It’s easy to become overwhelmed by the constant barrage of new cyberthreats. Not a day goes by where we aren’t bombarded by news of attacks and data breaches. While we might be tired of hearing about them, the fact remains – cybersecurity is and always will be an evolving problem, and we should accept it as an essential element of how we conduct our daily business. This is never truer than when the threat strikes from close to home: sometimes it’s even the co-worker sitting beside you.
According to Crowd Research Partners’ 2018 Insider Threat Report, 53 per cent of respondents stated that they had suffered an insider attack in the previous 12 months, and a massive 90 per cent of them still feel vulnerable to this threat. This has resulted in 43 per cent of organisations allocating upwards of 8 per cent of their IT security budget toward preventing, detecting, and mitigating insider threats.
And they’re right to be worried. Insider attacks have the advantage of taking place inside the security perimeter. This means insiders are in a position to skip several cybersecurity steps and measures which outsiders would need to circumvent to gain access to network resources. Simply put, inside attackers go largely unchallenged and undetected.
Insider hacks have become so common that you need to know precisely where to look to counter them. This article focuses on the root cause of insider threats: the four categories of people who pose the highest risk to your business.
Meeting your “insider threat” head-on
Introducing Johnny Clumsy – the unknowing, accidental attacker.
Johnny doesn’t want to do anything harmful on purpose, but he is prone to messing up. He is the guy who will download a cache of codes from the internet to patch a company issue because he forgot how to do it himself, or he’s just too lazy.
A typical consequence of Johnny’s clumsiness would be a data leak either through bad internet usage (personal cloud storage, personal emails, unmanaged online tools, social media, etc.) or through lost devices (misplaced USB sticks, laptops, etc.). Johnny is a risk to the company because his employer was lenient in defining business rules and translating them into technical enforcements – perhaps in the hope of maintaining employee freedoms and productivity.
While Johnny’s SNAFUs are frustrating, he still is less dangerous than our next attacker – the dishonourable employee, Ansel Evil.
Ansel wants to harm his company. For a myriad of reasons, Ansel is angry and is looking for ways to damage his employer. Ansel will intentionally exploit his rights to various resources to steal secrets and/or destroy company assets. On some rarer occasions, an IT-competent Ansel might go on a hacking spree to access data that are normally out of his reach. He is capable of inflicting catastrophic consequences.
Our third threat comes from someone who is arguably equally dangerous as Ansel. Meet Janet Puppet, the face of hidden attackers.
Her name says it all – like a marionette doll, hackers hide behind innocuous-seeming Janet, pulling her strings to mount their attack by pretending to be her. Because Janet is a legitimate user with no bad intentions (and her colleagues love her), it makes it hard for existing security measures to detect any foul play.
In this context, Janet’s compromised account is most commonly used for state-sponsored espionage or sabotage, financial gains, and ideological sabotage. Organisations should expect that the hacker – posing as Janet – is technically capable of exploiting IT weaknesses and vulnerabilities to gain access to resources that “Janet” shouldn’t be able to see. Compared to disgruntled Ansel, who may not always have an extensive knowledge of IT, hackers hiding behind Janet will have the time, dedication, and knowledge to ensure their work pays off – literally.
Our last, but certainly not least, worry is Esther Partner, the wildcard attacker.
Esther has the potential to deal the same damage as Johnny, Ansel, or Janet. The only difference is that she’s not an employee but a subcontractor. This theoretically gives her limited rights over her client’s technical infrastructure.
However, it is hard to be generally conclusive on typical real-life subcontractors’ rights. In many cases, the management of these supplier rights and privileges varies and is poorly implemented or updated. This means that accounts are often provisioned at the IAM (Identity and Access Management) or Directory levels directly, thus bypassing HR’s business rules and basic hygiene. Poor hygiene, like forgetting to remove the contractor from the Active Directory (AD) or failing to restrict their access correctly, can leave the door into your company wide open for a hacker to walk right in – and exploit however they please.
Esther poses a threat that rivals any of the other three insiders.
Anticipate. Defend. Respond.
Now that we are better acquainted with our insider threats (and more scared of our colleagues than we were when we started reading), we can begin looking at how businesses can pre-emptively ensure they put all the necessary measures in place to protect the organisation.
It’s not a trick, it’s simply common sense. When you want to protect something valuable, you put it under lock and key in a safe. If you know a criminal is likely to escape from custody, you might bring in more guards or install CCTV. Anticipating an attack on a growing organisation is just as basic a requirement as building a wall around a prison.
We’ve seen that the insider threat comes in multiple forms. Fortunately, there are a few common denominators shared by the various actors. In the interests of securing our companies and networks from the inside as well as the outside, here are a few steps all organisations should follow to protect against malicious and accidental insider threats:
- Maintaining good hygiene across the whole chain, starting with the HR system. Notably, an approach of “least-privilege” should be defined and then enforced with compliance tools.
- Organisations should minimise the risk of involuntary data leakage through perimeter protections (DLP, EPP, firewalls, etc.) and encryption, even if the privileges are limited.
- Prevent lateral movement, credential access, and privilege escalation by hardening and monitoring vital infrastructure in real-time. It is, however, worth mentioning that compliance approaches are mostly ineffective against technically-capable opponents.
- Contractually enforce regular security assessments of the security posture of your organisations’ suppliers.
- Specify each party’s responsibilities and liabilities in the event of a breach at the contracting stage. This won’t prevent a breach, but it should make third parties more careful and may provide you with some redress if the worst happens.
- Reinforce Directory Services defences if contractors’ accounts are outside of the HR system’s scope.
- Actively enforce Microsoft’s and trusted advisors’ (Gov-CERT, etc.) best practices, while also monitoring Active Directory to uncover regressions. This should be a continuous process.
While the above steps will help secure your organisation, there is a difference between detecting Active Directory attacks and detecting compliance regressions, as most attack patterns are chains of compliant events. Detecting attacks on Active Directory is all about gaining intelligence on the tactics, techniques, and procedures used in the wild by adversaries, and checking Active Directory events and objects that match those indicators.
This is technically very hard to implement with traditional monitoring technologies, as Active Directory logs are hard to collect and analyse in real time, and correlation rules are hard to define and maintain. Similarly, effective attack techniques don’t leave a single log in the system, rendering log-based correlation useless. With the “help” of Johnny, Ansel, Janet, and Esther, Active Directory can quickly become a very ugly place if neglected.
Growing organisations also need to invest in Active Directory-native tools to anticipate and detect attacks. Once you have a monitoring tool, you can begin actively responding to existing threats before an attack is mounted. Without a doubt, at some point, some attacks will succeed. Active Directory-centric security solutions must be put in place to integrate seamlessly with your incident response practices, so that your cybersecurity efforts aren’t in vain.
Given the complexity and frequency of attacks these days, no matter how tired we get, sticking with the status quo and relying on your traditional methods of monitoring is no longer enough. Through a layered combination of best practice approaches and monitoring tools, IT teams can ensure they are doing their best to keep organisations safe. Only then can businesses focus on growth without the unnecessary cost, interruptions, and hassle of data breaches.
Jérôme Robert, CMO, Alsid