How to Mitigate the Insider Threat


The insider threat isn't limited to disgruntled admins

More and more IT pros are getting wise to the true nature of the insider threat. While the phrase generally conjures up images of a disgruntled admin actively sabotaging systems or stealing data to sell to competitors, they understand that the insider threat is much broader than that. Most organizations have hundreds if not thousands of accounts with varying levels of privilege, including not just admin accounts but various user and service accounts as well. Those users can misuse their permissions and do a lot of damage, even if they don't have the same power as admins. Moreover, admins and users alike can make honest or careless mistakes that can result in a breach or downtime. And, of course, hackers can get control of legitimate user or admin credentials for your environment, transforming themselves from outside attackers into insider threats.

Current Approaches Aren't Working Well Enough

Organizations are acutely aware of the risks. In a recent Quest® survey of 400,000 members of an information security community on LinkedIn, 90 percent of respondents said they feel vulnerable to insider attacks, and 66 percent of them consider malicious insider attacks or accidental breaches more likely than external attacks. What's more, half of them estimate the financial impact of undetected data breaches to be half a million dollars or even more. As a result, they are taking action: 94 percent already use some method to monitor users, and 86 percent have or are building an insider threat program.

Nevertheless, a full 63 percent of respondents admitted that they experienced an insider attack in the previous 12 months.

Best Practices And Proven Tools That Can Make A Real Difference

Clearly, organizations need to up their game. This ebook explains how. It details three key best practices that will help you mitigate the insider threat — and also explores specific tools that will help you implement those best practices. Specifically, you'll learn practical ways to:

  • Understand and control privilege across the IT environment
  • Control your Group Policy objects (GPOs)
  • Keep admins in their lanes

Understand and control privilege across the IT environment

Auditing Built-In Admin Accounts Is Necessary but Not Sufficient

The first step in mitigating the insider threat is to get a clear picture of who has access to what. For most organizations, that means understanding your Active Directory users and groups and the permissions assigned to them. Organizations commonly focus on the most powerful groups, such as Domain Admins, Enterprise Admins and Account Operators. Membership in any of these groups provides enormous amounts of privilege over an environment, so it is critical to keep them under tight control.

But it's by no means sufficient. Hackers know that these groups are highly monitored, so they look for other ways to elevate their privileges. For example, they try to slip in using Active Directory's group nesting — instead of becoming a member of Domain Admins, they become a member of a group that's a member of Domain Admins, hoping no one will notice. Or they try to get local admin access on the database server with the data they're after, or compromise an account that has access to the data they want, whether it's an admin account or a user account. Moreover, as noted earlier, it doesn't necessarily require either privileged credentials or malicious intent to cause serious problems — a hurried user or a careless admin might simply make a mistake that exposes important data or causes other damage.

Understand Access Permissions with Enterprise Reporter Suite

Quest® Enterprise Reporter Suite will help you identify these quiet paths that the insider threat often takes, so you can minimize the risk to your business. It collects data from across your hybrid environment — directories, databases, files, email and more — and stores it in a powerful central database to facilitate fast and efficient security assessments, pre-migration analysis, capacity planning and much more (see Figure 1).

Figure 1. Enterprise Reporter collects data from across your hybrid environment

Plus, Enterprise Reporter Suite includes Security Explorer®, so you can quickly take action from within the Enterprise Reporter user interface to remove any inappropriate permissions. Security Explorer provides an array of additional security features, such as the ability to quickly grant, revoke, clone, modify and overwrite permissions from a central location. Together, these solutions facilitate security and compliance by enabling you to stay ahead of security vulnerabilities to prevent breaches.

In particular, this combination of reporting and on-the-spot remediation helps you combat the insider threat by making it much easier to understand who can do what across the environment and quickly remove any excessive or otherwise inappropriate permissions. Because Enterprise Reporter collects data from not just Active Directory and Azure AD but file servers, Exchange, SQL Server, Windows Server, Office 365 and OneDrive for Business as well, it can answer questions like these:

  • Who can add members to critical groups?
  • Who can log on to each Windows Server?
  • Who has admin access to SQL Server?
  • Who can view files on critical file servers?
  • Exactly which files can each user access in OneDrive for Business?

You might be surprised to discover that some of your users have nearly as many privileges as admins, even though they're not members of any of the powerful administrative groups you're watching like a hawk.

Figure 2 illustrates how Enterprise Reporter clears up the complex tangle of permissions that results from group nesting and privilege delegation in Active Directory, which is really hard to do natively. This report shows all accounts in Active Directory that can change group membership, which accounts they can change and how they got that access. In this case, you can see that far too many users are members of the powerful Account Operators group, which enables them to change group membership in the domain. Even worse, a computer account is a member, which means that anyone who is also a member of that computer's administrator group has the rights of an Account Operator — a security vulnerability that requires immediate attention.

Figure 2. Enterprise Reporter can show you everyone who can change the membership of groups and how they got those rights.
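The nested-membership problem described above can be checked with a short script. This is an added example, not Quest's code or part of the original ebook: it walks a constructed table of direct group memberships (all account and group names are hypothetical) and reports every account that reaches a privileged group through nesting, along with any computer account that holds the group's rights.

```python
from collections import deque

# Constructed sample: direct members of each group as (name, kind) pairs.
# Every name here is hypothetical.
DIRECT_MEMBERS = {
    "Domain Admins": [("alice.admin", "user"), ("IT-Ops", "group")],
    "IT-Ops": [("Helpdesk-Leads", "group"), ("bob", "user")],
    "Helpdesk-Leads": [("carol", "user"), ("IT-Ops", "group")],  # circular nesting
    "Account Operators": [("dave", "user"), ("SRV-FILE01$", "computer")],
}


def effective_members(group, direct_members):
    """Map every user or computer that is a direct or nested member of
    `group` to its kind and the chain of groups that grants the membership.
    Breadth-first search keeps the shortest chain; the `seen` set stops
    circular nesting from looping forever."""
    found = {}
    seen = {group}
    queue = deque([[group]])
    while queue:
        path = queue.popleft()
        for name, kind in direct_members.get(path[-1], []):
            if kind == "group":
                if name not in seen:
                    seen.add(name)
                    queue.append(path + [name])
            elif name not in found:
                found[name] = {"kind": kind, "path": path}
    return found


def review_findings(group, direct_members):
    """List memberships that watching only the top-level group would miss."""
    findings = []
    for name, info in sorted(effective_members(group, direct_members).items()):
        if len(info["path"]) > 1:
            findings.append((name, "nested via " + " > ".join(info["path"])))
        if info["kind"] == "computer":
            findings.append((name, "computer account holds " + group + " rights"))
    return findings


if __name__ == "__main__":
    for privileged in ("Domain Admins", "Account Operators"):
        for account, reason in review_findings(privileged, DIRECT_MEMBERS):
            print(f"{privileged}: {account}: {reason}")
```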

With the detailed, easy-to-understand reports from Enterprise Reporter, you can right-size access permissions according to each user's legitimate job requirements in accordance with the least-privilege principle. Minimizing a user's permissions reduces the power of that account to do damage, whether it's at the hands of a careless or disgruntled account owner, or a malicious outsider who has stolen the account's credentials.

Audit Changes to Access Permissions with Change Auditor

Of course, once you have a clear picture of access rights in your environment and have cleaned up excessive permissions, you need to audit them closely to spot any modifications. Change Auditor makes it easy to stay up to date on changes across your hybrid environment, as illustrated in Figure 3, including changes to access privileges. For example, it can audit changes to the local Administrators group on Windows servers, as well as changes to individual security rights on member servers.

Moreover, Change Auditor can proactively alert appropriate staff members when changes are made to critical groups or other objects — and even protect those objects from being changed in the first place. For instance, Figure 4 shows an alert on the removal of an account from an important security group, with all the critical details, including which user was removed from which group, who made the change, where the action originated and whether it was successful. By setting up alerts for changes to all groups that have permissions to access important resources, including admin groups and groups for executives, you can minimize the chances of insiders escalating their privileges without being noticed.

Figure 4. Change Auditor can proactively alert you when your critical groups are changed.

Control your GPOs

Group Policy Is Both Powerful and Complex

Group Policy objects are collections of policy settings that you can use to control password complexity requirements, prevent users from accessing parts of the system, rename the Administrator account or reset its password, deploy custom registry values, and much more.

It's hard to overstate the power of Group Policy in any Microsoft environment.

A single errant setting in a GPO can quickly lock users out of business-critical applications, since the altered GPO will quickly replicate throughout the environment. And just one malicious change could cause ransomware or other malware to run when the system starts up, possibly leading to crippling data loss or system downtime.

A single errant or malicious change to a GPO can lock users out of business-critical applications or unleash malware in your network.

Audit and Govern Changes to GPOs With Change Auditor and GPOADmin

Because GPOs are complex, they can be difficult to manage using native tools. As a comprehensive change auditing solution, Change Auditor fully audits and alerts on changes to Group Policy, including who made each change and exactly which setting was changed. You can even protect critical GPOs from being changed at all.

Quest also offers a solution built specifically for workflow-driven, version-controlled GPO management: GPOADmin®. GPOADmin integrates fully with Change Auditor and enables you to automate a wide range of GPO management tasks that are difficult and time-consuming to perform using native tools and PowerShell scripts. For example, you can easily compare the settings of different GPO versions side by side to understand what changes have been made, and granularly roll back any problematic changes in seconds.

Figure 5. GPOADmin transforms manual GPO management into a clear workflow that minimizes errant and malicious changes and ensures accountability.

GPOADmin enables you to granularly control who can do what throughout the environment by closely managing GPOs (see Figure 5). You can easily implement workflow processes to ensure that each change is properly reviewed and approved before it is deployed, as well as test GPO changes before deploying them in production. You can even specify whether a change should be implemented when it is approved or on a specific schedule. All changes are audited and tracked, so you'll know exactly who changed what, when the change happened, and what was changed.

Figure 6 shows the GPOADmin web interface dashboard. You can see the GPOs that have been checked out to be worked on, changes that are pending approval, any unauthorized modifications, and changes that have been deployed. An extension for Microsoft GPMC allows you to work in that interface if you prefer.

Figure 6. The web-based GPOADmin dashboard simplifies GPO management.

Keeping admins in their lanes

As we've seen, limiting the power of user and admin accounts by controlling permissions and GPOs reduces the usefulness of those accounts to attackers. Now let's focus on minimizing the ability of attackers to get control over those accounts in the first place.

Most attacks start on user workstations. After all, they have far more interaction with the external world than admin consoles or servers; users are constantly using browsers, cloud applications and social media on their computers, while other endpoints may not even have an internet connection. Once attackers get a foothold on a user workstation, they look for credentials they can use to move laterally to other systems and stealthily escalate their privileges. It's bad enough if they collect end-user credentials, of course, but it's far worse if they manage to harvest admin credentials that grant more powerful privileges.

Therefore, it's critical to closely control where admin credentials are used. To help, Microsoft developed the enhanced security administrative environment (ESAE) model, which is often called Red Forest. You hold your admin accounts in three separate administrative forests, numbered 0–2. The most powerful accounts go in Tier 0, where you can more easily keep a close eye on them and apply more stringent security measures, such as requiring that they log on from a hardened workstation or complete a multifactor authentication (MFA) step.

To learn more about keeping admins in their lanes, be sure to watch Quest's on-demand webcast with security expert Randy Franklin Smith, "Quantifying Potential AD Lateral Movement Exposure," and read the associated ebook, "Enhancing Active Directory Security: Best practices for limiting lateral movement by attackers in your network."

Most attacks start on user workstations, so it's essential not to leave admin credentials there for hackers to harvest.

Keep Informed About Who Can Log on To Which Workstations Using Enterprise Reporter

As we have seen, Enterprise Reporter makes it far easier to understand who has access to what, which of course includes assessing the privileges of admin accounts to inform your Red Forest model. For example, Enterprise Reporter will show you everyone who can log on to a particular workstation, as shown in Figure 7, so you can ensure that admins cannot leave credentials behind on user workstations for attackers to harvest.

Figure 7. Enterprise Reporter shows everyone who can log on to workstations and other endpoints where attackers might harvest their credentials.

Audit and Alert on Logon Activity With Change Auditor

And Change Auditor can alert you if an admin attempts to log on to any vulnerable endpoint, with critical details such as the date and time and whether the attempt was successful (see Figure 8), so you can wipe any credentials they might have left behind and update your policies to prevent them from logging on there in the future.

Figure 8. Change Auditor alerts you when admins log on to vulnerable endpoints, such as user workstations.
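The logon check described in this section can be expressed as a small detection routine. This is an added example, not Change Auditor's logic or output format: the tier assignments, account and host names, and the CSV layout of the logon records are all constructed for illustration.

```python
import csv
import io

# Assumed tier assignments (hypothetical names); lower number = more privileged.
ACCOUNT_TIER = {"adm-t0-erin": 0, "adm-t1-frank": 1, "grace": 2}
HOST_TIER = {"DC01": 0, "SQL01": 1, "WKS-114": 2, "WKS-207": 2}

# Constructed logon records in an assumed CSV layout, not a product export.
SAMPLE_LOG = """time,account,host,result
2024-03-04T08:01:12,adm-t0-erin,DC01,success
2024-03-04T09:15:40,adm-t0-erin,WKS-114,success
2024-03-04T09:20:03,adm-t1-frank,WKS-207,failure
2024-03-04T10:02:55,grace,WKS-114,success
2024-03-04T11:45:09,adm-t1-frank,SQL01,success
2024-03-04T13:30:21,adm-t0-erin,PRN-LOBBY,success
"""


def tier_violations(log_text, account_tier, host_tier):
    """Return logons where an account was used on a host less trusted than
    the account's own tier. Accounts absent from account_tier are skipped;
    hosts absent from host_tier count as least trusted, so unknown
    endpoints fail closed."""
    least_trusted = max(host_tier.values())
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        acct = account_tier.get(row["account"])
        if acct is None:
            continue
        if host_tier.get(row["host"], least_trusted) > acct:
            alerts.append({
                "time": row["time"],
                "account": row["account"],
                "host": row["host"],
                # Only a successful logon can leave credentials behind.
                "exposed": row["result"] == "success",
            })
    return alerts


def hosts_to_clean(alerts):
    """Hosts where a higher-tier credential may now be cached."""
    return sorted({a["host"] for a in alerts if a["exposed"]})


if __name__ == "__main__":
    found = tier_violations(SAMPLE_LOG, ACCOUNT_TIER, HOST_TIER)
    for a in found:
        print(a["time"], a["account"], "->", a["host"], "exposed:", a["exposed"])
    print("clean up:", hosts_to_clean(found))
```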

Tying it all together

IT Security Search: An Intelligent Looking Glass into Your IT Environment

Quest also provides a solution that helps tie all of these efforts together: IT Security Search. IT Security Search is included free with Enterprise Reporter and Change Auditor, as well as several other Quest security and compliance solutions, such as InTrust®, Recovery Manager and Active Roles. It also works with GPOADmin because Change Auditor integrates fully with GPOADmin.

IT Security Search is a powerful search engine that enables IT administrators and security teams to quickly respond to security incidents and analyze event forensics. Its web-based interface correlates disparate IT data from multiple Quest security and compliance solutions into a single console (see Figure 9).

Figure 9. IT Security Search correlates disparate IT data from many Quest security and compliance solutions into a single console, facilitating analysis and quick incident response.

The simple, Google-like search, shown in Figure 10, makes it easy to perform on-the-spot forensics and dynamically pivot your investigation as other details emerge. For example, you can easily understand how a workstation was used in a hacking attempt or a breach scenario.

Figure 10. IT Security Search offers a simple, Google-like search of data across your hybrid IT environment.

Starting from a simple, Google-like search, you can quickly uncover all the critical details of an incident — including details that native logs simply do not collect.

Suppose Change Auditor alerts you to a change to a sensitive financial database. Using IT Security Search, you can simply type the word "finance" in the search box, and within minutes, you'll know which users, groups and workstations were involved and even the specific commands that were run on those workstations — details that native logs simply do not capture but Quest solutions do. For example, Figure 11 details all the actions taken by a particular user, organized into a coherent timeline that's easy to understand and analyze. With a single click, you can drill down into the details of a particular event, or pivot to see what else occurred on workstations that the user touched.

Figure 11. IT Security Search makes it easy to perform on-the-spot forensics and dynamically pivot your investigation as other details emerge.


There's no magic bullet to eliminate the insider threat. Users and admins need certain access permissions to do their jobs, and you can't guarantee they will never make mistakes or abuse their privileges. Nor can you guarantee that outside attackers will never take over legitimate user accounts to try to steal your data or disrupt your business.

However, there are three practical steps you can take to dramatically reduce the insider threat:

  • Understand and control privilege across the IT environment
  • Control your Group Policy objects (GPOs)
  • Keep admins in their lanes

Quest offers practical, proven solutions that make it much easier to carefully manage privileges, control GPOs and keep admins in their lanes.

Quest offers practical, proven solutions that simplify implementing these key best practices. We invite you to learn more:

  • Enterprise Reporter —
  • Change Auditor —
  • GPOADmin —
  • IT Security Search —

About Quest

At Quest, our purpose is to solve complex problems with simple solutions. We accomplish this with a philosophy focused on great products, great service and an overall goal of being simple to do business with. Our vision is to deliver technology that eliminates the need to choose between efficiency and effectiveness, which means you and your organization can spend less time on IT administration and more time on business innovation.