While many cybersecurity programs focus almost exclusively on protecting network perimeters, insiders are responsible for more than two-thirds of a very costly form of cyber attack: theft of intellectual property. For example, the National Security Administration, with possibly the best cyber-defense capabilities in the world, failed to discover defense contractor Edward Snowden as he downloaded thousands of secret government documents.
And, having built a physical and logical fortress for its highly valued wind turbine application, American Semiconductor failed to notice when employee Dejan Karabasevic stole the application's source code in a series of sessions across three months. That theft led to the layoff of two-thirds of its 900 employees and a $1 billion plunge in market value.
Snowden, Karabasevic, and others like them are trusted and are using legitimate access to resources. An insider in your environment could be an employee, contractor, business partner, vendor, customer, or other party given trusted access to your organization’s resources.
AT WHAT POINT DOES AN INSIDER BECOME MALICIOUS?
A malicious insider doesn’t typically come into an organization with malicious intent. He or she behaves in a trustworthy manner for five years on average before being recruited or reaching a turning point, according to a 2012 report by the Software Engineering Institute (SEI), Insider Threat Study: Illicit Cyber Activity Involving Fraud in the US Financial Services Sector.
As a result, improving the processes for pre-employment screening, vendor screening, and other types of screening is largely ineffective in detecting insider threats. For that reason, some security experts recommend that enterprises periodically repeat such screenings to identify changes; this would include credit checks.
Studies show a trend: the malicious insider's relationship with the enterprise weakens at the same time an opportunity emerges. Snowden had become disillusioned with his organization's mission and knew of a platform to disperse the documents he collected. When Karabasevic was demoted from head of automation to a customer service position, he was approached with a generous financial offer in exchange for the source code.
Motives may include financial gain, revenge, whistleblowing, activism, coercion, or a combination of factors. Attacks are not necessarily technically complicated; many times, an insider simply transfers money, for instance to fake employees, offshore accounts, or non-existent vendors. In other instances, like the cases we've been exploring, files are simply copied using the insider's existing authorization.
Studies provide insight into the mindset of an insider attacker. Once again from the SEI report:
- 33% were described as “difficult”
- 17% were described as being “disgruntled”
- 27% were in financial difficulties at the time
DETECTING MALICIOUS INSIDERS
The FBI identified several behavioral indicators in its article, The Insider Threat: An Introduction to Detecting and Deterring an Insider Spy. A malicious insider may demonstrate one or more of these indicators:
- Takes home information without need or authorization
- Expresses interest in proprietary or classified information unrelated to work duties
- Remotely accesses the network at odd times such as outside of business hours or while on vacation
- Has sudden unexplained wealth or international travel
- Faces significant personal or work disappointments
Because of high-profile incidents like the Snowden case, some enterprises have treated highly-privileged system administrators as the top insider risk. However, system admins comprised only 1.5 percent of 65 cases of insider espionage the FBI examined, said Patrick Reidy, formerly with the FBI Insider Threat Program, when presenting at the 2013 Black Hat conference. (System admins do pose a significant risk for another reason: 90% of saboteurs are system admins, Reidy noted.)
Mature policies and procedures, codes of conduct, and security training were in place at both Snowden's and Karabasevic's organizations and were ineffective in dissuading them. However, those tools may be more effective for another audience: other insiders. The SEI notes that 85 percent of the time, someone else was aware before or during the malicious actions. The FBI article recommends that enterprises "provide non-threatening, convenient ways for employees to report suspicions" in addition to regularly scheduled training.
Once an attack begins, the malicious insider remains undetected for 32 months on average, the SEI report said. The low and slow events, where smaller packets of information are stolen over an extended period of time, are more difficult to detect and therefore more damaging, the report notes.
Distinguishing between an insider's malicious and legitimate activity is a significant challenge. Insider threats cannot be detected with traditional security tools that are designed to identify threats by malware signature or by odd network traffic. Such tools are designed primarily to protect the network perimeter, and an authorized insider can remove information by way of cameras, storage devices, instant message platforms, email, or printing without triggering an alert. Reidy is among those who think that security tools that examine patterns of behavior will be the best bet. As an example of similar existing technology, he recalled in his Black Hat presentation having his credit card declined while attempting to buy running shoes because the purchase did not match his consistent prior shopping pattern. In part, he was at a different store buying a different color shoe.
Today several companies are developing enterprise security tools. Behavior-based authentication doesn’t just match a user to the resources for a position. It analyzes usage patterns including which information is accessed and when. For instance, CyberArk can generate alerts for unexpected privileged user activity, to allow early intervention.
CA Advanced Authentication uses behavioral profiling to determine whether a user's activity falls within the normal range. An onsite employee whose usage profile suddenly shows a login from a new IP address in another country would generate an alert, while that behavior might be expected for a road warrior.
At least one startup tool claims to block login if the time passed since the prior login is inadequate to travel to the new login location. In addition, the tool claims to allow dynamic authentication: privileges can be temporarily escalated without human intervention.
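The three behavioral checks described above (remote access at odd hours, a login from a new country for an onsite employee but not for a road warrior, and travel that is physically impossible in the time since the previous login) can be expressed as a small analyzer over login events. The following is an added illustration, not code from the article or from any of the vendors it names; the user profiles, log format, 900 km/h plausibility limit, and 50 km geolocation tolerance are all constructed assumptions, and work hours are treated as UTC for simplicity.

```python
"""Added example: a minimal behavior-based login analyzer.

Flags the indicators discussed in the article (off-hours remote access,
new country for an onsite user, impossible travel).  All profiles, log
lines and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed user profiles: role, home country, and usual working hours (UTC).
PROFILES = {
    "alice": {"role": "onsite", "home_country": "US", "work_hours": (8, 18)},
    "bob": {"role": "road_warrior", "home_country": "US", "work_hours": (6, 22)},
}

MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: roughly airliner speed
GEO_NOISE_KM = 50.0              # assumption: ignore small IP-geolocation jitter


@dataclass
class Login:
    user: str
    ts: datetime
    ip: str
    country: str
    lat: float
    lon: float
    remote: bool


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_log(lines):
    """Parse constructed lines: '<iso-ts> <user> <ip> <country> <lat> <lon> <remote|onsite>'."""
    logins = []
    for line in lines:
        ts, user, ip, country, lat, lon, mode = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        logins.append(Login(user, when, ip, country, float(lat), float(lon), mode == "remote"))
    return logins


def check_login(profile, prev, cur):
    """Return the list of indicator names triggered by login `cur`."""
    alerts = []
    start, end = profile["work_hours"]
    if cur.remote and not (start <= cur.ts.hour < end):
        alerts.append("off_hours_remote_access")
    # A road warrior is expected to roam; an onsite user is not.
    if profile["role"] == "onsite" and cur.country != profile["home_country"]:
        alerts.append("new_country_for_onsite_user")
    if prev is not None:
        hours = (cur.ts - prev.ts).total_seconds() / 3600.0
        dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        if dist > GEO_NOISE_KM and (hours <= 0 or dist / hours > MAX_PLAUSIBLE_SPEED_KMH):
            alerts.append("impossible_travel")
    return alerts


def analyze(logins):
    """Map (user, iso timestamp) -> alerts for every login, in time order."""
    results, last_seen = {}, {}
    for cur in sorted(logins, key=lambda l: l.ts):
        key = (cur.user, cur.ts.isoformat())
        profile = PROFILES.get(cur.user)
        if profile is None:
            results[key] = ["unknown_user"]
            continue
        results[key] = check_login(profile, last_seen.get(cur.user), cur)
        last_seen[cur.user] = cur
    return results


# Constructed sample log: alice "appears" in Berlin 55 minutes after a New York
# login; bob roams legitimately but connects remotely at 02:30 UTC.
SAMPLE_LOG = [
    "2024-03-04T14:05:00Z alice 203.0.113.10 US 40.71 -74.01 onsite",
    "2024-03-04T15:00:00Z alice 198.51.100.7 DE 52.52 13.40 remote",
    "2024-03-04T16:00:00Z bob 192.0.2.20 US 40.71 -74.01 remote",
    "2024-03-05T02:30:00Z bob 192.0.2.44 US 34.05 -118.24 remote",
    "2024-03-06T09:00:00Z bob 198.51.100.7 DE 52.52 13.40 remote",
]

if __name__ == "__main__":
    for (user, when), alerts in analyze(parse_log(SAMPLE_LOG)).items():
        print(f"{when} {user:6s} {alerts or 'ok'}")
```

The point of the two profiles is the one the article makes: the same event (a login from Germany) is an alert for the onsite employee and routine for the road warrior, so the baseline has to be per user or per role rather than a single enterprise-wide rule.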
Enterprises may also consider adopting these best practices:
- Add or promote Employee Assistance Programs, hoping to help those who may be experiencing isolating work or personal issues. For instance, Karabasevic was going through a divorce in addition to his demotion.
- Add a pop-up window that prompts users to acknowledge company policy for risky activities such as saving data to external storage.
- Check whether your business insurance covers revenue losses, expenses, and lawsuits that may result from insider threats.
- Carefully manage access to enterprise resources on all personal devices, if Bring Your Own Device is allowed.
- Remind exiting employees that they’ve been compensated for their work with intellectual property, trade secrets, and other proprietary and confidential information, and have no ownership right to that data.
- Immediately update a user’s network privileges upon a job change or upon separation from the enterprise.
IGNORANCE IS NOT BLISS
The hope is that your enterprise does not experience detrimental acts at the hand of a malicious insider. However, being prepared to monitor, detect, and prevent malicious insider attacks should be a critical element of your enterprise's cyber security strategy.
WEI is an innovative, full service, customer-centric IT solutions provider.