
Insider Threats: Dealing with the Attacks That Can Cause the Greatest Harm

BSides Vancouver · 2022 · 57:37 · 88 views · Published 2022-07
About this talk
David Balcar examines real-world insider threat cases from his forensic investigations, contrasting Hollywood dramatizations with actual incidents including a rogue system administrator selling company information and an employee attempting to steal manufacturing secrets. The talk dissects the motivations and tactics of various malicious insider archetypes—leakers, blackmailers, snoopers, and would-be spies—and argues that organizations must expand threat hunting to detect and stop insider threats through metadata visibility, access controls, and behavioral monitoring.
Original YouTube description
Real vs. Hollywood insider threats. During this talk, I will show instances of insider threats from around the world including two specific cases I have worked over the years where I caught insider threats. We’ll talk about what they took, how they took it and how we were able to catch them. These examples will reinforce my talk with personal experiences. Case No. 1 will be the story of a rogue system administrator who was selling info to acquisition targets. Case No. 2 will review a case where an employee was trying to steal the formula for a manufacturing process and client lists, as well as trying to damage the employer by sending confidential info to employees. We’ll get inside the minds of various kinds of malicious insiders -- from the leaker, to the blackmailer, to the snooper, to the wannabe spy -- and why every organization needs to expand threat hunting to insiders like them.
Transcript [en]

forensics. I'm usually the guy brought in to break all the things; I'm pretty good at that. I love everything from social engineering to getting into different kinds of networks, so I've actually done a lot of cases, and I'm going to talk about one of my cases that I've worked with law enforcement over the years with insider threats. You've got my Twitter handle right there if you have any questions, or you can email me as well and we can always chat.

I always like talking about the threat landscape a little bit. I wish we had Paul Blart to help us when we need help, but the threat landscape out there is crazy. So when we see stuff like this: here's a hotel where I was giving a talk a couple of years ago, and the manager made a point to me when I checked in, saying, "Hey, you have a card, and be sure to use that card to get to your floor." I was like, oh okay, they've got decent security. I get into the elevator and guess what I see: a permanent card attached to the elevator door. Of course, being who I am, I definitely had to try it, and of course I could get to any floor that I wanted. Being a magnetic card, it's going to be really easy to clone. I actually didn't have a cloner that day, but if I did it would have been really, really easy to clone that for sure.

You definitely don't want to... this is the insider blocking their boss from seeing what they want to do, for sure. I know we've all heard of BYOD; this is BYOFE, bring your own fire extinguisher. You probably don't want to be in this building when this goes off. And how did the guy putting the railing there actually say, "You know what, this is a good idea, let's block this door"? Probably not good. This is your, hopefully there's no one from Cisco here, but this is your network protected by Cisco. Just kidding. We've heard of people propping open doors and people that will walk in; a perfect example right there. And then of course people leave their codes out there for everybody to get to, which is really tough to see. And just a quick one: the one on the right was taken at a security conference a couple of years ago, if you can believe that. Definitely watch out for where you charge your cell phone and who's actually providing that electricity, or electrons, going through there. You never know who the insider is.

So what does Wikipedia say? What is the insider threat? It is that malicious threat to any organization. It could be employees, former employees, contractors, business associates; contractors that are out working and have higher access than everybody else, right? They can just walk through the front door, which is kind of crazy. One of the things I like to say: if you ever get a chance to read The Art of War, read The Art of War. There's a lot of stuff in there that you can use in day-to-day cyber hygiene and cyber security, and I like this one particular quote: "If you know your enemy and yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat." I think that second sentence is so true. You've got to know who the enemy is, whether it's a nation-state attack, an insider threat, or what about hardware failing? That could be a threat as well. So I think it's a very good saying in relation to cyber security.

So what does Hollywood say about threats? I'll give everybody a second to look at this picture. What was this guy doing, what kind of insider threat was he? He was doing IP theft for sure; he was trying to steal the dino DNA, so to speak. I don't know if you watched this; I know a lot of people watched this in the US for sure. And again, thanks to everybody for having me today in beautiful Vancouver. I wish I was there; I'm actually at a race track called Lime Rock Park, if you want to Google that, in Lakeville, Connecticut today. So in Mr. Robot he was trying to do sabotage, right? He was trying to knock out the building so they couldn't restore all the financial data. Then we've got this guy. What do we think this guy was doing? This guy was trying to do fraud; he was actually trying to do the Superman III fraud, siphoning off hundredths of a penny on every transaction over multiple transactions. Well, of course they messed up and it was subtracting dollars at a time on every transaction. Then we've got this guy. What do you think this guy was doing? Well, this is Ed Snowden; this is actually from the movie Snowden. So was this guy doing espionage against the US government, or was he a whistleblower showing what was being done? It is very controversial even to this day, for sure, to even think about that. And I'll talk about a case that was similar in a commercial space, anyway, where, you know, was it a whistleblower or wasn't it a whistleblower.

So I've got this picture. This is a tweet from a couple of years ago, and I always find it interesting because I do a lot of hardware hacks and research on reverse engineering different kinds of hardware. It was interesting when I saw this, because this was a daughter board in a Cisco switch that they sold several hundred of, but if you look closely at it, that is a cyber espionage device, and that device was actually talking back to China for different things, and they could look for anything with that implant. So I always ask, especially if I'm there live: how many people have actually taken apart their equipment before they put it online? Very few people do that. I know I do. When I get new equipment I'm going to pull it apart; I want to see if there's some kind of implant. This implant was easy to find for sure, but there are definitely other implants that are going to be extremely difficult to find. Now, you couldn't protect yourself against this; if this was in your network, it's game over. So you have to be very vigilant around supply chain and other things, and where you're getting equipment from.

So some of the stuff that's in the news. Of course, this is insider data theft during remote work; of course that's huge during these last couple of years for sure. Then you've got this one: this particular insider was sentenced for sabotaging PPE shipments. It's not just cyber; it's across the board. Where else are these insiders messing with their stuff? This is a real bad one; this is all about banking. This was in May of last year, almost a year ago. The cipher was looking for insiders at Bank of America, Chase Bank, Wells Fargo. They were trying to get access to someone who could basically authorize transactions. They could hack into the banks; they were trying to send transactions across them, and they would say, okay, we're going to deal with amounts over $200,000 to several million, and they would give whoever they could get a figure, seven to eight figures a week, that they could run through there. Crazy, crazy times. And they were going to get definitely a cut, right, 40 to 50 percent, so whoever could do that was going to make a ton of money and definitely going to go to jail for a very long time.

Here's one: this is a former IT admin. I like this guy; he really was innovative. This is several years ago. Not only did he leave a back door, but he accessed his company's network over 700 times in one year, which I find kind of amusing, because that's averaging 2.3 times a day, connecting and doing something on their network every day for a year. I guess he didn't take off for Christmas, New Year's or his birthday; he kept working, and they didn't discover him until a year into it, which is kind of crazy. Here's another one, this is a rogue IT guy, back in 2018. If you ever get a chance to read this story, it's pretty interesting, and I like to say "going off the rails" because it had to do with Canadian train switches and he was shutting them down. He did get a year and a day behind bars for that as well. Here's a story about a terminated employee: what he did was hack his way back in, and this is again all the way back in 2009. He actually compromised over a thousand servers across that network. So you have to be vigilant across logins, data transfers; it's a lot to watch, and we'll talk more about that in just a little bit.

So what about this? This is the easy stuff, right? This is an insider job at a medical clinic. They were actually taking their phone and just screenshotting their little iPads and their computers, because they weren't allowed to print, they weren't allowed to do certain things on those computers, and then this person was selling that data. Very hard to catch; they actually caught them through security cameras. This is always bad: this is a couple of years ago, this particular company's employee sold customer info to tech support scammers. We've all seen those tech support scammers, but now if they've got more inside information, man, it makes them more credible when they call you and say, "Hey, I'm with such and such, and we noticed that you own such and such product." They can get more specific in their phishing attempts to try to scam you and get into your computer.

DLP, the three-letter word. It's tough. DLP is very tough to get built correctly, I would say, across the board. I haven't seen a really great install of DLP because there are just so many ways to get around it. You can see this particular company was suing these four former employees for stealing company data, and they didn't catch them with their DLP; they actually caught them after the fact, because it was several salespeople that were stealing customer information to go to a new company.

Now here's an interesting one. This is when the FBI arrested an NSA contractor for leaking secrets to the media. Well, yeah, she's sitting here looking like she's getting ready to smile: "Hey, I'm having a great day." But they actually caught her because she couldn't send the information and she couldn't put it on a USB drive, so what she would do is print it and actually walk it out the front door to give it to the media. Well, once they were on to her, they actually did the drop; they grabbed the paper from her. What most people don't know is that for a long, long time now laser printers and such will print micro dots in very, very small sections, so you could actually take a piece of paper and, if you have a really good microscope, you can actually find this stuff. It's got the serial number of the printer, it's got a date and time, it's got several pieces of metadata, and that's how they tracked her down, because they could track exactly what printer it was that she was printing from.

So another one, and of course you've got Steve Harvey looking like, "What happened?" This is a rogue system admin: he shut down and deleted core files on the day he was fired. So what do you do with that? If you've got a rogue admin, or someone that's a disgruntled employee, how do we prepare for that? Do we have good backups? Do we have a process in place that says, okay, you know what, a week before you leave, or two weeks, we're going to shut your access off? I know it's hard to believe someone just walks in and walks out, but you've definitely got to have some policies and procedures and be able to look at some of that stuff.

So a little case that I worked on several years ago. This particular insider, this was at, we'll call them a chemical company. And this was multiple players, multiple insider threats. It all started with one of their salespeople leaving and wanting to go work for the competitor, and these two competitors only sell the same stuff, so it's a very guarded secret how they produce their chemicals and whatnot. What was interesting, though, is I was at this site doing a security audit, actually doing some pen testing for them, and the IT director came up to me and said, "Hey, we have an issue that we want you to look at." And I said, "Well, that's interesting, I've got an issue I need to talk to you about." So he proceeded to tell me, "We had an employee, or somebody from the outside, send an email inside our company with our employee list." They actually knew our group names, and they sent all the salary information, spreadsheets of what everyone was making and bonuses and everything, to everybody in the company, so it really caused a stir. At the same time, on one of my laptops... because when I do pen testing I actually carry two laptops; one I set up as, quote, a honeypot, just in case, to see what's happening on the network, and it kept getting scanned, and plus my main computer kept getting scanned. So we started tracing it, and we were in the IT department, and it was actually somebody that was just two cubicles over, because we traced the wire down, and they were scanning our boxes trying to look for vulnerabilities. It's like, what are they trying to do? And so when I approached the IT director about this, he goes, "Man, that's funny, but I don't believe it's that guy. I don't know why he would do it; he's probably just goofing around or something, it's probably not real." It's like, okay. So we proceeded to investigate the case, and of course the scans got more and more frequent on the boxes, and during our investigation I learned that there was a laptop from the salesperson that we wanted to do forensics on, and so forth. But I had a sneaking suspicion about this particular insider, an IT admin, so we actually set up a little sting. Their main office is 20 minutes away from the plant that we were at, so we said, "Hey, can you please go to HQ, pick up this laptop and bring it back so you can re-image it?" What he didn't know is that we had already forensically taken a copy of the hard drive: we took the original hard drive out, cloned it to another hard drive, put it back in the machine, and we had a private eye along with one of our other guys follow this guy out, and it took them over 45 minutes to make that 20-minute drive. Well, I got a call later that day, as soon as the guy showed up, from the PI, and he says, "Hey, you'll never believe this. I have pictures of this guy in a parking lot with his laptop open and he's wiping out files." And we saw all the evidence because we could compare the two hard drives, and that's what he was doing; he was actually covering for the sales guy. So fortunately we caught this guy, we got the sales guy, we actually worked with the other company, and they said, "Hey, we don't want any part of this and we'll help you in the investigation." Well, it turns out both people were caught, and it was not a good situation for anybody. They actually went to jail for several years for stealing information, especially formulas and sales information and everything else. Bad, bad stuff.

So here's my WTF moment for the day. Of course you've heard this story about Anthony Levandowski. He was trying to steal trade secrets from Waymo and give them to Uber; the guy smiling on the left is the old CEO of Uber, Travis. And it's interesting: I currently work at VMware, and our software actually was the one that was used in this. It was when I was with Carbon Black; they bought Carbon Black. And we could tell exactly how many files there were, and what specific USB drive they stole to store all these files. So when Google testified in court, they said, "Yep, this is the software we use, this is how we found out," and all that kind of stuff. So fast forward a little bit: he did finally plead guilty to stealing Google trade secrets, and as of a year and a half ago he got 30 months in prison for it. So not a good thing.

Here's my honorable mention today for insider threat. This US employee actually outsourced his job to China, but he did it in an interesting way. When they worked remotely they had to have RSA tokens, the ones where the six-digit number changes every minute, and what he would do is get that and FedEx it to somebody in China, and they would VPN in. And what he would do is sit there and watch cat videos on YouTube, look at eBay, Reddit and everything else, and this other guy did his job, and he would just pay this guy to do his job. He got away with it for quite some time. Just crazy, crazy stuff out there for sure.

I love this one; this is my best one for sure. This man hacked the jail computer network to try to get his friend released early. When I made some inquiries into this one, I said, why didn't y'all just let him come pick up the guy instead of arresting him? So they went out and arrested him, this engineer that did this; they arrested him at his house. But I was like, man, I would have let him come to the prison to pick up his friend, that way you can get both of them and just put them both in prison. So yeah, funny, funny times.

So some of the stats out there that you may or may not know. Insider threats pose one of the biggest security risks out there: over 91 percent of IT and security professionals feel they're vulnerable. And I always ask, why do you feel vulnerable? And usually it's the visibility: we don't have visibility into whatever this threat could be, whether they're stealing data, they have the wrong access. And I'm all about this: you've got to have that visibility, you've got to have that audit capability to be able to look at not only who's logging in, so you can catch more than just, quote, insiders, but as people are trying to... whatever attacker it is, whether it's a nation state or whatever, it's going to be doing lateral movement across the network, and you can catch them for sure. So Code42 is a couple of years old; I haven't seen a new list for this, but almost 70 percent of security leaders say DLP cannot stop insider threats, and they're right. I know in my pen testing days I've beaten lots and lots of DLPs, either trying to get credit cards past it or just getting gobs of data past DLPs one way or another. It can happen. Encryption is usually the number one answer to get around those, unfortunately, because you'd have to be able to decrypt it on the fly to look for that stuff. So the other thing is, also over 60 percent involve employees planning to leave. If you're going to leave, just leave; don't try to mess with the employer. It's just crazy, just asking for trouble. So that was one of the biggest things where they saw everything from stealing sensitive data, that was the number one thing, to getting privileges that they shouldn't, to getting data, and even sabotage, down to five percent of that were trying to sabotage. And that's what most people think: oh, it's an insider threat, they're going to sabotage me. But it's the data theft that you really have to think about. It's like, what is my IP, right? What am I keeping, what's valuable for my company? If we're selling widgets, it could be the design of that widget, it could be the process of the molds to make it, everything else you have to keep track of.

So what are some of the things that we're missing? Everything from insufficient data protection strategies and solutions. Definitely the biggest one is the increasing number of devices with access to sensitive data, as we've seen over the last couple of years; you've got this strain on SOC teams around the world going, man, everybody's remote, I've got no data island, it's getting hit from 500 different directions. That's kind of crazy, right? You've got everything from the mobile side, lots of mobile stuff; you've got a lot of machines that are behind a wireless network at home with a home router with no security on it. You wouldn't believe how many homes have the default password for the routers. You've seen the attacks against D-Link, Linksys and so forth where it was the default password and they never changed it. I think cable companies are some of the worst, where they don't do a good job of "hey, you might need to reset that password," and that's what they should do. So if you're starting to look at some of the new things, the software should be changing that password as soon as you get it. I know it might not be super convenient, but it has to be done so we can get this stuff updated and stop some of these attacks for sure.

I know at my house I run five different networks, and one of them is a honeypot, and I'm looking at a side band off of my Internet connection: okay, what attacks are coming at me, so I can make sure my networks are protected. I've got some air-gapped stuff for my lab and so forth, but it's amazing, the scans every single day that I'm getting hit by. I'm still seeing EternalBlue out there, believe it or not, and lots of the ransomware, lots of different things looking for different ports: 135, 139, 445, looking for those ports. I've seen quite a few DNS hijack attempts too lately, because I also spoof a DNS server, trying to pull DNS records out. Then you've got more employees, more contractors, partners accessing it. If we look at the attack against Target several years ago, it was the partner that got breached first, and then they used that VPN connection to get back to the main network. Again, the network wasn't segregated; they got into one part of the network, which got them right into the POS systems. Crazy.

Definitely we're seeing this increasing use of cloud apps and infrastructure. How is that being tested? How is it being verified that, hey, I know who did it, when they did it, and possibly why they did it, of trying to get access to data? That's huge. I'm seeing a lot of different companies out there that say, hey, we've got this great app, but okay, what are you doing with my data? Is it segregated from everyone else's on your cloud platform or not? Is it encrypted? Do I own the encryption key, do you own the encryption key? Can I pen test it? These are some of the questions you should be asking your providers if you're going to some of these cloud instances. We've seen a lot of attacks recently, especially on APIs and Docker containers, any of the container stuff, because we know it goes up and down and they have to attack fast, get in, get out as quickly as possible, because we know that Docker containers can just be wiped out and restarted and they've lost their connection. So we're seeing a lot of that, and that's one of the things that keeps me up at night, so to speak: the use of APIs and how insecure a lot of them are. There's no visibility into them; "oh well, we have it open, but there's no auth, we just give our API out for people to use." It's like, you've got to have some type of auth and some RBAC in there for sure.

So some food for thought for today, and again, if there are any questions, please feel free to post your questions in there; they'll stop me and I can answer the questions live for you. I'd be happy to do that as well; I definitely love being live. We've looked at some regulations, and I really liked the GDPR actually, because as you can see from this, several years ago they saw a huge decrease in insider threats: it fell by over eight percent in the past 12 months in the UK, while the US grew 8 percent, from the insider threat perspective. So it's interesting: how do we get that perspective here in the US and get some of these controls in place to where we can alleviate, probably not 100 percent for sure, because where there's a will there's a way, right, but get better visibility, push some things in process where I'm not changing my security posture except making it better, but not messing with my processes and my business as well.

So definitely some good news; this is a good one. This was going to be a huge insider threat case. A couple of bad guys basically talked to a Tesla employee and said, "Hey, we'll pay you," I believe it was $500,000, "to insert this thumb drive into the Tesla network," right at the Gigafactory. Thank goodness the employee says nope. Or he didn't really say much; what he did is contact security, they got with the FBI, they set up a sting, and then they were able to catch these guys. Crazy stuff. I mean, that's a whole lot of money just to insert a thumb drive.

I worked a case several years ago as well; it was an insurance case, and I got called by an insurance company at a bank. They didn't understand: they're in a high-rise building and they were losing servers and switches and routers and different hardware that was just walking away, and they could never pin it on anybody. They kept thinking it was the IT team, but they never did anything with it. It actually turned out to be a third party. I actually pretended to be part of the cleaning crew for about two weeks until we finally caught who was doing it. Because the cleaning crew had access to every single room with their card key access, they could just swipe it, and they would clean out the trash cans in the server room, which I can guarantee you now there's no trash and no one's allowed in the server room. But they would actually take something out of the box, put it in their trash can and wheel it right out the front door and go into the service elevator. Well, back in those hallways there were no cameras or anything, so the bank couldn't figure out who was stealing it. Luckily they did catch the lady that was doing it, and she turned evidence on the cyber gang that was actually doing the thefts with her, and they paid her basically $500 every time she walked out of the building with a piece of hardware. So crazy stuff.

So some of the stuff that you should be reading. This one is put out by the National Counterintelligence and Security Center; I've got the link at the bottom, and again my slides will be available, so if you can't write this down fast enough you can look for "Insider Threat Mitigation for U.S. Critical Infrastructure Entities." It's actually good reading for looking at some of the mitigation you can do, against not just critical infrastructure but your own entities. I mean, definitely if you have critical infrastructure... I think everyone has some type of critical infrastructure that they've got to keep up. So that's really good; it just got published last October, and it's at dni.gov, so you can look up "insider threat mitigation" for that. Another one is "Insider Threats and Commercial Espionage: Economic and National Security Impacts." This is from INSA, for their insider threat subcommittee as well. This one was published last year, May, I believe. Oh, five, yeah. So another good one to read. It can also give you some of those steps and some of the things you need to be watching out for when dealing with insider threats.

So I know my talk is kind of quick, but before I give you Dave's top ten, I'll tell you one more insider threat story here. Several years ago at work I got a call from one of my business partners, and he goes, "Hey, I've got a customer in such and such city that said they think they're being bugged, and they think they have someone that's basically breached their network, can read all their emails and everything; they think all their communications are affected as well." So it's like, okay, I'll talk to the guy. I didn't have a phone number, but the guy called me from a burner phone, and it was the CIO. So we met the guy; he actually wanted to meet at like one o'clock in the morning in basically an empty parking lot. Of course I brought some bodyguards for that, because we trusted the guy, but you just never know, right? We definitely did our due diligence before we had this meeting. Super nice guy. He explained to us, "Dave, we think all my comms are compromised." That's the only reason he wanted to meet where it wasn't at the office or anything like that. What was interesting, though, is we formulated a plan. They thought they knew who was doing it. It was an insider: it was the network administrator, the main guy, and he had been there for almost 10 years. So we set up a sting. We actually got at his computer; we put spyware, keylogger and screen-grab software on his machine and tied it directly to the CIO's machine, so the CIO could see what's happening, with no one else, not even us. We actually installed it at like three o'clock in the morning and then we walked out. But we also had to reboot his computer; we covered our tracks, and thinking about what this guy was doing, based on some other factors, we actually turned off all the computers in front of his office and rebooted all of them to simulate a power failure, basically. He came in the very next day, got on his computer, and the very first thing he did after he logged in, he went directly to his app logs, his Windows logs. He looked at the system log, he looked at the login log and the application log; he wanted to see if anything was installed or anything that was logged. Luckily for him he didn't find anything, because otherwise this would have been a short trip. We cleared our tracks so he couldn't see anything, and did some other file date modifications as well. Then he proceeded to get out, and we didn't see anything. Then he went out to look at the computers in front of him, and he noticed, oh, looks like it was a power failure, so he came and sat back down. Then the next thing he did, he spent the next 30 minutes reading everyone's email. He opened up the email of the top 40 people in the company, everybody from the attorneys to the CIO to the CEO and accounting. He had literally 40 people that he was going through the emails of, and what he was doing is taking those, copying them and sticking them on a thumb drive. As soon as that happened, the CIO saw that. He called us and says, "Hey, I think we got this guy." So we left the hotel, rushed back over there, and they had already pulled him out; they had him downstairs waiting for law enforcement to show up so he could get arrested. Law enforcement showed up; they had their case put together with the company attorney, and this guy definitely did not want to say a word. I was just curious, so I asked, "Hey, can I spend a couple of minutes with him? I'd like to see if he'll talk to me and tell me what the deal was." So I did. I got to talk to him for a few minutes, and it was interesting; he actually told me what was going on. He was actually selling these emails to competitors, people that were getting acquired. This one particular company, a financial company, was acquiring other little financial companies, and he was selling it so they could raise their bids, basically, so they could try to get more money. He did this for over a year. He sold information to a little over a dozen different companies. How much do you think he made out of this? We're talking about a multi-billion-dollar financial company that was acquiring others. Believe it or not, he only made about fifty thousand dollars out of this; the transactions were not very big, and all that kind of stuff. It was a real shame, because talking to the CIO, he was a super nice guy, he'd go to all the barbecues and all that kind of stuff, but he just threw his life away. Yeah, he ended up getting sent to jail for almost nine years on that. So not good times for that guy, for sure.

So I know I've brought up a couple of cases where I've had some rogue admins and stuff like that; pretty rare. Most of my cases don't deal on that side; they deal on the other side, where it's usually just regular employees that are either getting privilege escalation or stealing data they shouldn't get. So that's what we normally see, or it's the sabotage.

hey david sorry to interrupt you it looks like um there was a hiccup in the system and you got muted is there any chance you can just verify that you can unmute yourself

how about now can you hear me now yeah i think with some insider threat here we must have accidentally just uh got somebody meeting me okay yeah there was a hiccup i just saw that the live broadcast stopped for a moment and then all of a sudden you were muted you're good to go you might mean to back up i think it was around nine that you went out uh my apologies for for that no problem no problem thanks for catching that i swear i didn't touch the uh the keyboard my hands are here uh like vegas hands uh so we'll go through this real quick so again always treat your network as hostile always assume breached uh

definitely no one's immune to malware we've seen that we've seen all the crazy malwares my key thing here is have that post breach strategy ready so i've seen plenty of customers that don't have uh that strategy ready so they're scrambling at the last minute have that tested saying okay guys we're going to simulate a breach today we've lost such and such data what do we do uh do we you know get the help desk do we get the users do we get uh the attorneys involved what what all where's our backups all that kind of stuff uh definitely don't forget about the insider threat i know this is a family show so i'll repeat one more time we'll come back to

number two know your network and i say that because i worked a case with the city government several years ago that when we got in and i started asking my general three questions you know i ask where the dns logs where's your backups and where's the bathroom uh but on that case i also asked what's the network look like where's your ingress and egross points and they actually brought me a map that was like six years old that was not even valid wasn't even current nothing so we actually had to go through and find all the stuff for them and that put us behind a couple days for sure so uh back to log everything and i don't

mean every single packet but the metadata so we know your dhcp we know your dns request and have that unfiltered data i'm a strong believer in the 30 60 90 a day rule so have all that metadata for 30 days chop off a piece for 60 days so you keep part of it for 60 and then so forth to 90. it's really important it's all about that visibility because you're not going to catch nation nation-state attackers versus insiders versus anything else if you don't have that visibility definitely train your security staff doing events like b-sides which is awesome definitely go to those you get great uh word of mouth you get great training you get great content hopefully everyone's

enjoyed this content today uh number three security awareness for everyone and i don't mean that click click click you know hey hr yep i'm quote certified uh for that but real security awareness and uh one of my friends i know did a great one for a a bank they were doing and they actually they walked in with a bunch of balloons and a cake and went to one of the floors as a big high-rise like 12 stories and found this lady and and everyone thought oh it's you know so-and-so's birthday it wasn't her birthday what she had done is reported a fishing attempt that turned out to be real it was a real phishing attempt

to try to steal money from the bank and she reported it and so that was part of the security awareness was you know hey here's a cake here's some balloons and everyone noticed really really quick so the day before that happened they were only getting like 40 you know of you know thousands employees only like 40 phishing emails sent to it department uh very few after that day they got over 400 a month it was just like boom boom boom boom and they were much much better their their chances of getting hit by some of these fishing went way way down hey dave got a question for you from from an anonymous user he wanted to know

if you have evidence that an organization you've done business with has had your data stolen or leaked and you identify the individual what is a good route to pursue them uh the best route is called law enforcement is number one so save whatever evidence you have uh and that way they can make a case because unfortunately if you give it all to the company they might wash it under you know the sink and say oh well okay yeah we paid that guy off to get rid of him so we won't leak our data uh my my thing is bring in law enforcement um whether it's you know the cyber task force or whatnot uh to do that that's

definitely going to be the best and and make sure you uh unless they tell you otherwise keep a copy of what evidence you have as well thanks great great question great question awesome so we're uh and still please ask any questions you want uh definitely number two is patch patch patch um again and then always refer back to number seven you should be laughing right now that's my programming joke for the day is so i've got you in this infinite loop so know your network log everything train your staff and secure awareness for sure and number one i'm sorry ryan reynolds was not here today you've got dave baucar i do really really appreciate it uh for being here today

uh if you have any more questions please i know we've got about 12 minutes or so so please let me know i'll stay on stay on for a few minutes and answer any and all questions again thanks to the whole great b-side staff for having me out today

it's been an awesome talk david i gotta tell you it's just great stuff to think about you know insiders are always the they say the biggest weakness in security but they can also be your biggest asset if you were to look at it from the other side of it what would you think are the top three things you give your top ten if you had to think about this from an organization a security person has to come back to work and say listen we need to start doing these other things is it really about making sure you're able to monitor them is it the ability of educating them what would you feel would be the first

thing you would want them to do uh yeah and i don't want to put that false narrative out there you know a lot of people go oh well security teams watching everything we do you can watch a lot of stuff with metadata without infringing on anyone's privacy or you know trying to quote spy on them so my biggest thing is get visibility have that metadata so i can see what applications are running what data is going around my network that kind of stuff uh but the other thing is and you said you hit the nail right on the on the hammer there was uh that security awareness and that training of my users so they understand the importance of hey

we have valuable data we don't want it to leave you like your job everyone that's it's everyone in is in this together how do we protect that data and that's big so i've seen lots in the last couple years where companies that have taken that approach have been way more successful because now it's not like you've got someone tattling on someone else but if they see some wrongdoing man they're going to be quick to point it out and says hey i think joe is stealing you know whatever and sally and giving it to sally who's selling it somebody else or you know what not because it's good for everyone because if someone destroys the company guess

what everyone loses right i think mubix kind of covered it really well in his keynote when it was talking about one of the things is while we can try to put you know security dna in the organization not everyone are security people you can't expect them to be that in a lot of cases when we look at the lateral movements and and and how it's happening inside the organization there are fundamental security principles that are typically at play here like least privileged not being applied the secretary doesn't need access to the database server why why are we applying that we can go and say it's the secretary's fault for plugging in that usb key but the reality is is the best

security systems that are out there and the policies and anything you can put in place are the ones that employees never see unless they do something they're not supposed to at which case that's when the security system should be kicking in education is important but we can't rely on the people to always get it right they're the biggest weakness in the organization but they can be only be our biggest assets if we're being responsible in applying everything else that's there oh for sure i mean i'll give you a prime example so i worked a lot with hospitals so uh you know hospitals especially down in hollywood los angeles have a lot of vip customers that generally do not come

under their name they're always under pseudo names and they they have certain rooms and floors where you know people they don't want this this movie star or whatever they don't want that information to get out and i've helped them put policies in place in monitoring so that way you know uh uh a floor nurse on the third floor can't see what's happening on the fourth floor so she gets on the computer saying oh i want to see i you know i know britney spears is here so and you know she goes by you know roger rabbit or something whatever name she chooses but you see what i'm saying if the software's monitoring for that it's like okay if you're a nurse on the

third floor that's the only patience that you should be accessing right if i access something else out of that i need to i need an alarm bill to go off i need to be able to see that and say you know what that nurse shouldn't be doing that and we actually caught a couple nurses in hollywood doing that that were selling information one person was in the ref records department so she had access to everything but her cousin worked up on this particular floor in this hospital and they were sending notes back and forth comparing and trying to sell that information to the tabloids uh but luckily the system we put in place which did not infringe

on anybody's job they never even knew it was there but when the time came uh they could you know they could flag it right they could flag who's accessing this quote vip's information yeah that's awesome a good time all right let me check and see if there's any last minute questions one moment so there's a question here do you have any suggestions for public templates or a source where someone can refer to to start drafting an insider threat incident playbook oh that's good um i don't have any like resource off top my head uh i'd be happy you know uh if you get my email or dm me and twitter i'd be happy to give you some stuff uh

for sure i think the biggest thing on insider playbook is the same as any malicious actor it doesn't matter it's just they've got the inside piece right the biggest thing is that uh the visibility into the metadata that i keep talking about whether it's you know if they're getting dhcp or they've got vdi how do we capture who was on that vdi session when they did it what usb drives are being used uh that kind of stuff that's going to be some of the biggest playbooks and but you need to have some criteria as well and that criteria is really going to center around okay what is our ip you've got to identify the you know

the keys to the castle so if i don't know what theirs i'm not going to know what to watch anyways i can't just watch everything all the time but i need to watch that very specific day it's like okay this data only these people should have access to it whether that's the accounting system only the accountants should have access to that that's going to be the biggest thing in quote a playbook right is to look at those kind of scenarios and say okay if x y and z happens and it shouldn't belong to that person then we need to take a look at it and then the next step is going to go okay now i can open up an

investigation you know what and if it looks if it's benign boom i throw it away and keep going but if it's not you've got to get to that point to where what is going to set off your red flags in your environment versus anybody else's to be open in those investigations that's great i i also just posted a book title for someone if you want to look it's an older book i think it's like mid 2000s called inside the security mind by kevin day where he talks about it from not only looking at building out the playbooks but understanding how to think about this what you're going to apply and how to apply it and then how to monitor and

manage that so um it's like i said it is an older book but the principles um really help in in those type of scenarios yeah so what i put on the screen is like again get these two files if you can uh leave it up on here on the screen uh i provided the link in the chat for them on the phone awesome i wasn't able to get the second one but i go oh okay so here's the second one um so this is really good stuff for to help with those kind of playbooks and stuff uh especially around this one especially around the commercial espionage uh because we've seen a lot of the quote

commercial espionage it's like how do you vet your employees how are they hired uh how many times you know has you've heard of oh this is an insider and they were selling information like the guy from you know um google try to you know grab that information from wammo and sell it to uh to uber where he was going where he was offered a job now they they were working in cahoots uh and that's the biggest thing but notice they were caught because of the monitoring software that they had was able to nail them down and say okay why would this person copying 14 000 it doesn't fit their job description for sure i actually worked a lot of insider

threat for some government agencies uh some manufacturing we'll call it that and on that i mean i got down to the point to where in between buildings i could time how long it took to walk between buildings and i know that joe couldn't be logged in at building a and then all sudden 20 seconds later log into building b because i knew it took three minutes and we just had it set up in the sim we can look at the login times between two and says okay if it falls under this threshold guess what raise a red flag start my playbook start my investigation that's awesome uh someone in one of the comments said was following up on the previous

question about bringing in law enforcement and the question is annie's asking referring back to anon's question if you bring in law enforcement before a company is aware would the company get upset or maybe it doesn't matter if they do um it all depends i've seen it both ways i've seen companies get very upset oh my god you know this person's gonna be is malicious to my company he's like no i want to protect the data right i want to if if if my data has been breached i i want to know about it uh but the the thing here that's really hurt the industry is you've had companies that have said have you know put it under the

rug so to speak they didn't want to get their name out in the news they didn't want to get that but i i think it's it's got to come to a point especially now we're seeing a bunch of it uh and don't worry about hurting someone's feelings if you've gotten your data stolen um yes report it to the company report it to law enforcement because you just never know you don't want it you know swept under the rug because we've seen lots of companies do that unfortunately because they think it's going to save their reputation i think the companies that are out there in front saying hey something got messed up you know this is

what got stolen we're doing something about it thank you joe for turning this in that was awesome uh that's how they should react uh but you know you can see over the last 10 years they haven't you've had lots of companies go nope you're a whistleblower you're not a whistleblower we're going to go after you uh there was a an incident was about a year and a half ago state government uh basically a pen tester found a hole in a government website and reported it and and even though they had a quote bug mounting program they're like oh no p was a malicious person he was trying to hack us and he didn't do anything all he did was

report hey this has got a cross-site scripting issue y'all need to do something about it and fix it i mean they tried to take this guy to court they tried to get him arrested all this other stuff and they finally the government had to back off because everyone in the industry was like no this guy didn't do anything wrong he found a hole he told you about it and you didn't want to do anything about it because they look bad you know his egg in their face yeah that's awesome see if we got any more questions in the in the pool here um one was asking uh where can i get access to the slides i

think you already mentioned if they uh tweet you or ping you you'll get that out to them yeah i also have a pdf sent uh by wednesday up to b sides as well so uh we'll be able to get these i believe you're going to have it on the the site after yeah we'll be publishing it on our youtube channel so the the link to the b-sides vancouver youtube channels in the chat for anyone who wants it make sure you subscribe to that and after the event is completed and we get some down time to get this all together we'll uh publish it up on the youtube channel as well so yeah perfect yep and i'll have the pdf

ready for you excellent last chance everybody you got any final questions now's the time well while they're looking at that and sending us any more questions i just want to thank you very much that's awesome i always love hearing about the different types of threats from the insider side and you know stats be gone you know at the end of the day you can look at things i look at great examples even at state level with things like stuxnet and just the complexity of trying to get over air gap networks and trying to getting organizations and you know you sharing the one about tesla i always laugh at that one awesome that the tesla employee had the

um moral fortitude to let you know not take half a million bucks to plug in your e-stick right um and but it's coming more and more ransomware gangs are are are are sharing in the wealth with any employee that's willing to get there and when i think about things like you know like the rubber duckies and the omg cables and just how easy these payloads are getting to be able to be deployed physically in these organizations it really comes down to your people but then i get back to you know the conversation we're talking before about well why are we allowing people who don't need that kind of privilege to be able to have this stuff pivot into these

other uh areas i think mubic's point during his keynote about things like make sure every laptop or every desktop is being treated as its own container its own isolation that helps it's not going to solve everything but uh if we assume breach and assume people are going to plug in hostile um sticks uh i think we would be in a much better place as a people oh yeah for sure yeah it's it's funny everything you mentioned i have in my bag sitting next to me uh yeah i have it too right like we have a lot of tested the coffee shop and and just playing around with especially the new omg stuff it's just just phenomenal just even on

data exfiltration off of these cables so it's just amazing what can be done um when we're talking physical for this kind of stuff i mean you have to think you know that i have got so many tools and stuff or or software that i've written in scripts and whatever uh to break into networks just imagine what and i'm just a lone person the nation state stuff of course you brought up stuxnet and you know i've got it in my lab it's crazy even today that stuff is super scary uh so well you look at the payloads that are you know darren the stuff he's doing over at hack five like some of the stuff on his github repo and the way they're

now um you know providing prizes for some of the best payloads these are getting so much more sophisticated and have way more capabilities it's not just a matter of being able to type in a few keystrokes to get some interesting things we're talking about full interpreter back doors in a matter of a couple seconds and and you know state actors are going to be able to take out the next level so great to be scared but it's also the back too this is where the blue team's got to do a better job of making sure that they're going to assume that these type of things are hitting what are they doing about it yeah and and i'll definitely leave my

final two cents here is visibility visibility visibility if you don't have the visibility you're not going to catch anybody and that's what i want blue teams you know when i go and try to you know i'm on the red team and and i love being on the blue team because i love trying to throw off the red teams that are trying to attack me but it's getting that visibility that's the very first thing i talk to customers about uh our clients that i'm talking to is like guys you can throw all this technology at it but guess what if you don't have that visibility you're not going to see that threat you're just not and you're going

to lose every single time awesome well david thanks again we're coming up to our time i'm getting ready for our next session i appreciate everything that you've done great talk um i'm looking forward to seeing more from you and hopefully we'll see you next year again at b-sides in a another awesome talk about this kind of thing
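The two detection rules the speaker describes in the Q&A above, as an added Python example that is not the speaker's own SIEM content: patient-record reads scoped to the unit a user works on with VIP records flagged, and two logins at different buildings closer together than the walking time between them. The log format, unit and building names, walk times, the `records` exemption and the sample events are all constructed assumptions.

```python
"""Added example (not the speaker's tooling): two insider-threat detections
from the talk's Q&A, run over constructed log lines.

Rule 1: patient-record reads are scoped to the unit/floor a user works on;
        any cross-unit read, and any read of a record flagged VIP, is raised.
Rule 2: two logins by one user at different buildings closer together than
        the measured walking time between those buildings is raised.
Unit names, walk times, roles and the log format are all assumptions."""
from dataclasses import dataclass
from datetime import datetime

# Constructed directory: which unit each login works on.
STAFF_UNIT = {"nurse_3f": "floor-3", "nurse_4f": "floor-4", "records_clerk": "records"}
# Units whose staff legitimately read records from every floor (assumed).
UNIT_EXEMPT = {"records"}
# Constructed patient register: unit the patient is on, and whether the
# pseudonymised record is flagged VIP. No real patients are represented.
PATIENTS = {"P-1001": ("floor-3", False), "P-2002": ("floor-4", True), "P-3003": ("floor-3", False)}
# Measured walking time in seconds between buildings (constructed, symmetric).
WALK_SECONDS = {frozenset({"A", "B"}): 180, frozenset({"A", "C"}): 300, frozenset({"B", "C"}): 240}


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    detail: str


def parse_log(text):
    """Parse constructed lines of the form '<iso-timestamp> <event> k=v k=v ...'."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, *kv = line.split()
        events.append((datetime.fromisoformat(ts), kind, dict(p.split("=", 1) for p in kv)))
    return sorted(events, key=lambda e: e[0])  # evaluate in time order


def check_record_access(events):
    """Rule 1: cross-unit reads (unless the user's unit is exempt) and VIP reads."""
    alerts = []
    for _, kind, f in events:
        if kind != "record-read":
            continue
        unit, vip = PATIENTS[f["patient"]]
        home = STAFF_UNIT[f["user"]]
        if vip:
            alerts.append(Alert("vip-record-access", f["user"], f"read {f['patient']} on {unit}"))
        if home not in UNIT_EXEMPT and home != unit:
            alerts.append(Alert("cross-unit-access", f["user"], f"{home} staff read {f['patient']} on {unit}"))
    return alerts


def check_login_travel(events, walk=WALK_SECONDS):
    """Rule 2: a user cannot log in at building B sooner than the walk from A."""
    last = {}  # user -> (time, building) of the most recent login
    alerts = []
    for t, kind, f in events:
        if kind != "login":
            continue
        user, building = f["user"], f["building"]
        if user in last:
            prev_t, prev_b = last[user]
            if prev_b != building:
                needed = walk[frozenset({prev_b, building})]
                gap = (t - prev_t).total_seconds()
                if gap < needed:
                    alerts.append(Alert("impossible-travel", user, f"{prev_b}->{building} in {gap:.0f}s, walk takes {needed}s"))
        last[user] = (t, building)
    return alerts


# Constructed sample events: joe "walks" A->B in 20s, sally takes 4 minutes.
SAMPLE_LOG = """
2022-05-10T08:00:00 login user=joe building=A
2022-05-10T08:00:20 login user=joe building=B
2022-05-10T08:05:00 login user=sally building=A
2022-05-10T08:09:00 login user=sally building=B
2022-05-10T09:00:00 record-read user=nurse_3f patient=P-1001
2022-05-10T09:01:00 record-read user=nurse_3f patient=P-2002
2022-05-10T09:02:00 record-read user=records_clerk patient=P-2002
2022-05-10T09:03:00 record-read user=nurse_4f patient=P-2002
"""


def run(text=SAMPLE_LOG):
    events = parse_log(text)
    return check_record_access(events) + check_login_travel(events)


if __name__ == "__main__":
    for a in run():
        print(f"{a.rule:20} {a.user:14} {a.detail}")
```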