identify a computer that is trying to exfiltrate data. One of the biggest hurdles you'll face is differentiating user-initiated network traffic from background traffic such as updates and backups, which is why volume alerts should be relative to each host's own history rather than a single fixed threshold.
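The following example is added here (not code from the original article) to serve both the baseline section and this one: it learns each user's usual source addresses, applications and working hours, and each host's busiest day of outbound traffic, from a constructed week of events, then scores a day of new events against that baseline. The log format, the field names, the sample users and addresses, and the 3x volume factor are all assumptions; in practice the baseline records would come from your identity provider's sign-in log joined with flow data.

```python
"""Per-user activity baseline and anomaly scoring (added example)."""
from collections import defaultdict
from datetime import datetime

# Flag a single event larger than VOLUME_FACTOR x the host's busiest baseline day.
VOLUME_FACTOR = 3

# Constructed sample records: timestamp,user,src_ip,host,app,bytes_out
BASELINE_LOG = """\
2024-03-04T09:02:00,alice,10.0.1.10,ws-101,outlook,120000
2024-03-04T14:30:00,alice,10.0.1.10,ws-101,sharepoint,300000
2024-03-05T08:55:00,alice,10.0.1.10,ws-101,outlook,150000
2024-03-05T16:10:00,alice,10.0.1.10,ws-101,sharepoint,280000
2024-03-04T09:30:00,bob,10.0.1.11,ws-102,outlook,90000
2024-03-04T11:00:00,bob,10.0.1.11,ws-102,jira,60000
2024-03-05T10:05:00,bob,10.0.1.11,ws-102,jira,70000
2024-03-05T15:45:00,bob,10.0.1.11,ws-102,outlook,110000
"""

# Constructed events from the following day to score against the baseline.
NEW_LOG = """\
2024-03-06T09:10:00,alice,10.0.1.10,ws-101,outlook,130000
2024-03-06T23:40:00,alice,203.0.113.9,ws-101,sharepoint,5200000
2024-03-06T10:20:00,bob,10.0.1.11,ws-102,dropbox,90000
2024-03-06T11:00:00,carol,10.0.1.12,ws-103,outlook,50000
"""


def parse(line):
    ts, user, ip, host, app, out = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "host": host, "app": app, "bytes_out": int(out)}


def parse_log(text):
    return [parse(l) for l in text.strip().splitlines() if l and not l.startswith("#")]


def build_baseline(events):
    """Per user: seen IPs, apps and hours. Per host: busiest day's outbound bytes."""
    users = defaultdict(lambda: {"ips": set(), "apps": set(), "hours": set()})
    daily = defaultdict(int)                      # (host, date) -> bytes_out
    for e in events:
        u = users[e["user"]]
        u["ips"].add(e["ip"])
        u["apps"].add(e["app"])
        u["hours"].add(e["ts"].hour)
        daily[(e["host"], e["ts"].date())] += e["bytes_out"]
    hosts = defaultdict(int)
    for (host, _day), total in daily.items():
        hosts[host] = max(hosts[host], total)
    return {"users": dict(users), "hosts": dict(hosts)}


def score(event, baseline):
    """Return the list of reasons this event deviates from the baseline."""
    u = baseline["users"].get(event["user"])
    if u is None:
        return [f"no baseline for user {event['user']}"]
    reasons = []
    if event["ip"] not in u["ips"]:
        reasons.append(f"new source IP {event['ip']}")
    if event["app"] not in u["apps"]:
        reasons.append(f"new application {event['app']}")
    lo, hi = min(u["hours"]), max(u["hours"])
    if not lo <= event["ts"].hour <= hi:
        reasons.append(f"outside usual hours ({lo:02d}-{hi:02d})")
    busiest = baseline["hosts"].get(event["host"])
    if busiest and event["bytes_out"] > VOLUME_FACTOR * busiest:
        reasons.append(f"outbound {event['bytes_out']} B exceeds "
                       f"{VOLUME_FACTOR}x busiest baseline day ({busiest} B)")
    return reasons


def review(baseline_text, new_text):
    """Score every new event; key is '<timestamp> <user>' for readability."""
    baseline = build_baseline(parse_log(baseline_text))
    return {f"{e['ts'].isoformat()} {e['user']}": score(e, baseline)
            for e in parse_log(new_text)}


if __name__ == "__main__":
    for key, reasons in review(BASELINE_LOG, NEW_LOG).items():
        print(key, "->", reasons or "normal")
```

A single new application is usually noise; the event that stacks three reasons (unknown address, late at night, five megabytes out at once) is the one to open a ticket on. Scoring by count of reasons rather than on any one signal is what keeps the background traffic from drowning the alert.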

Activity Auditing

Auditing is the process of recording computer activity on a regular basis. This data helps identify attempts to breach your network and pinpoints where weaknesses exist in your systems. Auditing can be done on all systems, but it is best applied first to sensitive ones, such as those that handle customer data. The admin consoles offered by Google, Microsoft, and Okta give you some visibility, but are difficult to use at scale. Open source logging tools like Graylog or the ELK stack (Elasticsearch, Logstash, Kibana) offer "free" solutions, but require significant infrastructure and expertise to deploy. Separating user-initiated activity from system activity will be a challenge here as well.

Advanced Strategies

These strategies typically require advanced tools and expertise. Smaller organizations with extremely valuable data may need to contract them to third-party services. This usually applies to classified data or intellectual property (IP) valued in the billions. Darknet monitoring and watch-and-listen tools are deployed at organizations that need these extreme levels of monitoring, but they are typically perceived as "Big Brother" tactics and would be overkill for less sensitive data and environments.

Darknet Monitoring for Finding Covert Channels and Attempts to Move Data Out of the Organization

A darknet is an overlay network that is hidden from the regular internet and reachable only with specific software. These networks are often used for nefarious purposes such as distributing malware and selling illegal or stolen material. Depending on your business, darknet monitoring may reveal whether one of your employees is trying to move or sell data out of your organization: stolen data sets and credentials are frequently advertised there before the victim knows they are gone. Many third-party services offer darknet monitoring for organizations that don't have the resources to do it themselves; a quick Google search will reveal dozens for hire.

Monitor User Behavior with Watch-and-Listen Tools

Watch-and-listen tools can be used to monitor employee behavior. With these tools, you can set up alerts that notify you when a specific term or activity occurs, which lets you monitor particular activities, keywords, or key employees. Tools in this category include:

- Call recording: recording incoming and outgoing calls can help you identify problematic employee behavior.
- Network monitoring: network monitoring tools track activity on your networks.
- Voice recognition: transcribes recorded audio so you can search for specific terms within it.
- Video and screen capture: records employee computer activity.
- Keyword triggers: send alerts when specific terms or phrases are used in communication.
- Behavioral analysis: identifies abnormal behavior on your networks.

The best-rated watch-and-listen tools are easily found online, usually at a hefty price. Because several of them record employees directly, check your jurisdiction's recording-consent and workplace-monitoring rules and involve HR and legal before deploying any of them.

Digital Forensics Tools

At some point, an organization may need to perform some form of digital forensics as part of an investigation, either because they need a legally admissible forensic image that they plan to take to court, or because they are not able to definitively determine if a real insider risk exists. Organizations without this expertise internally will typically contract these tasks out to a third-party for the actual forensics work. 

Even so, every organization should have someone on staff who knows how to do one of the most basic tasks of an investigation: making a forensic image of a suspected system's disk and memory. These images can then be handed to an expert for in-depth analysis. The habits that make an image usable later are simple but non-negotiable: acquire the disk through a write blocker (or from a powered-off system) so the source is never modified, compute a cryptographic hash of the source and of the resulting image and confirm they match, and write down who made the image, when, from which device, and where it has been since. Capture memory before powering the machine off, because it is gone once you do.

A number of free tools exist to help with this task, and while many of them run on a Linux distribution, they can be used to image a wide range of systems, including Windows, Linux, macOS, iOS, Android, and others. The SANS Institute has created the SANS Investigative Forensic Toolkit (SIFT), an Ubuntu-based workstation (available as a live image and as a virtual machine) with an exhaustive collection of tools, more than you'll probably need if you don't have your own in-house DFIR team. There may be a small learning curve for those not familiar with Linux, but there are plenty of YouTube videos that can walk anyone with technical acumen through the process of creating a forensic image.
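To make the imaging discipline concrete, here is an added example (not from the original article and not part of SIFT or any tool named here) of the essential loop: read the source once, write a bit-for-bit copy, hash both streams, and produce an acquisition record. It runs against a constructed in-memory "device" so it works anywhere; on a real case the source would be a block device behind a write blocker, and tools such as dc3dd, ewfacquire or FTK Imager do this for you with better error handling. The case and examiner names are placeholders.

```python
"""Disk acquisition with integrity hashes and an acquisition record (added example)."""
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1 << 20   # 1 MiB reads keep memory flat for multi-terabyte sources


def acquire(source, image, chunk=CHUNK):
    """Copy `source` to `image` while hashing the bytes as they are read."""
    digest = hashlib.sha256()
    total = 0
    for block in iter(lambda: source.read(chunk), b""):
        digest.update(block)
        image.write(block)
        total += len(block)
    image.flush()
    return {"bytes": total, "sha256_source": digest.hexdigest()}


def hash_stream(stream, chunk=CHUNK):
    """Hash an already-written image from the beginning."""
    stream.seek(0)
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()


def image_with_record(source, image, case_id, examiner, device, now=None):
    """Acquire, re-hash the written image, and return the acquisition record."""
    now = now or datetime.now(timezone.utc)
    result = acquire(source, image)
    result["sha256_image"] = hash_stream(image)
    result["verified"] = result["sha256_source"] == result["sha256_image"]
    return {"case": case_id, "examiner": examiner, "device": device,
            "acquired_at": now.isoformat(), **result}


def verify_image(image, expected_sha256):
    """Re-check an image later (before analysis, or when custody changes hands)."""
    return hash_stream(image) == expected_sha256


def demo():
    """Image a constructed 1 MiB 'disk', then show that a modified copy fails."""
    fake_device = io.BytesIO(bytes(range(256)) * 4096)   # constructed, not real data
    image = io.BytesIO()
    record = image_with_record(fake_device, image, "CASE-2024-001", "jdoe",
                               "/dev/sdb (example)",
                               datetime(2024, 3, 6, 10, 0, tzinfo=timezone.utc))
    # Simulate a single flipped byte in a copy handed to someone else.
    tampered = io.BytesIO(image.getvalue())
    tampered.seek(4096)
    tampered.write(b"\xff")
    return {
        "record": record,
        "image_verifies": verify_image(image, record["sha256_source"]),
        "tampered_verifies": verify_image(tampered, record["sha256_source"]),
    }


if __name__ == "__main__":
    out = demo()
    print(out["record"])
    print("image ok:", out["image_verifies"], "| tampered ok:", out["tampered_verifies"])
```

Keep the record alongside the image, and re-run `verify_image` whenever the image changes hands; the matching hash is what lets an outside examiner, or a court, trust that what they analyzed is what was acquired.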

Security teams looking to dive deeper into forensics will find that SIFT carries an abundance of other forensics tools. Other free forensic tool sets include Autopsy, Volatility (for memory analysis), CAINE, DEFT, Kali Linux, and CrowdStrike's CrowdResponse. EnCase is one of the better-known commercial tools, and can be deployed enterprise-wide if needed.

Conclusion

Insider threats are a common concern for all businesses, regardless of size or industry. In the past, most of the technical mitigations and responses were only available to teams that could afford in-house or third-party expertise. Fletch's People Risk & Investigation app has made Insider Risk detection and investigation accessible to any organization, not just those with deep pockets.