Final Project - Outline Team Don't Click That

Transcript of Final Project - Outline Team Don't Click That

Page 1: Final Project - Outline Team Don't Click That

Final Project - Outline

Team Don’t Click That

B Jones
https://prod.iq4.com/servlet/aws/IQ4_Final_Presentation__(1).pdf?r=2300/P/fd0924bf-6ace-4514-bd52-821de6dd9ecd/IQ4_Final_Presentation__(1).pdf&a=inline
Page 2: Final Project - Outline Team Don't Click That

Team Don’t Click That

Brendan Jones - Cyber Threat Analyst

Britney DeSouza - Compliance Analyst

Sam Nicastro - Behavioral Analyst

Emma Halvorson-Phelan - Behavioral Analyst

Peter Macias - IT Risk Analyst

Alfredo Ortiz - IT Risk Analyst

Keith Heesemann - Information Security Officer

Alyssa Carter - Information Security Officer

Page 3: Final Project - Outline Team Don't Click That

What Happened?

IT Sabotage

Goliath National Bank (GNB) employed a contractor as a nighttime security guard who was heavily involved on the dark web and led a hacker-for-hire group. He used his security key to obtain physical access to the server closet that housed the e-trading system. He rendered the GNB network infrastructure unstable, eventually causing a four-hour outage across GNB.

Page 4: Final Project - Outline Team Don't Click That

How was the attack discovered?

The four-hour outage caused by the injection of malware was a clear indicator that something was not right.

IT staff discovered the malware after the outage and determined that the attack was conducted by an employee with access to the server closet.

Page 5: Final Project - Outline Team Don't Click That

What made the attack possible?

Goliath Banking lacked appropriate security measures. It failed to follow any security guideline for its infrastructure and was thus an easy target.

● Failed to implement any security guidelines (NIST)

● Ignorant of security risk

● No background checks

Page 6: Final Project - Outline Team Don't Click That

Identify

Page 7: Final Project - Outline Team Don't Click That

Risk Identification

Possessed legitimate privileged access to Goliath Banking’s networks.

Abused privileges

Illegally distributed trading algorithms on the dark web.

Page 8: Final Project - Outline Team Don't Click That

Risk Assessment

What are the appropriate assessment points?

● Type of data obtained

● Data’s role in Goliath Banking

● Severity of situation

○ Impacts of the data circulating on the dark web

○ Vulnerabilities

○ Critical assets, i.e. the server closet

■ Threats

Page 9: Final Project - Outline Team Don't Click That

Protect

Page 10: Final Project - Outline Team Don't Click That

How can this attack be prevented?

● Trust Programs

● Interactive training programs

● Exercising the “Active Bystander” Technique

● Employees are capable of detecting common insider threats

● Internal and External access is monitored

● Data Loss Protection

○ Redundancy

● Modifying the Hiring process

● A good model for Employee Departure

Page 11: Final Project - Outline Team Don't Click That

Safeguards

Technical

Monitor Employee Behavior

Limit Access

Data & System Integrity

Detection Software

Administrative

Separation of Duties

Policies and Enforcement

Communication

Established Hierarchy

Page 12: Final Project - Outline Team Don't Click That

Hiring Process

Background Checks

○ Previous Experience

○ Affiliated Groups

○ Social media analysis

Periodic Psych Evaluations

○ Baseline and Continuous

○ Understanding Employee goals

Interview Process

○ Candidate Behavior

○ Communicating

○ Encourage an NDA if sensitive IP is at risk

Page 13: Final Project - Outline Team Don't Click That
Page 14: Final Project - Outline Team Don't Click That

Employee Departure

Severing Access

○ Both physical and virtual

Monitoring System access

○ 2 - 4 weeks post departure

Permissions changed

○ Passwords, keys, etc.

Employees should be screened

Employees should be treated respectfully

Discourage disgruntlement
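The departure model above has two checkable parts: every physical and virtual access is severed, and the departed account is watched for 2 - 4 weeks afterwards. The following script is an added example written for this outline, not code from the team or from GNB. It takes a constructed access inventory and a constructed badge/VPN log for a hypothetical departed contractor `jdoe`, reports credentials that are still live, and lists any activity under that identity after the departure date, marking whether it falls inside the four-week monitoring window. The file formats, user names and systems are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed HR departure record: user -> last working moment (assumption).
DEPARTURES = {"jdoe": datetime(2024, 3, 1, 17, 0)}

# Constructed access inventory, one row per credential or entitlement.
# Columns: user,system,credential_type,status
INVENTORY = """\
jdoe,badge-system,physical badge,active
jdoe,ad,domain account,disabled
jdoe,vpn,client certificate,active
jdoe,trading-db,shared db password,unchanged
asmith,ad,domain account,enabled
"""

# Constructed access log: timestamp user system action target
ACCESS_LOG = """\
2024-03-03T02:14:00 jdoe badge-system door-open server-closet
2024-03-05T09:00:00 asmith ad logon workstation-12
2024-03-20T23:41:00 jdoe vpn connect 10.0.0.0/24
2024-04-15T10:00:00 jdoe vpn connect 10.0.0.0/24
"""

# The slide's "2 - 4 weeks post departure" monitoring window, taken at its upper bound.
POST_DEPARTURE_WINDOW = timedelta(weeks=4)

# Inventory statuses that mean the credential was not actually severed.
LINGERING = {"active", "enabled", "unchanged"}


@dataclass
class Finding:
    user: str
    kind: str          # "lingering-access" or "post-departure-activity"
    detail: str
    in_window: bool = True   # for activity: inside the monitoring window?


def parse_inventory(text):
    """Split the CSV-style inventory into (user, system, credential, status) tuples."""
    return [tuple(line.split(",")) for line in text.strip().splitlines()]


def parse_log(text):
    """Split log lines into (timestamp, user, system, description) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, system, action, target = line.split(maxsplit=4)
        events.append((datetime.fromisoformat(ts), user, system, f"{action} {target}"))
    return events


def offboarding_findings(departures, inventory_text, log_text):
    """Return lingering credentials and post-departure activity for departed users."""
    findings = []
    # Part 1: has every physical and virtual access actually been severed?
    for user, system, cred, status in parse_inventory(inventory_text):
        if user in departures and status in LINGERING:
            findings.append(Finding(user, "lingering-access",
                                    f"{cred} on {system} still {status}"))
    # Part 2: any use of the identity after the departure moment?
    for ts, user, system, what in parse_log(log_text):
        left = departures.get(user)
        if left is None or ts <= left:
            continue
        age = ts - left
        findings.append(Finding(user, "post-departure-activity",
                                f"{system} {what} at {ts.isoformat()} "
                                f"({age.days} days after departure)",
                                in_window=age <= POST_DEPARTURE_WINDOW))
    return findings


if __name__ == "__main__":
    for f in offboarding_findings(DEPARTURES, INVENTORY, ACCESS_LOG):
        flag = "" if f.in_window else " [outside monitoring window]"
        print(f"{f.kind:24} {f.user:8} {f.detail}{flag}")
```

In a real deployment the inventory would be pulled from the directory, badge system and secrets manager rather than a string, and "unchanged" for a shared password is itself a finding: a shared credential cannot be revoked per person, it has to be rotated.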

Page 15: Final Project - Outline Team Don't Click That

Detect

Page 16: Final Project - Outline Team Don't Click That

Detection

● Baseline assessments for employee activities - set a standard for what is normal activity and what is unusual.

● Monitoring Internal and External access in real time.

○ Using Risk Fabric and similar software

● Keep track of audit logs on employees' badge access and network usage

● Track employee web content to see if there is any risky usage

● Have up-to-date virus/anti-virus scanners

○ Hitman Pro, Kaspersky, Malwarebytes, etc.

● Usage of sophisticated monitoring software that has a red-flag system.

Technical Infrastructure

Page 17: Final Project - Outline Team Don't Click That

Insider Threat Personnel

● A dedicated branch/team/employee for monitoring/investigating

● Allocating Resources to relevant areas.

● Monitoring systems - Specific employees have access to monitoring software 24/7, in order to address attacks or unusual behavior after work hours.

● False-positives - dealing with erroneous reports and non-malicious behavior. This is closely tied to developing a “normal” behavior baseline.

● Developed systems in place to allow any employee to report suspicious activity.

Page 18: Final Project - Outline Team Don't Click That

Detecting Threatening Behavior

● Suspicious results from Psychological Testing

○ Implicit Attitudes

○ Physiological Anxiety measurements

● Aggressive Personalities

○ Usually associated with past drug abuse

○ Typically unapproachable

● Abnormal Workplace behaviors

○ Unnecessary work tasks being attempted/completed

○ Displays secretive personality

● Accessing confidential information at unreasonable hours
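The Detection slide asks for a baseline of normal activity built from audit logs, and this slide names one concrete signal against that baseline: confidential systems being accessed at unreasonable hours. The script below is an added example for this outline, not code from the team or any product named on the slides. It learns each user's normal working hours from a constructed two-week history of access log lines, then scores later events: access to a sensitive resource outside the learned hours is high severity, access to a non-sensitive resource outside hours is low, and a user with no history at all (a new contractor, say) is flagged so an analyst reviews the first activity rather than having it silently become the baseline. The users, resources and log format are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed history: user "tsmith" working 09:00-16:00 for ten days.
HISTORY = [
    f"2024-02-{d:02d}T{h:02d}:00:00 tsmith {res}"
    for d in range(1, 11)
    for h, res in ((9, "email"), (11, "e-trading-db"), (14, "e-trading-db"), (16, "wiki"))
]

# Constructed events to evaluate against the baseline.
EVENTS = """\
2024-02-15T02:30:00 tsmith e-trading-db
2024-02-15T02:45:00 tsmith wiki
2024-02-15T11:05:00 tsmith e-trading-db
2024-02-15T23:10:00 contractor9 server-closet-door
2024-02-16T10:00:00 contractor9 email
""".strip().splitlines()

# Resources whose access counts as "confidential information" (assumption).
SENSITIVE = {"e-trading-db", "server-closet-door"}

# Fewer historical events than this and we refuse to call the hours a baseline.
MIN_OBSERVATIONS = 10


@dataclass
class Alert:
    user: str
    resource: str
    when: datetime
    reason: str
    severity: str   # "high", "medium" or "low"


def parse(lines):
    """Each line is '<iso timestamp> <user> <resource>'."""
    out = []
    for line in lines:
        ts, user, resource = line.split()
        out.append((datetime.fromisoformat(ts), user, resource))
    return out


def build_baseline(history_lines):
    """Per user: (earliest hour, latest hour) seen in enough history to trust."""
    hours = {}
    for ts, user, _ in parse(history_lines):
        hours.setdefault(user, []).append(ts.hour)
    return {u: (min(hs), max(hs)) for u, hs in hours.items()
            if len(hs) >= MIN_OBSERVATIONS}


def detect(baseline, event_lines, sensitive):
    """Score events: out-of-hours access and users with no baseline."""
    alerts = []
    for ts, user, resource in parse(event_lines):
        confidential = resource in sensitive
        window = baseline.get(user)
        if window is None:
            alerts.append(Alert(user, resource, ts, "no activity baseline for user",
                                "high" if confidential else "medium"))
            continue
        lo, hi = window
        if not lo <= ts.hour <= hi:
            reason = f"access at {ts.strftime('%H:%M')}, baseline {lo:02d}:00-{hi:02d}:59"
            alerts.append(Alert(user, resource, ts, reason,
                                "high" if confidential else "low"))
    return alerts


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for a in detect(base, EVENTS, SENSITIVE):
        print(f"[{a.severity:6}] {a.user:12} {a.resource:18} {a.reason}")
```

The hour range is deliberately crude; a production red-flag system would also weight by day of week, by how far outside the window the access falls, and by whether the badge log places the person on site at that time. The point of the example is the structure: baseline first, then score deviations, and never let a user with no history slip through as "normal".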

Page 19: Final Project - Outline Team Don't Click That

Human Factor Statistics

Verizon’s “2015 Data Breach Investigations Report”: 70% of cyber attacks involve a secondary victim, adding complexity to the sabotage.

59% of employees steal proprietary corporate data when they quit or are fired.

50% of the worst breaches in the last year were caused by inadvertent human error, rising from 31%.

Only 64% of organizations adopt the most common method of cyber risk assurance, an information/cyber security risk assessment.

Page 20: Final Project - Outline Team Don't Click That

Response

Page 21: Final Project - Outline Team Don't Click That

Response Planning

● The Form of Attack

○ Inside Job

○ Social Engineering

○ Exploitation Malware

○ Blackmail/Extortion

More often than not a cyber attack will fall into one or more common scenarios. As the cyber security response team, it is effective to be prepared for these scenarios in advance.

Page 22: Final Project - Outline Team Don't Click That

Investigation Procedures

In the case of Goliath Banking’s recent attack, it would fall under an inside job along with exploitation malware, as it was an insider that exposed IT systems to malware that led to the network being disabled.

○ Who is the subject and what is their position?

○ What is their technical background?

○ What digital devices do they typically use?

○ What are the company policies regarding remote access?

○ Which data systems were accessed?

○ Were commonly accessed systems audited?

Page 23: Final Project - Outline Team Don't Click That

Mitigation

● Severing access to the system if necessary, depending on the size of the incident.

○ Limited access during investigation stages

● Removing certifications of individuals involved

● Contacting the appropriate authorities.

● Issuing the proper punishment.

○ Taking legal action

○ Terminating employees

● Following up on non-malicious actors and ensuring they do not act incorrectly again.

Page 24: Final Project - Outline Team Don't Click That

Communications

● Internal

- Inform the workers that are affected by the threat

- Minimize exaggerations to prevent unreasonably high anxiety levels for workers.

- Train workers to view this stressor as a challenge, not a threat.

● External

- Only use when necessary; outsiders do not need to know the organization’s procedures and IP

- “Keep it in-house”

- For example, use law enforcement only when needed.

Page 25: Final Project - Outline Team Don't Click That

Recovery

Page 26: Final Project - Outline Team Don't Click That

Recovery

“Develop and implement the appropriate activities and maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event”

Most vital step in the overall process of combating an insider threat

Recovery Plan

Isolate and Restore

Public Relations

Internal Communications

Regulatory Reporting

Page 27: Final Project - Outline Team Don't Click That

Recovery Plan

Isolate and Restore - Can take between 1-7 days

Detect and quarantine affected systems within the GNB server closet

Physically and virtually replace affected hardware and software

Incident Evaluation

Create incident response team

Senior management

Preserve evidence

Discuss severity and causes

Conducting interviews

Releases to press

Evaluating improvements and future prevention tactics

Page 28: Final Project - Outline Team Don't Click That

Recovery Plan

Internal Communications - Less than 1 day

Communicate recovery activities internally

Provide adequate information on new prevention procedures

Regulatory Reporting - New York State Law

Immediately after isolation (1 day)

Must notify all NY residents affected

Government agencies notified through attorney general website

Page 29: Final Project - Outline Team Don't Click That

Recovery Plan

Public Relations - Done alongside recovery process

Internal and External Public Relations (PR) teams for immediate public response

Offer only necessary and relevant information

Credit monitoring for all impacted parties

Social media updates

Page 30: Final Project - Outline Team Don't Click That

What we learned

- We learned that threats are imminent but with the proper procedures in place, we can mitigate the costs and damages.

- Handling/having access to data should be treated with the highest security and be scrutinized

- Anyone can be an insider threat.

- Cybersecurity attacks are always going to be a problem.

- Insider threat programs should be robust enough to provide clear instructions for companies to follow

Page 31: Final Project - Outline Team Don't Click That

Team Don’t Click That

Contact us: 1-518-555-5555

Don’[email protected]