11 tips for spotting insider threats

Security experts offer advice aimed at helping companies find an insider attack sooner rather than later

Security pros are constantly being warned about insider threats. We're told our companies need next-generation software, integrated threat intelligence, and the ability to correlate massive amounts of event logs and context to arm ourselves against these threats.

We're told that these tools are necessary to block attacks and to recover from attacks, should they be successful. Unfortunately, when companies eventually figure out that they've been compromised, they also discover their systems had been compromised for an extended period of time.

"Insider threats can include a combination of malicious insiders, compromised insiders, and careless insiders," says Wade Williamson, director of product marketing at Vectra Networks. "You will need clear visibility for identifying all of these threats, but they will differ in behavior and how security will be able to detect them."

To help companies spot the insider sooner, we collected advice from security experts on where the telltale signs of an insider attack tend to show up first.

Tip 1: Watch for strange patterns in your DNS traffic

"DNS is often a layer that is forgotten," says Arno Meulenkamp, systems engineer at Infoblox. "It can be used as a way to exfiltrate data. Weird patterns in DNS traffic, such as hashes, can signal that something is going on."

Tip 2: Check logs for host-to-host authentications

"When you see someone authenticate to a host from a different host while the target host is usually only authenticated to via the domain controller, you might have a problem," says Yonathan Klijnsma, senior threat intelligence analyst at Fox-IT. "In this context, it's important to know the tools the attackers use -- such as PsExec (and variants of) or Mimikatz -- and look for traffic associated with those tools. It's common for tools like these to be used for lateral movement, to move between Windows computers in a network, using host-to-host communications."
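The check described above, as an added example that is not from the article or from Fox-IT: learn which source hosts normally authenticate to each target from a historical window, then flag recent logons to that target from any source that is neither in that baseline nor a domain controller. The event tuples and host names are constructed for the example.

```python
from collections import defaultdict

# Constructed authentication events (not real logs): (target host, source host, account).
# BASELINE_EVENTS is the learning window; RECENT_EVENTS is the window under review.
BASELINE_EVENTS = [
    ("FILESRV01", "DC01", "svc_backup"),
    ("FILESRV01", "DC01", "alice"),
    ("FILESRV01", "DC01", "bob"),
    ("WS-ALICE", "DC01", "alice"),
    ("WS-BOB", "DC01", "bob"),
]
RECENT_EVENTS = [
    ("FILESRV01", "DC01", "alice"),
    ("FILESRV01", "WS-BOB", "alice"),   # workstation -> server, never seen in baseline
    ("WS-ALICE", "WS-BOB", "bob"),      # workstation -> workstation, never seen in baseline
    ("WS-BOB", "DC01", "bob"),
]
DOMAIN_CONTROLLERS = {"DC01"}  # assumed list of hosts allowed to authenticate anywhere


def build_source_baseline(events):
    """Map each target host to the set of source hosts that authenticated to it."""
    baseline = defaultdict(set)
    for target, source, _ in events:
        baseline[target].add(source)
    return baseline


def find_host_to_host_anomalies(baseline, events, dcs=DOMAIN_CONTROLLERS):
    """Return events whose source host is new for that target and is not a domain controller.
    Targets absent from the baseline are treated as DC-only, so any other source is flagged."""
    findings = []
    for target, source, account in events:
        if source in dcs:
            continue
        if source not in baseline.get(target, set()):
            findings.append({"target": target, "source": source, "account": account,
                             "reason": "unexpected host-to-host authentication"})
    return findings
```

Each finding names the source host, so the next step is to look on that host for the lateral-movement tooling the tip mentions.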

Tip 3: Check for exposed employee credentials on the Web

"Monitor paste sites such as Pastebin for exposed employee credentials," says Nagraj Seshadri, vice president of marketing at Recorded Future. "If the leaked credentials on the Web have been exploited, you could have yourselves an insider and the employee who owns the credentials wouldn't know it. Take action by changing passwords and consider implementing two-factor authentication."

Tip 4: Watch data flow around key assets

"A malicious insider will often steal large volumes of data over a short period of time. Gathering up large volumes of data is easily identifiable by monitoring the internal assets," adds Williamson of Vectra Networks. "By watching the internal traffic, teams can quickly see if data is being tunneled out of the network, or bounced between multiple devices for exfiltration."
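One way to watch for the short, high-volume pull the tip describes, as an added example that is not from the article or from Vectra Networks: compare each host's outbound volume in the hour under review against that host's own earlier hours, and flag it only when it is both many standard deviations above and several times its baseline mean. The flow samples and thresholds are constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed per-hour outbound byte counts from internal flow records (not real data):
# (host, hour_index, bytes_sent). Hours 0-5 form the baseline; hour 6 is under review.
FLOW_SAMPLES = [
    ("WS-ALICE", h, b)
    for h, b in enumerate([120_000, 150_000, 90_000, 130_000, 110_000, 140_000, 125_000])
] + [
    ("WS-BOB", h, b)
    for h, b in enumerate([200_000, 180_000, 220_000, 210_000, 190_000, 205_000, 9_800_000])
]


def bytes_by_host_hour(samples):
    """Aggregate samples into {host: {hour: total_bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for host, hour, nbytes in samples:
        totals[host][hour] += nbytes
    return totals


def find_volume_spikes(samples, review_hour, min_sigma=3.0, min_ratio=5.0):
    """Flag hosts whose review-hour volume is >= min_sigma standard deviations above AND
    >= min_ratio times their own baseline mean (hours before review_hour).
    Both tests are required so a host with a flat, tiny baseline is not flagged by noise."""
    findings = {}
    for host, hours in bytes_by_host_hour(samples).items():
        baseline = [b for h, b in hours.items() if h < review_hour]
        if len(baseline) < 3 or review_hour not in hours:
            continue  # not enough history to judge this host
        mean = statistics.mean(baseline)
        stdev = statistics.pstdev(baseline) or 1.0  # avoid division by zero on constant baselines
        observed = hours[review_hour]
        sigma = (observed - mean) / stdev
        ratio = observed / mean if mean else float("inf")
        if sigma >= min_sigma and ratio >= min_ratio:
            findings[host] = {"observed": observed, "baseline_mean": mean, "sigma": round(sigma, 1)}
    return findings
```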

Tip 5: Map multiple machine logins to cloud-based storage services

"Look for users logging in to different machines from the same account, accessing large data stores on these systems, and syncing their data to a cloud-based storage service such as Dropbox," says Itsik Mantin, director of security research at Imperva. "An insider could leverage the user's compromised credentials to access the user's Dropbox account -- this data upload could otherwise look like normal business use of the services."

Tip 6: Use fake credentials and files as bait

"An insider will move around the network, seeking out new credentials and using their newfound privileges to access data," says Haroon Meer, founder/researcher at Thinkst. "By setting up bogus credentials and fake files as bait, you can see when those (never-should-be-used) credentials are used."

Tip 7: Look for 'things' that no longer exist

"Insiders will often attempt to cover their tracks and malware will attempt to remain persistent by deleting things," says Fabien Perigaud, security expert at Airbus Defence and Space -- CyberSecurity. "Look for registry keys, services, and helper objects that were accessed, used, or otherwise executed in the past but no longer exist on the machine. These could be telltale signs that an insider was there."

Tip 8: Map endpoint authentication logs with ActiveDirectory logs

"If a user previously only ever used three or four assets in the network, but now is accessing significantly more than that in a short timeframe, there is a chance of an insider," says Mark Schloesser, security researcher at Rapid7. "Also, the logs from Active Directory (AD) should be correlated and augmented with the ones from the endpoints, as these include local account authentication events that would not be visible to the AD."
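Both halves of this tip, as an added example that is not from the article or from Rapid7: normalise domain-controller logons and endpoint logons into the same (account, host) pairs, flag accounts that touch markedly more distinct assets than their baseline, and list the local-account logons that only the endpoint logs carry. The record tuples, the HOST\name convention for local accounts and the sprawl threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed logon records (not real logs). AD records come from the domain controller as
# (account, host); endpoint records come from each host's own Security log as (host, account)
# and include local accounts, written here as HOST\name, which the DC never sees.
AD_BASELINE = [("alice", "WS-ALICE"), ("alice", "FILESRV01"), ("alice", "MAIL01"),
               ("bob", "WS-BOB"), ("bob", "FILESRV01")]
AD_RECENT = [("alice", "WS-ALICE"), ("alice", "FILESRV01"), ("alice", "HR-DB01"),
             ("alice", "FIN-DB01"), ("alice", "BUILD01"), ("alice", "WS-CAROL"),
             ("bob", "WS-BOB")]
ENDPOINT_RECENT = [("WS-CAROL", "WS-CAROL\\localadmin"), ("BUILD01", "BUILD01\\svc_local"),
                   ("WS-BOB", "bob"), ("WS-CAROL", "alice")]


def merge_logons(ad_events, endpoint_events):
    """Normalise both sources to (account, host) pairs so local and domain logons sit side by side."""
    pairs = set(ad_events)
    for host, account in endpoint_events:
        pairs.add((account, host))
    return pairs


def assets_per_account(pairs):
    """Map each account to the set of distinct hosts it logged on to."""
    assets = defaultdict(set)
    for account, host in pairs:
        assets[account].add(host)
    return assets


def find_asset_sprawl(baseline_pairs, recent_pairs, extra_hosts=2):
    """Flag accounts touching more than (baseline count + extra_hosts) distinct assets recently.
    Returns {account: [hosts not seen in the baseline]}; extra_hosts is an assumed tolerance."""
    base = assets_per_account(baseline_pairs)
    recent = assets_per_account(recent_pairs)
    findings = {}
    for account, hosts in recent.items():
        known = base.get(account, set())
        if len(hosts) > len(known) + extra_hosts:
            findings[account] = sorted(hosts - known)
    return findings


def local_account_logons(endpoint_events):
    """Local (HOST\name) logons: these appear only in endpoint logs, so AD-only monitoring misses them."""
    return [(host, account) for host, account in endpoint_events
            if "\\" in account and account.split("\\", 1)[0].upper() == host.upper()]
```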

Tip 9: Locate the first instance of an event

"Look for the first time an activity is performed," says Johan den Hartog, sales engineer at Tenable Network Security. "If you've never seen that activity before, it could point to the start of an insider attack that needs to be profiled. HSBC and Sabre are two examples of this where ghost employees were created using aliases and new activities performed under those new aliases."

Tip 10: Identify shadow IT tools being used

"In our recent Application Usage and Threat report, we noted that more than 4,400 organizations had five or more unique remote access applications in use concurrently -- the chances are they would expect one or two, but not as many as five," says Greg Day, vice president and CSO, EMEA at Palo Alto Networks. "While there may be intentional use, use of these tools could lead to unintentional consequences."

Tip 11: Before you delete malware, analyze it

"Since keeping things running is a top priority, companies have gotten in the habit of identifying malware and immediately re-imaging the systems that have been infected so they can be brought back online," says Ralph Pisani, executive vice president of Field Operations at Exabeam. "Malware is a sign of something bad happening -- companies shouldn't be so quick to eliminate this important clue that could help them piece together the cyber kill chain. Malware is not the end; it's often the beginning. It's critical to know what users did before the malware was detected and where they went after the infection."

Sean Martin is an information security veteran of nearly 25 years and a four-term CISSP with articles published globally covering security management, cloud computing, enterprise mobility, governance, risk and compliance -- with a focus on specialized industries such as government, finance, healthcare, insurance, legal and the supply chain.

This story, "11 tips for spotting insider threats" was originally published by Network World.

Copyright © 2016 IDG Communications, Inc.