By Edward Serafin, Chief Security Architect
This blog is the second in a three-part series discussing security concepts and tactics I observed and participated in at Black Hat 2019 / DEF CON 27. The first installment can be found here.
In August, I attended Black Hat USA 2019 / DEF CON 27 in Las Vegas. What an overwhelming experience it was—there was so much to see and do! For those of you who don’t know, Black Hat USA is the world’s leading information security event, providing attendees with the very latest in research, development, and trends. DEF CON is the security/hacker community conference that occurs right after the Black Hat Conference. Thousands of hackers and security professionals from around the world congregate to learn about new technology vulnerabilities, cyberattacks, and more.
My primary reason for attending was technical training. Black Hat Training offers attendees deeply technical hands-on courses on topics ranging from broader offensive security to the latest in penetration testing, infrastructure hacking, mobile application security, analyzing automotive electrical systems, and everything in between. Often designed exclusively for Black Hat, these hands-on attack and defense courses are led by some of the most sought-after industry and subject matter experts from all over the world with the goal of defining and defending tomorrow’s information security landscape.
Black Hat Training: Insider Threat Hunting & Social Engineering
This year I decided to go low-tech and dive into counter social engineering; the official class title was “Insider Threat Hunting – Track, Elicit, Interview, and Mitigate.” The course was led by multiple instructors with backgrounds in law enforcement, military, and intelligence/counterintelligence. While the class was fantastic, the only issue I have with courses such as these is the fact that they are condensing a 3+ week course into just a few days (or less). However, while it may be a challenging prospect, it’s well worth the time and effort.
As an ethical hacker, I’ve always enjoyed the social engineering aspect of my craft. As we all know (or should know), hacking people is far more effective than hacking computers; hackers and scammers alike use social engineering against human targets to achieve their goals. The insider threat course explains the science behind how social engineering works, why it’s so effective and how to leverage the very same tactics against adversaries. Understanding the psychology and scientific method of the tactics I’ve been leveraging for years was fascinating.
This course has changed my perspective on social engineering, providing a much deeper understanding as to why social engineering tactics work and how they can be used for maximum blast effect to the benefit of Micro Strategies’ customers.
Defending Against Insider Threats within your Organization
One of the largest threat vectors we face every day is the insider threat. Defending against this type of threat is challenging and requires practitioners to understand and apply various tactics to detect deception. These tactics include looking for tells such as micro expressions (the 11 subconscious facial expressions we all do under certain circumstances), conducting on-the-spot personality analysis utilizing the OCEAN (Openness, Conscientiousness, Extroversion, Agreeableness, & Neuroticism) model, and behavior analysis using the TIPI model.
However, having tools and understanding how to implement them is only half the battle. A successful business needs employees and a successful security program means interacting with those employees in a positive, meaningful way. Your staff was hired for a reason. They are valuable assets and possess important skillsets and knowledge that are required for the success of your business.
Most incidents involving insider threats begin small. Whether it’s because a person feels slighted or because of a conflict with another employee, these problems escalate into incidents. The key to success is identifying threats early on by using the various techniques above.
If an employee exhibiting behaviors consistent with insider threat can be identified early, it’s in the organization’s best interests to attempt to correct the problem before it escalates into an incident. After all, it costs more money to replace an asset than it does to fix an asset.
Understanding Behaviors is Key
This is the reason why I often recommend that security team members make a concerted effort to interact with their colleagues. It’s important to establish a working relationship with the people employed in your organization. Building rapport provides you with an opportunity to spot potential issues before they become bigger problems.
How do you know if an employee is having a bad day if you never established a baseline? Also, it makes approaching the employee a little easier. He or she might even be willing to open up about the issue with you because they’re comfortable with you. It’s the little things in life; they mean a lot to people, and those perceived “little things” can add up to big problems if we don’t take the time to understand the people around us.
In the coming weeks, look for my next, and final, blog in this series where I will conclude with takeaways and memorable moments from my time at Black Hat 2019 and DEF CON 27.
The number of insider-related breaches is rising every year. Thirty-four percent of all breaches in 2018 were caused by insiders and the average cost of an insider-related incident is around $513,000. These types of threats are significantly harder to detect and prevent in comparison to outside attacks. Implementing an insider threat hunting solution can help you protect your data.