Red teams and remediation: How to be proactive about insider threats
June 28, 2019 9:57 am
4 min read
This content is provided by FireEye and Carahsoft.
Between October 2013 and May 2018, 41,058 U.S. citizens fell victim to business email compromise, losing at least $2.9 billion collectively, according to the FBI. Worldwide, those numbers jump to 78,617 known victims, for a total loss of at least $12.5 billion. Insider threats can be extremely lucrative, and they’re not going anywhere anytime soon, so businesses and federal agencies need to learn how to defend against these and other insider threats.
That’s why FireEye has an internal-facing insider threat program, where they fine-tune techniques for preventing insider threat breaches. Matt Shelton, director for technology, risk and threat intelligence at FireEye, said they focus on three different types of insider threats: non-hostile, hostile, and supply chain.
Step 1: Understand your business
“The first step is understanding your business and what risks your organization is concerned about,” Shelton said. “So, for example, at FireEye, our brand and our reputation is extremely important. Such is the case with our customers as well. In fact, based on the critical resources and services we provide, we become a part of our customer’s supply chain.”
Step 2: Identify your “crown jewels”
Second, Shelton said it’s important to understand what an organization’s “crown jewels” are. These are the systems an insider is most likely to target. That could mean source code, financial data and transactions or personally identifiable information.
Step 3: Model threats
Once you know what your crown jewels are, Shelton said the third step is to model threats to that data or those systems.
“You can start with just coming up with a list of scenarios that an insider might use to intentionally or unintentionally misuse data in your organization,” he said. “As an example, if you have identified a SharePoint site containing sensitive departmental budgets, think through all the ways an insider might abuse that resource. Perhaps the non-hostile insider downloads and emails a spreadsheet to a personal email address in order to have a mobile meeting. Or perhaps an employee might download that data to a Dropbox account. Here at FireEye, we’ve taken a lot of time to think through where all these data sources are, and how an insider might steal data from those data sources.”
One effective way Shelton said FireEye models its threats is by hiring a red team, an organization that comes in and assesses the environment by pursuing data and systems the way an insider, hostile or otherwise, would. They think and act like bad actors to identify weaknesses.
“So for example, we might ask our red team to go after a particular employee’s email accounts, or we might ask our red team to go after finding actual data here at FireEye,” Shelton said. “And then we unleash them to try to find a way to complete their objectives. They then provide those results back to us and we use that information to a remediation plan.”
Having a strategy to prevent insider threat is becoming more and more necessary as the threat landscape evolves. Employees are the largest threat surface a company faces, and “Nigerian Prince” scams barely scratch the surface of the level of sophistication some of these players can field.
“On October 30, 2018, the U.S. Department of Justice filed indictments against two Chinese Ministry of State Security intelligence agents who hired five hackers. And those hackers identified two insiders within a corporation to help them exfiltrate information out of the organization. Since they were able to hire two company insiders, these bad actors were able to bypass spear phishing, and other forms of initial compromise that might lead to their detection,” Shelton said.
Shelton said this particular example highlights all three threat types: nation state actors, for-profit hackers and insiders who provided the initial foothold. These groups are becoming more and more sophisticated with their intrusion activities.
“At FireEye we use an intelligence-driven approach where we look at other examples of similar compromises and we apply that to our own environments through various remediations,” Shelton said.
Step 4: Plan for the worst
But even identifying the risks, gaming them out and developing remediation plans isn’t enough; Shelton said you have to assume that at some point, a breach is inevitable. So FireEye also invests in security monitoring infrastructure, and runs tabletop exercises to find the gaps in our Incident Response Plan.
“Testing the incident response plans that you’ve built is critical to identifying an insider threat or even an external threat. It’s as simple as asking questions like ‘When do we bring in law enforcement? When do we make a public statement about it?’ These are questions that are good to talk about and have documented in a formal plan.”