Monitoring network traffic for insider threats

How technical monitoring can help defend against insider threats

The number of annual security incidents caused by insider threats continues to increase. TheCERT Guide to Insider Threats notes that, “Some assert that they are the most significant threat faced by organizations today.”

Disgruntled system administrators damage data and systems, skilled professionals steal intellectual property, and inferior employees use information to achieve political or financial objectives for their self-gain. Any of these can constitute a critical national defense breach or breach of public trust.

To defend against the damage or theft caused by insiders, an organization must hold every employee responsible for detecting and reporting both behavior and technical evidence indicating a possible employee defection from policy and compliance. Organizations should be sure that all employees know the policies on information resources and workplace behavior and be alert to any negative change in their behavior. Large organizations also can set up anonymous phone lines or websites where employees can report concerns or complaints.

But although behavior monitoring can alert us to many possible incidents, it often fails when dealing with network and server administrators who go rogue. We can easily miss behavior signals when an employee does his or her best to hide them.  When behavior monitoring fails or is insufficient, technical monitoring should fill the gap.

Nonadministrators

For nonadministrators, we can control how much information an employee can access (and what they can do with it) by enforcing need-to-know, least privilege, and separation-of-duties policies. Organizations enforce all three by properly managed authorization policies and processes. 

The first two are closely related. Need-to-know restricts the information a user can access only to that required for daily task completion. Least privilege controls what a person can do with the information accessed. For example, need-to-know might allow me to see electronic information classified as top secret, but least privilege would prevent me from changing or deleting it unless my role in the organization requires it.  Together, they strictly limit insider threat damage.

Separation of duties, when properly implemented, prevents any one person from performing all tasks associated with a critical process. To illustrate, separation of duties prevents a software developer from creating malware and placing it in a production environment. In other words, developers should not be able to place their work into production systems. 

Next, organizations must control the movement of sensitive information. If not possible using direct means, such as data rights management, then you should use indirect means.

One of the most effective indirect monitoring methods is NetFlow analysis. NetFlow, emerging as the IPFIX (Internet Protocol Flow Information Export) standard, collects network traffic flow information at various points across the network. Information gathered and aggregated to an analysis and management server provides insight into anomalous traffic flow. If, for example, an employee decides to copy a large number of documents to an Internet location, NetFlow statistics would alert security to unusual behavior at one or more points on the network. This near-real-time identification of technological infractions happening on the network enables the possibility for a quick and effective response: stopping the employee or mitigating their effects on the organization.

In addition to NetFlow, Security Information and Event Management (SIEM) provides additional information about anomalous server or network behavior. SIEM solutions gather logs from various devices and systems, aggregating them into a correlation server. An event correlation application then mines unusual patterns or patterns known to be related to malicious behavior. Questionable activity is reported to security via email, SMS, or a Web portal.

Finally, employment termination and job change processes must include immediate revocation of all rights and privileges to previously accessed information resources.  During a job change, removing all access and then granting access for the new role is a good approach.  Failure to adequately perform these tasks is a significant cause of many insider incidents, especially those caused by administrators.

Administrators

While the above controls also can work for malicious activities by administrators, they also have weaknesses. Administrators can alter logs or create backdoor accounts for use after hours or even after termination. Monitoring all employees and using separation of duties can help eliminate these vulnerabilities.

Administrator monitoring must extend to changes applied to special purpose files.  One example includes log changes. Operating systems or other third-party solutions can track changes to logs, including who made the change and when. Security teams can identify unplanned changes and respond appropriately. This also applies to other files that might contain critical system management information and applications in the production environment.

In addition to file changes, any creation of a privileged account should raise a warning. For example, one security team ran a script every morning to determine if any accounts had been added to any Windows Active Directory administrator group.    If so, the addition was reviewed against change management documentation to ensure it was approved. Any questionable account was removed and the offending employee was reported to his manager. A periodic audit of all privileged accounts, whether disabled or active, is another good way of identifying possible rogue IDs. 

Sharing of administrator passwords also requires special attention. Each time a shared admin account is used, log it. Each time an administrator leaves the organization, change all shared passwords. If your budget allows it, consider implementing a privileged password management solution that logs who checks out shared account passwords and changes the passwords after use.

For more information regarding insider threats and network security, check out the CCNA security course offered by the InfoSec Institute. Remember that every employee has the ability to be an insider threat. The most impactful threats are caused by those at the top: managers, administrators, programmers, and security experts. Insider threats are real, and they will eventually cause an incident in every organization.  Proper preparation, training, and vigilance can prevent or alleviate related consequences.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above