
All right, good morning, BSides. Today we have an awesome speaker lined up: Will Baggett. He is the Director of Digital Forensics for Project Safe Escape, a former CIA officer and a seasoned speaker. He has spoken at DEF CON 19, spoken at numerous BSides, including BSides Las Vegas, and is just generally an overall awesome individual. So I'm going to hand it over to Will to kick things off with digital forensics and the insider threat.

Thank you for the handoff. Good morning, everyone. Welcome to BSides San Antonio Virtual, hopefully the last year we do virtual. This first 25-minute talk is going to be about digital forensics and the insider threat. From that, the job openings are all digital forensics, incident response, and then every so often you'll see insider threat. This is going to cover what the career track looks like for insider threat, what the day looks like, what the duties consist of. If you're interested, great. If not, you spent 25 minutes, decided that you didn't like the career track, and you move on. No harm, no foul.

So detecting a threat, it's not really magic; there are some basic principles here. Doug Henning, thank you very much. Wow, I don't usually talk about myself, so I'm a little surprised to let this in here. I worked in financial technology, I went to the intelligence community for many, many years, I went to NATO as a public speaker training the special operations forces on cyber security. From there, when COVID hit, I went to a consulting firm and began specializing on the commercial side of the insider threat. The insider threat for commercial gives you access to pretty much everything, whereas in the intelligence community you have a little slice of pie. You look at the slice of pie you're in, your stovepipe, that's all you see. You don't see the entire network, you don't see the granular details: when people log in, when they badge in, when they badge out, where they go. You don't see the full picture of their life.

Incident response, though, at the high level: we've got the data breaches,
it's usually external. I've got the picture of the dam; it might be because of the leaked passwords in the GitHub repository, solarwinds1234. You've got something hitting the outside of the network perimeter, causing an event to have data leak out. In modern terms, it takes one unexpected action to reach the firewall. They needed to get data out of a secure facility on Scarif; the Rebels used a Hammerhead corvette to physically penetrate the firewall, the ring preventing any transmission coming out from the planet. So we had an external attack on the firewall, data's leaked out, Episodes Four, Five and Six occur. Maybe Rebels, maybe Mandalorian. Episodes Seven, Eight and Nine never happened in my world.

The insider threat: we've got data loss enabled by employees. We're not necessarily talking about an event like the Colonial Pipeline breach, or an employee possibly clicked on a phishing email, or maybe they didn't update the patches; that's more on the incident response side. For the insider threat we're talking about someone just wrong: maybe a Snowden, maybe an Ames, maybe someone like the person at Pfizer that was working to leak the data to the Chinese researchers, that's been in the news.

When we do penetration tests, this all ties into the insider threat. To try to drive the point home: a black box test, they don't give us any data, just go after the corporation. Here's the scope: we're not going after AWS, we're not going after Azure, we're only going after this slice of the network. A white box attack: you get the credentials, you get logon validation, access to the facility, you're inside the network. And if you've taken your CISSP book or your Certified... I can't talk this morning... Certified Ethical Hacker, these are the more damaging penetration tests, because you have access, which is exactly what an insider threat would have to the organization.

The most common cause of a security incident is human behavior. From that, it could be someone picking up the USB drive in the parking lot, someone who's been phished, someone who clicks on the wrong link, someone who wants to just make things easier and share the files at home, where they log on to Google Chat. That's an entirely different piece of threat, where if you log on to your Google account on the corporate network, all of the data that you work on is going to be retrievable through Google Takeout. So now if you leave the corporation, all that data is still available to you for nefarious purposes that would possibly harm the organization.

It only takes one insider threat actor to lower the defenses. Here from Avengers: Endgame we see Nebula, 2014 Nebula in 2023, literally breaching the defenses, letting the adversary into the network, and we saw the second half of the movie where, because the defenses are lowered from an insider threat,
basically we have no more Iron Man, we have Captain America gone back in time, we have a new Captain. A lot of things changed because we had an insider threat.

So in the CIA, the traditional motives for espionage were MICE, you see the acronym: money, ideology, conscience or ego. We updated that to be compromise or excitement. Some people just like the thrill of committing espionage and being caught; they need that ego boost. Compromise could be something more like blackmail: pictures of whatever event you did that you shouldn't have, someone's got it on tape, they've got a tweet, they've got a video recording from your Ring doorbell. If you don't do X, we'll release Y to the media and embarrass you and ruin your career. That's been the usual hallmark. In the early 2000s, CIA updated, excuse me, the commercial motivations that we've seen working insider threat: money, ideology, career. I'm unhappy at this corporation; if I take the data here and move it to the next position, I can become a director over this and get a large salary increase, have more power, more prestige, and I'll show the previous employer that I was worthy to have this previous position. External activities for insider threat: we're talking possible hacktivism, political means. This corporation is doing X, I don't agree with X, I believe in Y, I'm going to make sure that the corporation sees why Y is the better option.

The CIA updated the MICE acronym to become RASCLS: reciprocity, authority, scarcity, commitment, consistency. Here some of the seeds remain the same: liking and social proof. The authority is, well, if you meet someone overseas, you chat them up as a case officer: if you've really got the authority on this department and you're really doing this research, show me what you're working on that you're so proud of, because you want to validate your authority. Or conversely, someone calls using voice spoofing, some of Melissa Miller's deepfake technology that she spoke about. The call appears to be coming from the CEO, and it says: if you don't commit to performing this wire transfer to this non-standard account immediately, your career's in trouble. It sounds like the CEO, looks like the CEO; you can spoof a phone number, SpoofCard on your phone. So now the employee has transferred millions of dollars to an external account. The wire transfer, once it's gone, it's gone; you can't get the money back. That would be authority. Scarcity: this is the last opportunity, there's only three seats left on this team, click here to join the team.

This is a little bit more of an accurate picture of why someone might commit, or be susceptible to, social engineering. One of the things, I know there's a career track with Kathleen, one of the things we taught at NATO was the social engineering as you come to
the end of your career: you go to LinkedIn, you turn on the beacon to say yes, I'm interested in new opportunities. Recruiters come out of the woodwork: hey, we know you're happy down in San Antonio, but we've got this six-month, no-benefit opportunity for you here in Ouagadougou, but you need to move immediately, and after the contract is over in six months you have no job. We've all seen these weird offers. But for the social engineering piece, you go to thispersondoesnotexist.com, you go to mail.com and create a valid email address, something non-standard, and now you can become that corporation. I can say I work for Apple, I can say I work for Dell, for HP, this person doesn't exist, in a non-standard recruiter.com-style email. People were being approached by foreign intelligence services for: hey, we know you're leaving the service, what systems were you working on, what are you familiar with, what are the issues? And as they begin to build rapport through technical interviews, there's the elicitation of what have you really done, and you're unexpectedly giving away classified intelligence that you're not aware that you're leaking out.

The same thing could occur on the insider threat side of the social engineering, just like happened two days ago with Slack, when they came into the Slack channel for EA, which is kind of funny because EA's always out for DLC packs for every game you buy, but that's my personal commentary. This kind of straddles the line between insider threat and incident response, because they came in through the network, they looked authoritative, and they convinced the help desk to elevate privileges to gain access to the system. It's still a modern method.

So we have the human factor. We saw that there's a technical collection gap with the Slack channel, the gaps in coverage; I'll touch on that in a second. The human factor: the help desk wants to please people, they have metrics they have to meet, security sometimes becomes secondary. Not to disparage close support, help desk; there's a fine line between helping individuals and people who appear to be authoritative. So that kind of straddles the line yet again.

The gaps in coverage: we're talking about things like, on the Apple network, if you log in with your Apple ID on a corporate Mac and they don't have the proper hardware installed for endpoint security, you can just go to Mail, create a draft, put a sensitive document in there, and then when the network syncs, now if you look on your phone under Drafts in your email, there's the document. It wasn't a blocked network, but it's still a channel that people use to exfiltrate data from sensitive corporate networks. It's a little bit tougher to block.

The insider threat team is a little bit different than dealing with the incident response team. We've got human resources
as a partner, security, and the legal aspect. Legal, because what we're looking at is a possible adverse action on someone's career, a resume-generating event, as they say. Human resources has data that needs to be shared with the team, and security because this is an internal threat; sometimes we do have the physical threat. One client had a subcontractor threaten to come in with COVID and cough on the team that was working in the facility. They did it over corporate Teams, over Teams chat. I was able to go in with O365 compliance, pull it back together with Magnet AXIOM and put the pieces together: he logged on at home at this time, contacted these people, here are the chat messages, here are the threats, and send the report off. But we'll touch on what that means.

The watch list. The new hire: yes, it still happens where you have corporate espionage. A gets hired by B, but they're still employed by A to go in and see what information they can glean about the corporation. What are you looking for? What new phones is Apple developing, those types of things. If someone gives a two-week notice, it's fairly common to be put on advanced monitoring. If you're going to leave, what data are they going to collect before they leave? Are they going to turn in their notice and then burn two weeks of vacation? Are they going to go in and harvest files for exfiltration for the new position? If you have a performance drop, a performance improvement plan, which is usually key for you're on the turkey farm, you're going to get let go at any moment, you just don't know it: what are they doing before they're being asked to leave the network? Level of access: insider threat teams, of course, with the level of access we have, get a higher degree of scrutiny. Who watches the watchers? The SOC administrators, the network administrators, they always get a little bit more scrutiny because of the level of access they have. Lifestyle concerns: I'm picking on Bob. If Bob shows up, if he's making $40,000 a year as a new hire, as an intern, and he shows up in a brand new Tesla with no other means of support, that's interesting. How did he do that? Did he win the lottery? Did he strike it rich in Dogecoin? Or is there something else going on here? I'm in Savannah right now; there's a large aerospace manufacturer and they're well known for constant layoffs every two to three years for their technical community. So if you believe there's going to be a layoff, are people harvesting the files to move to a competitor? Our bonus is being slashed, i.e. Christmas Vacation: are you in the Jelly of the Month Club instead of getting enough money to pay
for the in-ground pool? Managed attrition: if you believe you're in the lower class of performers and you're going to be let go, what files are you harvesting to take with you for your new position? And if human resources doesn't provide that basic Excel file that you can import into Splunk, just for the human watch list for enhanced monitoring, that's a partnership that needs to be created.

One thing coming out, I've got nine minutes left, one thing coming out of Certified Fraud Examiner was the fraud triangle: rationalization, pressure and opportunity. I'm going to be let go, I've got the opportunity to get these sensitive files, and I can do it; I've worked on this, I've got the reason, I have it, I deserve to take this with me, I deserve to get wealthy off this instead of leaving my work behind. It's very simple that people do this psychologically when they're being let go.

Now the watch list sources: repeated access violations in data loss protection. Did they try to insert USB drives? Are they copying and pasting sensitive data, credit cards, social security numbers? Are they asking for elevated access through the help desk? At a previous employer in the intelligence community, people kept asking for restricted database access and they didn't have rights; that went to security. That wasn't just, so you don't have rights, no, thank you; that was reason for concern, that would go on people's permanent records, that would possibly trigger polygraphs. Repeated access violations: you don't have access to plans and intents for BSides 2025, but you keep trying to access this file; let's see what's going on with you. Things such as you're trying to install Slack, shadow programs, Dropbox, things beyond the corporate scope. And one thing in red here is the need to know. Yes, Bob needs to know this for his job, versus need to know: yeah, that would be neat to know the plans and intents for the next five years, but you don't need to do that for the scope of your program.

For security, data exfiltration: if you picture a toddler squeezing Play-Doh, that's about the best analogy; there wasn't really a good GIF of that on Google. You can only get the data out so many ways, whether it's a USB or an SD card. People block USBs, but they forget to block the SD card ports, the Bluetooth file-sharing capability on some of the Macs. Corporate email leak is the number one way data is removed from the network and put into private hands; that part shouldn't go in. Printing: we're not talking so much print to PDF and save on OneDrive, but actually printing the files at home. The chat and shadow IT, whether it's Slack, BlueJeans, Zoom, the plethora of online services that are out there to share data that we've all encountered the past year:
are they installing these on their corporate machines when they shouldn't? The sync services, whether it's Google Takeout or the Apple file system, where you can go to, I think it's retrieve-my-data at apple.com, something like that, but you can get the copy of everything, all of your text messages, photos, call logs from Apple, just like you can from Google. So the sensitive document that you sent over iMessage is still retrievable; is that something your corporation is permitting? And in the cloud storage, one great thing Chris Vance brought up last week at Techno Forensics in Myrtle Beach: are the logs monitored? That's something we can't pull into AXIOM to see if they're uploading data.

Briefly touch on the accidental data exfiltration. Facebook Messenger at one point harvested all the text messages that were on a corporate phone, so in addition to your Facebook Messenger accounts, it was everything corporately related. We had people in the service who wanted to use that for coordinating arrival and departure of their units. We explained from a security aspect that this is now going to Facebook for marketing; it's there forever. We don't need troop movements coordinated through Facebook. Policy change, but this is still something that can be a risk to an organization.

In the home stretch here: the logon warning is real. You do consent to monitoring when you log on to most corporate networks, and here's what I mean. With Splunk I can get network data, traffic, logon times, badge access: when you went to lunch, when you logged in and out of the SCIF, when you came and left from the facility. Are you arriving or departing at odd times? The Office and chat content, as well as the documents created in O365, as well as all the versions: did you rename sensitive file.txt to bob's resume.txt? Remote file access with Gruba, if that's installed as an endpoint: I can connect remotely, just pull your registry, and we'll run that through AXIOM to see what the last files you examined were. The tools to see what an individual has been up to, versus the entirety of a dead-box forensic case: smaller, lighter, faster, so we can move on to a false positive. This person really isn't doing anything nefarious; it's a false positive. Yes, they moved files in bulk, but we told them to: you're moving from this division to that division, move the files with you, no harm, no foul. Lastly, McAfee, when enabled properly: you can see when the USB drive was inserted, what files were moved there, what was printed, what was copied and pasted to the clipboard, whether it was allowed or denied; that's still recorded for perpetuity. And to get the better picture of what the actor has been doing, I mentioned Magnet AXIOM. We had one case, a million files plus when we did the full forensic collection, but there was only one Excel document
for someone who didn't do that; they didn't use Excel in their group, lucky guy. We can see the uploads to AWS, we can see the presence of shadow IT: do they have Slack installed, and are files on Slack chat? One thing to consider might be the use of a honey file. Here we've got super-interesting-company-file that no one is to touch except the internal threat team. Knowing this is something that's there, let's see who actually goes out and collects it, much like a honeypot for network intrusion; the same principle applies here. Another thing to throw out is can versus should. Just because you can provide someone detailed user data for every action on the network, should you? If Bob in IT wants to see what Mary in accounting is doing, the app that has access, is there written documentation, or is it just someone who's curious about it for whatever reason? And if you're uncomfortable, push back in writing, go to supervisors, go to leadership, get concurrence before you accidentally breach someone's privacy.

The risk mitigation principles: control the access, there's separation of roles and there's a need to know. Document everything. I've got to get this to a wrapped-up point here. Develop an SOP for sensitive files: child pornography, if you run across that, what are you going to do with it before you touch it? If it's not written down and documented, it didn't occur. Two is one, one is none; that's just a fun saying. Now the system worked, we found somebody, there's an incident, we're going to have a meeting: who's the impostor? Three-person rule, again, we're on a time crunch here; I'm used to a full hour, 25 minutes is good. Before you go to leadership and management with "we found this incident", have two other people verify the finding to say yes, this looks suspicious, okay, did we think about this, that or the other? Because if you go forward and say we believe Bob is committing actions that look like insider threat, that could damage his career; verify it. When you have it verified, we go to leadership with the report. Be prepared, because the world is great, just like Robert Ritter from Clear and Present Danger: the managers might say, well, yes, they did that, but you know, it's not really a big deal, versus give us all your notes, cease investigation, we're going to prosecute the individual, we're going to terminate them. It can go in a variety of directions, but be prepared for the "well, it's not really that big of a deal", even though it hits all the hallmarks of insider threat and data exfiltration, because the C-level executive may not know it's a big deal. That does happen, and it was a little surprising on the private side to have that type of letdown for, oh, if you get paid that much money, you can take the data.

Last thought here as we're coming up on time: the intelligence community has maximum tour lengths for forensic analysts when you're looking at sensitive materials, for your own mental health. If you're performing a role like this, rotate out every so often, every year, two years, do something different: do an audit, do NERC, sit with the clients, but get your head out of the "lost luggage, every day is a bad day" department, because if you can't take care of yourself, you can't take care of other people. In conclusion: identify the key dates and the scope, scoping the investigation; mind the gaps in the collection, what you did not consider; document your events
and rotate out on a regular basis. That's my Twitter, that's our email, and thank you for coming to the talk.

UTSA students and graduates notably struggled to raise internships and full-time roles in the new virtual environment. Our members heard their voices and created the CompTIA Student Chapter at the University of Texas at San Antonio just one year ago and constructed our cyber security community. In pursuit of their mission, the CompTIA Student Chapter at UTSA aims to transition all members from college students to qualified entry-level cyber security professionals through providing a cyber-smart community, hosting professional guest speaker events, facilitating collegiate cyber security competitions and company spotlight events, and providing support for acquiring professional cyber security certifications prior to graduating. The chapter serves as a growing community resource for over 300 active student members, alumni and professionals, and has just been awarded the 2021 Most Outstanding New Student Organization at UTSA for the university awards. We continue to extend all of our support to new talent breaking into cyber security. Have we interested you? The chapter is always looking for ways you can gain support to be able to expand this amazing community. If you would like to help, we are always open to discussing possibilities for future events, and we are looking for enthusiastic speakers and companies who would like to connect with UTSA cyber students. We are also open to collaborating with others to put on competitions such as capture the flag or other engaging events to help bring our chapter members resourceful opportunities to develop. If any of this grabbed your attention, feel free to reach out to one of our members in this event's official Discord server under our channel, the CompTIA Student Chapter at UTSA, for any questions you may have. We're looking forward to hearing from you and possibly working with you. Thank you for listening.
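The watch list sources the talk walks through (repeated access violations, USB insertion, renaming a sensitive file, shadow IT installs, the honey file, and the bulk move that turns out to be an approved transfer, no harm, no foul) as a small triage script run over constructed endpoint/DLP events. This is an added example, not code from the talk or from any tool it names; the key=value log format, the thresholds, the shadow IT list, the honey file path, the transfer ticket and the HR watch list are all made-up assumptions.

```python
"""Watch-list triage over constructed DLP/endpoint events (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample events in the shape an endpoint/DLP agent might emit.
SAMPLE_LOG = """\
ts=2021-06-14T08:02:11 user=bob action=access_denied path=/plans/bsides2025.docx
ts=2021-06-14T08:03:40 user=bob action=access_denied path=/plans/bsides2025.docx
ts=2021-06-14T08:05:02 user=bob action=access_denied path=/plans/bsides2025.docx
ts=2021-06-14T09:10:00 user=bob action=usb_insert device=SanDisk_Ultra
ts=2021-06-14T09:12:30 user=bob action=file_rename src="sensitive file.txt" dst="bobs resume.txt"
ts=2021-06-14T09:20:00 user=bob action=app_install app=Dropbox
ts=2021-06-14T10:00:00 user=mary action=bulk_move count=1200 ticket=HR-4410
ts=2021-06-14T10:30:00 user=alice action=file_read path=/finance/super_interesting_company_file.xlsx
ts=2021-06-14T11:00:00 user=mary action=access_denied path=/hr/payroll.xlsx
"""

HR_WATCHLIST = {"bob": "two-week notice"}       # constructed HR feed (notice, PIP, ...)
APPROVED_TRANSFERS = {"HR-4410"}                # "we told them to move the files"
SHADOW_IT = {"dropbox", "slack", "bluejeans"}   # apps outside corporate scope (assumed)
HONEY_FILES = {"/finance/super_interesting_company_file.xlsx"}
INSIDER_THREAT_TEAM = {"it_sec_analyst"}        # the only people allowed to touch it
SENSITIVE_NAME = re.compile(r"sensitive|confidential|plans", re.I)
ACCESS_DENIED_THRESHOLD = 3                     # assumed "repeated" threshold

TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value event line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in TOKEN.findall(line)}


def triage(log_text):
    """Return {user: [reason, ...]} for users who warrant a closer look."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    denied = Counter()
    findings = defaultdict(list)
    for e in events:
        user, action = e.get("user"), e.get("action")
        if action == "access_denied":
            denied[(user, e["path"])] += 1
            if denied[(user, e["path"])] == ACCESS_DENIED_THRESHOLD:
                findings[user].append(f"repeated access violations on {e['path']}")
        elif action == "usb_insert":
            findings[user].append(f"USB inserted: {e.get('device')}")
        elif (action == "file_rename" and SENSITIVE_NAME.search(e["src"])
              and not SENSITIVE_NAME.search(e["dst"])):
            findings[user].append(f"sensitive file renamed: {e['src']} -> {e['dst']}")
        elif action == "app_install" and e["app"].lower() in SHADOW_IT:
            findings[user].append(f"shadow IT installed: {e['app']}")
        elif action == "bulk_move" and e.get("ticket") not in APPROVED_TRANSFERS:
            findings[user].append(f"bulk move of {e['count']} files without approved transfer")
        elif action == "file_read" and e["path"] in HONEY_FILES and user not in INSIDER_THREAT_TEAM:
            findings[user].append(f"honey file touched: {e['path']}")
    # Hits on someone HR already flagged get escalated for the three-person review.
    for user in findings:
        if user in HR_WATCHLIST:
            findings[user].append(f"on HR watch list ({HR_WATCHLIST[user]}): escalate")
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_LOG).items():
        print(user)
        for r in reasons:
            print("  -", r)
```

Mary's single denial and her ticketed bulk move produce no finding, which is the false positive the talk describes; Bob's chain of events plus his HR status is what goes to the three-person verification, not straight to leadership.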