As we discuss before, Redline is a great tool for investigating endpoints. In this post, we will explain how to collect memory data with Redline.
First, in the main page of Redline, we click on “Create a Standard Collector” button. In the opened window, we click on “Edit your script” label and be sure we choose all we need for memory analysis. Then we create a folder for analysis and show it with browsing in the Redline window.
This process will create the data collector in the folder we choose. Then we open a cmd and run “RunREdlineAudit.bat” script in this folder.
Once the script starts to run, you can see some analysis created in “Audit” folder. Sure, it will take some time to finish the analysis.
When it finishes, click on “AnalysisSessionX.mans” file in the “Audit” folder and this will open Redline again.
This file provides us all the information that we checked at the beginning (Edit your script).
Because an insider is an employee, is a trusted person and has access to various data, insider threats are major risks for organizations. Organizations are investing to prevent perimeter against external threat but focusing less on internal threats. This is the other factor that making insider threat more risky.
Attacks may come from different type of employees. These attackers may be system admins or managers who have authorized access to critical data, some unhappy or terminated employees, users who lost a device including sensitive data, or sending e-mail to incorrect receipints, or untrained personnel about security policies and best practices who subjected to social enginneering attacks.
All types of incidents require similar steps to respond. Here, we will try to explain the stages incident responders and actually whole organization must realize against an insider attack.
EFFECTIVENESS OF INSIDER THREAT
Insider threat is a major risk because these kind of attack are very effective. It is difficult to detect and can go undetected for years. It is very easy to attack from inside since users have authorization to some data and systems, and can easily cover their actions by reaching to logs and deleting or modifying them. This makes also difficult to detect these type of attacks. Organizations need to monitor users’ behavior to detect and respond quickly.
As against all type of attacks, organizations need a well planned and regularly tested incident response plans to contain and eradicate insider attacks.
The organizations must always be ready to an insider attack. Preparation stage is important to detect and respond these attacks.
Conduct security awareness trainings regularly to inform users against social engineering techniques. Insider attacks are not only done by malicious employees. Regular security awareness trainings will prevent your users with access to sensitive data from being used by malicious people.
Train users how to report any policy violation.
Classify organization’s data, identify the critical ones and apply need to know approach to reach to data.
Be sure all necessary logs are collected in SIEM.
Use privileged access management tools for storing passwords for all types of accounts reaching to critical data or production environment.
Make sure that terminated employees’ access rights are immediately removed both for logical and physical systems.
Deploy data loss prevention tools, but never trust that DLP will fully protect you. It is important to know the gaps of DLP tools to prevent data better. Make sure you read our post about DLP 🙂
Install NDR to detect abnormal behaviors of users. You can access our article explaining the importance of NDR against insider threat.
Install honeypot and honeytokens to lure attackers.
Segregate backup network from production or test networks and implement secure access methodologies to backup files.
Device control should be applied in the whole systems of the organizations. Users should not be allowed to use external storage.
Employees should sign a confidentiality and nondisclouse agreement bu Human Resources department.
Regularly and objective interviews and feedbacks from employees will help organization keep employees more peaceful.
DETECT AND ANALYZE
Indicators for insider threats are mostly abnormal behaviors of users. So, NDR with artifical intelligence technologies to detect anomaly in the network, UEBA, and Honeypot tools are critical to detect these type of attacks. The changes in network usage pattern may be indicator for ann insider threat.
It is important to collect logs in SIEM but in most cases, we saw in real life that huge amount of log data causes missing of malicious activity. It is more important to collect valuable logs and corralate them than collecting. Also, missing or modified logs may be indicator for insider threats. All log sources must be checked regularly to detect such an incident.
Accessing resources in unusual time and from unusal location may be indicator of insider threats. However, multiple login fail attempts may be used with these time and location information to cover unauthorized access attempts.
Users’ social media actions should be monitored. Unhappy and unmotivated users may try to post some unnecessary information about the organization.
Incident responders must analyze different logs from different sources after a suspicious activity has been reported. These logs may include IDS/IPS, proxy, NDR, EDR, DLP and email logs. They should check for a suspicious network connection and data transfers outside the network.
For all types of attacks, containment is an indispensable stage for incident responders. It is fatally important to contain the source in question to prevent bad actors’ actions both laterally and outbound. Containment will minimizes the damages. Advanced EDR tools allows containment of such sources without having to be physically present near the source and incident handlers can still keep analyzing these sources while the threat could not be spread.
After detecting the malicious insider and containment, all privileges and credentials of this actor should be blocked, including e-mail and domain account and physical access cards.
The organization should have an incident response plan and procedures to be able to move fast after an incident occurs. Eradication is also an important stage for incident handling and incident handlers should know in advance what to do in a case of insider attack by checking the policies and procedures. However, eradication is not just CSIRT’s job. These are some processes all departments and emmployees must be involved. Malicious actor’s behaviors should be determined step by step and the preventive or detective control missings that allow her to do must be corrected. New security controls should be added and preperation stage should be reviewed again.
