Insider Threat is an overarching problem.

No single tool can comprehensively cover Insider Threat.

Insider Threat Detection needs building blocks from multiple different components, such as:

  • Data/Visibility
  • Technologies
  • Collaborative efforts of all the functions
  • Understanding of the organization and culture
  • Knowledge of organizational processes
  • Legal*

In this Insider Threat Series, we won’t talk about all the preventative controls that tackle this problem, such as Governance, User Training & Education, Enterprise Security and Security Architecture Policies. Rather, we will look at this from the Blue Team’s perspective: we always assume that the Insider Threat is already here and performing malicious activities.

So what could Blue Teams do to improve detection capabilities?

The Recipe

First of all, we need visibility from different systems and components:

These are the essential data sources that contribute to the detection of insider threats. This is not an exhaustive list of every data source that could enhance detection.

Breaking down the recipe

Let’s go over the list of data sources and their potential use-cases:

Category 1 – Intel & Context of the user

HR Datasets: datasets like Workday provide details such as Resignation Date, Termination Date and Department

Active Directory: provides the groups the user belongs to, for example ADMIN OU vs User OU

Identity & Asset Management inventory: from sources such as cloud service providers

Manual Reports: there should be a safe venue to input concerns about disgruntled employees

OSINT: Open-source intelligence – there will be an in-depth guide for this – this is the area where legality comes in as a concern – tread carefully

Category 2 – Essential Telemetry

Endpoint Data: data from XDR/EDR is a must-have for Insider Threat, especially in a Zero Trust architecture

Network Data: an extremely important data source for detecting exfiltration and C&C attempts

Infrastructure Data: servers, systems, databases – self-explanatory here

Category 3 – Cloud Service Providers (CSPs) – The Wild West

More Zero Trust adoption -> More usage of Clouds -> More attack surface and immature practices

Public Clouds are an area that even the most well-established organizations struggle to protect.

One of the biggest concerns is cost. At one organization, it costs 8 million a month just to ingest VPC Flow Logs. It costs 20 million to enable AWS GuardDuty. Would it make sense in terms of business value to spend this much if the cost of an incident is a fraction of the expense? I will leave this debate for later. For now, let’s get back to the goal here.

At a minimum, organizations need the Control Plane level logs from these CSPs. That would be the following:

  • CloudTrail for AWS
  • Stackdriver for GCP
  • Activity for Azure
  • ActionTrail for Alibaba

Category 4 – Application logs

Not many organizations pay attention to application logs, but Data Loss Prevention solutions that cover some of the popular applications, such as Palo Alto Networks SaaS Security, can provide DLP for Slack, GSuite, Amazon S3, etc.

Category 5 – “It depends” telemetry

This is the gray area where “it depends”. Every organization is different, and whoever is responsible for securing the organization must understand what is needed to protect the crown jewels. It could be as simple as “Detect any exfiltration pathways from this particular segment or these servers” or as complicated as “Alert on anomalies in all usage by the Accounting group”.

Depending on the use-case, the telemetry requirements will be different.
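As an added illustration (not code from the original post), the snippet below shows the recipe in practice: Category 1 context (an HR resignation date and AD OU membership) is fused with Category 3 control-plane telemetry (CloudTrail-shaped events) into a per-user risk score, so that the same S3 reads mean something different for a departing user than for anyone else. All records, the thresholds, the watchlist and the off-hours window are constructed assumptions for the example.

```python
from datetime import date, datetime

# Constructed sample data, not from any real environment. Category 1 (context):
HR_RECORDS = {"alice": {"resignation_date": date(2023, 6, 30)}, "bob": {"resignation_date": None}}
AD_GROUPS = {"alice": ["User OU"], "bob": ["ADMIN OU"]}  # Active Directory OU membership
CLOUDTRAIL_EVENTS = [  # Category 3: control-plane events in CloudTrail shape
    {"eventTime": "2023-06-25T02:14:00Z", "userIdentity": {"userName": "alice"},
     "eventName": "GetObject", "requestParameters": {"bucketName": "finance-reports"}},
    {"eventTime": "2023-06-25T02:15:00Z", "userIdentity": {"userName": "alice"},
     "eventName": "GetObject", "requestParameters": {"bucketName": "finance-reports"}},
    {"eventTime": "2023-06-25T10:00:00Z", "userIdentity": {"userName": "bob"},
     "eventName": "PutBucketPolicy", "requestParameters": {"bucketName": "finance-reports"}},
]
SENSITIVE_ACTIONS = {"PutBucketPolicy", "DeleteTrail", "StopLogging"}  # assumed watchlist
DEPARTURE_WINDOW_DAYS = 30  # assumed: flag users whose resignation date is within 30 days
TODAY = date(2023, 6, 20)  # assumed "as of" date for the example


def score_user(user, events, today):
    """Fuse HR context, AD context and control-plane telemetry into one risk score."""
    score, reasons = 0, []
    resign = HR_RECORDS.get(user, {}).get("resignation_date")
    # No lower bound: a user whose resignation date has already passed but who is
    # still generating events is the more alarming case, so it stays flagged.
    if resign and (resign - today).days <= DEPARTURE_WINDOW_DAYS:
        score += 3
        reasons.append("resignation date within %d days or passed" % DEPARTURE_WINDOW_DAYS)
    if "ADMIN OU" in AD_GROUPS.get(user, []):
        score += 1
        reasons.append("privileged account (ADMIN OU)")
    downloads = sum(1 for e in events if e["eventName"] == "GetObject")
    if downloads >= 2:
        score += 2
        reasons.append("%d object downloads" % downloads)
    # Off-hours window of 00:00-06:00 UTC is an assumption for the example.
    off_hours = sum(1 for e in events
                    if datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00")).hour < 6)
    if off_hours:
        score += 1
        reasons.append("%d off-hours events" % off_hours)
    sensitive = [e["eventName"] for e in events if e["eventName"] in SENSITIVE_ACTIONS]
    if sensitive:
        score += 2
        reasons.append("sensitive actions: " + ", ".join(sensitive))
    return score, reasons


def triage(events, today, threshold=4):
    """Group events per user; return only users whose combined score reaches the threshold."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["userIdentity"]["userName"], []).append(e)
    scored = {u: score_user(u, evs, today) for u, evs in by_user.items()}
    return {u: s for u, s in scored.items() if s[0] >= threshold}
```

With the sample data, only alice crosses the threshold (departing, repeated downloads, off-hours); bob's single sensitive action by a privileged account scores below it and would need the other categories to raise it.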

Wrap up

I don’t like long blog posts. This post should give you an idea of the essential toolkit to enhance detection capabilities for Insider Threats.

In the next blog post, we will provide example use-cases for each of the categories mentioned above. Stay tuned.