What’s an organization’s biggest asset? Its people. What’s the biggest threat to any operation? Again, people. In 2016, the Ponemon Institute reported that 55% of breaches are precipitated by negligent or malicious employees. That means over half of breaches are advanced in some way by an insider threat! Insider threats are scary because even if you did everything right they can still take, leak, or damage your assets. While that statistic looks internally at both intentional and unintentional insiders, there are nefarious external actors who often exploit weaknesses (like negligent insiders) to gain access to networks. Fortunately, if you are postured to catch an insider threat you can probably catch bigger fish, too.
The first step to mitigating insider threat risk exposure is prevention. We will assume that your company has very thorough background checks and that your badging and accreditation process is airtight. You are ahead of the power curve and have policies and procedures like rotational responsibility in place to prevent an adversary from physically gaining access to your operations. Well done! You wrote a policy that informs users of proper behavior on the network, and they even signed a very appropriate acceptable use policy. Excellent! You spent time locking your network down and even have some containerized applications running. However, locks only keep honest people honest, and unfortunately we have dishonest contemporaries. What if one of those contemporaries somehow accesses your system?
Eventually a threat that is advanced enough will, regardless of vector, get in by bypassing your prevention. Some will smash and grab and leave quickly. Some are far more insidious: they go native and stay quiet. They lurk, they wait, they watch. They are persistent. Hence the Advanced Persistent Threat (APT) moniker. Effectively, they are so deep in the system, so far past your defenses, that their behavior looks normal. Given enough time, an APT effectively becomes an insider threat.
Many security teams focus on hardening the network itself and endpoints. They are not wrong to do so and often their role is written as such. However, even with 100% coverage on areas like patching, firmware updates, and security settings that exceed national standards, there’s something else: the domain itself. Again, regardless of vector, technical or otherwise, an advanced threat aims for legitimate access to your system which gives them that persistence. Certainly there are style points awarded for complexity or simplicity of access vector, escalation, timing, and tempo! Maybe they compromise someone’s credentials or maybe they simply gain access to the domain and make their own account. This is why the security team and the operations team need to come together to focus on the domain! Any seasoned administrator will regale you with tales of the importance of the domain but they are often so inundated with day-to-day operations that without protected, dedicated time it is very easy to lose track of who has access and to what they have access.
Regardless of who, what, where, why, or how an adversary gains persistent access to a system, if they really are advanced, they will need to periodically access the system to maintain that access. They will probably sculpt their traffic to look legitimate enough to avoid triggering outlier detection when accessing the system: logging in during local work hours from a geographically relevant IP address with a MAC address similar to those used in the network, to name a few. Again, style points. They might be bad guys (adversaries) but give credit where credit is due. Learn from them. Take notes. Either way, they look and behave like an insider and have access to the same things as an insider.
So how do you find an APT on the network? Hunt for insider threat! Starting with the endpoint and network is great (like preventing VLAN hopping), but regularly reviewing users for legitimacy and least privilege will go a long way! Inevitably, you will find people that either have access to things they should not in one form or fashion or are misusing access they are supposed to have. Once you find problems, fix them! If you find users that were supposed to be deleted, you have two options: you could delete them…or you could fully reduce their access/privileges and set off every alarm you have if someone tries to use them. That could be fun! Vendors also often have some sort of deployable analytic that helps catch user anomalies. If you don’t have one of those solutions in place, find one that fits your use case and use it! Just because an adversary is advanced doesn’t mean they are perfect. They will screw up at some point. You need to have the mechanisms in place to detect when they screw up.
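The review-and-tripwire routine described above, as an added example that is not part of the original post: a least-privilege review over a constructed directory export, the "reduce privileges and keep the account" option applied to terminated users, and a detector that alerts on any authentication attempt against those quarantined accounts. All field names, the approved-admin list, and the log line format are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample directory export (hypothetical field names, not a real domain).
ACCOUNTS = [
    {"user": "jdoe",       "enabled": True, "last_logon": "2016-03-01", "groups": ["Domain Users"],                  "hr": "active"},
    {"user": "asmith",     "enabled": True, "last_logon": "2015-11-20", "groups": ["Domain Users", "Domain Admins"], "hr": "terminated"},
    {"user": "svc_backup", "enabled": True, "last_logon": "2016-03-09", "groups": ["Domain Users", "Domain Admins"], "hr": "active"},
    {"user": "bjones",     "enabled": True, "last_logon": "2015-06-01", "groups": ["Domain Users"],                  "hr": "active"},
]
APPROVED_ADMINS = {"svc_backup"}   # assumed: accounts allowed to hold Domain Admins

def review_accounts(accounts, today, stale_days=90):
    """Flag accounts that fail the legitimacy / least-privilege review (today is 'YYYY-MM-DD')."""
    now = datetime.strptime(today, "%Y-%m-%d")
    findings = []
    for a in accounts:
        last = datetime.strptime(a["last_logon"], "%Y-%m-%d")
        if a["hr"] == "terminated" and a["enabled"]:
            findings.append((a["user"], "terminated-but-enabled"))
        elif a["enabled"] and now - last > timedelta(days=stale_days):
            findings.append((a["user"], "stale"))
        if "Domain Admins" in a["groups"] and a["user"] not in APPROVED_ADMINS:
            findings.append((a["user"], "unapproved-admin"))
    return findings

def quarantine(account):
    """Option two from the post: strip every group but keep the account as a canary."""
    return {**account, "groups": [], "canary": True}

# Assumed log line shape; constructed sample lines, including one off-hours attempt.
LOG_RE = re.compile(r"^(?P<ts>\S+) LOGON user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")
SAMPLE_LOG = [
    "2016-03-10T09:14:02 LOGON user=jdoe src=10.1.2.3 result=success",
    "2016-03-10T09:20:11 LOGON user=asmith src=10.1.2.77 result=success",
    "2016-03-10T22:05:40 LOGON user=asmith src=203.0.113.5 result=failure",
]

def canary_alerts(log_lines, canaries):
    """Any attempt, successful or not, against a canary account is an alert."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["user"] in canaries:
            alerts.append(f"ALERT {m['ts']} canary {m['user']} used from {m['src']} ({m['result']})")
    return alerts

if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS, "2016-03-10"):
        print(user, finding)
    canaries = {quarantine(a)["user"] for a in ACCOUNTS if a["hr"] == "terminated"}
    print("\n".join(canary_alerts(SAMPLE_LOG, canaries)))
```

A successful logon against a quarantined account is the case to page on: the account has no privileges left to lose, so the only thing it can tell you is that someone is using credentials that should be dead.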
I’m not advocating for CISOs and their teams to go on a mole hunt! If you scare users into leaving the network or make the workplace unpleasant, you’ve already lost. What I am advocating for is that administrators and security teams work together to protect the domain through a combination of technical controls (proper architecture, segmentation, containers), administration (least privilege, job rotation, account review), and detection (SIEMs, honeypots, advanced analytics). I once walked into the network engineering section and they had, in jest, written “Silo of Excellence” on the whiteboard. Though tongue-in-cheek, they understood that we don’t fight our adversaries alone: we fight as a team.