nexon-blog-top-10-tips-insider-threat-management

While we know that, as leaders of an organisation, our principal aim is to keep our people happy… we also know that the bigger your network, the greater the risk of cyber-attack from sources close to home.

Whether it’s a disgruntled employee, a contractor with low allegiance, a spear phishing attack compromising credentials, or a legitimate and trusted employee being paid or bribed to infiltrate a system, the risk for Australian organisations is real. These slow-burn threats see disgruntled team members performing their own internal reconnaissance, gaining access to data and attempting lateral movement to other systems.

Where clients engage organisations like Nexon to undertake penetration tests, a limited scope often sees them fall short because the focus is restricted to the perimeter and cloud. While this is a great start, it’s time for organisations to recognise the shift in attack dynamics from external to insider threats.

As the risks move closer to home, security reviews should no longer focus only on external entry points; internal threats now demand extra attention in any security maturity assessment.

 

Top 10 Tips to Manage Insider Threats

To circumvent the devil you know… and the devil you don’t!

 

1. Identify High Value Targets and Assets

To accurately defend an organisation, you need to know the terrain and understand your High Value Targets (HVTs), systems and data. Think like an attacker: understand weakened entry points, relationship nuances and locations, then review and implement access rights and adjust security and access levels accordingly.

 

2. Protect your Endpoints

Endpoint protection is a critical step in ensuring that data assets and Intellectual property are protected from exposure to breach or attack.

  • Deploy local endpoint protection (EDR / XDR) to all workstations and prevent users from disabling it; this provides IoCs and kill-chain visibility.
  • Consider and deploy application whitelisting, using technologies like AppLocker, to restrict which applications users can run. Living off the Land (LotL) attacks use trusted utilities already present on the system to infiltrate in-house systems and applications.
  • Ensure patch management is controlled, with group policies and cloud security controls in place.

 

3. Implement Network Security

We’ve talked about employees/contractors, but what about an approach or entry from others with physical access to your office and by proxy, its systems?

  • Start with the basics: disable unused physical network ports on desks and in meeting rooms to limit the potential for damage from ransomware outbreaks and make hacker access more challenging. Use VLANs (Virtual Local Area Networks) to segment the network, then apply ACLs (Access Control Lists) to these VLANs to restrict access by device.
  • Consider using technologies like 802.1X and Deep Packet Inspection (DPI)/SSL Inspection so that only authorised devices communicate on the network and traffic travelling through the firewall is inspected to ensure it is not malicious. Dynamic ARP Inspection, DNS inspection and DHCP snooping can also be considered to prevent attackers from ‘sniffing’ traffic within the internal network or tunnelling (exfiltrating) via certain protocols; DHCP snooping also prevents rogue devices obtaining IP addresses from DHCP and/or consuming all of your IP addresses.
  • Have a Network IPS/Antivirus in place and enabled on the firewall/IPS.
  • Review the protocols in use and disable insecure services such as SMBv1 and clear-text protocols like FTP, Telnet and SNMP (or replace them with more secure alternatives); all of these can be intercepted by attackers to gain access to other systems.

 

4. Review and Sanitise your Data

We often find sensitive information that is useful to hackers within network shares. This includes passwords, copies of identification documents (passports, driving licences), IT systems information, configuration files and backups of systems and databases.

Most importantly, clean it up.

Evaluate and re-allocate the access currently granted to authenticated users and domain admins, and implement further restrictions based on role. Search for pass, password, login, credentials and other common terms to identify and clean up data that could expose your organisation.
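
A share-content review of the kind described above, as an added example rather than Nexon’s own tooling. The share it scans is a constructed temporary directory, and the term list, the “term followed by : or =” rule and the text-file extensions are assumptions chosen to cut down false positives from ordinary prose:

```python
import re
import tempfile
from pathlib import Path

# Terms the article suggests searching for, plus a few common variants.
CREDENTIAL_TERMS = ("pass", "password", "passwd", "login", "credentials", "secret")
# Match a term followed by ':' or '=' so that "Passport copies" or "login page"
# in ordinary prose are not reported.
PATTERN = re.compile(r"\b(" + "|".join(CREDENTIAL_TERMS) + r")\w*\s*[:=]", re.IGNORECASE)
# Only these are read as text; other files are checked by name alone.
TEXT_EXTENSIONS = {".txt", ".ini", ".cfg", ".conf", ".xml", ".ps1", ".bat", ".csv", ".md"}


def scan_share(root):
    """Walk `root` and return (relative path, line number, evidence) for each hit.
    A file whose *name* contains a credential term is reported with line number 0."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(term in path.name.lower() for term in CREDENTIAL_TERMS):
            findings.append((rel, 0, path.name))
        if path.suffix.lower() not in TEXT_EXTENSIONS:
            continue
        with path.open("r", encoding="utf-8", errors="ignore") as fh:
            for lineno, line in enumerate(fh, 1):
                if PATTERN.search(line):
                    findings.append((rel, lineno, line.strip()))
    return findings


def build_sample_share():
    """Create a constructed sample share in a temporary directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    for sub in ("IT", "HR", "Finance"):
        (root / sub).mkdir()
    (root / "IT" / "switch-config.txt").write_text("hostname core1\nenable password = constructed-example\n")
    (root / "HR" / "onboarding.txt").write_text("Welcome pack\nPassport copies are kept in the safe.\n")
    (root / "Finance" / "Passwords.xlsx").write_bytes(b"PK\x03\x04")  # binary: flagged by name only
    (root / "README.txt").write_text("Login: svc_backup\nSee the wiki for the login page.\n")
    return root


if __name__ == "__main__":
    for rel, lineno, evidence in scan_share(build_sample_share()):
        print(f"{rel}:{lineno}: {evidence}")
```

Point `scan_share` at a mounted share root to run it for real; the HR file is included to show that a bare keyword in prose is not reported.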

5. Remove Legacy Accounts

Ensure all legacy accounts are disabled and removed from the network, applying strong passwords across all accounts, while periodically reviewing and cleaning accounts at an individual and Group level.

 

6. Implement Alerting & Detection Technologies

We always say forewarned is forearmed. Pro-active monitoring and management of cyber breaches against perimeter and internal networks is simple and easy to do, and yet often forgotten. Configure and implement alerting across all internal and perimeter/cloud services, using a Security Information & Event Management (SIEM) platform to help your organisation consolidate events and be alerted on them. Impossible travel and high-risk alerting can be set up in O365. It can be as complex or as easy as you need.

Next level protection comes through a SOC (Security Operations Centre), pro-actively monitoring and managing vulnerabilities as they arise.

 

7. Consider Denial of Service (DoS) Attacks

DoS attacks shut down networks or machines, rendering them inaccessible to users.

A default password left on your Uninterruptible Power Supply (UPS) could, with the right intervention, allow a malicious insider to log in and shut down power to all of your systems. Alternatively, they could perform Address Resolution Protocol (ARP) cache poisoning, shutting down network connectivity, directly impacting organisational manpower and expending significant IT team effort in restoring systems.

 

8. Restrict Physical Access to Systems

While most offices have restrictions around entry and exit, controls against network implant devices (which provide access into the network) and USB drops can be less stringent. Restricting USB access is the answer here: implement a policy immediately.

 

9. Consider Cloud over On-Premise

Cloud is infinitely more secure than on-premise. Where Multi-Factor Authentication (MFA) is missing or disabled, data can be accessed and exploited.  Consider labelling your data and using Data Classification Policies to prevent unauthorised access to cloud stored data.

Tools such as MAM (Mobile Application Management) should be deployed for personal devices accessing company information, and MDM (Mobile Device Management) for company issued devices.

Windows Hello/biometrics can also increase the security of cloud-only connected devices.

 

10. Protect the keys to the Kingdom – Active Directory

So often, our testing shows how easy it is to leverage Active Directory to compromise an entire network.  This is a critical area to secure.

Attacks that typically yield a lot of success include Kerberoasting (password cracking) and ticket manipulation. Tools like SharpHound / BloodHound map paths through Active Directory, and poor hygiene within Active Directory sees passwords stored in the description field of a user account.

Ensure you use Group Managed Service Accounts and Managed Service Accounts with strong credentials that are changed regularly. Blocking script usage on local endpoints will also help. Don’t store passwords in Group Policy Preferences and/or in SYSVOL shares, and keep your Domain Controllers regularly patched.

Regularly review and clean up admin group memberships and apply least-privilege principles to admin accounts. Configure Group Policy Objects (GPOs) to prevent local accounts from logging on over the network, and ensure you are logging all activities!

In the Windows world, you should be logging:

  • Process creation, command line and lineage (including PowerShell)
  • Access to “interesting” files
  • Scheduled task creation
  • Selected network activity (with the originating IP, not the NAT’d address)
  • Standard O365 logging (mailbox rules, suspect logons etc.)
  • AD logins and changes (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor)
  • The following Windows event IDs and log sources:
    4688 (New Process Logging)
    4624 (Account Logon)
    4662 (Object Operation)
    4663 (File Auditing)
    4670 (Object Permission Changes)
    7045 (Service Created)
    5149 / 5145 (Share Access)
    5156 (Network Connections)
    PowerShell Script Block
    Sysmon Access
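
A triage pass over a few of the event IDs listed above, as an added example rather than anything from the original post. The domain name, the Office parent-process list and the sample records are constructed assumptions; real input would be a SIEM export of 4624, 4688 and 7045 events with the same field names:

```python
# Assumed domain NetBIOS name and Office parent process names (constructed).
DOMAIN = "CORP"
OFFICE_PARENTS = ("winword.exe", "excel.exe", "outlook.exe")

def _basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()

def check_network_logon_by_local_account(ev):
    """4624, LogonType 3 (network), account outside the domain: the GPO recommended
    above should block this, so a hit means the control is missing or bypassed."""
    if (ev["EventID"] == 4624 and ev.get("LogonType") == 3
            and ev.get("TargetDomainName", "").upper() != DOMAIN):
        return "network logon by local account %s\\%s from %s" % (
            ev["TargetDomainName"], ev["TargetUserName"], ev.get("IpAddress"))

def check_service_installed(ev):
    """7045: review every newly installed service; services are a common persistence point."""
    if ev["EventID"] == 7045:
        return "service installed: %s -> %s" % (ev["ServiceName"], ev["ImagePath"])

def check_process_lineage(ev):
    """4688 with command line and parent: PowerShell started by an Office app is
    not normal user behaviour and is the kind of lineage worth alerting on."""
    if ev["EventID"] == 4688 and _basename(ev.get("NewProcessName", "")) == "powershell.exe":
        parent = _basename(ev.get("ParentProcessName", ""))
        if parent in OFFICE_PARENTS:
            return "powershell spawned by %s: %s" % (parent, ev.get("CommandLine"))

CHECKS = (check_network_logon_by_local_account, check_service_installed, check_process_lineage)

def triage(events):
    """Run every check over every event; return (EventID, finding) pairs in input order."""
    return [(ev["EventID"], msg) for ev in events for chk in CHECKS if (msg := chk(ev))]

# Constructed sample records, shaped like the fields Windows writes for each event ID.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "j.smith", "IpAddress": "10.0.5.12"},
    {"EventID": 4624, "LogonType": 3, "TargetDomainName": "WS-0412", "TargetUserName": "Administrator", "IpAddress": "10.0.5.77"},
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "powershell.exe -File C:\\Users\\Public\\report.ps1"},
    {"EventID": 7045, "ServiceName": "UpdaterSvc", "ImagePath": "C:\\Users\\Public\\upd.exe"},
    {"EventID": 4624, "LogonType": 2, "TargetDomainName": "WS-0412", "TargetUserName": "Administrator", "IpAddress": "-"},
]

if __name__ == "__main__":
    for event_id, finding in triage(SAMPLE_EVENTS):
        print(event_id, finding)
```

The first and last sample records are deliberately benign (a domain account over the network, a local account at the console) so the checks show what they let through as well as what they flag.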

 

If you need assistance auditing your Active Directory, we suggest reaching out to your technology partner.

 

In summary…

The world of insider threats needs to be tackled with independence and diligence. Yes, it’s a confronting topic, but you won’t keep your organisation secure by pretending that they don’t exist. Find a partner to help you apply objectivity to your security network assessments; we are here to help.

Ensure you’re protected by getting a fresh pair of eyes, looking inside out and outside in.