High profile cyberattacks are very much on the government’s agenda: following a spate of well-publicised hacking cases, the EU has agreed on the first EU-wide legislation on cybersecurity. This requires operators of essential services in the energy, transport, banking, and healthcare sectors, and providers of key digital services like search engines and cloud computing, to take appropriate security measures and report incidents to the authorities.
While external, highly sophisticated threats are certainly grabbing the headlines, the weakest link within an organisation is often the human element or the insider threat. The question is, how can organisations best defend themselves against both external and internal threats that are evolving and have the potential to cause significant reputational, financial, and operational damage?
Institutions should certainly keep perimeter security current, but the smartest approach to cybersecurity should start with the assumption that threats are already inside your IT network. This may be the result of a sophisticated external attack that has infected your network with malicious code, lying in wait to discover, collect, and extract your most valuable data, or an insider attack via an employee with ‘keys to the kingdom'.
The weakest link
To make things more difficult, the insider threat can come in many forms. It may be a result of an employee’s accidental actions, such as clicking on an infected email or visiting an infected site that downloads malicious code to your network.
A 2015 report on breach investigations by Verizon shows that nearly one in four employees is likely to open a phishing e-mail, and one in ten is willing to open an e-mail attachment from an unknown person. Phishing e-mails can be a vehicle for malware, which, once opened, can infiltrate a network and quietly access information without the knowledge of the organisation.
Intrusions like this can go undetected because the complexity of today’s computing environments creates the perfect hiding place for malware. Studies suggest that it can take many months – an average of 256 days in the Ponemon Institute research – before a company identifies malicious attacks that have likely already exported masses of sensitive corporate information.
Threats can also come from an employee committing straightforward fraud or IP theft for personal gain. Unfortunately, the insider threat is often more sinister. Criminal gangs are looking for account and credit card information, corporate trade secrets, financial reports, and employee and customer information. They understand it is often easier to place one of their own members on the inside or encourage an existing employee to reveal information, rather than mount an uncertain attack on the institution’s cyber defences.
Traditionally, most IT security professionals focused on securing the IT network perimeter. However, most firewalls and antivirus technologies guard only against known threats – ones which have been experienced before. They are less well equipped to protect against insider threats or new, unknown, never-before-seen threats.
As a result, there is growing widespread interest in technologies that can discover threats that have managed to get into organisations’ IT networks but which have remained hidden. Rather than focus purely on prevention, many now understand they need a cybersecurity solution that operates inside the company network, ingesting and analysing network log data to identify anomalies (events and patterns that are out of step with usual behaviour), indicating threats that need to be investigated.
Whereas conventional security solutions look for signs of malware code, security-analytics techniques monitor network activity for telltale signs of cybercriminal behaviour. For instance, this could be a device trying to access large amounts of data or connecting to multiple external devices, user accounts being used to access data outside normal working hours, or from unusual geographical locations – possible indications of both external and internal threats and behaviour outside of the network’s baseline activity.
This activity will leave indicators of threats which are hidden in multiple data sources including DNS, Proxy, Firewall, AD, VPN, Netflow and DHCP logs. This is data that organisations already pay to collate and store but normally do not analyse. It holds essential information that forms a powerful body of evidence that companies can leverage to fight back against illegal activity.
Taken separately, each of these data streams might not be enough to raise suspicions on its own – but analysis at an organisational level can quickly raise flags for further investigation of anomalous activity. In effect, analytics does the ‘heavy lifting’ for security analysts, identifying previously unknown threats and enabling them to spend their time investigating high priority threats.
Once threats have been identified and confirmed, cyber analytics can then be used to provide insights used to correct or contain the threats as quickly and thoroughly as possible.
But while analytics software may help companies proactively identify threats on the network, there are other steps that should be taken to address insider threats that can result from human error.
Assuming threats are already present on the inside, assurance and security practices should immediately be tightened. Organisations should look for missing or altered information, plus check for unusual login behaviour from employees. The staging of data, where large quantities of information is being collected by one user, can be an indication that an insider is about to export this data, whether via the network or storage devices such as USB drives.
While the ability of criminals to create, identify, and exploit vulnerabilities in networks creates significant challenges for companies, a combination of technology and some common-sense approaches can go a long way towards mitigating insider threats.
Paul Stokes, COO of Wynyard Group
Image source: Shutterstock/Andrea Danti