The CERT® Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) > Chapter 7. Technical Insider Threat Controls > Infrastructure of the Lab

Download Safari Books Online apps: Apple iOS | Android

Entire Site

Safari Books Online is a digital library providing on-demand subscription access to thousands of learning resources.

This Book

The CERT® Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud)

Search

Table of Contents

Chapter 2. Insider IT Sabotage

Chapter 3. Insider Theft of Intellectual Property

Chapter 4. Insider Fraud

Chapter 5. Insider Threat Issues in the Software Development Life Cycle

Chapter 6. Best Practices for the Prevention and Detection of Insider Threats

Chapter 7. Technical Insider Threat Controls

Infrastructure of the Lab

Demonstrational Videos

High-Priority Mitigation Strategies

Control 1: Use of Snort to Detect Exfiltration of Credentials Using IRC

Control 2: Use of SiLK to Detect Exfiltration of Data Using VPN

Control 3: Use of a SIEM Signature to Detect Potential Precursors to Insider IT Sabotage

Control 4: Use of Centralized Logging to Detect Data Exfiltration during an Insider’s Last Days of Employment

Insider Threat Exercises

Summary

Chapter 8. Case Examples

Chapter 9. Conclusion and Miscellaneous Issues

Appendix A. Insider Threat Center Products and Services

Appendix B. Deeper Dive into the Data

Appendix C. CyberSecurity Watch Survey

Appendix D. Insider Threat Database Structure

Appendix E. Insider Threat Training Simulation: MERIT InterActive

Appendix F. System Dynamics Background

Infrastructure of the Lab

The lab consists of two virtual environments that are capable of simulating very detailed network architectures and system configurations, running from the network perimeter to the end-user workstation. We use one virtual environment to test micro-scale scenarios, and another larger-scale platform to simulate the behavior of a “real” network. In other words, the “micro-lab” provides us with a small network of fewer than ten servers, workstations, and users in order to stage our scenario. The “macro-lab” can replicate a network topology of several hundred servers and workstations, and we have actually used this lab environment to simulate the behavior of up to 5,000 users.

The micro-lab consists of a few physical systems running various virtual machines to simulate complete networks. This flexibility provides a quick way to reconstruct insider attacks and respective defense mechanisms. It enables us to determine the effectiveness of various controls and tools against the threat of malicious insiders and to test our proposed new countermeasures in a realistic environment. As a result, we can now provide concrete, technical recommendations for prevention and mitigation of insider threats. We create realistic environments to study insider attacks and to evaluate candidate defense mechanisms. Additionally, the lab allows us to rapidly prototype small to medium-sized networks at minimal cost and allows us to inte....

You are currently reading a PREVIEW of this book.

Get instant access to over
$1 million worth of books and videos.

Start a Free Trial