The traditional meaning of an insider threat is when a current employee or contractor with authorized access to a secure network intentionally or accidently misuses it to carry out a malicious activity. This type of activity can include sabotage, theft, espionage, fraud, mishandling of data or physical devices, as well as using information to gain a competitive advantage.
An infamous example of this was in 2008 when a city employee changed administrative passwords to gain exclusive access to most of the city’s municipal data. Gavin Newsom, the mayor of San Francisco at the time, had to go to the jail where the perpetrator was being held to personally talk to the disgruntled employee and get the passwords back.
Another example is when a recently fired IT employee from the Indianapolis-based American College of Education changed the administrative passwords that stored email and course information for more than 2,000 students. The employee turned cyber criminal, offered to give up the password, but only if the college paid him $200,000. In that instance, it turned into both an insider threat and a password ransom case at the same time. But not all insider threats are as cut-and-dry as these examples.
Insider vs. inside threat
Coining an attack as “insider threat” makes the assumption that if something is happening inside the network then it must be an insider. The reality is that a breached network is typically not an actual employee, but rather an outsider disguised as an insider.
Most hacks and compromises target someone inside the network, which makes it appear the threat is coming from within. When companies dig deeper, it usually becomes clear that the employee had nothing to do with the attack. As a result of compromised credentials through spear phishing, threats often manifest inside the network but the attacker is often not associated with the company, and may be located on another continent all together.
In this day and age, the term insider threat is often misused. The correct term should be “inside threat,” as that addresses user credentials and system compromises by an outside entity. And, I say “entity” because it’s only a matter of time before we see attacks attributed to artificial intelligence applications, not just attackers running scripts or sitting in front of their keyboard. I serve on advisory boards for a several companies and the same debate comes up during meetings: insider vs. inside threat. Which begs the next question; how do companies protect against the new era of inside threats?
Protecting against inside threats
The first step in protecting against inside threats is having situational awareness and being able to acknowledge and recognize abnormal, or inappropriate activity by systems, services, and people on your network. These are often the early signs that an attack is in progress. The subtlety here is that an attack can occur but the attacker is unsuccessful in gaining access to the crown jewels. This means keeping track of who has administrative privileges and having full control of the network that is connected to company resources, including endpoints.
It used to be easy to figure out network perimeters, but that no longer holds true. Since the popularity of the bring your own device (BYOD) culture skyrocketed, it’s harder to keep track of how far the network reaches. A key focus for companies needs to be securing the endpoints of the network, which often times is where compromises and attacks come through. Most corporations now look at endpoints in two ways, those they own and control, and those that are BOYD. It’s not uncommon for these two endpoints to have significantly different risk profiles.
How big of an issue are endpoints? Many phishing attacks come through endpoints and if the cases of 20 compromised enterprise networks were reviewed, it’s likely that 80 percent were compromised through the an endpoint. There are also major breaches that targeted enterprise “edge devices” with devastating results. For example, the infamous Target breach that occurred in 2013 occurred because hackers breached the external network of the company’s HVAC provider and moved laterally into Target’s network where they were undetected for quite awhile.
This is where situational awareness and defense-in-depth (including the endpoints) come into play. When a breach is initially detected, it often manifests as an “insider” when its most often going to result in an attacker who gained unauthorized access to systems or services. It’s best to assemble the facts and data to establish a forensic pattern of truth unfettered by innuendo.
By redefining the term and protecting against attacks through situational awareness, acknowledging and recognizing breaches, having full control of the network, and knowing where the company’s perimeter is to protect all endpoints – company’s can better respond to suspicious activity “inside” their network.
Source: Help Net Security – News @ February 21, 2017 at 12:15AM