The scourge of the insider threat
While the entire threat landscape is changing dramatically with the increased sophistication of adversaries, nation state and state-sponsored actors, and rapidly evolving attack surfaces, one of the few things that hasn’t changed is that the insider threat is one of the most, if not the most, insidious threats in almost any environment.
That’s not FUD (fear, uncertainty and doubt) either; just look at the negative impact that Edward Snowden’s leak of thousands of files from the National Security Agency (NSA) has had on the US intelligence apparatus.
According to A Preliminary Model of Insider Theft of Intellectual Property, a paper published by Carnegie Mellon University, 75% of cases of insider IP theft were performed by employees. Some 65% had already accepted a new job somewhere else, while 35% stole to gain an immediate advantage at a new job. And 25% of cases resulted in the stolen information being given to a foreign government or company.
Today, external attacks are almost constant and less damaging (with the exception of high-profile attacks and near-total breaches, such as those against Sony and Ashley Madison). By contrast, insider attacks are more rare, but typically far more damaging.
It gets worse every day
As Willie Sutton, the infamous American bank robber, said when asked why he robbed banks, “That’s where the money is.” The insider threat is getting worse because that’s where the valuable information is, but there’s an additional component here – that’s also where the weakest controls are.
We lock down the external. As an industry, we’ve become better at that over the years. However, as long as there’s valuable information, someone’s willing to get access via the HVAC network, as in the case of retailer Target, recruit an unscrupulous employee, or in some of the worst cases – get a job at a company to gain access to information in order to steal it.
One of the most common mechanisms used to gain unauthorised access to systems from within is not a technical one; it’s asking a friend. In fact, according to the Carnegie Mellon University paper, 19% of intellectual property theft cases involved colluding with another insider.
Insider threat detection and prevention
In the case of malicious collusion, not much can be done. However, good security awareness training can be invaluable in preventing social engineering attacks, where an employee tricks another employee into providing sensitive information.
Another common avenue is improper sharing permissions on drives, folders, and documents. Finally, and this seems to be rarer, is the use of technical exploitation techniques against internal systems.
The problem, from what I’m seeing in the field, is that the majority of organisations are overlooking the insider threat. Very few organisations are actively posturing against, or frankly even considering, insider threats.
Insider attacks can be detected, and avoided, by focusing security efforts not only on protecting the perimeter but also on the internal network. Behavioural analysis of internal network traffic is one of the best defences against an ‘Edward Snowden-style’ insider attack. Users typically behave in certain ways. When that behaviour changes, it usually means something.
For example, according to Wired, Snowden spent a great deal of time scouring the private classified NSA network for documents and downloading them to his workstation, memory sticks and CDs – a dramatic shift from typical behaviour of someone in his role. This would have easily been detected with behavioural analysis.
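A minimal version of the baseline-and-deviation check described above, added here as an illustration rather than code from the article or from any product it mentions. It assumes a per-user count of document downloads per day as the behavioural signal; the audit events, user names, window length and thresholds are all constructed.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed audit events (not real data): one (day, user) tuple per document
# download. Days 1-10 form the baseline; day 11 is the day under review.
EVENTS = (
    [(d, "alice") for d in range(1, 11) for _ in range(3)]   # alice: 3/day
    + [(d, "bob") for d in range(1, 11) for _ in range(5)]   # bob: 5/day
    + [(11, "alice")] * 40   # alice suddenly pulls 40 documents in one day
    + [(11, "bob")] * 6      # bob has an ordinary day
)


def daily_counts(events):
    """Per-user, per-day download counts: {user: {day: count}}."""
    counts = defaultdict(Counter)
    for day, user in events:
        counts[user][day] += 1
    return counts


def flag_anomalies(events, review_day, sigma=3.0, min_count=10, min_history=5):
    """Return {user: (observed, threshold)} for users whose download count on
    review_day exceeds mean + sigma * stdev of that same user's earlier days.

    Each user is compared against their own history, not a global average.
    min_count keeps a flat baseline (stdev 0) from flagging trivial increases,
    and users with fewer than min_history prior days are skipped."""
    counts = daily_counts(events)
    all_days = sorted({day for day, _ in events})
    flagged = {}
    for user, per_day in counts.items():
        # Days with no downloads count as zero, so quiet days lower the baseline.
        baseline = [per_day.get(d, 0) for d in all_days if d < review_day]
        if len(baseline) < min_history:
            continue
        threshold = max(mean(baseline) + sigma * pstdev(baseline), min_count)
        observed = per_day.get(review_day, 0)
        if observed > threshold:
            flagged[user] = (observed, threshold)
    return flagged


if __name__ == "__main__":
    for user, (seen, limit) in flag_anomalies(EVENTS, review_day=11).items():
        print(f"{user}: {seen} downloads on day 11, baseline threshold {limit}")
```

In practice the same per-user baseline is applied to other signals as well (removable-media writes, after-hours logins, volume of data leaving a segment), which is what the behavioural IDS sensors mentioned later in the article do.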
Security technology isn’t just for the external threats
Data loss prevention (DLP), which typically scans outbound data for known sensitive information, can also help, although it’s not a replacement for good physical security. It wouldn’t have prevented either Snowden or Chelsea Manning from walking out with secrets burned onto CDs labelled, for example, “Lady Gaga.”
Unfortunately, none of these will detect or prevent the most dangerous insider threat: when an employee takes sensitive information they have been entrusted with to do their job. This is less preventable via technology and requires insight into employees’ changing behaviour and attitudes.
In order to best protect an organisation from insider threat, CIOs and CISOs need to approach these attacks differently, compared to external attacks. First and foremost, they need to stop treating the internal network like it’s a safe or trusted zone. It’s not. BYOD environments realise this, but the more important lesson here is that non-BYOD networks aren’t safe either.
Regular internal vulnerability assessments and penetration testing are key to finding and remediating internal weaknesses. Remediation is the key. I can’t even tell you how many internal assessments we’ve performed to tick a compliance box, only for the results never to be acted upon.
The addition of behavioural intrusion detection system (IDS) sensors on the internal network will improve the situation drastically, as will regular evaluation of access rights and sharing permissions.
The theft of IP due to insider threats can be far more damaging than an external attack. A disgruntled employee is both hard to spot and even harder to stop if they are determined to steal or maliciously use sensitive company information. But with the right technologies, controls and processes in place, it will be far easier to detect and stop insider threats than if none of the above were in place.
Dave Venable is VP of Cybersecurity at Masergy, which owns and operates the largest independent software defined platform in the world, delivering managed security to enterprises around the globe. In the past Dave has also taught cyber security, computer network exploitation and cryptography at the National Cryptologic School, which is part of the NSA. Perhaps unsurprisingly then, Dave went on to develop and manage several national classified projects in support of global anti-terrorism operations for the NSA in his role working on digital network intelligence, computer network exploitation and information operations.