Insider Threat – What it can look like

Insider Threats

Imagine you’ve brought on an intern, temp, or contractor as part of your marketing team.  Imagine that his name is Noah.  Noah has actually been brought in by the CISO, unbeknownst to marketing.  Marketing thinks they are getting a new contractor.  The CISO wants to test how protected the company is from an Insider Threat.  The CISO also wants IT to be aware of what it can look like, and see if they can detect it.

First day on the job

On the first day Noah comes in, they get issued a PC or laptop with the standard image for your organization and are settled into their cubicle, office, or assigned area.  Their team leader tells them all about what they will be doing over the next few weeks with training, videos they need to watch on the various software packages, etc. The team leader gives Noah his instructions on what to do before lunch, and they head back to their office, putting Noah out of their minds until lunch, 4 hours from now. 

Meanwhile, in Noah’s cube, he is running down the list of things he already knows about your organization based on what he found out at the orientation, what the team lead just told him, and what the company structure is. Noah boots up his PC, logs in, and begins the first training video.  While he is mindlessly not watching the video, he opens up a command prompt and runs a whole bunch of commands. He dumps all of that information into a text file and saves it to a USB drive, for science.  

Noah now knows all the user names of everyone in the domain.  He knows the groups in the domain.  He also knows the names of anyone, or any user, that has admin privileges.  Because he is crafty, he knows the general layout and naming structure of your users and whether they match the email name structure.  From that list, he can also see if there is a special naming convention for admins, be they local, domain, or otherwise. He can’t do much with the information he’s gathered.  It’s just information for now, but this is how an insider threat attack begins.

Back to ‘work’

Noah goes back to watching his boring training videos until he goes to lunch with his team.  There he quickly learns about their pets and their names, their significant others, their children and their ages. After lunch, Noah makes a few notes about his coworkers.  Sadly, he can’t remember if it’s Sparky, who’s 7, or little Bobby.  So mid-afternoon, he goes for a stroll, talks to his new teammates, and starts the process of blending in, making friends, and noticing where cameras are in the office.  What spaces are watched and what isn’t.  He’s also watching the doors.  Noting the ones that need key fob access. Turns out it’s Bobby, who’s 7 and plays baseball, and Sparky, a fat, lazy cat who is 11.

What Has our Insider learned so far?

Yesterday, Noah was able to get user names, figure out who belongs to what groups, and identify any low hanging fruit that might be part of groups he wants to target.  He was also looking for any users that might be misconfigured.  If he finds a marketing person as part of the finance group or a low-level admin person on the Upper Management group as a misconfigured group, they become the first targets. In speaking with his team, he found out details about their lives.  Since the company has no password management, chances are those details are the passwords.

Day two

Day two of the insider threat begins, and along with his work laptop, Noah brought in his personal laptop since there is no BYOD policy.  He hooks up his laptop to the network and fires up Wireshark. Wireshark is great tool to analyze network traffic.  It lets you see what is going on in the network, from people to devices and everything in between.  You see, what takes the most bandwidth, what is being printed, essentially translates the 1’s and zero’s to plain language.  

With Wireshark, Noah is figuring out the naming structures of all the pc’s/laptops, etc. that are on the network, as well as what their MAC addresses are. Noah finds out that he and everyone else has a company issued Dell.  He promptly renames his HP and forges its MAC address.  Now he looks just like the rest of the pc’s as far as the  network is concerned.  There’s nothing to see here.  My laptop is now one of you.  Now that he’s officially blending in, your average network administrator isn’t going to notice some rando machine appearing on the network that shouldn’t be there. Noah then goes back to ‘work’ watching training videos until just before lunchtime.

I’m your Huckleberry

At lunch time, Noah eats at his desk, where he starts a program called Responder.  Responder is a tricky little program.  It’s sole purpose is to act as something else.  For example, when you login, your pc sends out a signal to the server saying, hello – are you the server, I need in – please let me in.  The server asks if you know the secret handshake, you do the handshake with the server and it lets you in.  The responder jumps in front of the server and says yeah, I’m your Huckleberry, show me the handshake.  The user shows you and you take it.

Responder doesn’t get you the actual password from the user in plain text – you get a hash, which you then have to crack.  So it’s not super easy – but there are tools to do the cracking for you. Noah would know what the ‘rules’ are for passwords since he set his, and set his cracking tools accordingly.  After a few minutes the tool cracked the hashes.  Noah now has a few targets, one of whom is Janet.  She works in finance.  Noah will be spending the afternoon creating a plan to get access to what they have access to.  Payday has come early for Noah.

