Often, and for good reasons, organizations focus much of their security and defensive measures on keeping attackers and bad actors out of their network and environment. But what if the threat is coming from the inside?
It’s a growing trend that’s easy to overlook. Without knowing the telltale signs or taking proactive measures to prevent it, organizations might be leaving themselves with a big blind spot.
We spoke to Ziv Mador, VP, Security Research at Trustwave SpiderLabs, about these insider threats and how organizations can identify and prevent them.
According to Ziv, a compromise resulting from human error, such as an employee clicking on a phishing link, isn’t considered an insider threat. An insider threat is intentional, and insiders fall into two categories by motivation: the disgruntled employee or contractor acting on their own, and the employee recruited by outside criminals.
For whatever reason, whether job dissatisfaction, a recent termination or an ended contract, a disgruntled employee or third-party vendor poses a risk if they still have access to your organization’s network, certain servers or specific data. “That’s a significant threat,” says Ziv. “For example, a disgruntled developer can get source code of a product, exfiltrate it and then post it publicly or put it up for sale.”
The risk doesn’t stop there. Customer lists can get out, servers can be taken down, data can be deleted, and even if the culprit is found quickly, the damage is done. That speed is part of the risk: a malicious insider will move as fast as possible to hurt the company, making hardly any effort to evade detection. Even worse, employees sometimes have access to sensitive assets by default and may be familiar with your security procedures; a salesperson who routinely uses a customer database as part of their job is one example. Because such an insider looks like an employee just doing their job, they can operate for a significant period of time before detection.
As part of his work with Trustwave SpiderLabs, Ziv monitors activity on the dark web to see what bad actors are up to. He and his team have discovered countless forums, many of which require credentials to enter, that revolve around cybercrime: credential theft, malware distribution, money laundering, credit card theft and phishing. Some of these criminal groups have been found to seek help from a company’s own employees.
For example, malicious hacker groups will recruit bank workers and pay them (by the hour) for certain tasks, such as increasing withdrawal limits or approving loans so the hackers can cash out more money from compromised accounts. In Europe, hackers recruited government workers to help them produce certificates or passports, and recently hackers in the United States were found working with mobile provider employees to carry out SIM-jacking (SIM-swap) attacks.
Due to the nature of insider threats, defense and prevention strategies require a less traditional approach. “There are two separate department efforts,” Ziv says, “one is on an HR level, because we’re dealing with humans after all, and another is by leveraging technology.”
HR can help educate department managers to recognize unhappy or disgruntled employees, or employees who give off warning signs: strong political opinions, a strong dislike of their manager or function, or knowledge that they’ll be laid off soon. These are the kinds of details to keep an eye on so that you’re prepared if the employee does turn against your company.
Co-workers may also sense unhappiness or notice changed behavior, so there should be a process or system in place to report odd behavior or raise the concern.
“At some point,” Ziv says, “a disgruntled employee will do something very different from their daily routine—they might abuse access rights or do something they’ve never done before.”
Here are some of the odd behaviors that may tip you off. They will:
Ziv recommends three technical controls: an IDS or IPS (intrusion detection or intrusion prevention system) with anomaly detection, to flag an employee who connects remotely and behaves unusually; threat hunting tools that flag malicious software; and user rights management and access controls configured so that an employee cannot reach any data outside their job function.
A database protection and monitoring tool will also detect anomalies and flag suspicious activity or requests that violate policy, which means the policy has to be defined before the tool is deployed. Depending on that policy, the tool can also alert you when an employee queries the database at odd hours or during the weekend.
Email security tools with data leak prevention (DLP) features are essential too, as they may identify attempts at data exfiltration. Monitor VPN connections as well: connections at unusual times, from unusual locations, of unusual duration, or that transfer unusual amounts of data may indicate an attempt to exfiltrate data from the organization remotely or other malicious intent.
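The two preceding paragraphs describe one detection pattern: baseline each user’s normal database and VPN activity, then alert on deviations. The script below is an added example, not code from Trustwave or from the article; it builds a per-user, per-source baseline (usual hours, weekend use, source countries, typical session length and data volume) from constructed historical events and scores a batch of new events, also flagging any account that has no history at all (for example a contractor whose access should have been revoked). The pipe-delimited log format, the field names, the users, the thresholds (3 standard deviations with a 10% floor) and every event below are assumptions constructed for illustration.

```python
"""Flag VPN and database audit events that deviate from a per-user baseline.

Added example, not Trustwave or SpiderLabs code: the log format, field names,
thresholds and all sample events are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed audit records, one per line:
#   ISO timestamp | source (vpn or db) | user | source country | duration (min) | bytes transferred
HISTORY = """\
2024-03-04T09:02:00|vpn|alice|US|480|52000000
2024-03-05T08:55:00|vpn|alice|US|510|61000000
2024-03-06T09:10:00|vpn|alice|US|465|48000000
2024-03-07T09:00:00|vpn|alice|US|495|55000000
2024-03-04T10:15:00|db|bob|US|0|1200000
2024-03-05T11:40:00|db|bob|US|0|900000
2024-03-06T14:05:00|db|bob|US|0|1500000
2024-03-07T16:30:00|db|bob|US|0|1100000
"""

# Constructed batch to score: a weekend 02:40 VPN session from a new country moving
# 900 MB, a normal Friday session, a Sunday 03:15 database pull of 380 MB, a normal
# query, and a VPN login by an account with no history.
NEW = """\
2024-03-09T02:40:00|vpn|alice|RO|50|900000000
2024-03-08T09:05:00|vpn|alice|US|470|50000000
2024-03-10T03:15:00|db|bob|US|0|380000000
2024-03-08T15:00:00|db|bob|US|0|1300000
2024-03-08T12:00:00|vpn|carol|US|60|5000000
"""

SIGMA = 3     # values more than SIGMA deviations from the mean are anomalous
FLOOR = 0.10  # stdev floor (fraction of the mean) so a very tight baseline stays quiet


def parse(text):
    """Turn the pipe-delimited records into dicts with typed fields."""
    events = []
    for line in text.strip().splitlines():
        ts, source, user, country, duration, nbytes = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "source": source,
                       "user": user, "country": country,
                       "duration": int(duration), "bytes": int(nbytes)})
    return events


def _stats(values):
    """(mean, floored standard deviation) of a numeric field."""
    m = mean(values)
    return m, max(pstdev(values), FLOOR * m)


def _deviates(value, stats):
    m, sd = stats
    return abs(value - m) > SIGMA * sd


def build_baseline(events):
    """Per (user, source): usual hour window, weekend use, countries and numeric stats."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["user"], e["source"])].append(e)
    baseline = {}
    for key, evs in groups.items():
        hours = [e["time"].hour for e in evs]
        baseline[key] = {
            "hour_min": min(hours) - 1, "hour_max": max(hours) + 1,
            "weekend_seen": any(e["time"].weekday() >= 5 for e in evs),
            "countries": {e["country"] for e in evs},
            "duration": _stats([e["duration"] for e in evs]),
            "bytes": _stats([e["bytes"] for e in evs]),
        }
    return baseline


def score(event, baseline):
    """Return the reasons this event looks anomalous (empty list if it looks normal)."""
    key = (event["user"], event["source"])
    if key not in baseline:
        # No history on this channel: dormant, revoked-but-still-active or unexpected account.
        return [f"no baseline for {event['user']} on {event['source']}"]
    b, t, reasons = baseline[key], event["time"], []
    if not b["hour_min"] <= t.hour <= b["hour_max"]:
        reasons.append(f"outside usual hours ({t.hour:02d}:00)")
    if t.weekday() >= 5 and not b["weekend_seen"]:
        reasons.append("weekend activity with no weekend history")
    if event["country"] not in b["countries"]:
        reasons.append(f"new source country {event['country']}")
    if _deviates(event["duration"], b["duration"]):
        reasons.append(f"unusual session length ({event['duration']} min)")
    if _deviates(event["bytes"], b["bytes"]):
        reasons.append(f"unusual data volume ({event['bytes']} bytes)")
    return reasons


def detect(history_text, new_text):
    """Score every new event; return {(user, source, timestamp): [reasons]} for the anomalous ones."""
    baseline = build_baseline(parse(history_text))
    findings = {}
    for e in parse(new_text):
        reasons = score(e, baseline)
        if reasons:
            findings[(e["user"], e["source"], e["time"].isoformat())] = reasons
    return findings


if __name__ == "__main__":
    for (user, source, when), reasons in detect(HISTORY, NEW).items():
        print(f"{when} {user}/{source}: " + "; ".join(reasons))
```

Run as-is it reports three findings: Alice’s weekend session trips all five checks, Bob’s Sunday query trips the hour, weekend and volume checks, and Carol is reported for having no baseline. In production the baseline would come from weeks of VPN and database audit logs in a SIEM rather than four constructed rows, and off-hours activity alone is noisy; the value is in the combination, so an event that accumulates several reasons deserves a higher priority than one that trips a single check.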
Because any given employee can damage an organization in a number of ways, there’s no one tool an organization can rely on—instead, you need several monitoring and detection tools configured properly so you’ll know if an employee decides to turn.
A security department should know how an employee could damage the organization with their current access: what data can be exfiltrated, changed or copied? Can they access other departments’ sensitive information? Should they? Knowing the ways and channels an employee could use against the organization will inform your purchasing and configuration decisions.
Lastly, given that this is a risk area, work with your HR department to ensure there are policies in place to keep employees from becoming deeply unhappy in the first place. How’s the overall organizational sentiment? Is there high turnover, or a specific department with the worst job satisfaction ratings? Watch for employees who make highly negative comments about their workplace or manager. Using human judgment and finding ways to improve the quality of life for your employees goes a long way in preventing this kind of attack.
To learn more about how a detection and monitoring service can help you detect and prevent attacks from the inside and the outside, check out Trustwave Managed Detection services.