Insider Threats: Allow Employees to Conceal Network Traffic?
You can lock every window and bolt every door to keep out intruders, but it won’t be of much use if the attacker is already inside; if the attacker is an insider. Most security reports and headlines highlight stories of organizations that are attacked by an external party, but incident statistics highlight a growing number of attacks from insiders and partners. These incidents are real, and threaten your most sensitive information.
How do you know when an insider is exfiltrating data from your organization? Cisco Managed Threat Defense (MTD) monitors for advanced network security intrusions using expert staff and OpenSOC, which Pablo Salazar introduced last month. Our staff has a decade of experience investigating security attacks and resolving benign anomalies.
In my twelve years as an InfoSec professional, I’ve seen cases where employees conceal their activity for a variety of reasons. In one particularly interesting incident, it was discovered an employee was encrypting and obfuscating outbound traffic from his laptop over a period of several weeks, using for-purchase VPN software called Private Internet Access.
In this case, an analyst had discovered an internal employee using a VPN within the corporate network. The VPN connections were made to Tor nodes identified using Cisco threat intelligence connected via Cisco FireSIGHT Management Center. This activity is often indicative of a person taking great pains to hide their network traffic, and can be done for criminal or privacy reasons.
The analyst determined that the traffic was originating from a desktop network. The fact that it was routing through Tor exit nodes led the analyst to dig deeper. She quickly found that some of the connections from this desktop were using self-signed certificates, which raised concern that malware such as TDSS or Dyreza was present on the user’s device. She raised the case to a security investigator.
The security investigator began examining connection traffic for this desktop using full packet capture (FPC). The traffic showed use of Private Internet Access from the user device.
Upon reviewing the traffic and accompanying HTTP user agent, the investigator looked at NetFlow traffic to see how long this activity had been occurring. He discovered that the activity to Tor exit nodes using this VPN software had been underway for weeks. Given this activity and duration, he escalated a case to engage the employee’s manager and Human Resources (HR), advising them to interview the employee about the activity, including forensic examination of the desktop.
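The NetFlow look-back described above can be sketched as follows. This is an added example, not Cisco MTD or OpenSOC code: the flow record layout, the address ranges and the Tor node list are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for a threat-intelligence list of Tor node addresses
# (documentation ranges, not real nodes).
TOR_NODES = {"203.0.113.10", "198.51.100.77"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed desktop/corporate range

# Constructed flow records: start time, source, destination, dst port, bytes out
FLOWS = """\
2024-03-04T09:14:00,10.20.30.40,203.0.113.10,443,1200000
2024-03-04T09:20:00,10.20.30.40,192.0.2.5,443,40000
2024-03-06T13:02:00,10.20.30.40,198.51.100.77,9001,800000
2024-03-11T10:45:00,10.20.30.40,203.0.113.10,443,2500000
2024-03-13T16:30:00,10.20.30.99,203.0.113.10,443,15000
2024-03-18T08:55:00,10.20.30.40,203.0.113.10,443,900000
2024-03-21T11:10:00,10.20.30.40,198.51.100.77,9001,600000
2024-03-25T09:05:00,10.20.30.40,203.0.113.10,443,3000000
"""

def tor_lookback(flow_csv, tor_nodes=TOR_NODES, internal=INTERNAL):
    """Per internal host: first/last seen, active days, flows, bytes to Tor nodes."""
    hosts = defaultdict(lambda: {"first": None, "last": None,
                                 "days": set(), "flows": 0, "bytes_out": 0})
    for line in flow_csv.strip().splitlines():
        ts, src, dst, _dport, nbytes = line.split(",")
        if dst not in tor_nodes or ipaddress.ip_address(src) not in internal:
            continue  # only internal -> listed-node flows are of interest
        when = datetime.fromisoformat(ts)
        h = hosts[src]
        h["first"] = when if h["first"] is None else min(h["first"], when)
        h["last"] = when if h["last"] is None else max(h["last"], when)
        h["days"].add(when.date())
        h["flows"] += 1
        h["bytes_out"] += int(nbytes)
    return dict(hosts)

def sustained(summary, min_days=5):
    """Hosts active on at least min_days distinct days: a pattern, not a one-off."""
    return sorted(h for h, s in summary.items() if len(s["days"]) >= min_days)

if __name__ == "__main__":
    summary = tor_lookback(FLOWS)
    for host in sustained(summary):
        s = summary[host]
        span = (s["last"].date() - s["first"].date()).days
        print(f"{host}: {s['flows']} flows on {len(s['days'])} days "
              f"over {span} days, {s['bytes_out']} bytes out")
```

Separating a single stray connection from weeks of repeated use is what justifies escalation, and the first-seen and last-seen timestamps define the window for later log review.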
What Might this Mean?
There are several reasons why an employee or contractor might use these techniques to hide their traffic.
- Government restricts access to news and social media
Authoritarian countries often block traffic to news and social media sources. An employee working in such a country may use products to route around these restrictions and hide their identity to avoid criminal consequences.
- Privacy zealot; highly suspicious of surveillance
Some employees, especially IT professionals, hold high standards for privacy, with corresponding suspicion of ISPs and employer monitoring. An employee may use these products to avoid detection.
- Access to deep web to buy or sell illegal products
Sites like the Silk Road marketplace, which has since been shut down by law enforcement, or the Russian Anonymous MarketPlace (RAMP) can be accessed only via network traffic obfuscation such as Tor.
- Conducting activity that the employer would consider suspicious or a breach of the employment contract
An employee with semi-advanced IT skills may use these tools to hide his traffic when accessing restricted sites, conducting job searches and interviews, or exfiltrating sensitive information from his employer.
The manager and HR interviewed the employee to discover why he was anonymizing and cloaking his traffic. At the end of the interview, the employee agreed to remove the software, and no further action was taken with the employee. Continuous monitoring confirmed that the traffic had ceased. However, this consequence was incongruous with the gravity of the employee’s activity. My recommendation for such cases is to do the following:
- Search logs and telemetry sourced from the employee
Determine if downloads from sensitive data stores were suspicious (much larger and/or more frequent than normal, accessing a broad range of data, or accessing documents well outside the scope of the employee’s assigned responsibilities).
- Conduct a forensic examination of the employee’s devices
If warranted from step 1, extract a forensic image of the employee’s laptop and other work devices (smartphone, etc.), tying activity to timestamps extracted from step 1.
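A sketch of the step 1 log review, covering two of the criteria above (volume well above the employee's own baseline, and access outside assigned scope). This is an added example, not part of the original post: the access-log layout, user name, data store areas, scope mapping and the factor of 5 are all constructed assumptions, and the review window is assumed to be the period in which the concealed traffic was seen.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed access-log rows: (day, user, data store area, bytes downloaded)
ACCESS = [
    (date(2024, 2, 5), "jdoe", "eng-docs", 20_000_000),
    (date(2024, 2, 12), "jdoe", "eng-src", 30_000_000),
    (date(2024, 2, 19), "jdoe", "eng-docs", 25_000_000),
    (date(2024, 2, 26), "jdoe", "eng-src", 20_000_000),
    (date(2024, 3, 4), "jdoe", "eng-docs", 25_000_000),
    (date(2024, 3, 11), "jdoe", "eng-src", 400_000_000),
    (date(2024, 3, 18), "jdoe", "finance-reports", 10_000_000),
    (date(2024, 3, 21), "jdoe", "hr-records", 300_000_000),
    (date(2024, 3, 21), "jdoe", "eng-docs", 5_000_000),
]
ASSIGNED = {"jdoe": {"eng-docs", "eng-src"}}  # assumed role scope per user

def review_downloads(rows, user, start, end, assigned=ASSIGNED, factor=5):
    """Flag days in [start, end] that exceed factor x the user's earlier median
    daily volume, or that touch areas outside the user's assigned scope."""
    daily, areas = defaultdict(int), defaultdict(set)
    for day, who, area, nbytes in rows:
        if who == user:
            daily[day] += nbytes
            areas[day].add(area)
    earlier = [v for d, v in daily.items() if d < start]
    baseline = median(earlier) if earlier else None
    scope = assigned.get(user, set())
    findings = []
    for day in sorted(d for d in daily if start <= d <= end):
        reasons = []
        if baseline is not None and daily[day] > factor * baseline:
            reasons.append("volume")
        outside = sorted(areas[day] - scope)
        if outside:
            reasons.append("out-of-scope")
        if reasons:
            findings.append((day, daily[day], outside, reasons))
    return findings

if __name__ == "__main__":
    for f in review_downloads(ACCESS, "jdoe", date(2024, 3, 4), date(2024, 3, 25)):
        print(f)
```

The flagged dates are the timestamps to carry into the forensic examination in step 2.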
If employee malfeasance is discovered, assign consequences to the employee according to your data security policy and HR guidance.
What Would You Do?
Do you believe outbound VPN and route obfuscation using Tor are benign freedoms that corporations should allow employees, or do they enable criminal activity and more insidious threats? On a corporate network, should security trump individual privacy? Comment below on how you see the risks, and what you’ve done to mitigate them in your workplace.