Getting around a brick wall

The company that hired Noah has a great internal website that lists out all of their applications and uses a single sign on option with multi-factor authentication.  All the users can see the applications, but the ones they wouldn’t have access to, they simply have no user account for.  When the authorized user attempts to login to any application, like the financial package, the HR application, or even the marketing software, it sends a text token to their cell phone – a six-digit code the user has to enter.

Email doesn’t use SSO or MFA, so the first thing Noah does is take a look at Janet’s email.  He logs into her Outlook via webmail, thinking she may be storing other passwords or data there that would be beneficial later.  Noah finds a few other passwords to various systems, none of which are overly exciting.  What he does find is that Janet does have her cell phone number conveniently located on her email signature. He sits there for a few moments, staring at the SSO screen.  That’s when Noah comes up with a wonderful, awful idea.  He picks up his desk phone and calls Janet.  The phone call goes something like this:

I thought you worked in Marketing

Hi, is this Janet?  This is Noah, from IT.  Hey – I wanted to let you know we are going to be moving the financial package software from one server to another this afternoon, and I need to make sure you’re logged out of it.  I’m also going to need to login as you to export the database.  Can I do that now?  Janet agrees and logs out.

Noah tells her he doesn’t need her password (IT never needs your password – we can change it), just needs her to confirm the code he’s going to send her to start the export.  Noah Clicks on the financial package to login as Janet – the financial package sends her the token, and she happily reads it to Noah over the phone. He thanks her for her time and cooperation, reminds her the transfer will probably take about 2 hours to complete, and ends the call.  In those two hours, Noah has full access to their finances.

But I wanted a computer!

Noah isn’t satisfied by just getting access to their finances.  He wants to walk away with actual equipment.  No amount of security in the world is good enough if someone has physical access to the devices.  Then they have all the time in the world to get at your data.

Noah’s been here for a few days.  He’s been mingling and walking around to blend in.  On one of those walks, he found where the old IT equipment is kept.  Even though Noah has had a busy day so far, he’s staying late tonight to catch up on the training videos. 

After everyone leaves and the cleaning crew is gone, he heads over to the room where old IT equipment is kept.  Avoiding the areas where cameras are, of course.  And he picks up a bunch of old laptops and heads back to his desk. There, he powers them on and goes after the data on the hard drive. He finds some user data no one wants, including passwords that no longer work, but he does find the local admin account and is able to hash the password and crack it.  Unsure if the admin password is still good, he tries it on his work-issued laptop, and it works!  He now has admin access locally at least, meaning he can now run programs not currently on his PC, like malware.

A bug for you, and you

Malware can do all kinds of things, from espionage and spying to simple damage to systems or holding systems for ransom by encrypting all the data.  In this case, Noah wants to see just how far he can get, and a local admin is chump change when you could go after the IT team and get domain admin.  Effectively getting the keys to the castle.

Noah knows who’s on the IT team since they were on the list he got on day one.  Then, he was able to identify their machines with Wireshark.  He sets up a malware program he can run remotely with the local admin account on their PCs.  The malware program is set to keylog.  Noah is hoping for a better password.  He goes to connect to one of their PCs, and they’re all either turned off or they took them with them. Tomorrow is another day…

Day Three of the Insider Threat

Noah is determined to get his malware launched and land a few bigger fish today.  His first marketing team meeting is tomorrow, and he knows nothing about marketing.  He has his malware ready to go, he just needs to bide his time until the IT guys go to lunch.  Lunch time rolls around, and he heads over to the IT office, where those guys are eating at their desks.  Do they never leave?! Since they aren’t moving, right next door is finance, and Noah pays a visit to his old friend Janet.  She’s just leaving for lunch, so he’s able to ‘finish up the transfer from yesterday’ at her PC. 

Janet leaves for lunch, and Noah logs in as her.  He brings up PowerShell (great tool to run commands in Windows from the command line), plugs in his USB device where his malware is stored, and sets it loose. Noah has written this program specifically for this organization.  It’s not detectable by the antivirus, but it will send hashed passwords back to his pc. As he is sitting there basking in his brilliance, IT shows up.  The jig is up.  Noah confesses to being hired by the CISO. How did he get caught?

What did we learn from Noah?

  • Be careful with the hiring process.
  • Be aware of the access you grant to users.
  • Invest in systems that watch not only activity coming at you from the outside, but also what is happening inside the organization.
  • Properly dispose of old equipment.
  • Password rotation is key to preventing attacks using old passwords.
  • Monitor for exposures.  The sooner you are aware of a data leak, the sooner you can resolve the issue and protect both your organization’s data and that of your customers.

This scenario is inspired by a Dark Net Diaries Podcast