When Your "Insider Threat" Isn’t an Insider

May 17, 2016 10:00:00 AM |


Social Share:

Insider_Threat.jpgA classic urban legend and horror movie trope involves the hapless victim being repeatedly terrorized by creepy and threatening phone calls. When the police are called, they begin to trace the calls. Later, after continued harassment the police call back and tell the victim, “We’ve traced the call! It’s coming from inside the house!” On your network, the attacker is likely to be able to get a foothold “inside the house” as well.

It’s easy to dismiss the traditional concept of the “insider threat”. You run criminal background checks when you hire. Your employees are trustworthy, and have never done anything to break that trust. You take pride in the culture that your organization has nurtured. The idea that a member of the team would “turn” and take malicious action using their internal access is the kind of thing most organizations would expect to happen to someone else.

Industry data shows that between from 10 to 30 percent of confirmed breaches can be attributed to insiders. Motives can range from profit to revenge. This would suggest that Reagan’s favorite Russian proverb, “Trust, but verify”, is a more realistic approach.

What if we take “insiders” out of the “insider threat”?

Let’s assume your trust is well-placed. It turns out that there are many other scenarios, largely out of your control, that are functionally identical to an insider threat:

  • Successful Phishing – With all the training you can afford, if you have enough employees within your organization, attackers will find success with their phishing campaign. After all, they really only need one victim. Using stolen credentials, the attacker will, to your systems, become your insider.
  • Malware – Whether distributed through malicious web advertisements, zero-day attacks on client software, email campaigns, or attached to software your employees download, once malware is running on your employees’ workstations, they can begin the process of launching the real attack from the same network perspective of an insider.
  • Rogue Devices – Without strong asset management, there may be devices on your network you aren’t even aware of. Computers capable of being remotely controlled to gather data and launch attacks can be as small as a deck of cards and could be implanted by attackers with physical access to any part of your facilities.
  • Blackmail – You trust your users, but what are the limits of their loyalty to you? If an adversary digs up (or fabricates) their darkest secrets, what is their breaking point? Given a choice between betraying their employer and losing their reputation, friends, or family, it’s not hard to imagine what their decision will be.

Most attacks on an organization involve establishing some form of internal beachhead. What is the difference between this and an “insider attack”? Insider knowledge might qualify, and is certainly helpful in a successful attack, but an outside attacker, with the time to research and monitor your network from compromised systems, has the potential to be just as successful.

Why does it matter?

It becomes important when we look at the inevitability of initial compromise, despite your best efforts to prevent it. The workstations your employees use to browse the web will be compromised at some point. A small percentage of users will always fall for the latest clever phishing scheme. You will never be more important to your employee than their own solvency and personal well-being. An organization focused solely on its defenses against attacks coming from the public Internet will fail to address the internal vulnerabilities these “insider-equivalent" attackers will find and exploit.

Internal penetration testing usually exposes the “soft underbelly” of the network. It’s common to find systems that lack authentication or security updates, since everyone with direct access is assumed to be trusted. Network segmentation of internal assets takes a back seat to protection from external threats. The temptation is to dismiss the findings of an internal test because “an attacker would have to get in first”, ignoring the certainty of this happening at some point. Lateral movement, the ability of an attacker to use a single compromised host to impact the rest of your organization, should not be ignored.

How do you protect yourself?

As with most security, it should be applied in layers. The security of your sensitive data and operations should not be directly impacted by the compromise of an individual workstation. With network segmentation, firewalls, strong authentication, and firewalls, make it difficult for an attacker (or an insider) to move around your network in unexpected ways.

Is your organization prepared for the attack that comes from “inside the house”? Can you survive and respond to the inevitable initial compromise, and have defenses in place to protect your most sensitive data? Without identifying the vulnerabilities that can be seen by the equivalent to an insider, you might become the victim of your own horror show.


For weekly insights into cybersecurity, please sign up here:

Subscribe to HORNE Cyber Blog