by Jake Anthony, LogPoint Senior Sales Engineering Manager
We no longer live in a world where we have the privilege of believing our privacy is our own, or that we are 100% effective in protecting the privacy of those people that entrust their data to us. Organizations are slowly, ever so slowly, coming around to the idea that no matter the preventative measures put in place, the act of being compromised is a matter of when and not if.
Organizations have, for the past 10-15 years, used everything in their arsenal to mitigate the issues caused by external threat actors. Whilst not a complete success, it has forced threat actors to change tack, and now the buzzword on everyone's lips is the internal threat actor: the insider threat.
If we accept the hypothesis that compromise is a matter of when and not if, then it becomes clear that the appropriate response is to focus attention on being able to detect and understand the Indicators of Compromise (IoCs) these attackers leave behind.
Who knows where?
Your enterprise edge is probably not your first thought when discussing insider threat, but in a world where so much of an organization’s infrastructure is exposed to the external world, insider threat is not limited to the stereotypical “inside”. The utilization of cloud infrastructure and remote access architectures that enable flexible working and operations also vastly increase the places an insider can access your network from.
In this context, geographical anomalies are commonplace, and they regularly rear their heads when the infiltration is carried out by a more careless or inexperienced threat actor.
If you are an organization that solely does business within EMEA, is there any reason you would be communicating with a network based in ASIAPAC? Very unlikely, and even where there is a legitimate reason (a SaaS provider, CDN or cloud region hosted abroad), that traffic is an obvious IoC until it has been reviewed and explicitly allowlisted. Destinations that cannot be geolocated at all deserve the same review rather than a silent pass.
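The check described above, written out as an added example (this is illustrative code, not LogPoint's product logic). The GeoIP table, the internal prefixes, the allowlist entry and the firewall log lines are all constructed for the example and use documentation address ranges; a real deployment would replace the table with a GeoIP database and feed it the parsed firewall or proxy events already in the SIEM.

```python
"""Geographic anomaly check over firewall/flow records (added example, not LogPoint code)."""
import ipaddress
import re

# Constructed GeoIP table: prefix -> (country, region). Documentation ranges only.
GEOIP = {
    ipaddress.ip_network("198.51.100.0/24"): ("DE", "EMEA"),
    ipaddress.ip_network("192.0.2.0/24"): ("GB", "EMEA"),
    ipaddress.ip_network("203.0.113.0/24"): ("SG", "APAC"),
}
# Explicit internal prefixes. ipaddress.is_private() is deliberately not used:
# it also returns True for the documentation ranges this example relies on.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_REGIONS = {"EMEA"}
# Reviewed exception, e.g. a SaaS provider legitimately hosted outside EMEA (hypothetical).
ALLOWLIST = [ipaddress.ip_network("203.0.113.200/32")]

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)"
)


def lookup(ip: str):
    """Return (country, region). Unknown addresses are reported, not silently passed."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL):
        return ("-", "INTERNAL")
    for net, geo in GEOIP.items():
        if addr in net:
            return geo
    return ("??", "UNKNOWN")


def geo_anomalies(lines):
    """Return (dst, country, region) for each allowed, non-allowlisted connection
    whose destination is outside the approved regions or cannot be located."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["action"] != "allow":  # denied traffic never left; skip it
            continue
        dst = ipaddress.ip_address(m["dst"])
        if any(dst in net for net in ALLOWLIST):
            continue
        country, region = lookup(m["dst"])
        if region not in APPROVED_REGIONS and region != "INTERNAL":
            hits.append((m["dst"], country, region))
    return hits


# Constructed firewall log lines in a simple key=value export format.
SAMPLE_LOG = [
    "2024-03-01T09:12:01Z src=10.0.0.5 dst=198.51.100.20 dport=443 action=allow",
    "2024-03-01T09:12:07Z src=10.0.0.7 dst=203.0.113.50 dport=443 action=allow",
    "2024-03-01T09:13:44Z src=10.0.0.7 dst=203.0.113.200 dport=443 action=allow",
    "2024-03-01T09:14:02Z src=10.0.0.9 dst=203.0.113.51 dport=22 action=deny",
    "2024-03-01T09:15:30Z src=10.0.0.9 dst=192.0.2.10 dport=443 action=allow",
    "2024-03-01T09:16:11Z src=10.0.0.4 dst=198.18.0.10 dport=8443 action=allow",
    "2024-03-01T09:17:00Z src=10.0.0.4 dst=10.0.1.20 dport=445 action=allow",
]

if __name__ == "__main__":
    for dst, country, region in geo_anomalies(SAMPLE_LOG):
        print(f"review: outbound to {dst} ({country}/{region}) is outside {sorted(APPROVED_REGIONS)}")
```

Two design choices matter here: denied connections are skipped because they never left the network, and an address the GeoIP source cannot place is flagged rather than ignored, since "unknown" is exactly where freshly registered attacker infrastructure tends to sit.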
Rogue one
Continuing the theme of insider threat from the outside, endpoints (specifically mobile endpoints) are yet another example of expanding our enterprise edge to the potential detriment of the organization’s overall security posture. Security professionals are constantly refining the balance between providing flexibility and responsibility to their users whilst maintaining a secure corporate network.
These devices are prime targets for potential threat actors looking to infiltrate a network due to the often-lax security placed on mobile endpoints.
Reviewing or monitoring the processes running on endpoint devices against a predefined list of approved processes is a simple way to identify rogue processes. A mismatch is not a sure-fire IoC, but it certainly warrants a conversation with the endpoint owner. Compare on image path and hash as well as name: a process called svchost.exe running from a user's temp directory is a classic masquerade that a name-only check will never catch.
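An allowlist comparison along those lines, as an added example (not LogPoint code). The baseline, the image hashes and the process snapshot are constructed; the hashes are simply SHA-256 digests of labels standing in for real image hashes. In practice the snapshot comes from EDR telemetry or Sysmon process-creation events, which already carry the image path and hash.

```python
"""Rogue-process check: running processes against an approved baseline (added example)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    path: str
    sha256: str


def image_hash(label: str) -> str:
    """Constructed stand-in for a real image hash: sha256 of a label string."""
    return hashlib.sha256(label.encode()).hexdigest()


# Approved baseline: image name -> (expected directory prefix, approved hashes).
# Name alone is not enough; a known name from an unexpected path is a masquerade.
BASELINE = {
    "svchost.exe": ("c:\\windows\\system32\\", {image_hash("svchost-22h2")}),
    "explorer.exe": ("c:\\windows\\", {image_hash("explorer-22h2")}),
    "outlook.exe": ("c:\\program files\\microsoft office\\root\\office16\\", {image_hash("outlook-2308")}),
}


def classify(proc: Proc) -> str:
    entry = BASELINE.get(proc.name.lower())
    if entry is None:
        return "unknown-image"        # not in the approved list at all
    expected_dir, hashes = entry
    if not proc.path.lower().startswith(expected_dir):
        return "masquerade-path"      # approved name, wrong location
    if proc.sha256 not in hashes:
        return "hash-mismatch"        # unbaselined update or a tampered binary
    return "approved"


def rogue_processes(snapshot):
    """Return (pid, name, verdict) for every process that is not fully approved."""
    return [(p.pid, p.name, classify(p)) for p in snapshot if classify(p) != "approved"]


# Constructed process snapshot for one endpoint.
SNAPSHOT = [
    Proc(804, "svchost.exe", r"C:\Windows\System32\svchost.exe", image_hash("svchost-22h2")),
    Proc(3120, "explorer.exe", r"C:\Windows\explorer.exe", image_hash("explorer-22h2")),
    Proc(5532, "svchost.exe", r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", image_hash("dropper")),
    Proc(6010, "outlook.exe", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", image_hash("outlook-2307")),
    Proc(7221, "update_helper.exe", r"C:\Users\jdoe\Downloads\update_helper.exe", image_hash("unknown")),
]

if __name__ == "__main__":
    for pid, name, verdict in rogue_processes(SNAPSHOT):
        print(f"pid {pid} {name}: {verdict}")
```

The three verdicts deserve different handling: a masquerading path is close to a sure thing, an unknown image is the conversation with the endpoint owner the text describes, and a hash mismatch is most often a patch that nobody added to the baseline, so the baseline needs a maintenance process or the check drowns in noise.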
Beam me up
The majority of insider threats rely significantly on the ability of threat actors to gain seemingly "legitimate" access to the network through existing accounts and then propagating from there. This is achieved through a variety of means, including social engineering and cross-referencing data from previous breaches that hold potentially useful login data.
Once credentials have been obtained, it is crucial for the attacker to use them in a way that arouses the least suspicion within the organization.
Even so, there is a wide variety of potential IoCs to be found in this space: the location the login came from, the time at which it occurred, and the number of times any one account logged in (or failed to). These can be checked as absolute rules or against baselined behaviour, but either way they are a set of easy-to-spot IoCs that you should be monitoring.
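The time-of-day and login-count checks above, run over constructed authentication events, as an added example (not LogPoint code; the location check is the same GeoIP comparison as the outbound-traffic case earlier, so it is not repeated here). The log format, the users, the five-failure absolute threshold and the three-sigma baseline rule are all assumptions for the example. The baseline is built from one week of history per user, then a new day's events are scored against it.

```python
"""Login anomalies: absolute rules and per-user baselines over auth events (added example)."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)")


def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["user"], m["src"], m["result"]


def build_baseline(history):
    """Per user: hours of day seen with successful logins, and successes per day."""
    hours = defaultdict(set)
    per_day = defaultdict(Counter)
    for ts, user, _src, result in parse(history):
        if result == "success":
            hours[user].add(ts.hour)
            per_day[user][ts.date()] += 1
    return {u: {"hours": hours[u], "daily": list(per_day[u].values())} for u in hours}


def evaluate(lines, baseline, fail_threshold=5, sigma=3.0):
    """Return sorted (user, reason) findings.
    Absolute rule: at least fail_threshold failures for one user.
    Baselined rules: a success at an hour never seen for that user, or more
    successes in a day than mean + sigma * stdev of the user's daily history."""
    findings = set()
    day_counts = defaultdict(Counter)
    fails = Counter()
    for ts, user, _src, result in parse(lines):
        if result != "success":
            fails[user] += 1
            if fails[user] >= fail_threshold:
                findings.add((user, f"failed-logins>={fail_threshold}"))
            continue
        b = baseline.get(user)
        if b is None:
            findings.add((user, "no-baseline"))  # never-seen account: review regardless
            continue
        if ts.hour not in b["hours"]:
            findings.add((user, f"unusual-hour:{ts.hour:02d}"))
        day_counts[user][ts.date()] += 1
    for user, days in day_counts.items():
        hist = baseline[user]["daily"]
        mean = statistics.mean(hist)
        sd = max(statistics.pstdev(hist), 1.0)  # floor so a flat history still needs a real jump
        threshold = mean + sigma * sd
        for n in days.values():
            if n > threshold:
                findings.add((user, f"daily-logins:{n}>{threshold:.1f}"))
    return sorted(findings)


# Constructed history: alice logs in around 08:00, 09:00 and 17:00; bob around 08:30.
HISTORY = [
    "2024-03-04T08:02:11Z user=alice src=192.0.2.10 result=success",
    "2024-03-04T17:30:05Z user=alice src=192.0.2.10 result=success",
    "2024-03-05T08:15:40Z user=alice src=192.0.2.10 result=success",
    "2024-03-05T09:01:02Z user=alice src=192.0.2.10 result=success",
    "2024-03-05T17:45:19Z user=alice src=192.0.2.10 result=success",
    "2024-03-06T08:05:33Z user=alice src=192.0.2.10 result=success",
    "2024-03-06T17:20:48Z user=alice src=192.0.2.10 result=success",
    "2024-03-07T08:11:27Z user=alice src=192.0.2.10 result=success",
    "2024-03-07T09:30:00Z user=alice src=192.0.2.10 result=success",
    "2024-03-07T17:55:12Z user=alice src=192.0.2.10 result=success",
    "2024-03-08T08:00:59Z user=alice src=192.0.2.10 result=success",
    "2024-03-08T17:10:03Z user=alice src=192.0.2.10 result=success",
    "2024-03-04T08:30:00Z user=bob src=192.0.2.11 result=success",
    "2024-03-05T08:31:00Z user=bob src=192.0.2.11 result=success",
]
# Constructed new day: alice at 03:00 from a new source, bob sprayed then in at 22:00, carol unknown.
TODAY = [
    "2024-03-11T03:12:44Z user=alice src=198.51.100.7 result=success",
    "2024-03-11T03:14:02Z user=alice src=198.51.100.7 result=success",
    "2024-03-11T03:20:10Z user=alice src=198.51.100.7 result=success",
    "2024-03-11T03:25:51Z user=alice src=198.51.100.7 result=success",
    "2024-03-11T08:03:17Z user=alice src=192.0.2.10 result=success",
    "2024-03-11T17:31:09Z user=alice src=192.0.2.10 result=success",
    "2024-03-11T22:01:00Z user=bob src=203.0.113.9 result=failure",
    "2024-03-11T22:02:00Z user=bob src=203.0.113.9 result=failure",
    "2024-03-11T22:03:00Z user=bob src=203.0.113.9 result=failure",
    "2024-03-11T22:04:00Z user=bob src=203.0.113.9 result=failure",
    "2024-03-11T22:05:00Z user=bob src=203.0.113.9 result=failure",
    "2024-03-11T22:06:00Z user=bob src=203.0.113.9 result=success",
    "2024-03-11T10:00:00Z user=carol src=192.0.2.12 result=success",
]

if __name__ == "__main__":
    for user, reason in evaluate(TODAY, build_baseline(HISTORY)):
        print(f"{user}: {reason}")
```

Note the floor on the standard deviation: a user whose history is a flat "one login a day" has zero variance, and without the floor two logins on the same day would trip the three-sigma rule. An account with no baseline at all is reported rather than skipped, which also covers the newly created accounts the next section discusses.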
Live long and prosper
It is a common thread in attacks that the initial infiltration of an organization often yields little to no useful intelligence, data or rights. What attackers aim to do is propagate from this initial foothold across the network, escalating privilege and visibility as they go. The longer an attacker remains present in your network, the more control and data they will amass.
This concept of lateral movement within an organization to gain privilege and information is not new and requires detailed analysis in most cases to yield the underlying IoCs.
However, a simpler IoC in this vein is privilege escalation itself: monitor changes in privilege across your account base, and thus the access each account has. The moment a newly created account is granted admin privileges, questions should be asked as to the validity of that action, all the more so when the same identity both created the account and promoted it.
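A correlation for exactly that case, as an added example (not LogPoint code). The events are constructed, normalised dicts modelled on Windows Security log event IDs 4720 (user account created) and 4728/4732/4756 (member added to a security-enabled global/local/universal group); the field names, the privileged-group list and the 24-hour window are assumptions for the example rather than any product's schema.

```python
"""Privilege-escalation IoC: new account added to a privileged group (added example)."""
from datetime import datetime, timedelta

ACCOUNT_CREATED = 4720
GROUP_MEMBER_ADDED = {4728, 4732, 4756}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}


def _account(name: str) -> str:
    """Normalise 'DOMAIN\\user' or 'user' to a lowercase bare name."""
    return name.split("\\")[-1].lower()


def privileged_group_additions(events, window=timedelta(hours=24)):
    """Return one finding per addition to a privileged group.
    Severity is 'high' when the member account was created within `window`
    before the addition; every other addition is 'review'."""
    created = {}   # account -> (creation time, creator)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):  # correlate in time order
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == ACCOUNT_CREATED:
            created[_account(ev["target_user"])] = (t, ev["subject_user"])
        elif ev["id"] in GROUP_MEMBER_ADDED and ev["group"] in PRIVILEGED_GROUPS:
            member = _account(ev["member"])
            finding = {"severity": "review", "account": member, "group": ev["group"],
                       "promoted_by": ev["subject_user"], "time": ev["time"]}
            if member in created and t - created[member][0] <= window:
                created_at, creator = created[member]
                finding.update(severity="high", created_by=creator,
                               minutes_after_creation=int((t - created_at).total_seconds() // 60))
            findings.append(finding)
    return findings


# Constructed, already-normalised security events (deliberately not in time order).
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2024-03-11T21:40:00", "subject_user": "jdoe", "target_user": "svc_backup2"},
    {"id": 4732, "time": "2024-03-11T21:52:00", "subject_user": "jdoe",
     "group": "Administrators", "member": "CORP\\svc_backup2"},
    {"id": 4732, "time": "2024-03-12T09:05:00", "subject_user": "helpdesk1",
     "group": "Remote Desktop Users", "member": "CORP\\svc_backup2"},
    {"id": 4728, "time": "2024-03-12T09:00:00", "subject_user": "admin-ops",
     "group": "Domain Admins", "member": "CORP\\mwilson"},
    {"id": 4720, "time": "2024-03-12T10:00:00", "subject_user": "hr-admin", "target_user": "tmp_contractor"},
    {"id": 4728, "time": "2024-03-15T10:30:00", "subject_user": "admin-ops",
     "group": "Domain Admins", "member": "CORP\\tmp_contractor"},
]

if __name__ == "__main__":
    for f in privileged_group_additions(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['account']} -> {f['group']} by {f['promoted_by']} at {f['time']}")
```

Every addition to a privileged group is kept as a low-severity review item, because the valid ones are exactly the change records you want on file when the invalid one turns up. In the constructed data the high-severity hit also shows the creator and the promoter being the same account, jdoe, which is the question the text says should be asked.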
How LogPoint can help
When a SIEM solution, enhanced with top-notch security analytics, supports analysts in threat hunting, time spent on eliminating false positives is drastically decreased, empowering your team to focus on threats which really matter.
With LogPoint UEBA, you can easily detect suspicious behavior not only by users but also by other entities such as cloud, mobile or on-premise applications, endpoints and networks, as well as external threats, out of the box.
Read more about how LogPoint UEBA can help you detect insider threats and reduce the time to respond to attacks: