Common security tools already used by many businesses can be effective means for finding corporate data thieves and saboteurs, according to researchers at Carnegie Mellon’s Software Engineering Institute.
“It’s telling them something new to look for using an existing tool. It’s a matter of helping them tune their perspective,” says Michael Hanley, a member of the technical staff at the institute’s Computer Emergency Response Team (CERT).
The goal is better insider-threat assessments: intrusion-detection systems, e-mail server analysis, application server log analysis and NetFlow analysis can all sharpen efforts to find those responsible for stealing or corrupting corporate data and for planting malware that can harm network infrastructure, he says.
For instance, analysis of data gathered by these tools can filter out suspicious activity such as use of VPNs to move high volumes of data out of the network after hours. If a network analyst noticed such behavior, it could be flagged as a possible indicator of malicious intent, he says.
But businesses need to enlist representatives from across departments — IT, information security, human resources, finance — to identify the behaviors that might indicate someone is acting as a malicious insider.
Analysts familiar with tools already in use are then brought into play to determine what types of relevant information they can contribute. If these analysts are made aware of what suspicious behavior looks like, they can set controls to recognize these indicators.
For instance, it’s not odd for system administrators to download and upload code all day, or for scientists to copy data to thumb drives or send information to collaborators. But the same activity performed after hours by someone who has given notice may rise to a level of suspicion.
If human resources identifies a person who has downloaded hacker tools to his desktop, an IDS could be configured to send an alert when that person sends information outside the corporate networks, says Dawn Capelli, a senior member of technical staff at Carnegie Mellon’s Software Engineering Institute.
In another case, an employee might give notice of leaving for another job. Tying LDAP information about when that person’s access privileges will be revoked to monitoring of e-mail activity could yield evidence of sensitive data being sent out via e-mail, Capelli says. In that case, blacklists of the addresses the employee may send e-mail to could be set up, she says.
Much insider misbehavior happens during the last 30 days before a person leaves a company, Capelli says. Log analysis tools can be turned on these employees to look for red flags such as e-mails with attachments sent to competitors, foreign countries and free e-mail accounts.
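The two correlations described above (after-hours, high-volume transfers over the VPN, and attachments mailed to free-mail accounts or competitors, each weighted more heavily when the sender is inside a 30-day departure window) can be prototyped with a short script over the records these tools already export. The example below is added for this article and is not CERT’s code or the SiLK tool; the flow and mail records are constructed sample data, and the field layout, the VPN client range, the 500 MiB threshold, the after-hours window and the domain lists are assumptions for illustration.

```python
"""Correlate an HR departure list with NetFlow-style and mail-server records.

Added example for this article; it is not CERT's code or the SiLK tool. Every
record below is constructed sample data, and the field layouts, thresholds,
address ranges and domain lists are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Constructed HR feed: user -> date the employee gave notice.
DEPARTING = {"jdoe": datetime(2024, 3, 1)}

# Assumed policy values.
WINDOW_DAYS = 30                       # risk window after notice (article: last 30 days)
AFTER_HOURS = (20, 6)                  # 20:00 to 06:00 local is "after hours"
VOLUME_BYTES = 500 * 1024 * 1024       # outbound VPN bytes per user per day worth a look
VPN_CLIENTS = "10.200."                # assumed VPN client address range
HOME_DOMAIN = "corp.example"
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com"}
COMPETITORS = {"rival.example"}

# Constructed NetFlow-style records: (timestamp, user, src_ip, dst_ip, bytes).
FLOWS = [
    ("2024-03-05T23:14:00", "jdoe",   "10.200.4.7", "203.0.113.9", 400 * 1024 * 1024),
    ("2024-03-05T23:40:00", "jdoe",   "10.200.4.7", "203.0.113.9", 300 * 1024 * 1024),
    ("2024-03-06T10:00:00", "asmith", "10.200.4.8", "203.0.113.9", 900 * 1024 * 1024),
    ("2024-03-06T22:30:00", "asmith", "10.10.1.5",  "203.0.113.9",  50 * 1024 * 1024),
]

# Constructed mail-server records: (timestamp, sender, recipient, has_attachment).
MAIL = [
    ("2024-03-07T18:05:00", "jdoe@corp.example",   "jdoe.home@gmail.com", True),
    ("2024-03-07T18:06:00", "jdoe@corp.example",   "pm@corp.example",     True),
    ("2024-03-07T09:00:00", "asmith@corp.example", "sales@rival.example", True),
    ("2024-03-07T09:30:00", "asmith@corp.example", "sales@rival.example", False),
]


def is_after_hours(ts):
    start, end = AFTER_HOURS
    return ts.hour >= start or ts.hour < end


def in_departure_window(user, ts):
    """True if the user gave notice and ts falls within WINDOW_DAYS of it."""
    notice = DEPARTING.get(user)
    return notice is not None and notice <= ts <= notice + timedelta(days=WINDOW_DAYS)


def vpn_exfil_indicators(flows):
    """Sum after-hours outbound bytes from VPN clients per user per day;
    return (user, day, bytes) for totals at or above VOLUME_BYTES."""
    totals = {}
    for ts_s, user, src, _dst, nbytes in flows:
        ts = datetime.fromisoformat(ts_s)
        if not src.startswith(VPN_CLIENTS) or not is_after_hours(ts):
            continue
        key = (user, ts.date().isoformat())
        totals[key] = totals.get(key, 0) + nbytes
    return [(u, d, b) for (u, d), b in sorted(totals.items()) if b >= VOLUME_BYTES]


def mail_exfil_indicators(mail):
    """Return (user, timestamp, recipient, reason) for attachments sent to
    free-mail providers or known competitors; internal mail is skipped."""
    hits = []
    for ts_s, sender, rcpt, has_attachment in mail:
        if not has_attachment:
            continue
        domain = rcpt.rsplit("@", 1)[1].lower()
        if domain == HOME_DOMAIN:
            continue
        if domain in FREE_MAIL:
            reason = "attachment to free-mail account"
        elif domain in COMPETITORS:
            reason = "attachment to competitor"
        else:
            continue                    # other external mail: not scored here
        hits.append((sender.split("@", 1)[0], ts_s, rcpt, reason))
    return hits


def score_users(flows, mail):
    """Combine indicators per user; an indicator counts double when it falls
    in the user's departure window, which is the point of tying in HR data."""
    scores = {}

    def add(user, ts, reason):
        weight = 2 if in_departure_window(user, ts) else 1
        entry = scores.setdefault(user, {"score": 0, "reasons": []})
        entry["score"] += weight
        entry["reasons"].append(reason)

    for user, day, nbytes in vpn_exfil_indicators(flows):
        add(user, datetime.fromisoformat(day),
            f"{nbytes // (1024 * 1024)} MiB after-hours over VPN on {day}")
    for user, ts_s, rcpt, reason in mail_exfil_indicators(mail):
        add(user, datetime.fromisoformat(ts_s), f"{reason} ({rcpt})")
    return scores


if __name__ == "__main__":
    ranked = sorted(score_users(FLOWS, MAIL).items(), key=lambda kv: -kv[1]["score"])
    for user, entry in ranked:
        print(user, entry["score"], "; ".join(entry["reasons"]))
```

On the constructed data, jdoe (who gave notice on March 1) is scored 4 for 700 MiB pushed out over the VPN late on March 5 plus an attachment mailed to a Gmail address, while asmith scores 1 for a single attachment to a competitor. The weighting, not the individual indicators, is what the HR feed adds: the same VPN volume from an administrator with no departure date on file would score half as much, which is how the analysts keep looking at the people the article says matter most without reviewing everyone.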
There are different types of threats, including sabotage, in which network administrators may attack after they have been fired using tools they set up before they left. “You can’t look at everything everyone does,” she says.
Businesses could use change-control tools to see whether operating-system-level scripts have been placed on machines these employees have had access to, she says. The code may be planted on machines where the software is in maintenance mode and so is less closely watched.
For administrators, investigators should look at the accounts they have created to see whether they are legitimate.
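Both checks above, scripts placed outside change control and accounts created by a departing administrator, reduce to comparing a host’s current state against a record of what was approved. The script below is added for this article and is not CERT’s code; the baseline hashes, the current snapshot, the change-ticket set and the account inventory are constructed sample data, and how they would be collected in practice (a change-control export, a file-hash crawl of cron and startup directories, a useradd audit trail) is assumed rather than shown.

```python
"""Audit a host for scripts placed outside change control and for accounts an
administrator created after giving notice.

Added example for this article, not CERT's code. The baseline, the current
snapshot and the account inventory are constructed sample data; how they are
collected (a change-control export, a file-hash crawl, a useradd audit trail)
is assumed and not shown.
"""
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed: hashes recorded at the last approved change (path -> sha256).
BASELINE = {
    "/etc/cron.d/backup": sha256(b"0 2 * * * root /usr/local/bin/backup.sh\n"),
    "/usr/local/bin/backup.sh": sha256(b"#!/bin/sh\ntar czf /srv/bk.tgz /srv/data\n"),
    "/etc/rc.local": sha256(b"#!/bin/sh\nexit 0\n"),
}

# Constructed: what a hash crawl of the same paths returns today. A job that
# fires once on a future date and a boot hook pointing at it are the kind of
# OS-level scripts a departing admin might leave on a quiet maintenance box.
SNAPSHOT = {
    "/etc/cron.d/backup": sha256(b"0 2 * * * root /usr/local/bin/backup.sh\n"),
    "/usr/local/bin/backup.sh": sha256(b"#!/bin/sh\ntar czf /srv/bk.tgz /srv/data\n"),
    "/etc/rc.local": sha256(b"#!/bin/sh\n/usr/local/bin/cleanup.sh &\nexit 0\n"),
    "/etc/cron.d/cleanup": sha256(b"0 3 15 4 * root /usr/local/bin/cleanup.sh\n"),
    "/usr/local/bin/cleanup.sh": sha256(b"#!/bin/sh\nrm -rf /srv/data\n"),
}

# Constructed: paths covered by approved change tickets since the baseline.
APPROVED = set()

# Constructed account inventory: (name, uid, created_by, created_on).
ACCOUNTS = [
    ("root",      0,    "install", "2023-01-10"),
    ("alice",     1001, "root",    "2023-02-01"),
    ("svc-maint", 1002, "bob",     "2024-03-10"),
    ("toor",      0,    "bob",     "2024-03-12"),
]


def unapproved_changes(baseline, snapshot, approved):
    """Return (path, status) for files added, modified or removed without an
    approved change; status is one of 'added', 'modified', 'removed'."""
    findings = []
    for path in sorted(set(baseline) | set(snapshot)):
        if path in approved:
            continue
        if path not in baseline:
            findings.append((path, "added"))
        elif path not in snapshot:
            findings.append((path, "removed"))
        elif baseline[path] != snapshot[path]:
            findings.append((path, "modified"))
    return findings


def suspicious_accounts(accounts, admin, notice_date):
    """Flag accounts the named admin created on or after notice_date (ISO date
    strings compare correctly as text), and any account other than root that
    carries uid 0, since a second superuser account is rarely legitimate."""
    findings = []
    for name, uid, creator, created in accounts:
        reasons = []
        if creator == admin and created >= notice_date:
            reasons.append(f"created by {admin} after notice")
        if uid == 0 and name != "root":
            reasons.append("extra uid 0 account")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for path, status in unapproved_changes(BASELINE, SNAPSHOT, APPROVED):
        print(f"{status:8} {path}")
    for name, reasons in suspicious_accounts(ACCOUNTS, "bob", "2024-03-01"):
        print(name, "; ".join(reasons))
```

Run against the constructed snapshot, the change check reports the new cron entry and its script as added and /etc/rc.local as modified, none of which has a ticket; the account check flags both accounts bob created after his March 1 notice and additionally calls out toor as a second uid 0 account. The baseline has to come from the change-control system rather than from the host itself, otherwise an administrator who planted the script before the last crawl would have it baked into the reference.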
Non-IT staffers on their way out the door also need to be watched. Engineers, programmers, scientists and sales people are likely to take with them things they created and feel are their own, Capelli says. “They don’t take elaborate methods to cover up what they’ve been doing,” she says.
They may simply carry this intellectual property out on their laptops or on thumb drives. In the case of laptops, software agents can phone home with information about whether users have been downloading to removable drives, burning CDs or copying entire drives. Businesses need policies in place to guard against this activity, and those policies need to be consistently enforced.
CERT has developed an open source tool called System for Internet-Level Knowledge (SiLK) that helps analyze NetFlow data to find behavioral indicators among the wealth of NetFlow data collected, Hanley says.
CERT is also working on a new study comparing what insiders do with what outsiders do once they have gotten inside. Getting in from the outside may require more sophistication, so what those attackers do once they’re inside may also be more sophisticated than what an insider does.