Insider Threat

Three categories of Insider Threats:

• Malicious insiders

  • Theft of IP

  • Sabotage

  • Espionage

• Negligent Insiders

  • Ignoring policy and procedures

  • falling for phishing or social engineering attacks

  • Misusing or oversharing privileges

• Accidental insiders

  • Accidental disclosures of sensitive info (e.g., emails, file uploads)

  • Loss of devices

  • Unintentional installation of software

Systematic ethical decisions

Employees who have people problems.

Many corporations are blocking the usage of personal applications entirely (e.g., google, webmail, drop box, etc) and also adding additional levels of system monitoring like Proofpoint ObserveIT activity recording.

List of some insider threat indicators:

• Direct correspondence with competitors

• Email messages with abnormally large attachments or amounts of data

• Domain Name System (DNS) queries associated with Dark Web activities

• Use of activity masking tools (e.g., virtual private networks [VPN] or the Onion Router Tor])

• Executing offensive tools

• Executing malware

• Connecting an unauthorized device to the network

• Downloading or installing prohibited software

• Unexpected activity outside of normal working hours

• Attempts to bypass or disable malware protection tools or security controls

• Attaching an unidentified device to a workstation (USB, external hard drive)

• Maintaining access to sensitive data after termination notice

• Different users attempting to log in from the same workstation or device

• Lack of log messages or monitoring data

• Unauthorized modification of centrally stored files

• Copying large numbers of documents to a local drive

• Authentication failures or failed login attempts

• Unauthorized configuration file changes or permission changes

• Unauthorized database content changes

• Irresponsible social media habits

• Unauthorized attempts to escalate permissions or privileges, especially without a need to know

• Attempting to print or copy protected or restricted documents

• Abnormally large number of software or operating system errors

• Insider attempts to access resources not associated with that insider’s normal role

• User account used from multiple devices

• Multiple accounts identified for a single user

• Triggering of key words or phrases in emails, text messages, or phone calls

Tools used to abuse Insider Threats

Anonymity Tools - VPNs

??????

Anonymity Tools - Browsing

Thanks for pointing out TAILS "The Amnesiac Incognito Live System".  I have heard of it but never used it.

"Recently the Afaaq Electronic Foundation (AEF), an arm of the Islamic State who are dedicated to “raising security and technical awareness” among jihadists, published their advice on how to avoid law enforcement surveillance. Their message was broadcast on Telegram, with a message of “Stay calm and use strong encryption”:  It provides a focus on the three T’s which are cause law enforcement to lose sleep: Tor, Telegram and Tails OS."  (Buchanan, 2018).

The TAILS feature to wipe memory seems pretty bullet-proof.  The main forensic evidence for CD-booted filesystems are gathered through memory analysis.  The TAILS memory wipe feature adds an additional hurdle to the investigator in that they would have to capture memory while TAILS is being used.

"By automating forensic memory analysis of RAM, Digital Forensics Solutions has provided investigators with a method to completely reconstruct a live CD-booted filesystem. Recovery of the filesystem not only allows for standard forensic process to be followed, including the recovery of all relevant evidence, but it also allows for the evidence obtained and the results gathered to be used in a legal setting. Through the development of the Volatility memory analysis plug-in, the anti-forensics power of live CDs has been greatly diminished, and analysis of these systems is now possible for investigators of all skill levels."  (Case, 2011).

To add even more security TAILS started supporting secure boot in 2020.

"However, until today, despite the plethora of security and privacy features it possessed, Tails did not support UEFI Secure Boot setups. Users who wanted to use Tails on a computer had to disable Secure Boot in the computer's BIOS, leaving their devices vulnerable to firmware tampering that could later compromise the communications carried out through Tails.  According to the Tails website, work began on adding Secure Boot to Tails six years ago (Links to an external site.), and starting with Tails 4.5, released yesterday (Links to an external site.), users can now safely enable Secure Boot and run it alongside Tails, out of the box, without having to do anything or run complicated workarounds."  (Cimpanu, 2020)

References

Buchanan, B.  (2018, August 2018).  The 3T challenge for digital forensics: Tails, Telegram and Tor.  Medium.  Retrieved September 10, 2021 from https://medium.com/asecuritysite-when-bob-met-alice/the-3t-challenge-for-digital-forensics-tails-telegram-and-tor-8d800c42af15 (Links to an external site.)

Case, A., Pfeif, D.  (2011).  Evidence Technology Magazine.  Forensic Investigation of Live CDs.  Retrieved September 10, 2021 from https://www.evidencemagazine.com/index.php?option=com_content&task=view&id=735&Itemid=50 (Links to an external site.)

Cimpanu, C.  (2020, April 8).  Tails, the security-focused OS, adds support for Secure Boot.  ZDNet.  retrieved September 10, 2021 from https://www.zdnet.com/article/tails-the-security-focused-os-adds-support-for-secure-boot/

References

Johnson, J.  (2021, January 21).  Most common data exfiltration behaviors during insider threats in the United States in 2020.  Statista.  Retrieved August 21, 2021 from https://www.statista.com/statistics/1155846/most-common-data-exfiltration-insider-threat-types-usa/