The recovery stage must begin immediately after detecting, containing and eradicating the insider threat incident. If data is stolen and exfiltrated, incident responders should contact immmediately with the threat actor before selling or disclosuring it publicly.
Incident responders must be sure to gather ennough evidence for legal proceedings. This evidence will also help insurance processes.
In case the attacker placed malware or a backdoor inside the network, all systems should be checked carefully and all outbound connections should be checked against a C&C communication. A threat Hunting activity may be required.
If information is stolen and the stolen data is including user credentials, passwords should be changed whole over the organization.
This is one of the most important steps in incident Response. CSIRT should create a lessons learnt document after all incidents, this is also goes for insider threat incidents too. This lesson learnt documents will help organization preparing more effective to possible future incidents. In this stage, all the confusion caused by the incident will be gone and teams and responsible can identify what needs to be done for future readiness. Also, policies and procedures should be reviewed and changed if needed after lesson learnt works.
Also, all incidents and evidences should be documented properly to use in future.
As organizations, and security teams, we purchased many security devices for providing both network and endpoint security. However, attacks continue at the same pace, even we faced bigger attacks last year, and they are getting more sophisticated. So, what is the next step for organizations?
NDR market guide was shared last year by Gartner. As the idea, NDR uses (or must use) artifical intelligence to detect malicious behaviors, both from external threat actors and insider threats. This means, we will no longer just store the huge network traffic data via full packet capture products, but also detect the anomalies in these captured traffic. So, NDR will play a major role in helping security team to response quicker.
Unfortunately, the only obstacle to the teams last year was not the more sophisticated attacks, but also the “new normal” made security teams so hard. Now, more users are reaching to organization’s sources, getting e-mails and downloading files out of office. Control over users’ behaviors is less and less. When that happens, the need for more sophisticated technologies is also increasing.
Even if we implement many security technologies to our structure, attacks are still going on. Now it is necessary to detect whether there is anyone inside as much as protecting the border. Honeypot technologies and EDRs have been used for this for years but these are not enough to decrease the dwell time. If you failed to prevent and detect an attacker inside your network, or an insider threat, it is always difficult to prevent data exfiltration, or your file from being encrypted.
Machine learning is the key here. The main idea is anomaly detection inside the network. The first step is to profile entire organization’s network and users’ and computers’ traffic. After having such a profiling, it will be easier to detect anomalies inside the network. Anomalies can be in different forms like data exfiltration to some rare destinations, uploading files to IP addresses without hostnames, login attempt from strange destinations (for cloud or vpn), and copying in large number of files from an smb share. We expect the NDR to catch all of that, of course more.
More otganizations are using cloud infrastructure more and more. Public, private, or hybrid, cloud infrasturctures are also a part of us. Critical files are stored and applications work there, and the responsibles are the customers for the data’s security.
Think of a scenerio like that; you have users storing files in cloud and they are working with a few of these files during their work. A user, has a permission to reach these files, downloading most of the files in a very short time, then resigns from work. Or, this user’s credentials have been compromised, and someone connected to your cloud from a country that non of your users normally connect and made anomalous behaviors. NDR must cover also cloud and detect these incidents. It is hard to implement a UEBA solution, thus, NDR can be implemented to detect insider threat.
THE NEW NORMAL
Most of the organizations were caught unprepared for Covid situation. Users had to work at home and connected to organizations’ network or cloud from home. That means, users can connect to internet less controlled. An NDR with endpoint capabilities will also cover users at home, corralate users behaviors with your network traffic and can detect threats.
Best enterprise security solution finalists announced by SCMagazine. DarkTrace’s Cyber AI Analyst is one of these solutions, and since I like its mentality, want to write something about it.
For most of the organizations, one of the biggest problems of today is to have and keep qualified analysts. Because of the attacks developing day by day, newly established and growing SOCs and growing teams, it became more difficult to have qualified analysts and/or keep them. Mostly, organizations try to educate young people as analyst but mostly they cannot keep them.
So, unfortunately, most of the organizations are living without a sufficient number of analysts. Cyber AI Analyst is a solution that focuses on this problem. SCMagazine wrote as;
“Detected and contained the spread of a state-sponsored campaign across several organizations globally in March 2020, generating detailed reports of the incidents in real time — weeks before the attack was publicly attributed to APT41.“
According to DarkTrace, it took 3 years to develop Cyber AI Analyst. It has been developed by observing real/human analysts’ behaviors, about investigation and triage. AI can react as expert analysts against an incident. It can analyze and prioritize incidents and reports what you need as an incident report like malicious files that caused that incident, C&C connections, domains and all infected endpoints. Normally, it takes hours to check all related logs to find these information about the incident.
Thus, even the organization has a small number of analysts, security teams can have a valuable incident report. So, these team members can focus other tasks instead of spending hours in SIEM.