January 2013
TECHNICAL NOTE
CMU/SEI-2013-TN-003
CERT® Program
Insider Threat Control: Using Universal
Serial Bus (USB) Device Auditing to
Detect Possible Data Exfiltration by
George J. Silowash
Todd B. Lewellen
Copyright 2012 Carnegie Mellon University
This material is based upon work funded and supported by Department of Homeland Security under Contract No.
FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of Department of Homeland Security or the United States Department of Defense.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING
INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY
MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER
INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL.
CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH
RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
This material has been approved for public release and unlimited distribution except as restricted below.
Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative works.
External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at email@example.com.
* These restrictions do not apply to U.S. government entities.
Carnegie Mellon® and CERT® are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.
DM-0000084 SEI markings v3.2 / 30 August 2011
Table of Contents
Acknowledgments v
1 Introduction 1
1.1 Audience and Structure of This Report 2
2 Mitigating Insider Threat: Tools and Techniques 3
2.1 Utilizing the CERT Insider Threat Database
Special thanks to our sponsors at the U.S. Department of Homeland Security, National Cyber Security Division, Federal Network Security branch for supporting this work.
Universal serial bus (USB) storage devices are useful for transferring information within an organization; however, they are a common threat vector through which data exfiltration can occur.
Despite the threat, many organizations feel that the utility of USB storage devices outweighs the potential risks. Implementing controls to track the use of these devices is necessary if organizations wish to retain sufficient situational awareness and auditing capabilities to detect data theft incidents.
This report presents methods to audit USB device use within a Microsoft Windows environment.
Using various tools—the Windows Task Scheduler, batch scripts, Trend Micro’s OSSEC host-based intrusion-detection system (HIDS), and the Splunk log analysis engine—we explore means by which information technology (IT) professionals can centrally log and monitor USB device use on Microsoft Windows hosts within an organization. In addition, we discuss how the central collection of audit logs can aid in determining whether sensitive data may have been copied from a system by a malicious insider.
Malicious insiders attempting to remove data from organizational systems may have various ways of doing so, such as by using email and cloud storage services. Some malicious insiders attempt to remove data by using removable universal serial bus (USB) media.
As discussed in a prior Software Engineering Institute (SEI) report, Insider Threat Control: Understanding Data Loss Prevention (DLP) and Detection by Correlating Events from Multiple Sources, the use of removable media presents unique problems to the enterprise since insiders can use such media to remove proprietary information from company systems. Insiders may do this for legitimate reasons, such as to work on material at home, or they may do so for malicious reasons, such as to steal intellectual property.
Staff members of the CERT® Program, part of Carnegie Mellon University’s Software Engineering Institute, have seen instances where removable media played a role in a malicious insider’s attack. Given this and other considerations that we discuss later in this report, organizations must establish and implement effective methods and processes to prevent unauthorized use of removable media while still allowing users with a genuine business need to access and remove such media. In addition, organizations should establish sound methods to track critical electronic assets so that they may better protect them.
This report presents methods to audit USB device usage within a Microsoft Windows environment. Using various tools—the Windows Task Scheduler, batch scripts, Trend Micro’s OSSEC host-based intrusion-detection system (HIDS), and the Splunk log analysis engine—we explore means by which information technology (IT) professionals can centrally log and monitor USB device usage on Microsoft Windows hosts within an organization. In addition, we discuss how the central collection of audit logs can aid in determining whether sensitive data may have been copied from a system by a malicious insider. Implementing controls to track the usage of these devices is necessary if organizations wish to retain situational awareness and auditing capabilities during a data theft incident.
The methods described in this report are designed so that each Windows host will check for changes to its USBSTOR registry key every five minutes. Whenever a change is detected, due to either a new USB device being inserted or a previous one being re-inserted, the host will locally log the new registry values as well as the host’s user-session information. At the same time, the host will (optionally) send a short SYSLOG message to a central log server for immediate alerting purposes. Additionally, the OSSEC HIDS system will centrally log the new registry values and session information and forward them to a Splunk system for analysis.¹
¹ We outline this process fully in Section 2.4. We discuss OSSEC further in Section 2.5, and we present background about and uses for Splunk in Section 5.
® CERT is a registered trademark owned by Carnegie Mellon University.
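The five-minute check described above, written here as an added Python example for this discussion rather than the Windows Task Scheduler batch scripts the report itself uses (this is not the report's code). It assumes the USBSTOR subkey naming pattern Disk&Ven_<vendor>&Prod_<product>&Rev_<rev> with one instance-id subkey per physical device, reads the live key through Python's winreg module only when run on Windows, and picks syslog priority 13 (user.notice) for the optional alert; the snapshots used in the usage note are constructed, not captured from a real host.

```python
"""USBSTOR change detection: snapshot the registry key, diff it against the
previous snapshot, and emit a local log record plus a short syslog line for
each newly seen device.  Added example for this discussion; not the report's
own scripts.  The subkey naming pattern and the syslog priority are assumptions."""
import getpass
import json
import os
import re
import socket
from datetime import datetime, timezone

USBSTOR_PATH = r"SYSTEM\CurrentControlSet\Enum\USBSTOR"
# Device-class subkeys look like "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00" (assumed pattern).
DEVICE_RE = re.compile(
    r"^(?P<class>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$"
)


def parse_device_key(name):
    """Split a device-class subkey name into class/vendor/product/rev; None if it does not match."""
    m = DEVICE_RE.match(name)
    return m.groupdict() if m else None


def snapshot_usbstor():
    """Return {device_key: [instance_id, ...]} from the live registry (Windows only).
    On other platforms winreg is absent, so an empty snapshot is returned."""
    try:
        import winreg
    except ImportError:
        return {}
    snap = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USBSTOR_PATH) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            dev = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, dev) as devkey:
                snap[dev] = [winreg.EnumKey(devkey, j)
                             for j in range(winreg.QueryInfoKey(devkey)[0])]
    return snap


def diff_snapshots(baseline, current):
    """(device_key, instance_id) pairs present in current but absent from baseline.
    Only subkey names are compared here; the registry values the report's scripts
    also capture are not diffed in this example."""
    new = []
    for dev, instances in sorted(current.items()):
        known = set(baseline.get(dev, []))
        new.extend((dev, inst) for inst in instances if inst not in known)
    return new


def session_info():
    """Attribution data recorded alongside each alert."""
    return {"host": socket.gethostname(), "user": getpass.getuser(),
            "time": datetime.now(timezone.utc).isoformat()}


def syslog_line(session, dev, inst):
    """One-line RFC 3164-style message; <13> = facility user, severity notice (assumed choice)."""
    p = parse_device_key(dev) or {}
    return "<13>%s USBAUDIT user=%s vendor=%s product=%s instance=%s" % (
        session["host"], session["user"], p.get("vendor", "?"), p.get("product", "?"), inst)


def check_once(baseline, current, session):
    """One scheduled pass: one log record per device not present in the baseline."""
    records = []
    for dev, inst in diff_snapshots(baseline, current):
        records.append(dict(session, device_key=dev, instance_id=inst,
                            details=parse_device_key(dev),
                            syslog=syslog_line(session, dev, inst)))
    return records


def send_syslog(line, server, port=514):
    """Optional: ship the short alert to a central syslog server over UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (server, port))


def main(baseline_file="usbstor_baseline.json", log_file="usbstor_audit.log", syslog_server=None):
    """Entry point for a scheduled task; the report runs its check every five minutes."""
    baseline = {}
    if os.path.exists(baseline_file):
        with open(baseline_file) as f:
            baseline = json.load(f)
    current = snapshot_usbstor()
    records = check_once(baseline, current, session_info())
    with open(log_file, "a") as f:
        for rec in records:
            f.write(json.dumps(rec) + "\n")  # local audit trail, one JSON record per line
            if syslog_server:
                send_syslog(rec["syslog"], syslog_server)
    with open(baseline_file, "w") as f:
        json.dump(current, f)  # the new snapshot becomes the next pass's baseline
    return records


if __name__ == "__main__":
    for rec in main():
        print(rec["syslog"])
```

Scheduled every five minutes, main() keeps the previous snapshot in a JSON file and appends one JSON record per newly seen device to the local log, which matches the report's design of local logging with optional central alerting. With a constructed baseline holding one SanDisk instance and a current snapshot that adds a second SanDisk instance and a Kingston device, check_once returns two records, the Kingston one first because device keys are sorted.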
This approach offers several key advantages that can assist an organization in its efforts to monitor potential incidents of data theft:
1. USB device usage can be detected quickly. It takes less than five minutes for the system to generate an alert.
2. There is redundant logging of information. Logs are stored locally on the hosts, centrally on an OSSEC server, and centrally on a SYSLOG server.
3. The system provides attribution. Current user-session information is logged when an incident is detected.
4. Native and open source tools are utilized. Local logging utilizes only Windows native capabilities and a single, open source, forensic executable; centralized logging can be done with the open source OSSEC system.
5. The system is customizable. An organization can choose to exclude any of the centralized logging capabilities and retain just the local logging capabilities or further modify the control to best suit its needs.
1.1 Audience and Structure of This Report
This report is a hands-on guide for system administrators and information security teams who are implementing USB device auditing and want to have a better understanding of which devices may be in use throughout the organization. We assume that readers are comfortable installing software and have a basic knowledge of how to edit a script.
The remainder of this report is organized as follows:
• Section 2 describes methods to establish proper auditing policies and technical controls to help reduce the risk of malicious insider activity.
• Section 3 presents additional information about USB audit logs.
• Section 4 lists benefits for 1) federal government agencies that use air-gapped systems and 2) organizations that want to protect intellectual property.
• Section 5 outlines how Splunk can be used to help identify events that are related to USB device usage.
• Section 6 summarizes this report.
2 Mitigating Insider Threat: Tools and Techniques
We define a malicious insider as a current or former employee, contractor, or business partner who
• has or had authorized access to an organization’s network, system, or data, and
• intentionally exceeded or misused that access, and
• negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
Malicious insiders are able to act within an organization by taking advantage of weaknesses they find in systems or by exploiting existing legitimate processes to their advantage. Organizations must be aware of such weaknesses and how an insider may exploit them; organizations must also be aware of the many ways in which weaknesses are introduced. For example, an organization may have insecure configurations or relaxed or nonexistent security policies. In other cases, a lack of situational awareness introduces weaknesses that malicious insiders can exploit, such as not understanding how organizational policies affect employees’ ability to perform their jobs effectively and efficiently. Additionally, an organization that allows its employees to use USB storage devices is essentially increasing the potential for data leakage. Establishing proper auditing policies and technical controls, as discussed in this report, will mitigate some of the risks.
Our research has revealed that most malicious insider crimes fit into one of three categories: IT sabotage, theft of intellectual property, and fraud. This report focuses on the theft of intellectual property using removable media, in particular, USB devices. When USB devices are introduced into a Microsoft Windows-based system, the system generates numerous artifacts that can be audited or possibly used for forensic analysis. Therefore, it is important to understand how USB devices interact with the system.
The tools and techniques presented in the next sections represent just a subset of various practices an organization could implement to detect and mitigate insider threats. For example, organizations may wish to deploy commercially available software to prevent data loss. These tools and methods can be used by organizations of any size, and we intentionally selected open source and public domain tools since they are freely available to the public. Additionally, many of the commands that we present are native to the Windows operating system.
2.1 Utilizing the CERT Insider Threat Database