Illusive Blog April 14, 2020

The Rapid Rise of Insider Threats During COVID – and How You Can Stop It Now

By Kirby Wadsworth

What an amazing time to be a hacker – systems weakened, attention drawn elsewhere, targets operating under duress in unfamiliar environments. It’s infuriating that right now, while armies of medical professionals and first responders are risking their lives to save ours, armies of nation-state cyber attackers are working 24/7 shifts to silently plant seeds across the global enterprises that they will return to compromise as the crisis passes.

The cyber industry is right to be focusing on stopping these external attacks, but unfortunately, it’s also an amazing time to be a malicious insider. Insiders are suddenly outsiders. Working from the privacy of home, separated physically and emotionally from company and colleagues, those facing increased temptation due to financial hardship, greed, anger, or disenfranchisement may be more emboldened to act.

Illusive customers are reporting a steep rise in insider attempts during the ongoing crisis, echoing signals picked up by our researchers. Just as systems are breaking, so are people. The strain of anticipated and real job actions – layoffs, leaves of absence, pay cuts, plant closings – raises stress levels and reduces loyalty. With no one looking over their shoulder, increasingly disaffected individuals have more opportunity, and less reluctance, to act. Short-term personal self-interest takes precedence as the insider’s belief in the long-term fades.

Insider threats are challenging to identify in good times. Insiders have access. They know what normal behavior is expected. They know the network, the organization, and the culture, all of which makes it easier for them to deceive and hide their tracks. With defensive systems weakened, the opportunity increases for employees with ill intent to gain and maintain enhanced access and privileges undetected.

Very unfortunately, the tools most often used to identify insider behavior have suddenly been rendered useless. Anomaly detection never worked well at finding needles in haystacks, but in a crisis like this, when everything looks like a needle, it falls over completely. No normal baseline exists. Everything is an anomaly.

Illusive is receiving daily reports from customers, colleagues, and partners that SOCs are overrun with alerts – the vast majority false positives – flooding in from NTA, UEBA, and other analytics tools failing under the mounting pressure of work from home (WFH) and bring your own device (BYOD) imperatives.

Because Illusive has no reliance on patterns or behaviors, rapid environmental change like we are seeing now has no effect on our detection efficacy or efficiency. Illusive detection is based on the simplest of algorithms – either the attacker interacted with a deceptive element or did not. Illusive’s massively distributed, highly authentic deceptions force the attacker to unknowingly interact in order to progress their attack in any direction – laterally throughout the data center, vertically to and from the cloud, or between clouds. Only those navigating the underside of the network encounter Illusive deceptions. When an Illusive notification fires, it’s not white noise—the incident requires immediate investigation.
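To make the contrast concrete, here is a small added simulation (not Illusive's code) that runs the same week of connection events through a baseline-driven anomaly rule and through a decoy-interaction rule; all users, subnets and decoy hostnames are constructed.

```python
"""Added illustration, not Illusive's code: the same week of connection
events run through a baseline-driven anomaly rule and through a
decoy-interaction rule. All users, subnets and hostnames are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    user: str
    src_net: str  # first three octets of the source address (/24)
    dst: str      # hostname the user connected to


# Constructed office-era baseline: everyone comes from the 10.1.0.0/24 LAN.
BASELINE = [
    Event("alice", "10.1.0", "file01"),
    Event("bob", "10.1.0", "mail01"),
    Event("carol", "10.1.0", "file01"),
]

# Constructed WFH week: home subnets everywhere, plus one user reaching a
# host that exists only as a decoy.
WFH_WEEK = [
    Event("alice", "192.168.1", "file01"),
    Event("alice", "192.168.1", "mail01"),
    Event("bob", "172.16.5", "mail01"),
    Event("carol", "10.0.0", "file01"),
    Event("carol", "10.0.0", "mail01"),
    Event("bob", "172.16.5", "hr-backup02"),
]

# Constructed decoy hostnames: no legitimate workflow ever references them.
DECOYS = {"hr-backup02", "fin-share-old"}


def anomaly_alerts(baseline, events):
    """Flag every (user, source network) pair absent from the baseline.
    Once the whole workforce moves home, every event is 'anomalous'."""
    seen = {(e.user, e.src_net) for e in baseline}
    return [e for e in events if (e.user, e.src_net) not in seen]


def deception_alerts(events, decoys=DECOYS):
    """Flag only interactions with a planted decoy; this needs no baseline,
    so a shifted environment does not change its false-positive rate."""
    return [e for e in events if e.dst in decoys]


def alert_counts(baseline, events):
    """Compare how many alerts each approach raises on the same events."""
    return {"anomaly": len(anomaly_alerts(baseline, events)),
            "deception": len(deception_alerts(events))}
```

On the constructed week, the anomaly rule flags all six events while the decoy rule raises exactly one alert, naming the user who touched the decoy.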

For more information about Illusive’s Insider Threat Solutions, check out our eBook, Stopping the Attackers You Trust.

Illusive has proven time and again to be a simple and effective insider threat mitigation tool that takes a two-pronged approach. Illusive first ensures that users do not have unauthorized credentials and connections. Then, tailored deceptions that even the most sophisticated insiders cannot distinguish from real ones trigger when the insider’s lateral movement attempt is detected, and real-time source forensics deliver incontrovertible proof of malicious intent. We can stand up a solution in days, not months or years.
