
After the Mt.Gox crash, and also keeping in mind recently published attacks on Target and Neiman Marcus, one is led to believe that sometimes so-called hacking is perpetrated by insiders.

What are the tell-tale signs of an insider-led compromise as opposed to break-in by outsider threats? Please limit your arguments to digital forensic evidence from the affected systems, and not from suspects' personal computers/mobiles etc.

Is it realistically possible to cover the traces of insiders in a compromise completely?

Deer Hunter
  • Since it's going to be closed soon, I'd better accept John Deters' answer. To close voters: it is much better to put the reasons for closing into comments. – Deer Hunter Feb 25 '14 at 14:30
  • "What are the tell-tale signs of insider hacking?" is pretty clear and specific. Why is this closed as "too broad" instead of being made Community Wiki reference? – Pacerier Jan 17 '16 at 00:21

2 Answers


The only reliable evidence of an internal person attacking your systems is if you catch them with their fingers on the keyboard.

People often suspect insiders because they have spent an extraordinary amount of money building extremely sophisticated defenses, and they simply cannot imagine a hacker being able to navigate them. They have grandiose releasing processes that assure that only code that has passed through QA will be released into production. They have firewalls blocking attackers, NDIS scanners looking for attacks, anti-virus tools at all the endpoints, and DLP tools to watch for data exfiltration activities. They have all the right processes, best practices, projects, plans, spreadsheets, audits, and endless checklists.

Meanwhile, the hacker doesn't know about any of this stuff. They simply exploit a hole, and escalate their privileges; then laterally move about the network using stolen credentials appearing like any other legitimate user. Eventually they find their way to a machine that contains valuable information. They either use customized, modified tools that don't trigger AV or NDIS scanners, or they use the OS's own tools already present on the victim's machines. Once they find the data they're looking for, they encode their stolen goods to avoid DLP tools, camouflage it to make it look like ordinary traffic, and ship it out.

When you've invested so much in building a security system that appears formidable, it's hard to believe that the attacker can be anything but an insider. Instead of leaping to the assumption that it's an inside job, it's your duty to keep digging until you find the actual trail.

Your best bets are going to be searching through independent logging servers, ones where the attacker may not have had access to corrupt the logs. Once you've identified the credentials, track back to the machines where those credentials were used, looking for the evidence of the attack. Router, NDIS, or firewall logs are also going to be helpful.

John Deters
  • And yet, insider jobs are very common (and commonly blamed on "hackers"). Banks have this sort of problems all the time. – oakad Feb 26 '14 at 00:41
  • @oakad, I didn't say the evidence would or would not lead in a particular direction. It's that forensic evidence deals in facts, instead of starting from a point of suspicion of certain people. – John Deters Feb 26 '14 at 03:14
  • @oakad, It might just be that guys responsible for the security don't want to lose their jobs or get demoted, hence the frequent claim "it must be the insiders". – Pacerier Jan 17 '16 at 00:39
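The "independent logging server, then track the credentials back" procedure from John Deters' answer, as an added worked example (not code from the original page): it parses constructed sshd lines as they would arrive on a central log collector, reconstructs per-credential hop chains across hosts, and reports the external address each laterally moving credential first appeared from. The log format, host names, addresses and the asset inventory are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines, as if forwarded to an independent syslog collector.
# The format ("<ts> <host> sshd[pid]: Accepted <method> for <user> from <ip> ...") is assumed.
SAMPLE_LOG = """\
2014-02-20T01:02:11 web01 sshd[1201]: Accepted password for svc_backup from 203.0.113.7 port 4410 ssh2
2014-02-20T01:09:45 app03 sshd[2330]: Accepted password for svc_backup from 10.0.1.11 port 5120 ssh2
2014-02-20T01:15:02 db02 sshd[3114]: Accepted password for svc_backup from 10.0.1.23 port 6001 ssh2
2014-02-20T08:30:00 app03 sshd[2417]: Accepted password for alice from 10.0.2.50 port 51000 ssh2
"""

# Constructed asset inventory: which internal address belongs to which host.
HOST_IP = {"web01": "10.0.1.11", "app03": "10.0.1.23", "db02": "10.0.1.40"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_logins(text):
    """Return time-ordered (ts, host, user, src_ip) tuples for successful logins."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"], m["host"], m["user"], m["src"]))
    return sorted(events)


def credential_chains(events, host_ip):
    """Per credential, list (ts, host, via): 'via' is the earlier hop's host name when the
    login came from a host that credential already reached, else the raw source address."""
    ip_to_host = {ip: h for h, ip in host_ip.items()}
    chains = defaultdict(list)
    for ts, host, user, src in events:
        seen_hosts = {h for _, h, _ in chains[user]}
        origin = ip_to_host.get(src)
        via = origin if origin in seen_hosts else src
        chains[user].append((ts, host, via))
    return dict(chains)


def lateral_users(chains, host_ip):
    """Credentials that hopped host-to-host, mapped to the external address they first
    appeared from: the lead to chase next in router or firewall logs."""
    return {user: hops[0][2] for user, hops in chains.items()
            if any(via in host_ip for _, _, via in hops)}
```

Applying the chain to logs the attacker could not alter is the point; on the sample, svc_backup is seen entering from 203.0.113.7 and then hopping web01 to app03 to db02, while alice's single login shows no lateral hop.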

One arrives at a very weird interpretation of a question when it sounds like a cyberpunk plot point and appears next to a tiny icon which most strongly evokes a Transformers symbol. I thought this must be a gaming question before I followed the link.

Consider that an insider by definition already has legitimate access to many assets; is known and probably trusted by at least one executive, who has more access; is likely protected by contracted security from ordinary interference. They may be able to subvert trust relationships to perform tasks which individually appear desirable or at least harmless (even harmful, if not very much so nor often), that a malicious outsider might wish to do, but would be actively prevented from attempting (with poor chances of gaining access or avoiding retaliation). Unless the insider makes an obvious mistake (for example: taking part in a conspiracy with its own malicious insider), they can likely avoid detection indefinitely.

It is instructive to note how the largest government information leaks have occurred. In the case of the largest Wikileak, it appears that nearly unrestricted access was provided to a relatively low ranking technician. He was not recognized to be doing anything other than the work expected of him, yet his goal was to thoroughly compromise information security. Everything he attempted was permitted.

The best way to protect an asset is to never make it available. If it must be exposed, each access requires justification proportional to its importance. One should not presume it could ever be made inaccessible again.

user130144
  • You managed to type all this up and at no point did you realise that it has nothing to do with the question. – pjmil Feb 26 '14 at 03:05
  • I think you misread. I agree with John Deters: the inside attacker can more easily hide their activity. One should not expect to find traces of it, and not be so confident as to believe there could be no successful outside attacks. – user130144 Feb 26 '14 at 06:24