Insider Threat Kill Chain – Reconnaissance
It is increasingly difficult to defend against attacks. This has led security teams to acknowledge the inevitability of a successful infiltration and to adopt “kill chain” defenses. A “kill chain” defines a set of activities that an attacker must complete successfully in an attack. Stopping any of the individual activities blocks the attack.
Both internal and external threat actors require information on their targets, making reconnaissance the first step in both kill chains. For an external attacker, reconnaissance means learning everything possible about the target. This includes technical information about the target organization’s infrastructure as well as “soft” information that can be used in a social engineering attack.
For the Insider Threat Kill Chain, reconnaissance is different. The insider already knows email formats and internal roles and responsibilities. They may even know who has access to the desired information; it may be the attacker himself. Reconnaissance for a malicious insider will be research into how to extract information, avoid detection, and cover their tracks. Examples include:
- Downloading or launching tools commonly used by hackers – Password crackers (or password recovery tools) can be used to steal credentials from a CFO or IT Administrator. Packet sniffing tools like Wireshark and tcpdump can capture network data.
- Launching PowerShell, Terminal, and similar command line tools – PowerShell is a command line shell developed by Microsoft and is part of Windows. System Administrators use it to build and run scripts. However, it can also be used to run malicious scripts. Understanding when it is run and by whom can be an early indicator of a bad actor.
- Unusual rates of opening files – This could be an indicator that a malicious insider is looking for specific information and doesn’t know which file includes the data. Again, context is important. A copywriter or software engineer may open a lot of files every day. An employee in accounts payable may do so infrequently but still have legitimate reasons for doing so.
- Unusual access to new file locations – This could be an insider searching for targeted data, a curious employee “browsing” in areas where they have no legitimate purpose, or someone making an inadvertent error.
- Mounting USB drives or accessing cloud storage – A common exfiltration strategy is a USB thumb drive or cloud storage account (Gmail, Dropbox, etc.). An insider may test organizational defenses by copying innocuous files to these devices or locations to see if they are stopped.
Stopping an insider attack at the first step of the kill chain is ideal, but simply blocking all of these activities or questioning employees about every action is counterproductive. It’s important to note that the simple presence of any of these tools or activities is not proof of an insider attack. The tools can be used to diagnose network issues and recover forgotten passwords. The actions could be user errors or people attempting to improve their productivity by moving information to the cloud so they can access it from home. Instead, one needs to look at the activity in context: who is downloading and launching these tools, whether the information being moved is sensitive or normal work product, and whether the actions are anomalous.
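The contextual review described above can be sketched as detection logic. This is an added example, not code from the original post: it compares each user's file opens to that user's own baseline and only surfaces a user when two or more signals coincide. The event fields, role names, the 3-sigma threshold, and the two-signal rule are all assumptions, and the data is constructed.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed baselines: files opened per day on prior workdays, per user.
HISTORY = {
    "copywriter1": [180, 210, 195, 220, 205],
    "ap_clerk1": [12, 9, 15, 11, 10],
    "sysadmin1": [40, 35, 50, 45, 38],
}
# Assumed policy: tools that are routine for a given role.
EXPECTED_TOOLS = {"it_admin": {"powershell", "wireshark", "tcpdump"}}

def opens_anomalous(user, count, z=3.0):
    """True when today's count is far above this user's own baseline."""
    past = HISTORY[user]
    spread = max(pstdev(past), 1.0)  # floor avoids alerting on tiny variance
    return count > mean(past) + z * spread

def review(events):
    """Return {user: [reasons]} for users with two or more contextual signals."""
    opens, reasons = Counter(), {}
    for user, role, kind, detail, sensitive in events:
        if kind == "file_open":
            opens[user] += 1
        elif kind == "tool_launch" and detail not in EXPECTED_TOOLS.get(role, set()):
            reasons.setdefault(user, []).append(f"{detail} unusual for {role}")
        elif kind == "usb_copy" and sensitive:
            reasons.setdefault(user, []).append(f"sensitive file to USB: {detail}")
    for user, count in opens.items():
        if opens_anomalous(user, count):
            reasons.setdefault(user, []).append(f"{count} file opens vs baseline")
    # A single indicator is not proof; require corroboration before review.
    return {u: r for u, r in reasons.items() if len(r) >= 2}

def sample_events():
    """Constructed one-day log: (user, role, kind, detail, sensitive)."""
    ev = [("copywriter1", "marketing", "file_open", f"doc{i}", False) for i in range(215)]
    ev += [("ap_clerk1", "accounts_payable", "file_open", f"inv{i}", True) for i in range(90)]
    ev += [("ap_clerk1", "accounts_payable", "tool_launch", "powershell", False),
           ("sysadmin1", "it_admin", "tool_launch", "wireshark", False),
           ("copywriter1", "marketing", "usb_copy", "brochure.pdf", False)]
    ev += [("sysadmin1", "it_admin", "file_open", f"cfg{i}", False) for i in range(42)]
    return ev

if __name__ == "__main__":
    for user, why in review(sample_events()).items():
        print(user, "->", "; ".join(why))
```

In the constructed data, the copywriter's 215 opens and the administrator's Wireshark launch are ordinary for those users, so only the accounts payable user is surfaced for review.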
The next blog post on this topic will discuss Circumvention: detecting how an attacker might attempt to bypass existing security measures.