Next Generation of Insider Threats

Overview

Sophisticated cybercrimes are not originating from the outside world alone. There are threat actors within your environment too, who are also becoming tech savvy. After basic internal threats and deliberate attacks by disgruntled employees, there is a greater security risk from tech savvy employees.

Insiders in fact have many advantages over the outsider attackers.

How Do Insiders Evade Detection?

Using following techniques, insider threats can prove fatal for an organization without raising alarms.

• Insiders do not need to conduct reconnaissance before launching an insider attack. Therefore, internal attackers have the advantage of evading possible detection by the IT security team during reconnaissance.
• They also have the advantage of knowledge. They know where the treasure is, so they do not have to conduct messy searches of network and file systems in order to locate confidential information and credit card details of their target employees.
• Another advantage insiders enjoy is that they do not have to download detectable malware in the environment. They can access systems without fetching external malware or contacting remote C2 servers, which could have been detected by the security systems in place.
• Insiders can leverage multiple shadow accounts to disperse chunks of their activities, either fake or borrowed legitimate accounts, to avoid crossing the threshold limit set on automated detectors, thereby avoiding raising suspicion.
• Insiders can also persistently locate key sellable corporate information by utilizing as much time as needed. They can access this shortlisted information and steal or sell it without the raise of an eyebrow.

Hence, insiders can avoid possible detection by noisy reconnaissance, malwares, and hyperactivity.

Special Privileges and Stealthy Internal Hacking

Usually, employees are given more privileges than are necessary for the fulfilment of their jobs, just to ensure convenience. In addition to these excessive privileges, oftentimes the internal access controls are misconfigured, making Corporate’s secret and confidential information accessible by employees. Neglecting the loopholes in the configuration of internal access controls is a bigger mistake than most executives will consider it to be.

Since insider threats are on the rise, not only should information be secured from outsiders, but also from the insiders who are not concerned with the information.

Acquiring any admin-level privileges, insider threats can acquire stealthy internal hacking. For instance, Edward Snowden’s elevation of system privileges can be taken as an example, using which he crafted special digital keys to disguise his activity. When he accessed the confidential information, it appeared as if another user was accessing it. He went as far as deleting system logs to avoid trails and used encryption software so that security-monitoring systems could not detect the data theft.

Exploitation of Privileges

• Excessive permissions given to employees with specialized duties can be exploited, like networking staff appointed for traffic analysis or database administrators who access data for backups, etc. can exfiltrate available information.
• Oftentimes, executives will not bother to refine custom privileges of employees, and will provide Domain Admin access as an alternate, thereby granting employees a super-user status.
• Insiders can also exploit peer relationships to acquire passwords or accessibility given to these special users.
• These special users like Database admins and networking staff may also use easy-to-guess passwords, (sometimes as basic as ‘John1234’) to avoid forgetting them, which can be guessed by other employees.
• A Verizon Data Breach Investigations Report stated that 15% of all breaches involved “malicious or inappropriate use of existing privileges.”

How to Defend from the Insider’s Threat

Organizations have this rising concern of reducing cyber risk by the insiders.

• The first step should be, identifying exploitable information, locating it, and limiting access to it to fewest people possible. Many organizations fail at this first step and make available the sensitive data to all employees of the organization.
• Implement custom privileges best suited for each employee’s job requirement. For employees involved with administrative work, use a least-privileged admin model. “Local admin” accounts can be created where administrative privileges are only granted on selected machines.
• Analyze behavioral profiles of user accounts to identify sneaky behavior. Intrusion prevention systems may not be able to detect these behavioral anomalies but there are software available that work on behavioral threat models.
• Behavioral threat models can detect a targeted noisy behavior, for example, if massive encryption is carried out using a user’s account, immediate alerts are sent to the IT staff to suspend that user account that is potentially running ransomware.

In the end, it’s not easy to spot next generation insiders. Begin with the knowledge that insider threats are already there with the knowledge of key assets and location of sensitive data. Immediate actions should now be taken to limit access to key assets, tailor user’s privileges as per job requirements, monitor and analyze behaviors, and always have someone ready to immediately respond to alerts generated by behavioral threat models.