Assessing your organization's current state of insider threat awareness
The primary goal of this part of the Insider Threat Workshop is to assess where you are now in relation to what was gathered in the portion of this workshop where you selected insider threat use cases.
This Insider Threat Workshop is available as a 5-day engagement with Splunk Professional Services. If you do not feel comfortable completing this workshop on your own, or would like hands-on training with any of the concepts and processes included in this offering, contact our Professional Services experts.
In reviewing your current state, consider how close you are to achieving the following goals and objectives of operationalizing an insider threat program:
- Run data-driven investigations
- Build out knowledge objects around known indicators and activity
- Reduce time frames of investigative process
- Alert to need for investigation
- Begin investigation
- Complete investigation
- Reduce start time of investigations
- Move detection from after data exfiltration occurs to before it, where possible (using MITRE ATT&CK)
- Gather data for calls to action
- Track more events, track them better
- Use data to push for policy changes
For more information on goals and objectives, see The house always wins: A case study for using Splunk Enterprise to fight data exfiltration from insider threats.
Review your data sources
User definition data
This comes from the identities framework in Splunk Enterprise Security (ES). The default fields of the identity lookup provide basic enrichment for user data; in particular, the category, location, and watchlist fields are the most helpful for insider threat use cases. Additional lookup fields can be created to hold enrichment data that reflects each user's risk potential. Some attributes you should include about users are:
- Employment state: two-week notice, temporary employee, contractor. These could possibly be used as categories instead of a separate field.
- High-risk locations: projects, government, locations with a problematic history.
Activity data
This is the traditional event data associated with the Splunk platform. Because these data sources cover the largest number of MITRE ATT&CK tactics, the primary data sources to focus on should be:
- Endpoint data: Carbon Black, CrowdStrike, Sysmon (open source), auditd (open source), Windows Event IDs
- Network data: proxy, firewall, Suricata (IDS, HTTP/DNS)
All data should be normalized with the Splunk Common Information Model (CIM). You can use Splunk-supported add-ons to onboard data and normalize it. You must be able to track the user or host within the data for the ES risk data model to work. IP addresses are not very reliable for this; given the choice, use hostnames instead. The ES asset and identity framework can help with IP/hostname normalization.
Interesting Sysmon event ID and fields
- Event ID 1 - Process Creation: process, path, parent path, command line, etc.
- Event ID 3 - Network Connection: src, dest, communicating process.
- Event ID 7 - Image Loaded (DLLs): These can be chatty but useful if there is room for the extra data.
- Event ID 8 - CreateRemoteThread (Process Injection): Malware commonly uses this, as do anti-malware tools.
- Event ID 10 - ProcessAccess (Credential Dumping): Mimikatz uses this to dump credentials from LSASS.
- Event ID 11 - FileCreate: Super noisy data source. If you use this, you will need to make file exceptions.
- Event IDs 12/13/14 - RegistryCreateOrDelete / RegistryValueSet / RegistryKeyValueRename: Malware activities.
- Event IDs 17/18 - Pipe Created / Pipe Connected: This catches obscured communications and is the only real way to catch Cobalt Strike Beacon activity.
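The Sysmon fields listed above only become useful for the ES risk data model once they are normalized to CIM field names and keyed on a hostname. The following is an added example, not code from the workshop page or from Splunk: it parses Sysmon Event ID 1 and Event ID 3 records in Windows event XML form into CIM-style Endpoint and Network_Traffic fields. The output field names (process, process_name, process_path, parent_process, user, dest, src_ip, dest_ip, dest_port, transport) follow the CIM models as I understand them, and both sample events are constructed for this example.

```python
"""Added example (not from the Splunk workshop page): normalize raw Sysmon
Event ID 1 and 3 records from Windows event XML into CIM-style fields,
keyed on hostname rather than IP as the text recommends."""
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Sysmon events in the Windows event XML layout (no real host).
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
    <Computer>wkstn01.example.corp</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
    <Data Name="ParentCommandLine">C:\Windows\explorer.exe</Data>
    <Data Name="User">EXAMPLE\jdoe</Data>
    <Data Name="ProcessId">4312</Data>
    <Data Name="ParentProcessId">1200</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID>
    <Computer>wkstn01.example.corp</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\curl.exe</Data>
    <Data Name="User">EXAMPLE\jdoe</Data>
    <Data Name="Protocol">tcp</Data>
    <Data Name="Initiated">true</Data>
    <Data Name="SourceIp">10.0.0.15</Data>
    <Data Name="SourcePort">51234</Data>
    <Data Name="DestinationIp">203.0.113.7</Data>
    <Data Name="DestinationPort">443</Data>
    <Data Name="DestinationHostname">files.example.net</Data>
  </EventData>
</Event>""",
]


def _event_data(root):
    """Flatten the <EventData><Data Name=...> pairs into a dict."""
    return {d.get("Name"): (d.text or "") for d in root.findall("./e:EventData/e:Data", NS)}


def normalize_sysmon(xml_text):
    """Map one Sysmon event to CIM-style fields; unmapped IDs pass through."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("./e:System/e:EventID", namespaces=NS))
    # The hostname from <Computer> is the key the text recommends over IP.
    host = root.findtext("./e:System/e:Computer", namespaces=NS)
    data = _event_data(root)
    record = {"event_id": event_id, "host": host, "user": data.get("User", "")}
    if event_id == 1:  # Process Creation -> Endpoint.Processes style fields
        record.update({
            "dest": host,
            "process": data.get("CommandLine", ""),          # full command line
            "process_path": data.get("Image", ""),
            "process_name": ntpath.basename(data.get("Image", "")),
            "process_id": int(data.get("ProcessId", "0")),
            "parent_process": data.get("ParentCommandLine", ""),
            "parent_process_path": data.get("ParentImage", ""),
            "parent_process_name": ntpath.basename(data.get("ParentImage", "")),
            "parent_process_id": int(data.get("ParentProcessId", "0")),
        })
    elif event_id == 3:  # Network Connection -> Network_Traffic style fields
        record.update({
            "process_path": data.get("Image", ""),
            "process_name": ntpath.basename(data.get("Image", "")),
            "transport": data.get("Protocol", ""),
            "direction": "outbound" if data.get("Initiated") == "true" else "inbound",
            "src_ip": data.get("SourceIp", ""),
            "src_port": int(data.get("SourcePort", "0")),
            "dest_ip": data.get("DestinationIp", ""),
            "dest_port": int(data.get("DestinationPort", "0")),
            "dest_host": data.get("DestinationHostname", ""),
        })
    else:
        record["unmapped"] = True
    return record


def normalize_all(events):
    return [normalize_sysmon(e) for e in events]


if __name__ == "__main__":
    for rec in normalize_all(SAMPLE_EVENTS):
        print(rec)
```

ntpath.basename is used deliberately so the Windows path splits correctly even when the parser runs on a Linux forwarder or heavy forwarder; os.path.basename would leave the whole path intact there.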
Minimum Windows events for collection
- Authentication and Permissions on DCs
If utilizing Sysmon, disable 4688 (ProcessCreate), 4657 (RegistryChange), 4663 (FileCreate), and 5156 (FirewallConnection), as these would all be duplicate events.
For more information on Windows Eventlog ID collection best practices, see Malware Archaeology Cheat Sheets.
PowerShell logging
PowerShell logging can also be a valuable endpoint data source. However, the volume can be excessive because normal administrative activity in most Windows environments uses PowerShell scripting. Specify exceptions for that known-good administrative activity in the logging policy.
Two other good resources for “living off the land” attacks, which are typical things to look for in endpoint logs, are LOLBAS (Living Off The Land Binaries, Scripts and Libraries) and GTFOBins. These sites are curated lists of Windows and Unix binaries that are normal parts of the operating system but can be used to bypass local security restrictions.
Data sources common to insider threat use cases
The more challenging and time consuming data sources to onboard are indicated with an asterisk *.
Data Source (Category) | Indicator | Component of Threats | Supported Add-ons | Threat Types |
---|---|---|---|---|
Windows Authentication data | | | | |
Outbound web logs (proxy data) | | Unusual data/share access user rules based on user | | |
Firewall data | | | | |
DLP data | | | | Insider Threat |
Endpoint data | | Unusual alarms | | Insider Threat |
Badge data (physical access logs) | Access outside regular assigned business hours | Unusual building or door access attempts, frequency, outside regular assigned business hours, etc. | Typically custom add-ons/input configs* | Insider Threat |
Expense reporting system logs | Unusual expense patterns | Unusual expense patterns | Custom inputs, proprietary data connectors* | Insider Threat |
Change control system logs | Missing change control approvals for configuration changes | Review change approvals against configuration changes | | Insider Threat |
Printer log data | Higher than usual page counts and data volumes | Unusual printer volumes per user | | Insider Threat |
RDP log data | Remote access traffic outside of assigned business hours | Unusual remote access times or patterns | | Insider Threat |
VPN data | | Unusual remote access times or patterns | | Insider Threat |
Mobile device logs | Unusual call and texting activity | Unusual call and texting activity | | Insider Threat |
Cloud IDM, policy logs | IDM policy violation alerts | Unusual access activity | | Insider Threat |
Backup logs | | Unusual scheduled backup jobs, anomalous backup job sizes or failure rates | | Insider Threat |
Storage logs | | | | Insider Threat |
Components of employee termination process | Monitor employee terminations as possible driver for insider activity | | Custom, could be AD logs, or some other system (RED) | Insider Threat |
Email communications | | Sentiment, activity and presence monitoring | | Insider Threat |
Zoom/Webex | | Sentiment, activity and presence monitoring | | Insider Threat |
Evaluate existing security detections, data sources, and coverage in Splunk Security Essentials
The Splunk Security Essentials (SSE) app has a number of useful utilities in it, in addition to being a security use case library. One of those utilities, called “Map Saved Searches to Splunk's Out-Of-The-Box Content”, can be used to systematically map your saved searches to out-of-the-box content.
Content development can also be managed within the SSE app. Chosen content within the repository can be bookmarked and its status maintained and annotated through the deployment process. Even custom content can be added to the repository and tracked. This part of the app should be used to record and track your current state of insider threat detection content.
MITRE coverage
In the context of MITRE ATT&CK, tactics give us categories of activity, and techniques offer the specifics of that activity. A single technique from one tactic can be normal activity, but sudden use of multiple tactics may indicate malicious behavior. This is where risk-based alerting (RBA) is helpful: it collects alerts in the risk index and then, when those accumulated alerts together reach a risk threshold, alerts on the behavior. When evaluating MITRE coverage, coverage percentage is not as important as coverage depth. The Security Essentials app can also be used to track the current MITRE coverage of your security content.
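The two ideas above, identity enrichment from the "User definition data" section (category, location, watchlist, employment state) and RBA accumulating risk across multiple ATT&CK tactics, combine into one piece of logic. The following is an added example written for this page, not Splunk's RBA implementation or any workshop code: it sums risk events per user, applies a multiplier drawn from an identity lookup (a simplified stand-in for the risk-factor adjustments an ES deployment would configure), and raises a notable only when both a score threshold and a distinct-tactic threshold are crossed. The thresholds, the multiplier values, the custom employment_state field, and all identity and risk-event rows are constructed for the example.

```python
"""Added example (not from the workshop page or Splunk): risk-based
alerting over per-user risk events with identity-based score adjustment
and a distinct-ATT&CK-tactic requirement."""
from collections import defaultdict

# Constructed identity lookup rows. category/location/watchlist mirror the
# ES identity fields named in the text; employment_state is an assumed
# custom enrichment field as the text suggests adding.
IDENTITIES = {
    "jdoe": {"category": "finance", "location": "hq", "watchlist": True,
             "employment_state": "two-week notice"},
    "asmith": {"category": "engineering", "location": "remote", "watchlist": False,
               "employment_state": "employee"},
}

# Constructed risk events as detections would write them to the risk index.
# Tactic IDs are MITRE ATT&CK: TA0009 Collection, TA0010 Exfiltration.
RISK_EVENTS = [
    {"risk_object": "jdoe", "risk_score": 20, "tactic": "TA0009", "risk_message": "Bulk file share read"},
    {"risk_object": "jdoe", "risk_score": 20, "tactic": "TA0010", "risk_message": "Large upload to personal cloud storage"},
    {"risk_object": "jdoe", "risk_score": 10, "tactic": "TA0009", "risk_message": "Printer volume spike"},
    # asmith trips the same Collection detection repeatedly: one tactic only.
    {"risk_object": "asmith", "risk_score": 25, "tactic": "TA0009", "risk_message": "Bulk file share read"},
    {"risk_object": "asmith", "risk_score": 25, "tactic": "TA0009", "risk_message": "Bulk file share read"},
    {"risk_object": "asmith", "risk_score": 25, "tactic": "TA0009", "risk_message": "Bulk file share read"},
    {"risk_object": "asmith", "risk_score": 25, "tactic": "TA0009", "risk_message": "Bulk file share read"},
    {"risk_object": "asmith", "risk_score": 25, "tactic": "TA0009", "risk_message": "Bulk file share read"},
]

SCORE_THRESHOLD = 100      # constructed threshold
TACTIC_THRESHOLD = 2       # require activity across at least two tactics
ELEVATED_STATES = {"two-week notice", "temporary employee", "contractor"}


def risk_multiplier(identity):
    """Scale risk for watchlisted users and elevated employment states (assumed values)."""
    m = 1.0
    if identity.get("watchlist"):
        m *= 2.0
    if identity.get("employment_state") in ELEVATED_STATES:
        m *= 1.5
    return m


def aggregate_risk(events, identities):
    """Sum adjusted risk and collect distinct tactics per risk object."""
    per_user = defaultdict(lambda: {"score": 0.0, "tactics": set(), "messages": []})
    for ev in events:
        identity = identities.get(ev["risk_object"], {})
        agg = per_user[ev["risk_object"]]
        agg["score"] += ev["risk_score"] * risk_multiplier(identity)
        agg["tactics"].add(ev["tactic"])
        agg["messages"].append(ev["risk_message"])
    return dict(per_user)


def risk_notables(events, identities, score_threshold=SCORE_THRESHOLD,
                  tactic_threshold=TACTIC_THRESHOLD):
    """Return one notable per user whose score AND tactic breadth cross the thresholds."""
    notables = []
    for user, agg in aggregate_risk(events, identities).items():
        if agg["score"] >= score_threshold and len(agg["tactics"]) >= tactic_threshold:
            notables.append({"user": user, "score": agg["score"],
                             "tactics": sorted(agg["tactics"]),
                             "messages": agg["messages"]})
    return notables


if __name__ == "__main__":
    for n in risk_notables(RISK_EVENTS, IDENTITIES):
        print(n)
```

With this data, asmith accumulates 125 points, above the score threshold, but from a single tactic and so produces no notable; jdoe, on the watchlist and on notice, reaches 150 across Collection and Exfiltration and does. That is the point of pairing a tactic-breadth condition with the score: repeated firing of one detection is tuned away while a short sequence of different behaviors is surfaced.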