
Data Breach Countermeasures: Actionable Actions From Actual Cases - John Grim

BSides Peru · 47:13 · 129 views · Published 2019-07
About this talk
Many data breach victims believe they are alone in dealing with sophisticated tactics and zero-day malware never seen before. Our Data Breach Investigations Report (DBIR) findings indicate that few breaches are unique: consistently, nine (9) cybersecurity incident patterns can be seen, and six (6) of these are data breach related. The Data Breach Digest consists of scenario-driven case studies of these DBIR incident patterns. John will cover some of the more lethal and some of the more common scenarios to illustrate five of the incident patterns: Cyber-Espionage, Crimeware, Web App Attacks, PoS Intrusion, and Insider and Privilege Misuse. For each of these, John will walk through initial detection, response (and investigation), and then cover the countermeasures from an incident response and cybersecurity perspective. John Grim, the primary author of the Verizon Insider Threat Report, has over 16 years of experience investigating data breaches and cybersecurity incidents within the government and civilian security sectors. John manages a highly technical investigative response team that investigates data breaches and advises on containment, eradication and remediation measures for customers worldwide.
Transcript [en]

All right, folks, so we're about to begin here. Our first talk today on this track is going to be by John Grim. John is the primary author of the Verizon Insider Threat Report. He has over 16 years of experience investigating data breaches and cybersecurity incidents within the government and civilian security sectors. John also manages a highly technical investigative response team, and they investigate data breaches and advise on containment, eradication and remediation for customers worldwide. So without further ado, let John get set up here and we'll start the timer in a moment. Thank you.

Good morning, Pittsburgh and friends of Pittsburgh. Can you hear me in the back? Is everybody good? OK, let me try speaking a little bit louder. Can you hear me now? OK. So it's my pleasure to present this year at BSides. I was here last year, had a lot of fun presenting last year on a topic, and this year was fortunate enough to be accepted once again to come back here and speak to a wonderful Pittsburgh black-and-gold audience. So without further ado, let me go ahead and introduce myself. I come from a background with the US Army doing cyber counterintelligence, and I was able to move into the corporate world in 2009 and use those same skill sets to support our customers, our Verizon customers external to us, in terms of data breaches.

Most of the time I'm in react mode, but today I'm actually in a position where I'm in proact mode. So what I wanted to do is take this opportunity today to share with you some of the things that I've learned out in the field, some of the things our team has collectively learned in the field, and highlight five specific different types of incidents that we've had, and give you some direct countermeasures that you can use for mitigation and prevention as well as detection and response.

I'm actually on a team called the VTRAC team. It's the Verizon Threat Research Advisory Center, formerly known as the RISK Team. We have a global presence: we have teams in EMEA, teams in APAC, and teams here in this hemisphere, in North America. We have the capability to do forensic investigations, everything from file analysis, memory forensics, endpoint forensics, network forensics (full packet captures, NetFlow analysis), recovering data from damaged devices, mobile device forensics, and we also have a cyber threat intelligence element that we can bring to bear with our investigations. As was indicated earlier, I put together, with a team of our folks, the Insider Threat Report, and also the Data Breach Digest in years past, but more specifically today I wanted to highlight the Data Breach Investigations Report. How many folks are familiar with the DBIR in the audience? OK, good, a good portion of the audience.

Years ago, when I would present the DBIR, most folks didn't know about the DBIR; they only heard Verizon and thought Verizon Wireless or maybe FiOS. But it's been something that we've been putting together and briefing for the 12th year now. Our actual data set goes back to 2004. Within our data set there have been 86 different countries covered. This year we've had 73 different contributors. We're looking at just under 42,000 incidents and just over 2,000 data breaches. So when I use the term incident, please note that is anything, including denial of service attacks, ransomware outbreaks, as well as data breaches. When I use the term data breach, just as a little note

here, that is anything where a successful threat actor has actually exfiltrated data or compromised data from an environment.

So one of the things here, in setting up for these five different incidents that we've seen in the past that I'll cover in a second: I wanted to show you what we're dealing with when it comes to data breaches in terms of timelines. When it comes to the threat actor initially breaching the environment and exfiltrating data, it's happening pretty quickly; we're talking minutes and hours. However, when it comes to detecting and containing the data breach, detecting in particular, it may take months or even years. We've had cases where we found that the threat actor has actually been in the environment for several months and even a few years.

One of the things too I wanted to show you is, when we look at the data set, all 73 different contributors, 66 of them are beyond Verizon: they're law enforcement, they're CERT folks, they're other organizations similar to Verizon who do data breach investigations. When we look at those data sets and we look back in time, especially starting in 2014, and we do our analysis, we've seen consistently over the years nine different incident patterns. OK, nine different patterns when it comes to cybersecurity incidents, and the same nine patterns when it comes to data breaches. And you can see on the slide up here: on the left-hand side are those nine incident patterns; on the right-hand side are those same nine incident patterns when it comes to data breaches.

So what's going on here? Well, what we're seeing, compared to the previous DBIR in the year prior to this, is that Insider and Privilege Misuse in terms of incidents has moved up to the number one type of incident pattern we're seeing. We're also seeing Web App Attacks moving up the stack when it comes to data breaches. As you can see over on the right-hand side, Insider and Privilege Misuse has moved from fifth to third, and we can see also that the point-of-sale environment has dropped down to the bottom of the stack, and then finally we can also see that Crimeware has moved up two spaces on the stack. So what is this telling us? Well, this is telling us that the threat actors, especially with the PCI environment, are moving from the payment card skimmers and the point-of-sale terminals into card-not-present environments, into the cloud. We're seeing Insider and Privilege Misuse becoming more and more prevalent; I'm going to show you a little bit more in terms of insider statistics that we have. We're seeing the threat actors adjusting to where the data is moving to. We're seeing the threat actors

using different techniques to get to what they're looking for, and I'll talk about motivations as well in a second.

So in terms of the five patterns that I wanted to cover today: the first one is going to be Web App Attacks, the second is going to be Insider and Privilege Misuse, the third is going to be Cyber-Espionage, the fourth is going to be Crimeware, and the fifth is going to be Point-of-Sale. I felt those were the most interesting when it comes to data breaches. The other categories that are listed up there have to do with miscellaneous errors and lost assets, and those really aren't as interesting because typically there's not really a malicious threat actor that's involved.

So in terms of threat actors: when we first started looking at data sets, we looked at the threat actors and their access to the environment, and as you can see going back in time (this actually goes back to 2011; it actually goes further back in time) it's pretty consistent. You see the external threat actor is essentially three out of four of the threat actors, about 75% of the time. Insider threat actors are about 25% of the time, or one out of four times, and then there's a small amount of partner actors, which are kind of a combination between external and insider threat actors. As I mentioned a little bit ago, the insider threat has actually ticked up over the previous year, and you can see that the insider threat is 34 percent of the threat actors that we're looking at.

Another way to look at threat actors is their motivation. As you can see on this chart on the right-hand side, from 2011 on, financial is the number one threat motivator, and this is actually the case prior to 2011 as well; we're just showing you 2011 on. The second motivation for threat actors, and by far a distant second, is espionage. So for financial, we're talking PCI, we're talking fraud, anything where a threat actor can directly make a profit off of, or sell it and make money on the dark web, for example. For espionage, this is something where the threat actor is specifically targeting a certain type of data. Maybe it's just a single file, maybe it's for an advantage when it comes to the corporate world, stealing somebody else's proprietary information, or maybe it's nation-state or state-affiliated when it comes to stealing secrets from computer systems. And then the third motivation up there is kind of a catch-all. It's "other"; we also call it FIG: fear, ideology, grudge, as well as fun. So these are motivations like, for example, hacktivism, which was really big back in 2012; you can see the little uptick there in the green for 2012. It could also

be somebody who's an insider threat; they've got a grudge against their employer and that's their motivation. Maybe they're stealing data or they're destroying data.

So the very first incident type, or data breach type, that I want to talk about is Crimeware. You're probably wondering, why aren't you calling this malware? Well, with those incident patterns that I showed you previously, the nine patterns, if the data breach falls into one of those other patterns and it includes malware, that malware is associated with that pattern. So if it's a RAM scraper scraping PCI data, it's going to be under POS Intrusion. So Crimeware is kind of everything but the malware that fits in those other categories. Probably the best example of Crimeware is ransomware. Ransomware is malicious software; it's something that doesn't fit into the other patterns. It's actually something that can occur across all different industries. I'm going to show you some slides specific to certain industries with some of these incident patterns I'm going to talk about, but just keep in mind ransomware is indiscriminate; it can target any industry. As you can see on the left-hand side, we've got ransomware second only to command and control Crimeware. On the right-hand side, when it comes to data breaches, ransomware is at the bottom, and that's because the data is actually not being exfiltrated; it's being encrypted in place, or typically not being exfiltrated.

So when we look at our data set, we can see that ransomware is 24 percent of the Crimeware, the malware; it's number two, as I mentioned, in the stack right there with the incidents. If you're familiar with crypto-mining malware, or cryptojacking, I do have some stats up here: it doesn't even make our top ten list. It's two percent of the actual malware that we're seeing out there. We do see cryptojacking within our cases, but by far it's really not the most prevalent type of malware or Crimeware that we're seeing.

So this very first situation is ransomware, or crypto-malware, and this is a typical situation

that we see with our cases. You're probably wondering, well, what can forensics do when it comes to investigating ransomware? In the old days there was a possibility we could do memory forensics and maybe find the key to decrypt the files. With modern crypto-malware ransomware, that's not the case; the threat actors have taken countermeasures, or steps, to prevent that from happening. We can come in and advise the customer on what they can do to react to a ransomware situation. We can forensically look at logs, look at systems, and determine patient zero, or the initial infiltration vector.

This particular situation involved key business-critical apps being offline. It was impacting the victim organization's daily operations. Their network shares had files whose extensions had been changed, and ransomware notes were found. So typically organizations recognize a ransomware attack either by seeing the pop-up ransomware notes and notifying their IT or IT security help desk, or by calling the IT and IT security help desk because they cannot access the files anymore; they've got these weird extensions, and when they open up the files it's all gobbledygook. So both of these things were happening for this organization. So as part of the incident response, the organization had backups, so they were reviewing those backups for availability and the time to restore. Files were being restored from the backups; those files that hadn't been included in the backups were being collected from individual systems, for those few days that were in between the backup and actual use of the files, and apps were being reinstalled. However, the organization was still missing a chunk of their files, right? They were encrypted; the ransomware had already taken place. So in doing an investigation and coming in to assist the response efforts: the network shares, the files within those shares, were last modified by a certain network admin account. So that looked like it possibly could have been patient zero in terms of the user account. So immediately admin rights for that network admin account, or actually the entire account, were disabled, logs were collected, and the laptop was forensically imaged.
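The "last modified by" attribution the speaker describes can be done from file-server audit records rather than by hand. The following is an added example, not code from the talk or from Verizon: it takes constructed audit records (timestamp, account, client host, operation, path, in the shape you would normalize Windows object-access auditing or Samba `full_audit` output into; the share paths, account names and extension list are assumptions for illustration), finds accounts that renamed many files to a ransomware-style extension inside a short window, picks the earliest such burst as the patient-zero candidate, and lists ransom-note writes.

```python
"""Attribute a ransomware encryption burst on a file share to the account that wrote it.

Added example; not from the talk. Audit records below are constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import os

# Extensions appended by various ransomware families; ".xyz9" is made up for this example.
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".xyz9"}
# Fragments seen in ransom-note filenames (assumption; tune to the family you are facing).
NOTE_MARKERS = ("DECRYPT", "RESTORE", "README")

# Constructed audit records: (UTC timestamp, account, client host, operation, path).
AUDIT_LOG = [
    ("2019-03-04T02:11:03", "alice",    "WS-17",      "WRITE",  r"\\fs01\finance\q1.xlsx"),
    ("2019-03-04T02:14:55", "netadmin", "LT-ADMIN-2", "RENAME", r"\\fs01\finance\q1.xlsx -> \\fs01\finance\q1.xlsx.locked"),
    ("2019-03-04T02:14:56", "netadmin", "LT-ADMIN-2", "RENAME", r"\\fs01\finance\q2.xlsx -> \\fs01\finance\q2.xlsx.locked"),
    ("2019-03-04T02:14:56", "netadmin", "LT-ADMIN-2", "WRITE",  r"\\fs01\finance\README_DECRYPT.txt"),
    ("2019-03-04T02:14:57", "netadmin", "LT-ADMIN-2", "RENAME", r"\\fs01\hr\payroll.docx -> \\fs01\hr\payroll.docx.locked"),
    ("2019-03-04T02:14:58", "netadmin", "LT-ADMIN-2", "RENAME", r"\\fs01\hr\handbook.pdf -> \\fs01\hr\handbook.pdf.locked"),
    ("2019-03-04T02:30:10", "bob",      "WS-22",      "RENAME", r"\\fs01\eng\draft.txt -> \\fs01\eng\final.txt"),
    ("2019-03-04T08:02:41", "alice",    "WS-17",      "READ",   r"\\fs01\finance\q1.xlsx.locked"),
]


def parse(record):
    ts, account, host, op, path = record
    return datetime.fromisoformat(ts), account, host, op, path


def encrypted_renames(records):
    """Return (ts, account, host, new_path) for renames whose target gained a suspect extension."""
    out = []
    for ts, account, host, op, path in map(parse, records):
        if op != "RENAME" or " -> " not in path:
            continue
        old, new = path.split(" -> ", 1)
        new_ext = os.path.splitext(new)[1].lower()
        # Only count renames that *added* the extension; a file already carrying it is not new damage.
        if new_ext in SUSPECT_EXTENSIONS and not old.lower().endswith(new_ext):
            out.append((ts, account, host, new))
    return out


def burst_by_account(renames, window=timedelta(seconds=60), min_files=3):
    """Accounts that renamed at least `min_files` files to suspect extensions within `window`.

    Sliding window per account; an ordinary user renaming one file is ignored,
    while an encryptor running under an account renames many files per second.
    """
    by_account = defaultdict(list)
    for ts, account, host, new in renames:
        by_account[account].append((ts, host, new))
    hits = {}
    for account, events in by_account.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= min_files:
                in_window = events[start:end + 1]
                hits[account] = {
                    "first_seen": in_window[0][0],
                    "hosts": sorted({h for _, h, _ in in_window}),
                    "files": len(events),
                }
                break
    return hits


def patient_zero(records):
    """Earliest bursting account as (account, details), or None if no burst is found."""
    hits = burst_by_account(encrypted_renames(records))
    if not hits:
        return None
    return min(hits.items(), key=lambda kv: kv[1]["first_seen"])


def ransom_notes(records):
    """Paths written during the incident whose filename looks like a ransom note."""
    return sorted({path for _, _, _, op, path in map(parse, records)
                   if op == "WRITE"
                   and any(m in os.path.basename(path).upper() for m in NOTE_MARKERS)})


if __name__ == "__main__":
    account, details = patient_zero(AUDIT_LOG)
    print(f"patient-zero candidate: {account} from {details['hosts']} at {details['first_seen']} "
          f"({details['files']} files)")
    print("ransom notes:", ransom_notes(AUDIT_LOG))
```

The account and client host found this way are the ones to disable and image first, as in the case above; the `min_files` and `window` thresholds are the knobs that separate an encryptor from a user tidying a folder.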

So it turns out, in doing the investigation, that that actual user account, that network admin account, had received an attachment with ransomware, and the ransomware exploited, in this particular case, an unpatched application vulnerability. So the organization had found patient zero, the initial account. They were looking across their network for any other indicators of compromise. In rolling the incident down to getting back to business as usual, they still didn't have access to certain files, so they considered paying the ransom. It was actually pretty inexpensive to pay it. Ultimately, in the end, they decided to do without those files and not pay the ransom, because there was no guarantee that the actual key was actually going to be provided and would be able to decrypt those files.

So what were some of the key takeaways here for countermeasures? In terms of detection and response, when it comes to these crypto-malware situations: you want to block your access to any command and control servers that have been identified. You want to recall any known phishing emails from mailboxes, and that includes not just looking in the inbox but looking to see if any users had potentially filed them in another folder, or if maybe they were scooped up as spam email; you want to completely eradicate those so nobody can potentially click on them. You want to deploy Group Policy Objects to block executable files and disable macros, and you want to train and sensitize users to report phishing and suspicious system activity. When it comes to mitigation and prevention: you want to keep host-based and enterprise antivirus solutions updated, and you want to patch your operating system and your third-party applications. And then finally, in terms of mitigation and prevention, test and validate data backup processes to make sure you can restore in a timely manner and you've got as much coverage as possible of those files from the backups.

So the next incident pattern (it's kind of hard to see on the cover) is Web Application Attacks. These web application attacks are something that we see; sometimes it involves hacktivism, where somebody's actually hacked a website, or maybe it's somebody exploiting SQL using a SQL injection attack, or doing something that involves those web applications. So when we look at the data set for the DBIR, we can see that in terms of hacking action vectors and varieties in breaches, the compromise of web-based email accounts using stolen credentials, that 98%, is rising. So web-based email is considered a web app attack here, and you can see that on the left-hand side, and also, in combination, the use of stolen credentials. So this is really prevalent in the finance and insurance industry: not only are denial of service and the use of stolen credentials on banking applications very common, but the compromise of those email accounts becomes evident once those attacks are filtered.

So this particular situation is a web app attack with a careless worker. The organization was looking to hire top talent, and they were looking to go beyond just collecting resumes of folks that were interested in the job, so they came up with this great idea to host a hackathon event to generate interest and get really quality candidates applying. The problem was they came up with this at the last minute. They tasked their IT team to come up with a web application, a portal that folks could log into, where they could upload their information and fill out additional information on the page. So this was an enormous success; the organization was able to identify all kinds of top candidates, and they were all excited and ready to send out notification messages to those folks to pull them in for another round of interviews. Unfortunately, while this was happening and they were reveling in their success, they noticed significant traffic accessing their web app server, and there were several antivirus alerts being triggered. So initially the organization was thinking, well, is one of these candidates hacking us? Are they doing something with this web app? The initial investigation determined that an attacker was exploiting a remote code execution web server vulnerability, and there was no web app firewall installed either. So in the rush to put this hackathon together they didn't do proper code review, they didn't put proper security protocols in place to make sure it was secured, and what ended up happening is an outside entity, a threat actor, came in, leveraged web shells for remote access prior to the AV alerts, and compromised the data that was uploaded by these candidates. So it turns out that the organization not only was set to notify candidates that they were accepted, or potentially being accepted, for the next round of interviews, but they were also having to notify the same candidates that their PII was compromised by this attacker. So this was a situation of a careless worker, somebody who didn't have the time and didn't spend the time to put security protocols in place, and it led to a data breach. We often see this: a lot of times there's an insider threat, somebody who's skirting IT security or cutting corners, and it leads to an external entity coming in and breaching the organization.

So some of the detection and response countermeasures: assemble an incident-specific incident response team, in this particular case somebody who can come in and handle web app attacks. Engage a digital forensics firm to come in and do a deeper-dive analysis into the evidence that's available. Collect and preserve evidence and use evidence handling procedures, because you never know if it may go to trial; there may be prosecution, the threat actor may be identified. Prepare public relations responses, especially with these types of events where external entities' PII may have been compromised, or even employees have been compromised in terms of their PII. You want to make sure that you have the proper response and you have that prepared ahead of time, just in case you have to use it. If you already have templates created, it's just a matter of taking those templates and modifying them to the particular incident at hand. In terms of mitigation and prevention: follow a secure software development life cycle; conduct your web app vulnerability scans and pen tests; establish a patch management program; use enterprise and host-based antivirus solutions, including in special situations like this hackathon event; and finally, install web app firewalls, file integrity monitoring, and intrusion detection solutions; and lastly, segment your network and your data. So this was a particular situation that was a great idea, but there wasn't proper planning put in place and there wasn't proper security put in place to prevent a disaster such as this.

So the third type of incident that I want to talk about is point-of-sale intrusions. Now, point-of-sale intrusions are still happening out there. Chip and PIN is still being implemented here in North America; it's been in Europe for a number of years. We do still see point-of-sale intrusions involving the terminal; we do still see skimming,

but what we're seeing more and more is the threat actors moving to where it's easier to get the data: card-not-present, in the cloud, e-commerce environments. But I wanted to highlight the point-of-sale intrusions because they still are something that we see quite commonly in our data breach investigations. So as you can imagine, accommodation and food services, and then I'll talk about retail, are the two big industries where this is a problem. A hundred percent of the point-of-sale breaches in this industry were discovered by external methods. So think about that: the victim organizations are not discovering it; it's somebody else that's telling them that they've been breached. And probably the best example of that is fraud detection, or common point of purchase analysis, where there's fraud that's pointing back to a certain merchant, and that's an indication that that merchant has been compromised. So the payment card folks are contacting that customer and letting them know, hey, you need to have a forensic investigation; you need to have somebody who's QSA-qualified to come in and do an investigation of your network. So that's one of the ways that organizations are being notified. Another is a customer who's notifying the organization that, hey, I didn't make these charges on my credit card, this wasn't me, you know, I think your website's been compromised. Or it might be law enforcement who's letting the customer know that, hey, we've got an investigation going on; your IP addresses, or something pointing to your organization, is indicating to us that you're part of a data breach that we're investigating, so you may want to go ahead and have somebody come in and investigate.

So for retail, as I mentioned, point-of-sale compromises and gas pump skimmers continue to decline. It's because of the EMV implementation here in North America. The number of payment card web app compromises is close to exceeding the number of physical terminal compromises in payment card related breaches. So think about that: on the right-hand side you can see how this is becoming the case, where card-not-present is actually about to exceed point-of-sale, card-present breaches.

So this particular situation is the point-of-sale intrusion, the faux pas. This involved common point of purchase analysis, fraud analysis; the acquiring bank suspected a PCI breach of this particular victim organization, with millions and millions of dollars of fraudulent transactions that occurred worldwide. So this is a big breach. Evidence included transaction flow; when we come in and do the investigation, we're asking for whatever is available to give us insight into the flow of the transactions, if we can get ahold of the CPP analysis, any third-party access logs, point-of-sale system images. Business unit systems and third-party servers were also in scope for this particular

investigation the problem with this situation was there was some counter forensics or anti forensics going on in terms of self inflicted ones where the organization had already started to react to the situation and forensic artifacts were actually lost systems were rebooted if you if you do forensic investigations you know that you're going to lose a lot of volatile data that may not be recoverable when the system starts up again you're going to lose other artifacts that could be key to the system so when we come in and we do these investigations we want to make sure we grab a memory dump at a live system image as soon as possible unfortunately a lot of the systems had

been restarted they had also executed antivirus scans which is great for response but it also potentially changes data in terms of forensic investigation and analysis in particular could be quarantine or deleting the malware it's also going to be changing timestamps of all the files that the a/v touches so in doing the response effort you're actually kind of stepping on the crime scene passwords were also changed and there were also accounts that were deleted and logs were also deleted or they weren't stopped from rolling over okay so there was a lot of evidence that actually wasn't there anymore however the investigation found that the point-of-sale servers had unrestricted Internet ingress okay so that's that's not a good thing there was unknown

remote logins there was a backdoor rat Ram scraping going on there was a network sniffer and there were a hundred thousand clear text transaction log entries on a third party server so there was plaintext payment card information there was various different types of malware there were various different indications that the threat actors had been all over that environment so recovery included rebuilding the systems restricting the remote access with source address filtering requiring multi-factor authentication that wasn't in place for the remote logins in reviewing the third-party service provider service controls okay so in terms of more specific countermeasures when it came to the detection and response this organization didn't have a specific IR playbook for the PCI environment so when

we do our assessments for instant response capabilities more and more common is not just to have an IR plan but also have run books or PlayBook specific to specific incidents that you may have in your organization so this this particular organization didn't have everything they needed at their fingertips to be able to respond to a PCI breach also for detection responses educate responders on effective and a timely response right make sure that to the extent possible they're preserving data and not rebooting systems or overwriting logs conduct proactive Network and endpoint threat based honey or endpoint base threat hunting I should say exercises to detect undetected threats okay so instead of waiting for someone to contact you and let you know

you've been breached go ahead and do threat hunting activities in your enterprise environment to see if the defense is that you have in place miss something okay we get called in quite often to do retail health checks where we come in and we're looking for or open text or clear text payment card data we're looking for malware that hasn't been detected we're looking for other indications that a data breach is ongoing it's just that nobody knows about it we review network and application logs one of the things if you're a fan of the DVI are over the years logs logs logs will tell you a lot but you have to look at your logs right
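The clear-text payment card data hunt mentioned above (the retail health check, and the hundred thousand plaintext transaction log entries found on the third-party server in this case) is the kind of thing a responder scripts rather than greps by eye, because a raw digit regex drowns you in timestamps and order numbers. The following is an added example, not code from the talk or from Verizon: it runs a PAN regex over constructed log lines (the field names and the sample numbers, which are industry test card numbers, are assumptions), keeps only candidates that pass the Luhn check, and reports them masked so the hunt does not itself write full PANs into a new file.

```python
"""Hunt for clear-text primary account numbers (PANs) in log text.

Added example; not from the talk. Log lines below are constructed; the card
numbers are published test numbers, not real cards.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed transaction-log excerpt from a hypothetical third-party server.
LOG_LINES = [
    "2019-03-04 02:14:55 txn=8812 pan=4111111111111111 exp=0322 amt=49.99 result=APPROVED",
    "2019-03-04 02:15:01 txn=8813 pan=4111-1111-1111-1112 amt=12.00 result=DECLINED",  # fails Luhn
    "2019-03-04 02:15:07 txn=8814 token=9f3a... amt=7.50 result=APPROVED",             # tokenized, good
    "2019-03-04 02:15:09 txn=8815 pan=3782 822463 10005 amt=120.00 result=APPROVED",   # 15-digit Amex
    "2019-03-04 02:15:12 order=20190304021512 sku=12345678901234 amt=3.00",            # long numbers, not cards
]


def luhn_ok(digits):
    """Luhn mod-10 check: from the right, double every second digit, subtract 9 if > 9, sum mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Digit strings in `text` that look like a PAN and pass Luhn (separators stripped)."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan):
    """First six and last four only, the usual PCI display form; never emit the whole PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_pans(lines):
    """One finding per (line, PAN) pair, 1-based line numbers, masked for reporting."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            hits.append({"line": n, "masked": mask(pan), "length": len(pan)})
    return hits


if __name__ == "__main__":
    for h in scan_for_pans(LOG_LINES):
        print(f"line {h['line']}: clear-text PAN {h['masked']} ({h['length']} digits)")
```

Luhn only filters; it does not prove a hit is a card number, so review the surrounding field names. Run it across application logs, database dumps and third-party feeds alike, and treat any hit on a system outside the cardholder data environment as a scoping finding in its own right.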

They shouldn't be just there for the investigators; they should be there for the cybersecurity folks to look at on a periodic basis as part of your monitoring efforts. Define what's suspicious or anomalous and then look for it. Don't just have the logs there and nobody touching them. And also make sure you have logs, because we do see situations where there aren't enough logs or the logs are rolling over; the breach occurred a couple of months prior and we only have, you know, three days' worth of logs. For mitigation and prevention: implement system hardening baselines; conduct vulnerability scans quarterly and pen tests annually. One of the things that helps out in terms of forensics is getting a forensic image of the baseline builds for the systems, because then we can compare and contrast it with any of the suspected or compromised systems to see what the anomalies are, what the differences are, so we can narrow down the malware as soon as possible. And implement multi-factor authentication for non-console system access; for that remote access in particular, use that second factor of authentication. And then finally, assess your third parties. Don't forget about the third parties and their access to your environment. Don't just cover down on your environment and your folks, but also make sure the third party is properly secured and following protocols to get that access to the environment.

OK, this next one is Cyber-Espionage; this is the fourth one. This topic is very interesting to me. It's very hard to detect cyber-espionage, and it's very hard to investigate, because the threat actors have a specific intent. They're looking at specific data, and they're also looking at not being detected, or even investigated, so they're going to be covering their tracks and taking steps to make sure that their tracks are as few as possible. So one of the industries where cyber-espionage is really big is manufacturing. There are a lot of financially motivated breaches within manufacturing, but espionage is still big; it's a strong motivator because that's where the system designs are, that's where all of the secrets are, as the manufacturers are developing new models or new devices for production. Most breaches involve phishing and stolen credentials, and most breaches with a web app as a vector also featured a mail server as an affected asset. So you can see here web applications and stolen credentials for manufacturing are at the top of the list. Public administration is also big with cyber-espionage; it's rampant in the public sector. This is government. State-affiliated threat actors are targeting government secrets, classified information, sensitive information, and that accounts for 75% of all breaches involving external actors; it's the cyber-espionage. There's been an uptick since last year, and you can see that, 168 percent.

So this particular situation is the inside agent. We often see data breaches involving an insider threat where there are organizational changes going on, and I have another situation to talk about for the next scenario, the next incident specific to the insider threat. This is also an insider threat, but this involves an external threat as well. So this organization was announcing unilateral pay cuts across the board. This included everybody, including the janitorial staff. So a threat actor that was monitoring the situation actually came up with an idea to get into the environment using a physical means. They identified a janitor, approached the janitor and said, hey, we'll offset your pay cut if you take this USB device and plug it into some systems one night when nobody's around; nobody will know, and we'll pay you for doing that. So the janitor agreed. Malware alerts soon went off in the environment, indicating that some external entity was actually touching these systems. So the organization was like, what's going on here? They started looking through the domain logs for indicators of compromise, and several systems were being accessed by an administrator account. So they were befuddled; they didn't understand how the threat actors got into the environment. And it turns out, as the investigation progressed and as we looked at the evidence sources, we did some temporal analysis comparison and we saw that, as antivirus alerts were going off, right before that, USB devices were being introduced to each of the systems. So there was a correlation there with time. So this switched from not just a logical breach but also a physical security breach. By doing the timeline analysis, the time frame was in the middle of the night, there were very few people in the organization's building, and so there was a short list of folks to interview. So it turns out the janitor went ahead and confessed to what he had done. He was promptly shown to the door and his employment was terminated. So this was a situation involving an insider threat introducing a physical device in person to the environment, and an external threat leveraging that access that the janitor had, and that financial situation the janitor had, to get logical access into the environment and cause a data breach.

So what were some of the countermeasures? In terms of mitigation and prevention: establish a host-based USB device access and antivirus policy. So block those USB ports, or if you're going to have USB access, limit the number of devices that are accepted to be plugged in, and make sure your antivirus is scanning USB devices as well, if you're going to have that as part of your policy. Disable your USB device autorun functionality so that it's not auto-running when you plug it into the system, and limit your local account admin usage. Now there's plenty of other countermeasures that can put

input in place here including including physical security controls monitoring folks and all that but essentially the biggest problem here was introducing the USB device to the system by somebody who doesn't even have logical access to the system they only had physical access now this I actually have two scenarios for this I couldn't decide which one to include so I do have enough time to cover both of them so this is insider and privilege misuse both of these scenarios were taken from an insider threat report that we did earlier this year and within that report we highlighted five different types of insider threats okay one type of insider threat was disgruntled employees right there causing damage or they're stealing

data okay another type of insider threat was that kind of just covered with cyber espionage somebody who's stealing data on behalf an external entity all right the third type that we've seen in our cases and insider threats who are stealing data for their own personal gain maybe they're going to a new company and they're taking customer lists with them or a sensitive information that they can use in their new job the fourth type of insider threat is threat actors who are actually actually threat actors who are causing damage to the organization because they're upset okay those insider threats are insiders who are detected rather quickly because they're causing some kind of damage to data or assets and

then the fifth is a supply chain where it's either an external entity that has accessed the environment or it's a piece of hardware that's been introduced the environment and causes problems so I'm going to focus on two of those in particular here wanted to point out for the healthcare industry this is the only industry that we see within our data set compared to all the other ones where the insider threat is a bigger threat than the external threat it's actually flip-flop with external threat and when an internal actors involved 14 times more likely to be a medical professional okay it's no not admin folks it's a nurse or a doctor okay so either they've done something wrong

by accident okay and compromised the system or they're actually doing something they shouldn't probably a good example is maybe they're looking at somebody else's patient records maybe it's an athlete and they're seeing when that athlete is gonna be back on the field and they don't have a need to that information denial service attacks are infrequent but ransomware is big for the health care industry I know we're talking insider threats but it's big and you've probably seen news accounts of different healthcare organizations being attacked by ransomware in the last year or so so this is the disgruntled employee so this also the situation also or was the circumstances involved an organization change so a manager was

disgruntled wasn't sure of his new role he knew was getting more responsibility and not anymore pay so he went ahead and decided he was gonna leave so he used his admin access to take over accounts and download confidential files at about the same time a programmer reported an application on a server having unexpected failures okay two separate incidents happening at the same time the Nexus was log entry examinations showed that the amount managers account was logging into these servers before the problem started so we have a connection between those two incidents so the manager admitted to accessing email boxes and collecting data for use in his new job he was interviewed okay we were called in to do the investigation at

that point our forensics confirmed that that had happened but as with any case you never know what else is what's the rest of the story so further analysis into the situation found that this is disgruntled employee not only was looking to take this data that he had stolen but he was leaving a nice little present behind for his employer in the form of logic bombs that were scheduled to go off at critical times trying out the year including the tax season so after he was long gone he was leaving a nice little present so look at this countermeasures for this type of insider threat the disgruntled employee maintained a need to know regarding restructuring moves only so

you know make sure that the information it released is appropriate for the people that are receiving information and that way you can keep rumors from floating and you can keep keep folks from not being disgruntled or paranoid in terms of their job implement an action plan to mitigate vindictive behavior by those affected so what happens if you have an insider threat do you have a playbook or an action plan that tells you what you need to do next because with these types of situations and a lot of times they don't involve malware it's going to involve other folks it's going to involve human resources likely it's going to likely involve a legal counsel it may even involve some other

stakeholders such as corporate communications so make sure that they understand what their roles are make sure everybody understands what each other's roles are and have that in a run book so if you have this insider threat type of situation you know how to react as part of the transition conduct a thorough asset inventory so as people are leaving the organization or moving around inventory the assets that have been assigned to them make sure you collect all the assets as they leave the organization if they have access to critical information or critical assets hold those those put those on legal hold for a number of months or six months or whatever long your policy says have

those on hand for investigation if an investigation is warranted after that employee leaves detection and response work closely as I mentioned with human resources and legal throughout the investigation so this other this bonus insider thread this is the malicious insider this is somebody that is an employee that has that trust and privilege and access to assets and data in this particular situation the victim organization had an employee who was using their smartphone to take photographs and works in their workspace cubicle so basically they were bringing up the computer screen taking pictures of the data that was on it and this happened to be other customer financial data they were then uploading the data to the corporate cloud okay so the

incident responders came in started looking calling the investigators we came in the cloud drive and a review of that found hundreds of customer banking credential photos up there and the time stamps actually went back weeks and it turns out as the investigation progressed in surrounding employees and cubicles were interviewed folks had heard the actual photographs being taken right but they didn't think anything of it and they were working in a sensitive portion of the organization but nobody reported it okay during the exit briefing the employee claimed that technically wasn't a breach the photos never left corporate systems they were up in the cloud so you would think that's all that can be done well it turns out looking outside of the

enterprise environment looking at other intelligence evidence sources the clear web the dark web the deep web doing that research turned up a connection with this employee who had a boyfriend who had a criminal record okay and the criminal history involved financial fraud selling payment card skimmer data on the dark web okay so there was there a potential connection was this employee was she going to go ahead and transfer this information to her boyfriend for sale on the dark web in this particular situation the rest of the story was told outside of the enterprise environment so mitigation and Prevention so control and restricted access through the principal need to know trade secrets customer data and that sensitive proprietary

information for those restricted areas restrict cameras and smartphones disable access to activity deemed inappropriate malicious or otherwise posing a risk to the organization and in terms of detection response increased monitoring and logging of sensitive restricted areas systems and data then finally monitor user behavior on systems to include external device usage in this particular case it was uploading photos a digital camera to the cloud one last thing I wanted to kind of impart with you from the DB IR is unbroken chains and path based attacks on the left hand side you can see the number of steps in terms of a number of steps per incident and on the right hand side is the number of steps in terms of the attack success

so what this is telling us when we look at the data set is most successful attacks are short and it's likely because it's cheap for the threat actor it's easier for the threat to a threat actor and it's successful for the threat actor so by applying these countermeasures that I mentioned today you can go ahead and take steps to prevent these attacks from occurring or at the very least mitigate these attacks and force the threat actors to take more steps to get what they're after whether it be financial gain or whether it be espionage the longer their attack steps and their attack string is the more chances they're going to be detected and can be thwarted with their activities

so some takeaways keep it clean clean up human error establish an asset security baseline around internet-facing assets keep data on a need-to-know basis so only the staff that needs access to the systems to do their job should have that access be wary of inside jobs track insider behavior by monitoring and logging use two-factor authentication this limits damage can be done with loss or stolen credentials in fact use the third factor if you can patch promptly both your operating system your applications this can guard against many attacks includes ransomware maintain integrity use a fem system especially on payment sites encrypt your sensitive data be vigilant log files and change management systems can give early warning of a breach they

shouldn't be a tool that's used for investigators later on have your responders and your sock folks looking at those logs and monitoring for what's considered an anomalous and suspicious and then stay socially aware I didn't mention this too much but a lot of these data breaches that we see are preceded by a social engineer attack whether it be fishing spear fishing credential harvesting web site drive-by downloads all of those kind of things are taking advantage of the human element and getting into the environment through that human error or folks not paying attention to emails that they receive and clicking on those hyperlinks finally remember it takes a team it's not just an IT security problem when it comes to

data breaches over the years I've seen data breaches more and more complex in terms of the threat actors and what they can do but it's more and more complex in terms of stakeholders being involved it's not just the technical folks it's also HR physical security corporate communications outside council data loss perfect prevention and a list goes on and on if you're interested in more data breach reporting we do have a monthly intelligence briefing every month a third Wednesday and BrightTALK you can download the DB IR from the link above you just google search Verizon Dvir you can also download the insider threat report if you're interested in how we do the analysis for these breaches to build

the DB IR you can read about Varys in the rising community database online and finally if you have any specific questions to the DB IR itself you can reach out to our DB our team thank you very much and have a wonderful day [Applause]
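The temporal analysis John describes for the USB scenario (antivirus alerts on each host firing shortly after a USB device appeared, in the middle of the night) can be scripted. This is an added example, not code from the talk or from Verizon; both log formats and all sample lines below are constructed for illustration.

```python
"""Correlate USB insertions with antivirus alerts on the same host.

Added example; not from the talk or the DBIR. Log formats are constructed
(fields: timestamp host event detail) and do not match any real product.
"""
from datetime import datetime, timedelta

# Constructed sample logs: two overnight insertions are each followed within a
# minute by an AV alert on the same host; the daytime events are unrelated.
USB_LOG = """\
2019-03-12T02:14:05 ws-17 USB_INSERT serial=CONSTRUCTED-01
2019-03-12T02:31:40 ws-22 USB_INSERT serial=CONSTRUCTED-01
2019-03-12T10:05:12 ws-03 USB_INSERT serial=CONSTRUCTED-02
"""
AV_LOG = """\
2019-03-12T02:14:48 ws-17 AV_ALERT Trojan.Generic
2019-03-12T02:32:10 ws-22 AV_ALERT Trojan.Generic
2019-03-12T11:40:00 ws-09 AV_ALERT PUA.Adware
"""


def parse(log):
    """Split 'timestamp host event detail' lines into (datetime, host, event, detail)."""
    events = []
    for line in log.splitlines():
        ts, host, kind, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events


def off_hours(ts, start=22, end=6):
    """True when ts falls in the overnight window (22:00 to 06:00)."""
    return ts.hour >= start or ts.hour < end


def correlate(usb_log, av_log, window_s=300):
    """Pair each AV alert with a USB insertion on the same host that occurred
    up to window_s seconds earlier. Returns hits sorted by alert time."""
    usb = parse(usb_log)
    hits = []
    for a_ts, host, _, signature in parse(av_log):
        for u_ts, u_host, _, detail in usb:
            lag = (a_ts - u_ts).total_seconds()
            if u_host == host and 0 <= lag <= window_s:
                hits.append({"host": host, "usb_time": u_ts, "av_time": a_ts,
                             "lag_s": int(lag), "signature": signature,
                             "device": detail, "off_hours": off_hours(u_ts)})
    return sorted(hits, key=lambda h: h["av_time"])
```

The same host plus off-hours flag is what produced the short interview list in the case; the shared device serial across hosts is an extra pivot the script exposes.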