Illusive Blog July 1, 2021

Assume Breach, with Insider Threats As Well

By David Pack
Active Defense, Insider Threats, Threat Detection

Insider threats continue to be a significant source of focus for security teams at organizations large and small. While cyber hygiene and security training awareness are very important, an ‘Assume Breach’ approach and trying to identify, detect and mitigate insider attacks within the network is critical. A layered approach is the most effective way to protect both company and individual employees’ personal information.

We recently had a webinar where we were joined by special guests with a wealth of experience and knowledge of insider threats, and how they have evolved in recent years. In addition to Illusive Field CTO Wade Lance, we were honored to have Daniel N. Hoffman, retired CIA Senior Clandestine Services Officer and three-time Station Chief, and Shawnee Delaney, former DIA Detachment Chief and CEO of Vaillance Group. They examined a portrait of the current insider, and how their evolving motivations are making insider attacks more dangerous and damaging to companies of all sizes. They also highlighted the increasingly blurry line between insider threats and nation-state actors or global crime syndicates – creating significantly higher levels of risk on a massive scale.

You can watch the full webinar recording of The Changing Faces of Insider Threats at any time.

Furthermore, we published a new whitepaper, The Ultimate Guide on Insider Threats: Their Changing Motives, Evolving Skills and How to Expose Them, which you should be sure to read. The paper covers how security teams can monitor for unauthorized access without tipping off potential attackers or eroding the trust of employees doing their jobs, as well as tips for expediting the investigation and evidence collection for in-progress insider attacks.

Common Insider Threat Risks

The first thing to know is that insider threats have evolved, and so our security approach must consider this as well.

So what exactly is an insider threat? 

Our team of experts suggested this definition:

An insider threat is an individual or group with either current or former access to an organization’s information and/or facilities who uses that access to cause harm – either intentionally or unintentionally – by abusing, misusing, or threatening an organization’s confidentiality, integrity, availability or resources.

This can mean both employees with malicious intent, as well as those threats which are unintentional and/or caused by negligence. Former FBI Assistant Director Donald Freese called our attention to the “skin behind the keyboard,” urging us to recognize the real people who are potentially a threat or vulnerable to those that are. 

Malicious attackers – 43% of reported breaches are caused by malicious insiders, according to Forrester. They can be of any age, are often in low-level positions, and are often motivated by a feeling of mistreatment or injustice by their superiors (a pay reduction, not getting a bonus, etc.). They might also see a financial gain that can help support themselves and their families. Fraud is the most prevalent of all insider threat crimes, with financial considerations a key motivator.

Unintentional insider threats – more prevalent and sometimes more dangerous – can often stem from bad cyber hygiene (weak passwords, reusing the same password across applications, leaving workstations unlocked and visible even outside corporate facilities, and more); from social engineering by malicious actors seeking access to critical information, passwords or even devices; or from being recruited and sometimes blackmailed by external organizations, whether state actors or non-state actors such as competitors, hacktivists, organized crime groups, trusted insiders, and others.

With nation-state attackers increasingly exploiting organizational dependence on the digital transformation and the data it generates, insider threats are beginning to resemble any other Advanced Persistent Threat (APT). The only real difference is that the new hyper-targeted and often government-funded insider threat will involve a recruitment and grooming process to convince the insider to give the adversaries the access they need to launch their attack.

Lastly, the era of working remotely as a result of the COVID-19 pandemic also plays a role in the increased risk of insider threats. Whether it’s job insecurity, the lack of emotional connection to coworkers, isolation from the organization, or being more vulnerable to recruitment – all of these create an environment conducive to insider threat opportunities.

Ways to Prevent Insider Attacks

Security Awareness and Training – Cybersecurity education, which should be included during employee onboarding and at regular intervals afterwards, should be rolled out with additional awareness campaigns focused on the need to protect intellectual property and trade secrets. Further, insider threat and risk-specific policies or policy addendums should be publicized so employees cannot claim they did not know it was against the rules, for example, to email sensitive internal data to their personal account.

Cyber Hygiene – Similar to the security awareness (and included within), cyber hygiene includes both proper and safe usage of credential information, company devices, and applications. Particular attention should be paid to avoiding clicking on phishing links, a major cause of attackers being able to penetrate IT networks, as well as properly exiting RDP sessions upon their completion.

Look for Potential Warning Signs – Experts on insider threat cases often point out concerning behavior among colleagues before and during incidents that organizations should be on alert for. These actions could have alerted the organization, and yet the warning signs were ignored. Beyond that, HR managers should check in with all employees frequently to ensure their mental (and, of course, physical) health is good, and provide a discreet forum where concerns can be voiced and heard without leading to vengeful actions later.

Ensure Third-Party Vendors are Auditing Their Own Insider Risks – Third parties, including vendors and contractors who form a critical supply chain on which enterprises rely, are particularly vulnerable. They usually do not have the same level of training or awareness as the enterprise’s permanent workforce and do not typically follow equally rigorous security practices. As the SolarWinds and other hacks have proven, no industry or organization is immune from this threat. Security teams must ensure that all software and services vendors used are managing insider risks of their own and act responsibly.

Assume Breach at All Times – Invest in Early Detection

The reality is that attackers will find ways to enter your network – that is something we at Illusive preach all the time when it comes to sophisticated attackers. This is even more the case when it comes to insider threats, as employees start with certain (legitimate) access to the network to begin with, making the need for rapid threat mitigation exponentially more important. Therefore, security teams should:

Know Your Crown Jewels – Leadership must know where the company crown jewels are located, who has access to them, who should have access to them, and what they would be worth to adversaries or competitors if they were compromised. Educating the workforce on what constitutes a crown jewel and how employees can better protect them is important, and ideally rolled into the general insider threat training and awareness platform. With this, if done well, companies should be able to shift company culture to apply more stringent data protection. For example, enforcing a need-to-know policy can help employees understand that the projects they touch daily are worth protecting.

Assume Compromise – While perimeter security tools are important, enterprises should also have a platform in place to detect shared credential usage as well as anomalous, out-of-pattern database activity, which raises red flags. All enterprises should assume that some insider threats will move forward, at least with some initial success, and prepare for such a scenario. Again, this could be a malicious employee trying to exfiltrate sensitive data or move toward certain restricted files, or it could be a case of employee access being exploited by other actors. This ‘Assume Compromise’ approach should encompass a robust business continuity plan as well as a holistic enterprise risk management program.

Illusive has proven time and again to be a simple and effective insider threat mitigation tool that takes a two-pronged approach. Illusive first ensures that users do not have unauthorized credentials and connections to critical business assets. Then, tailored deceptions that even the most sophisticated insiders cannot distinguish from the real thing trigger alerts when the insider’s lateral movement attempt is detected. Real-time source forensics deliver incontrovertible proof of malicious intent and allow for catching insiders without tipping them off.
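The two detection signals named above, shared credential usage and a planted decoy credential being touched during lateral movement, reduced to a small rule that runs over authentication events. This is an added example, not Illusive's code; the log format, host names and the decoy account name are constructed assumptions.

```python
"""Flag (a) any use of a decoy credential and (b) one credential used from
more than max_hosts distinct source hosts inside a time window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real log data).
SAMPLE_LOG = """\
2021-07-01T09:00:01Z user=jsmith src=WS-104 dst=FS-01 result=success
2021-07-01T09:00:20Z user=jsmith src=WS-104 dst=MAIL-01 result=success
2021-07-01T09:01:05Z user=svc_backup src=WS-211 dst=DB-02 result=success
2021-07-01T09:01:40Z user=svc_backup src=WS-309 dst=DB-02 result=success
2021-07-01T09:02:10Z user=svc_backup src=WS-117 dst=FS-03 result=success
2021-07-01T09:03:00Z user=finance_admin src=WS-211 dst=FS-01 result=failure
2021-07-01T13:15:00Z user=svc_backup src=WS-402 dst=DB-02 result=success
"""

# Assumed decoy account planted as a deception; no legitimate workflow uses it,
# so any attempt with it, successful or not, is an alert.
DECOY_ACCOUNTS = {"finance_admin"}


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text, decoys=DECOY_ACCOUNTS, window=timedelta(minutes=10), max_hosts=2):
    """Return alert tuples in the order the triggering events appear."""
    alerts = []
    recent = defaultdict(deque)  # user -> (ts, src) pairs inside the window
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        user, src, ts = ev["user"], ev["src"], ev["ts"]
        if user in decoys:
            alerts.append(("decoy_credential_use", user, src, ev["dst"]))
        q = recent[user]
        q.append((ts, src))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        hosts = tuple(sorted({s for _, s in q}))
        alert = ("shared_credential", user, hosts)
        if len(hosts) > max_hosts and alert not in alerts:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

Note that the same workstation appears in both alerts in the sample, which is the kind of correlation that turns two weak signals into a case worth opening.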

Learn more about Illusive Active Defense…

David Pack is Vice President, Global Client Services at Illusive.