March 13, 2012
“Wow, your tool would be great against malicious insiders!”
This is a common conclusion made by those introduced to the Triumfant solution. That is because instead of looking for applications or malicious executables, we detect malicious activity through change, whether a threat actor working programmatically creates the change or a malicious insider directly makes the change.
The term “malicious insider” has been gnawing at me since I delivered a short presentation for the Intelligence and National Security Alliance Innovators Showcase last week. My new slides had several screen shots from the Poison Ivy Remote Administration Tool (RAT) that we use in demos of the Triumfant product. It was interesting to see the reaction to those screen shots as people grasped in a very graphical way what it meant to “own” a machine. I realized that perhaps while people have intellectually grasped what a RAT can do, they might not have fully appreciated the term “own” until they actually saw one in action. (More on RAT tools in the previous post)
Today’s attacks are not smash and grab operations – they methodically evade network and endpoint protections to establish a long-term and comprehensive presence on the machine. These are carefully crafted incursions onto target networks that rely on persistence and stealth.
In short, they turn the outsider into an insider. This of course is not news to those in infosec, but for the people we serve, the idea behind these sophisticated targeted attacks is one they are still wrapping their heads around.
Once a RAT is in place, the hacker has the same access as if they were looking over the shoulder of the machine’s user. The user literally guides them through the applications and systems on the network, providing them user IDs and passwords along the way. This allows the hacker to spread their influence to other places in the network until they are able to access their targets. Time is on their side, as every statistic says that they will have at least a month and on average six months to identify and exfiltrate the intellectual property or sensitive data they seek.
Attacks rarely start at the machine that holds the targeted information. Hackers now patiently gain access to the network where they can, and then stealthily move about until they find what they need. And new Advanced Persistent Threats like Duqu illustrate that hackers are now using sophisticated attacks to gather all manner of information to then plan their payoff attack. As I said in the previous post, these attacks put the adversary in your boardroom, laboratories, production lines, and CFO’s office.
If six months and virtually unlimited access does not qualify the hacker as an insider, I do not know what does. Recruiting physical insiders is a long and costly process and smacks of too much Mission Impossible. And even well placed insiders may have trouble moving outside of their areas of responsibility. Why go through all of that risk and effort when an outsider can easily become an insider? If the operation is discovered, the outsider simply moves to the next target.
There is another aspect to being an insider: once you are inside, all of the security measures designed to keep you an outsider are now irrelevant. The carefully crafted shields an organization has in place are all pointing outward and are not equipped or designed to catch the work of an insider. Once these shields are evaded they are no threat to the insider. Statistics from the 2011 Verizon Business Data Breach Investigations Report say that less than 6% of data breaches are discovered by the organization’s IT shop. That sounds like a pretty wide gap that requires some new thinking to me.
The answer to the original question is yes, Triumfant rocks against malicious insiders. All types.