
The Insider Threat: Detecting Data Exfiltration via EDR

BSides Budapest · 2022 · 25:09 · 51 views · Published 2023-06 · Watch on YouTube ↗
About this talk
Insider threats represent a persistent blind spot for defensive teams despite their high impact. This talk demonstrates practical threat-hunting techniques using EDR logs to identify employees exfiltrating data through USB drives or cloud storage before, during, and after employment termination. Real-world case studies and XQL queries provide actionable methods for detecting both careless and malicious insiders.
Original YouTube description
This presentation was held at the #BSidesBUD2022 IT security conference on 26th May 2022. Oded Awaskar - The InsideR x ThreaT. RATs, ransomware, APT espionage and vulnerabilities are all part of a blue team's ongoing thoughts; on the other hand, "The Insider Threat" is probably one of the most overlooked areas for those teams around the world. "Insider" stories have been here forever, with examples like Anat Kam & Edward Snowden, and while it is ALWAYS floating in the back of our heads as defenders, we fall short in thinking of creative ways to proactively identify rogue personnel. In this talk, we will present the audience with different methods to use their EDR solutions not solely to spot threat actors, but also to utilize the collected data to hunt for the next insider within their organization. We will, of course, share unique threat hunting ideas and concepts that we believe will help organizations worldwide cover this blind spot. https://bsidesbud.com All rights reserved. #BSidesBUD2022 #BSides #InsiderThreat
Transcript [en]

Okay, so now I think you can hear me even better. I'm guessing it's going to be a bit hard to get your attention at this time of the day, because you're probably tired, and I'm not going to be long. First of all, I'm going to introduce myself. My name is Oded Awaskar and I'm a senior threat hunter in Palo Alto Networks Unit 42 for the past two and a half years now. Before that I used to be a Check Point SOC manager, and today I'm going to be discussing with you insider threat use cases that we managed to find in our customers' environments. We're going to be discussing, and I will

be showing you, how you can use your EDR logs, your endpoint detection and response logs, in order to target those two frequently seen use cases, seen in at least 60 or 70 percent of our customer base, I'd say. So without further ado, let's just start. On the agenda today we're going to start with defining the insider threat; we're going to at least try to set the grounds for this entire conversation. Then we're going to share with you a few real-world use cases, and I'm pretty sure you're all familiar with at least one of them. We're going to deep dive into how and what we can do in order to spot them using your EDR logs,

Q&A, and we're going to wrap up the session with a few recommendations to everyone. So let's just begin. A little bit about the team: we're a managed hunting team that's providing threat hunting for our customers, who are based practically anywhere in the world, and this is done on top of Cortex XDR logs, which is Palo Alto's EDR. Obviously you can do this type of hunting on any type of EDR that you own; it is not limited to Cortex XDR. So first of all, let's deep dive into who the insider is and try to define him. When you're thinking about a blue team,

whatever is in our mind all the time is RATs and ransomware and APTs and vulnerabilities, and those types of things are usually occupying the SOCs and the blue teams the entire time. Now there's also one thing that is always floating in the back of our head, and it's called the insider threat, and I feel personally, as a previous SOC manager, that we always come short in detecting those insiders throughout our days. With the use cases that I'm going to share with you, I hope that maybe some more blue teams around the world are going to be utilizing those specific use cases in order to find those insider threats. So I'll give you a couple of examples of why

insider threats are a really big problem to organizations worldwide and essentially why they are so hard to detect. They're so hard to detect because they're part of our organizations: it's we that gave them the credentials, and it's we that gave them the legitimate access to those systems and to those types of data that they need to interact with in order to do their job. And when you think about an insider threat, or an insider, it can virtually be anyone. It can be a careless employee that sends an email mistakenly, but it can be much, much worse, with a rogue business partner that sits right next to you and

decides to turn against the same organization that he is working for. So we'll start with a couple of examples, and I'm pretty sure that everyone in here probably recognizes the person in this picture on the left. This is Edward Snowden, and this is the famous case of Edward Snowden versus the NSA. The story begins in 2013, when Edward Snowden is getting hired by the NSA as an external contractor, and throughout his service in the NSA he decides, after 15 months of employment, to steal a lot of data from the NSA: top secret documents, approximately 1.7 million documents, were alleged to be leaked by Edward Snowden, and obviously this caused a whole lot of

embarrassment to the National Security Agency of the United States. How did he do it, you ask? He essentially had domain admin credentials and he connected an external USB drive to one of the servers, from which he then leaked a lot of documents. Another example before we dig into the technicalities: the Anat Kam and Uri Blau affair. I'm guessing that this is probably one of the use cases that is less known here in the crowd, but this is a really famous case in Israel. In 2005 Anat Kam was assigned to work as a clerk in the Israeli Central Command office; she was just a regular soldier. Uri Blau is an Israeli Haaretz newspaper journalist who

is specialized in military affairs. Throughout her military service, Anat Kam decided to copy thousands of classified documents, including many confidential documents, to an external CD drive this time, as this was quite a while ago, when USBs were not as popular. And then after she finished her service, she took that specific USB with her and later on leaked it to the journalist Uri Blau, who eventually published some of the documents in the Haaretz newspaper. Later on, in January 2010, Anat Kam was indicted for espionage, and she actually served, and was sentenced to, four and a half years in prison and 18 months of probation. So with all this background being laid

out, let's start with the first use case that I'm going to be sharing with you, and the first one is going to be called "living somewhere". So let's just go through the life cycle of a classic insider threat. It all begins with a new employee being recruited to the team, and he is assigned a legitimate account to perform his daily tasks. Later on, as time moves on, the employee is granted more and more permissions to different types of systems and various data types that he needs, because he's participating in some more projects or some new teams that he's engaging with, and this is something that happens essentially to

all of you, I'm guessing, as well. Later on comes the termination phase, and this can be a dual-part termination: it can either be the employee pending to leave the company because he decided to move on to another company, or it is the company's decision to fire him. And this is exactly where the data exfiltration takes place: a few days prior to the last day of the employee, he moves on to connect a personal USB drive to his or her machine and copy internal data to this specific disk drive. Now let's do an anonymous survey. I want you to raise your hand if you ever copied data from your own past employer when you left.

All right, so there are some courageous people in here. First of all, I'm guessing that no one has actually fallen for this, because when we were doing it internally in Palo Alto, a couple of people were actually raising their hand and we were saying, "Is someone taking notes? I mean, we should be taking notes for the next time that they're going to leave." So no one's going to admit it, but I'm guessing that if we're really honest, probably a lot of us have done that along the way. So what I'm going to be providing you with, first of all, is some example reports. Obviously everything that is customer related is

obfuscated in here, but I'll give you a high level of what this report is all about. The managed threat hunting team has managed to find, over the past three months, three users that have copied an excessive amount of data to an external USB drive: you can see one and a half gigabytes of data, 5.1 gigabytes of data and 15 gigabytes of data. The key finding in this specific report is not the amount of data that was copied, but the fact that for the last 90 days, for the last 45 days, sorry, no login event was spotted for this specific user, and this may hint that this user is no longer part of the organization.

The second part of this report follows by highlighting to the customer what type of data was being leaked, so we can see a couple of really interestingly named directories like "Clients", which contains 5000 suspected internal company documents, "My Appeals", again a lot of company documents allegedly contained in this specific directory, and "IP dump". Now this was a really big law firm, which later on confirmed to us that indeed those directories were containing internal documents. Another example: another user that has copied 1.8 gigabytes worth of data to an external USB drive from a directory that is called "FDA submission". This was a really large pharmaceutical company, and again, when looking through the copy event, obviously

"FDA submission" is highly suspicious when we're looking at this event. So how do we create those types of reports? We're going to use two queries. In this specific screenshot, what you can see is a screenshot of an XQL query. XQL is a proprietary language of Palo Alto Networks, but you can use it on any EDR that you own; it could be either Splunk or CrowdStrike or anything similar to that. With that query we're doing a couple of things. We have the first query that is going to get a list of all the users that copied data to an external USB drive and for whom we did not observe a login

for the last 45 or 90 days; you can just adapt it to any duration of time that you would like. This is what we call the lead generation query: we're going to get all the leads for our further hunting efforts based on query number one. Then we're going to go to query number two, and query number two is all about getting an idea of interesting files or folders that were spotted throughout the copy event. So this is query number one, the lead generation query, and we're going to use the following output columns in order to make our life easier. Last login: when was the last timestamp where the user logged into any

system that we actually have logs for. USB connecting number of days: this is the unique amount of days that this specific user has connected a USB drive to his machine throughout the query period, and this is just to show you how often this user is prone to connect a USB drive to his machine as part of his regular job or not. Total amount of emails that were copied throughout the event, total amount of documents, amount of images, total amount of code and total amount of gigabytes, and count of the unique files that were copied throughout the event. All of these columns are designed in order to make our life

easier in picking those highly suspicious leads that we're going to run the second query on top of. And this is an example of the output of the query. I know it's in dark mode, so it's really hard to see; I hope that you can see it, but you have the query highlights right above. So the user's last login was July 13th, and this was a query that was executed around December 2021, so for quite a while the user did not log into any system of the specific customer's environment. Over the past 90 days the following USB properties were spotted: the user has connected a USB device on only one day, I mean for only one day the

user connected a USB device to his machine, a total amount of 1.8 gigabytes was copied over 1.1k unique files, and the file type breakdown says that two email file types were copied, 85 images, sorry, 102 code files and 646 documents. So following this really good lead, and you can see the output in here: this is the drive letter, the username, which is "mat", and all of this type of data that is in the query itself. This is where we're going to pivot to query number two, and query number two is analyzing the copy. Again, the columns are here to help us understand better what was copied out throughout this

event. One of them is the timestamp, which is obviously the timestamp of the copy, the full path of the file that was copied, the username, the drive letter, the hostname and the file size, which are all pretty straightforward. This is an output of the second query, and this is related to the first query that we just saw with the FDA submission, so you can see that a directory called "FDA submission" was copied to a USB drive a few days prior to the user's termination. So while we're at the feedback that we got: we send a lot of those types of reports to customers, and it essentially happens on every

environment that doesn't block USB drives. So one thing that we recommend to our customers is maybe to enforce a USB block and just open the USB to those people who need it to be part of their actual work. And if this is something that you will not be able to enforce in your organization, then we highly recommend you to have those queries, or similar types of queries, running in your environment regularly, just to spot them, even if it happens after the user is getting terminated. I mean, for us as blue teams, when a specific file leaves our environment, and it doesn't matter if it's a physical copy or an online copy, it usually means game over, in a way,

but then again, we had a lot of customers that were reaching out to users after their termination and starting legal actions against them, because they violated company policy by doing that. Okay, so this is something that's really key. And while you're all reading the feedback, do you have any questions while I'm drinking some water? Awesome.

So the second use case is called "uploading somewhere", and this is very similar to the first use case. You can see that the lifecycle that is laid out in front of you is extremely similar to the first one, with one exception: instead of connecting a USB drive to your host, you're going to link it to one of the online drives, the third-party vendors that are allowing external storage for people that are going to use it. So a couple of report examples, with two key differences which I'm going to highlight for you. In one of them you can see that over the past three months a user was spotted uploading 5.7 gigabytes to OneDrive,

and again, the last login for that user was spotted 45 days earlier. Now, a notable directory that was spotted throughout the copy event is archive.pst. A PST file is probably Microsoft Outlook's internal mailbox file, and it probably contains an internal copy of the user's email backup, including a lot of stuff that we probably don't want to leave the organization. So this is the output of the copy again, now highlighting the process that actually initiated this specific upload towards the cloud; in this case we have OneDrive.exe. Another example: when you're hunting for customers, or essentially in your environment, you have an idea of what is the allowed third-party software that

this specific organization allows their users to use for cloud storage. So for example, in Palo Alto Networks we're using Google Drive, and in this specific company we saw that OneDrive is something that is fairly used in this specific organization, which made us believe that OneDrive was the authorized third-party vendor that this specific company has chosen. Not to mention that the remote host that OneDrive is uploading the data to is the domain called sharepoint.com, but luckily enough for us, Microsoft also registers a subdomain, which is masked in here, which is owned by this specific company. So in here, for example,

if Palo Alto was to use OneDrive in order to store their files, it would have been paloalto-my.sharepoint.com, and to me as a threat hunter this is a really key and important investigation point, because I can whitelist everything that goes out to this specific subdomain; I'm guessing that this is an allowed connection that is done by OneDrive. But in here you can see that in this specific account Google Drive and Dropbox were used throughout the organization. Not to mention that using this technique of the remote host, you'll be able to determine if a user is connected with his personal OneDrive, because when you're going to be connecting with your personal OneDrive, your data is

getting uploaded to a different domain and not the company-owned domain. So again, this is an example of the query, and you can see those processes that are responsible for uploading a lot of data towards both dropbox.com and googleapis.com, which belongs to Google Drive sync, and dropbox.exe. So how to create the report? Again we're going to use two queries, really similar to our first assumptions: getting a list of all the users, this time those who uploaded data to third-party vendors and whose last login was again set back in the past. The second query is going to help us in understanding what types of files are being executed. So

again, very, very similar; I'm not going to bore you with it again, but: last login date, number of unique upload days where the user is actually uploading stuff to the cloud, total amount of emails, documents, images, code, total amount of gigabytes and unique files that were spotted. Query number two is to help you analyze the copy again. And this is where the Q&A comes, but if you do want to do the Q&A at the end, because I have a wrap-up... All right, so I'm going to jump straight to the wrap-up. So, blue teams, it's really easy to focus on the outside. I mean, if I would

have an enormous survey in here and ask you, if you're a member of a blue team, what concerns you the most, I'm guessing that ransomware would be number one, followed by, I guess, crypto miners and some botnets and RATs, but nobody would have mentioned the insider threat. Now, if you're going to google some really interesting cases over the past few months, even, there are a lot of cases where insiders from really popular companies, like even Google and Tesla, there were a lot of cases where it really affected the company and made them pay millions of dollars just to counteract those activities that were made by the insider threats.

One other thing, and this comes from me to you: in a data-driven world where essentially everything we're doing is being documented, don't take stuff with you when you leave a company, because essentially we can see everything. And again, if you would like a copy of the queries, again, this is XQL-based, so if you have Palo Alto Networks Cortex XDR you'll be able to use them out of the box, but if not, it's just a general idea of how to build them that you can adapt to your own EDR language. So please don't hesitate to reach out; I'm pretty sure you'll be able to do so on LinkedIn, Twitter or

anything similar that you feel free to. So thank you very much for having me, and the Q&A. Thank you. [Applause]

Q: Yeah, I was wondering whether waiting for 45 or 90 days isn't too late. By informing the customers in real time about these events, is it too false-positive an approach?

A: So that's actually an excellent question. The problem, when you have third-party hunters, is that we don't have the ability to know who's pending to leave the company. So for some of the customers that we actually reported it to, we built a process where they're going to send us the people that are pending to leave, and we would run those queries before the alleged date of

this specific user that is going to be leaving. If you are working for a company and you're threat hunting for your internal company, then you have the ability to contact your HR and have them send you all the employees that are pending to leave, or, even worse, ones that are getting terminated soon. But this is a good comment, because when you're sending something that happened three months ago, it's usually a little bit problematic in terms of the customer.

Q: Thanks for the talk, really great talk. Just out of curiosity, you said that when your clients received the report they could maybe sue that employee that stole their data. I don't know if you know the answer, but is the data from your report applicable at court for them to sue? Maybe they didn't record all the data that is transferred.

A: So again, an excellent question, and thank you. So the thing is, I'm not sure they will be able to utilize our report, but our reporting also includes the queries themselves, and the queries query the data that they're saving on Palo Alto's cloud, and if they're going to use those queries

in order to get the output from Palo Alto's cloud, it's applicable to court, I mean it aligns with all the data regulations that are needed, and they can just provide the output of the query, and I'm guessing it stands in court, I guess. Thank you. Anybody else? Okay, in that case, once again, thank you to Oded and his young assistant. Thank you. [Applause]
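Added example, not the speaker's XQL (which is not on this page): the two queries the talk describes, the "lead generation" query and the "analyze the copy" query, re-implemented in Python over constructed EDR-style login and file-copy records. The column names follow the talk; the file-type extension sets, the record layout and the sample users are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# File-type buckets behind the report's type columns; the extension sets are an assumption.
BUCKETS = {
    "emails": {".pst", ".ost", ".msg", ".eml"},
    "documents": {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".pptx"},
    "images": {".png", ".jpg", ".jpeg", ".gif"},
    "code": {".py", ".c", ".java", ".js", ".ps1"},
}
dt = datetime.fromisoformat   # timestamps in the records are ISO 8601 strings

def bucket(path):
    """Map a copied file's extension to one report column ("other" if unknown)."""
    name = path.rsplit("\\", 1)[-1]
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    return next((col for col, exts in BUCKETS.items() if ext in exts), "other")

def lead_generation(logins, copies, query_time, stale_days=45):
    """Query 1 (lead generation): per-user USB copy statistics, kept only for users
    with no login in the last stale_days (or none at all), the talk's 'gone' signal.
    logins: [(user, time)]; copies: [(time, user, host, drive, removable, path, bytes)]."""
    last_login = {}
    for user, when in logins:
        last_login[user] = max(last_login.get(user, dt(when)), dt(when))
    stats = defaultdict(lambda: {"usb_days": set(), "files": set(), "bytes": 0,
                                 "emails": 0, "documents": 0, "images": 0, "code": 0, "other": 0})
    for when, user, _host, _drive, removable, path, size in copies:
        if not removable:                 # only copies that landed on a removable drive
            continue
        s = stats[user]
        s["usb_days"].add(dt(when).date())   # distinct days a USB drive was written to
        s["files"].add(path)
        s["bytes"] += size
        s[bucket(path)] += 1
    leads = []
    for user, s in stats.items():
        seen = last_login.get(user)
        silent = (dt(query_time) - seen).days if seen else None
        if silent is not None and silent < stale_days:
            continue                      # still logging in: not a termination-style lead
        leads.append({"user": user, "last_login": seen, "days_since_login": silent,
                      "usb_days": len(s["usb_days"]), "unique_files": len(s["files"]),
                      "gb": round(s["bytes"] / 1e9, 2),
                      **{col: s[col] for col in ("emails", "documents", "images", "code")}})
    return sorted(leads, key=lambda lead: lead["gb"], reverse=True)

def analyze_copy(copies, user):
    """Query 2 (analyze the copy): one lead's removable-drive copy events in time order."""
    return sorted((when, path, drive, host, size)
                  for when, u, host, drive, removable, path, size in copies if u == user and removable)

def top_directories(copies, user):
    """Source directories of a lead's copies by byte volume, surfacing names like 'FDA submission'."""
    volume = defaultdict(int)
    for _when, path, _drive, _host, size in analyze_copy(copies, user):
        volume[path.rsplit("\\", 1)[0]] += size
    return sorted(volume.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample records standing in for EDR login and file-copy telemetry (not real data).
LOGINS = [("mat", "2021-07-13T08:02:00"), ("mat", "2021-07-01T09:00:00"), ("ana", "2021-12-09T08:30:00")]
COPIES = [
    ("2021-07-10T17:40:00", "mat", "WS-0412", "E:", True, "C:\\Users\\mat\\Documents\\FDA submission\\protocol.pdf", 900_000_000),
    ("2021-07-10T17:41:00", "mat", "WS-0412", "E:", True, "C:\\Users\\mat\\Documents\\FDA submission\\data.xlsx", 600_000_000),
    ("2021-07-10T17:42:00", "mat", "WS-0412", "E:", True, "C:\\Users\\mat\\Documents\\archive.pst", 300_000_000),
    ("2021-07-10T17:43:00", "mat", "WS-0412", "E:", True, "C:\\Users\\mat\\Pictures\\team.jpg", 2_000_000),
    ("2021-12-08T10:00:00", "ana", "WS-0077", "F:", True, "C:\\Users\\ana\\Desktop\\deck.pptx", 50_000_000),
    ("2021-12-08T10:05:00", "ana", "WS-0077", "C:", False, "C:\\Users\\ana\\Desktop\\notes.txt", 1_000),
]
QUERY_TIME = "2021-12-10T00:00:00"   # the hunt runs in December, months after mat's last login
```

Running `lead_generation(LOGINS, COPIES, QUERY_TIME)` keeps only "mat" (silent for 149 days, 1.8 GB over one USB day), while "ana", who logged in the day before, drops out; `top_directories(COPIES, "mat")` then ranks the "FDA submission" directory first, which is the pivot the talk's second query is for.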