
Insider Threats: Allow Employees to Conceal Network Traffic?

December 10, 2014

You can lock every window and bolt every door to keep out intruders, but it won't be of much use if the attacker is already inside, that is, if the attacker is an insider. Most security reports and headlines highlight organizations attacked by an external party, but incident statistics show a growing number of attacks from insiders and partners. These incidents are real, and they threaten your most sensitive information. How do you know when an insider is exfiltrating data from your organization?

Cisco Managed Threat Defense (MTD) monitors for advanced network intrusions using expert staff and OpenSOC, which Pablo Salazar introduced last month. Our staff has a decade of experience investigating security attacks and resolving benign anomalies. In my twelve years as an InfoSec professional, I've seen employees conceal their activity for a variety of reasons. In one particularly interesting incident, an employee had been encrypting and obfuscating outbound traffic from his laptop for several weeks using a commercial VPN product, Private Internet Access.

Banner image for Private Internet Access, which was used by the employee on the corporate network.

Detection

In this case, an analyst discovered an employee using a VPN from inside the corporate network. The VPN connections terminated at hosts that Cisco threat intelligence, consumed through Cisco FireSIGHT Management Center, identified as Tor nodes. On its own, an outbound VPN is a low-fidelity indicator; the match against Tor infrastructure is what made these connections worth pulling on. Activity like this often indicates a person taking great pains to hide their network traffic, whether for criminal or for privacy reasons.

Events displayed in Cisco FireSIGHT Management Center, showing connections to Tor exit nodes

The analyst determined that the traffic was originating from a desktop network segment. The fact that it was routing through Tor exit nodes led her to dig deeper. She quickly found that some of the connections from this desktop were using self-signed certificates, which raised concern that malware such as TDSS or Dyreza was present on the user's device. A self-signed certificate on outbound traffic is a weak signal by itself, since plenty of legitimate software uses them, but combined with Tor egress it warranted a hand-off. She raised the case to a security investigator.

Certificate used by Dyreza

Investigation

The security investigator began by examining connection traffic for this desktop using full packet capture (FPC). The traffic showed use of Private Internet Access from the user's device.

Full packet capture indicating connections to privateinternetaccess.com (host name has been obfuscated to prevent clicking on link.)

After reviewing the traffic and the accompanying HTTP user agent, the investigator turned to NetFlow to see how long this activity had been occurring. He discovered that the connections to Tor exit nodes through this VPN software had been under way for weeks. Given the nature and duration of the activity, he escalated the case to engage the employee's manager and Human Resources (HR), advising them to interview the employee about the activity and to include a forensic examination of the desktop.
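The Detection and Investigation steps above amount to a correlation: flows from an internal host to addresses on a Tor exit-node list, any self-signed certificates seen on those flows, and how long the pattern has persisted in NetFlow. The Python below is an added example and is not Cisco's, MTD's or the post author's code. The flow records, the exit-node list (RFC 5737 documentation addresses) and the TLS certificate fields are all constructed, and the seven-day escalation threshold is an assumption for illustration.

```python
"""Correlate constructed NetFlow-style records against a Tor exit-node list.

Added example, not Cisco's or the original post's code. Flow records, the
exit-node list and the certificate fields are constructed; in practice they
would come from a NetFlow/IPFIX collector, a threat-intelligence feed and
TLS metadata recorded by the sensor.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Tor exit-node list (RFC 5737 documentation addresses).
TOR_EXIT_NODES = {"198.51.100.7", "198.51.100.23", "203.0.113.91"}

# Constructed flow records:
# (timestamp, src_ip, dst_ip, dst_port, bytes, tls_subject, tls_issuer)
# tls_* are None when the sensor saw no certificate on the flow.
FLOWS = [
    ("2014-10-27T08:12:00", "10.20.30.15", "198.51.100.7", 1194, 8_421_000, None, None),
    ("2014-10-29T09:01:00", "10.20.30.15", "203.0.113.91", 443, 2_110_000, "CN=gateway", "CN=gateway"),
    ("2014-11-03T10:45:00", "10.20.30.15", "198.51.100.23", 443, 5_930_000, "CN=gateway", "CN=gateway"),
    ("2014-11-17T13:30:00", "10.20.30.15", "198.51.100.7", 1194, 11_200_000, None, None),
    ("2014-11-17T13:31:00", "10.20.30.41", "192.0.2.10", 443, 51_000, "CN=www.example.com", "CN=Example CA"),
    ("2014-11-18T08:05:00", "10.20.30.41", "192.0.2.11", 80, 7_000, None, None),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def is_self_signed(subject, issuer):
    """A certificate whose issuer equals its subject is self-signed."""
    return subject is not None and subject == issuer


def summarize_tor_activity(flows, exit_nodes):
    """Group flows to known Tor exits by internal host: first/last seen, volume,
    number of distinct exits, and how many flows carried a self-signed cert."""
    per_host = defaultdict(lambda: {"first": None, "last": None, "flows": 0,
                                    "bytes": 0, "exits": set(), "self_signed": 0})
    for ts, src, dst, _port, nbytes, subj, iss in flows:
        if dst not in exit_nodes:
            continue
        t = parse_ts(ts)
        h = per_host[src]
        h["first"] = t if h["first"] is None else min(h["first"], t)
        h["last"] = t if h["last"] is None else max(h["last"], t)
        h["flows"] += 1
        h["bytes"] += nbytes
        h["exits"].add(dst)
        if is_self_signed(subj, iss):
            h["self_signed"] += 1
    return per_host


def escalation_candidates(summary, min_days=7):
    """Hosts whose Tor-exit activity spans at least min_days (assumed threshold).

    Duration is the discriminator used in the post: a single connection may be
    a one-off, weeks of it is a pattern worth an investigator's time.
    Returns (host, span_days, flows, bytes, distinct_exits, self_signed_flows)."""
    out = []
    for host, h in summary.items():
        span = h["last"] - h["first"]
        if span >= timedelta(days=min_days):
            out.append((host, span.days, h["flows"], h["bytes"],
                        len(h["exits"]), h["self_signed"]))
    return sorted(out)


if __name__ == "__main__":
    for row in escalation_candidates(summarize_tor_activity(FLOWS, TOR_EXIT_NODES)):
        host, days, n, nbytes, exits, ss = row
        print(f"{host}: {n} flows to {exits} Tor exits over {days} days, "
              f"{nbytes:,} bytes, {ss} with self-signed certs")
```

In production the exit-node list would come from the threat-intelligence feed and the flows from the collector; the point is that persistence and breadth are what turn a low-fidelity indicator such as a VPN into something worth escalating.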

What Might this Mean?

There are several reasons why an employee or contractor might use these techniques to hide their traffic.

  1. Government restricts information to news and social media

Authoritarian governments often block access to news and social media. An employee working in such a country may use these products to route around the restrictions and hide their identity to avoid criminal consequences.

  2. Privacy zealot; highly suspicious of surveillance

Some employees, especially IT professionals, hold high standards for privacy and are correspondingly suspicious of ISP and employer monitoring. Such an employee may use these products to keep their browsing out of view.

  3. Access to deep web to buy or sell illegal products

Marketplaces like Silk Road, which has since been shut down by law enforcement, or the Russian Anonymous MarketPlace (RAMP) can be reached only through network traffic obfuscation such as Tor.

Some of the Russian-language banner ads advertising drugs for sale.

  4. Conducting activity that employer would consider suspicious or breach of employment contract

An employee with moderate IT skill may use these tools to hide his traffic when accessing restricted sites, conducting job searches and interviews, or exfiltrating sensitive information from his employer.

Remediation

The manager and HR interviewed the employee to discover why he was anonymizing and cloaking his traffic. At the end of the interview, the employee agreed to remove the software, and no further action was taken with the employee. Continuous monitoring confirmed that the traffic had ceased. However, this consequence was incongruous with the gravity of the employee’s activity. My recommendation for such cases is to do the following:

  1. Search logs and telemetry sourced from the employee

Determine whether downloads from sensitive data stores were suspicious: much larger and/or more frequent than normal, spanning a broad range of data, or touching documents well outside the scope of the employee's assigned responsibilities.

  2. Conduct a forensic examination of the employee's devices

If step 1 warrants it, take a forensic image of the employee's laptop and other work devices (smartphone, etc.) and tie the activity found there to the timestamps extracted in step 1.

If employee malfeasance is discovered, assign consequences to the employee according to your data security policy and HR guidance.
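Step 1 above (search logs and telemetry sourced from the employee) is an anomaly comparison: the user's own earlier downloads form the baseline, and the investigation window is scored for volume, breadth and out-of-scope access, with timestamps kept so step 2 can line them up against the forensic image. The Python below is an added example, not the post author's or Cisco's code. The audit records, the assigned-repository mapping and the volume factor of five are constructed for illustration.

```python
"""Score a user's data-store downloads against their own earlier baseline.

Added example, not Cisco's or the original post's code. The access records,
the assigned-scope mapping and the thresholds are constructed; real input
would be file-server, document-management or DLP audit logs.
"""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed audit records: (date, user, repository, document, bytes)
ACCESS_LOG = [
    # eight weeks of routine activity: one repository, small weekly pulls
    ("2014-09-02", "jdoe", "eng-specs", "router-fw-v3.pdf", 1_200_000),
    ("2014-09-09", "jdoe", "eng-specs", "qa-plan.docx", 400_000),
    ("2014-09-16", "jdoe", "eng-specs", "router-fw-v3.pdf", 1_200_000),
    ("2014-09-23", "jdoe", "eng-specs", "release-notes.txt", 20_000),
    ("2014-09-30", "jdoe", "eng-specs", "qa-plan.docx", 400_000),
    ("2014-10-07", "jdoe", "eng-specs", "bug-triage.xlsx", 300_000),
    ("2014-10-14", "jdoe", "eng-specs", "release-notes.txt", 20_000),
    ("2014-10-21", "jdoe", "eng-specs", "router-fw-v3.pdf", 1_200_000),
    # investigation window: same user, very different behaviour
    ("2014-10-28", "jdoe", "eng-specs", "router-fw-v3.pdf", 1_200_000),
    ("2014-10-28", "jdoe", "sales-pipeline", "q4-forecast.xlsx", 9_800_000),
    ("2014-10-28", "jdoe", "hr-records", "comp-bands-2014.xlsx", 3_100_000),
    ("2014-11-04", "jdoe", "customer-contracts", "msa-acme.pdf", 22_500_000),
    ("2014-11-04", "jdoe", "customer-contracts", "msa-globex.pdf", 18_900_000),
    ("2014-11-11", "jdoe", "eng-specs", "qa-plan.docx", 400_000),
]

# Repositories each user is assigned to (constructed).
ASSIGNED_SCOPE = {"jdoe": {"eng-specs"}}


def daily_totals(records, user):
    """Per-day byte total, repositories touched and documents pulled for one user."""
    totals = defaultdict(lambda: {"bytes": 0, "repos": set(), "docs": []})
    for d, u, repo, doc, nbytes in records:
        if u != user:
            continue
        day = totals[date.fromisoformat(d)]
        day["bytes"] += nbytes
        day["repos"].add(repo)
        day["docs"].append((repo, doc))
    return totals


def flag_anomalies(records, user, window_start, volume_factor=5, scope=ASSIGNED_SCOPE):
    """Compare download days on/after window_start with the user's earlier days.

    Three signals from the post's checklist: volume far above normal (more than
    volume_factor times the baseline median day), breadth (more repositories in
    a day than ever seen in the baseline), and documents outside assigned scope.
    Returns [(iso_date, [reasons], [(repo, doc), ...])] for later forensic tie-in."""
    totals = daily_totals(records, user)
    start = date.fromisoformat(window_start)
    baseline = [v for d, v in totals.items() if d < start]
    if not baseline:
        raise ValueError("no baseline days before the investigation window")
    base_bytes = median(v["bytes"] for v in baseline)
    base_repos = max(len(v["repos"]) for v in baseline)
    allowed = scope.get(user, set())
    findings = []
    for d in sorted(k for k in totals if k >= start):
        v = totals[d]
        reasons = []
        if v["bytes"] > volume_factor * base_bytes:
            reasons.append(f"volume {v['bytes']:,} B vs baseline median {base_bytes:,.0f} B")
        if len(v["repos"]) > base_repos:
            reasons.append(f"{len(v['repos'])} repositories in one day vs baseline max {base_repos}")
        out_of_scope = sorted(r for r in v["repos"] if r not in allowed)
        if out_of_scope:
            reasons.append("outside assigned scope: " + ", ".join(out_of_scope))
        if reasons:
            findings.append((d.isoformat(), reasons, v["docs"]))
    return findings


if __name__ == "__main__":
    for day, reasons, docs in flag_anomalies(ACCESS_LOG, "jdoe", "2014-10-28"):
        print(day)
        for r in reasons:
            print("  -", r)
        for repo, doc in docs:
            print(f"    {repo}/{doc}")
```

Using the employee's own history as the baseline avoids arguing about what is "normal" for the whole company; the output is a dated list of the specific documents involved, which is exactly what the forensic examiner in step 2 needs to look for on the imaged devices.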

What Would You Do?

Do you believe outbound VPN and route obfuscation using Tor are benign freedoms that corporations should allow employees, or do they enable criminal activity and more insidious threats? On a corporate network, should security trump individual privacy? Comment below on how you see the risks, and what you've done to mitigate them in your workplace.


2 Comments

  1. Thanks for the article Martin, always interesting to read what's going on in MTD. In this day and age there are lots of privacy-minded employees who don't feel their employer (or anyone else) should see their private web browsing (i.e. banking, gmail, etc.) and will go out of their way to enable privacy. You certainly mention that in the article, as well as a couple of other possible reasons, but that leads me to a couple of questions.... My questions are: 1) did the company this was found at have a policy against this activity? a) If the answer is no, why did they have to have an HR interview? Should they create such a policy? b) If they did, then why not go through greater lengths to block this traffic? 2) Have you asked for the telemetry data that you recommend investigating? It seems like the private web browsing itself isn't a high-fidelity indicator, but would certainly be a trigger to look a bit deeper at suspicious activity. I understand this may be outside of the scope of MTD, but seems like it would make sense. Thanks for sharing this case with everyone, it's always interesting to see real case information out of MTD. -Mike

    • Mike: Great questions. I can't provide much detail on this case due to privacy restrictions, so I'll answer from my experience. 1) I've seen companies that have broad policies forbidding the misuse of proprietary information, but don't have explicit policies addressing whether employees can use VPN or conceal their traffic. In these cases, the HR interview is reactive, and not bound to explicit policy violations. As you suggest, these are not fruitful since they are speculative rather than addressing concrete violations. 2) Telemetry data, as you know, is vastly useful to correlate in such a case, but is not always readily available unless the organization has a mature collection system in place. Further, managed service providers often have incomplete telemetry, especially early in the engagement. I'm glad to say that OpenSOC enables all forms of telemetry - (we call it "machine exhaust"), and we actively solicit east-west traffic and critical server logs to correlate in such cases.
