Cybercriminals and the Future of Insider Threats


In 2018, a fire broke out in Tesla’s Nevada “Gigafactory,” where the company manufactures batteries for its electric vehicles. Shortly afterwards, Tesla CEO Elon Musk sent out a company-wide email informing employees that a factory technician had deliberately sabotaged manufacturing operations and shared sensitive information with an unknown third party.

While some details of the case remain unclear to this day, Musk claimed that the employee had been disgruntled after he was passed over for a promotion and carried out his plan as an act of vengeance. It was not the first or last time that a company was sabotaged by a trusted insider: similar schemes are unfolding throughout federal and private organizations at this very moment.

Today, malicious actors have realized that the easiest way to infiltrate an organization is from the inside. So-called “Insider Threats as-a-Service” are trusted insiders who offer their credentials or access to outside actors for monetary gain or other incentives. In this article, we’ll explain the phenomenon of Insider Threats as-a-Service and what you can do to prevent them.

Insider Threats Today

Organizations have had to worry about data theft for a long time, and the same is true of insider threats. This is doubly true for cleared organizations, especially since 2017 when the Director of National Intelligence (DNI) issued SEAD 3, requiring cleared personnel and non-cleared individuals to monitor their colleagues for possible signs of compromise.

Within a federal context, the Cybersecurity and Infrastructure Security Agency (CISA) defines “insider threat” as an insider who uses their authorized access to harm the Department’s mission, “wittingly or unwittingly”. This last clause is important, because not all insider threats are malicious individuals: according to Forrester, inadvertent (accidental) misuse of data accounted for 39% of data breaches in 2020.

However, the percentage of intentional insider threats has risen dramatically from 26% in 2015 to 43% in 2020. At the same time, the cost of breaches related to insider activity has risen from $8.76 million in 2018 to $11.45 million in 2020. It’s hard to explain this without talking about external factors that are changing the insider threat landscape.

The Future of Insider Threats

In the past, no small number of malicious insiders were driven by petty motives: vengeance, work conflict and entitlement among them. This remains true today. But now, profit, outside influence and ideology are becoming larger factors which lead to longer, more sustained, and more impactful insider attacks. There are three major reasons for this:

  1. Easier Attack Vector

First, as companies increase their cybersecurity investment, attackers are motivated to seek out trusted insiders for access to organizations it would be hard to compromise directly. By bribing Amazon employees to make small changes in the online marketplace, sellers almost gained an unfair advantage worth $100 million before they were caught.

  2. Digital Black Markets

Second, the Dark Web has become a thriving marketplace for illegal services, where “trusted insiders” are bought and sold like any other product. Merchants have refined the craft of recruiting and grooming disgruntled insiders across many industries (including financial services, pharma and big tech) to assist other criminals in their activities.

  3. Remote Employment Vulnerabilities

Finally, the rise of remote employment has created favorable conditions for insider threats to thrive, including reduced transparency and increased anonymity for employees. This enables compromised personnel to “fly under the radar” and coordinate without detection, and it distances them from the people they are affecting.

Combatting Insider Threats as-a-Service

Over the next decade, insider threats will likely account for a higher portion of data breaches, financial fraud, intellectual property (IP) theft and infrastructure attacks. Bad actors will increasingly turn to insiders as a first resort and alternative to traditional attack vectors. The traffic in “trusted insiders” will become a booming industry, and organizations will have to be more wary than ever before.

To address this issue effectively, cybersecurity professionals must understand that insider threats are primarily a human problem. At the same time, they are also a technology problem. In the past, insider threat programs (ITP) have been segmented from normal cybersecurity operations, but as the boundary between external and internal threats becomes fuzzier, combined intelligence has become a necessity.

A Human Problem

As a human problem, detecting insider threats involves monitoring the people in your organization for signs of compromise, especially after common triggers. Behaviors that may indicate an insider threat are outlined in CISA’s Insider Threat Mitigation Guide – they include:

  • Attempts to conceal foreign travel
  • Repeated breaches of established rules and policies
  • Working at odd hours without authorization
  • Erratic, unsafe and aggressive behavior
  • Attempts to conceal foreign travel or contacts
  • Criminal activity, gambling, drug and alcohol use

Common triggers for insider threat events are outlined in Forrester’s report. They include poor performance appraisals, financial distress, sudden departure from the workplace, or vocal disagreement with coworkers and policies. In general, employees who exhibit maladaptive behaviors are more at risk of being compromised.

A Technology Problem

Insider threats leverage their privileged access to an organization’s systems to exfiltrate sensitive data, create backdoors and change files or settings. While a competent insider will avoid overtly malicious activity, their behavior will result in unusual patterns of activity that can be detected through careful observation and specialized software, such as:

  • Activity outside normal hours – if employees are attempting to access internal resources at unusual hours, this can be reason for concern.
  • Privilege escalation – any attempt to vertically escalate system privileges without authorization is a red flag that should be taken very seriously. Furthermore, all users should be assessed to ensure they do not have higher access than needed for their role.
  • Large data transfers – abnormally large data transfers and other unusual network activity can indicate an attempt at data exfiltration.

Organizations can invest in User and Entity Behavior Analytics (UEBA) tools to establish a baseline for “normal” user behavior and leverage AI to alert on suspicious activity. However, these methods can be unreliable, and should only be used as part of a larger insider threat strategy.
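
The three indicators listed above, checked against a per-user baseline, as an added example (not from the original article and not the logic of any particular UEBA product). The event schema, thresholds, user names and sample events are all constructed assumptions; note that a user with too little history gets an "insufficient baseline" flag rather than a verdict.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# All thresholds are assumptions chosen for this illustration.
MIN_BASELINE = 5       # fewer transfer samples than this: no usable baseline
MAD_THRESHOLD = 6.0    # robust z-score above which a transfer is abnormal
HOUR_TOLERANCE = 1     # hours of slack around the hours seen in the baseline
MB = 1_000_000

def ev(user, ts, action, nbytes=0):
    """Build one event record (hypothetical schema)."""
    return {"user": user, "ts": ts, "action": action, "bytes": nbytes}

def build_baseline(events):
    """Per-user profile: hours of day seen, plus median/MAD of transfer sizes."""
    hours, sizes = defaultdict(set), defaultdict(list)
    for e in events:
        hours[e["user"]].add(datetime.fromisoformat(e["ts"]).hour)
        if e["action"] == "transfer":
            sizes[e["user"]].append(e["bytes"])
    profile = {}
    for user, seen in hours.items():
        s = sizes[user]
        med = median(s) if s else 0
        mad = median([abs(x - med) for x in s]) if s else 0
        profile[user] = {"hours": seen, "n": len(s), "median": med, "mad": mad}
    return profile

def is_usual_hour(hour, usual):
    """True if hour is within HOUR_TOLERANCE (wrapping at midnight) of a seen hour."""
    return any(min((hour - h) % 24, (h - hour) % 24) <= HOUR_TOLERANCE for h in usual)

def score_event(event, profile, admins):
    """Return the list of indicator names raised by one event."""
    p = profile.get(event["user"])
    if p is None:
        return ["no_baseline"]          # unknown user: nothing to compare against
    flags = []
    if not is_usual_hour(datetime.fromisoformat(event["ts"]).hour, p["hours"]):
        flags.append("off_hours")
    if event["action"] == "transfer":
        if p["n"] < MIN_BASELINE:
            flags.append("insufficient_transfer_baseline")
        else:
            # Floor the spread at 10% of the median so identical sizes in the
            # baseline do not make every slightly larger transfer an alert.
            spread = 1.4826 * max(p["mad"], 0.1 * p["median"])
            if (event["bytes"] - p["median"]) / spread > MAD_THRESHOLD:
                flags.append("large_transfer")
    if event["action"] == "priv_change" and event["user"] not in admins:
        flags.append("unauthorized_priv_change")
    return flags

def triage(events, baseline_events, admins):
    """Return (user, ts, flags) for every event that raised an indicator."""
    profile = build_baseline(baseline_events)
    hits = []
    for e in events:
        flags = score_event(e, profile, admins)
        if flags:
            hits.append((e["user"], e["ts"], flags))
    return hits

# Constructed sample data: one week of history, then one day to evaluate.
BASELINE = [
    ev("alice", "2021-03-01T09:05:00", "transfer", 20 * MB),
    ev("alice", "2021-03-02T10:40:00", "transfer", 25 * MB),
    ev("alice", "2021-03-03T11:15:00", "transfer", 30 * MB),
    ev("alice", "2021-03-04T13:20:00", "transfer", 35 * MB),
    ev("alice", "2021-03-05T15:45:00", "transfer", 40 * MB),
    ev("alice", "2021-03-05T17:10:00", "transfer", 30 * MB),
    ev("bob", "2021-03-01T09:00:00", "login"),
    ev("bob", "2021-03-02T10:00:00", "transfer", 5 * MB),
    ev("bob", "2021-03-03T14:00:00", "transfer", 8 * MB),
]
TODAY = [
    ev("alice", "2021-03-09T02:13:00", "transfer", 4000 * MB),
    ev("alice", "2021-03-09T10:00:00", "transfer", 30 * MB),
    ev("bob", "2021-03-09T11:00:00", "transfer", 500 * MB),
    ev("bob", "2021-03-09T10:30:00", "priv_change"),
    ev("carol", "2021-03-09T09:00:00", "login"),
]
ADMINS = {"dave"}  # hypothetical set of users allowed to change privileges

if __name__ == "__main__":
    for user, ts, flags in triage(TODAY, BASELINE, ADMINS):
        print(user, ts, ",".join(flags))
```

Bob's 500 MB transfer is not scored as large because two prior samples cannot define what is normal for him, which is one concrete way such baselines prove unreliable.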

Protecting the Perimeter

Today, the enterprise’s expanding network perimeter is a major contributing factor to malicious and non-malicious insider threats. According to a report by McKinsey, executives are planning to reduce their office space by 30% on average to accommodate a growing mobile workforce.

With employees distributed across a larger geographic area, cleared organizations have more access to defend, and more unseen opportunities for compromise. Protecting this perimeter is a vital step to address the growing problem of insider threats.

We recommend that organizations invest in thorough risk management and compliance solutions to prepare for the worst. With the help of vulnerability and penetration tests, cyber hunt and asset management, your organization can stay one step ahead of attackers and prevent the worst from ever happening.


Securicon provides information security solutions to public and private sector organizations. Our expert cyber security teams help our clients manage and secure their Information Technology (IT) and Operational Technology (OT) environments by providing vulnerability and penetration testing/assessments; governance, risk and compliance services (GRC) and security architecture review and design services.  Contact Us to learn more!

In 2021, Remote Employment is Driving Cybersecurity Trends


Every year, Dan Lohrmann from the Government Technology blog chooses a pithy title for the previous year in cybersecurity. For 2020, he chose ‘The Year the COVID-19 Crisis Brought a Cyber Pandemic,’ and for a summary of the past 12 months, we can’t improve on that. It is no exaggeration to say that last year was a grueling time for cyber professionals, and we expect to be dealing with the consequences into 2021 and beyond.

COVID’s Impact on Cybersecurity

In past blog posts, we have emphasized the “opportunistic” nature of malicious cyber actors who are always looking for chaos to exploit in pursuit of their goals. In many ways, 2020 is a perfect example of this mentality, ushering in an unprecedented rise of cybersecurity incidents that even the most cynical researchers could not anticipate.

Here are just a few cybersecurity statistics from last year:

In a single day, COVID-related cyberattacks grew from a few hundred cases per day to over 5,000 in March 2020 alone. But what made a biological virus such an easy disaster to exploit for digital terrorists? There are many answers, but the most important one is this: following COVID-related lockdowns, the global workforce has gone mobile, and there seems to be no going back.

According to one study, 1 in 4 Americans are expected to work remotely through 2021, and this trend will be mirrored in the federal space: after reports found no negative impact on productivity from remote employment, federal agencies are planning to expand opportunities for telework. While this may be beneficial to the workforce, there are ramifications that affect cybersecurity trends in 2021. In this article, we will outline a few of the most significant.

1. Remote Endpoint Vulnerabilities

In a recent blog post, we wrote that:

When targeting an organization, attackers seek any endpoint that may be attached to it. Those endpoints have expanded to include devices, systems and equipment across a large geographic region. Notoriously vulnerable IoT and mobile devices in employee homes provide the perfect bridge to their work computer and enforcing security measures is tough.

This problem will remain a top priority for cybersecurity professionals in 2021, and now we can be even more specific: in some cases, even technologies dedicated to protecting remote devices can be targeted in highly successful attacks.

The Trouble with VPNs

More than 400 million businesses depend on virtual private networks (VPNs) to provide an encrypted connection between remote devices and secure networks. However – as the NSA warned this past summer – popular VPN protocols suffer from major vulnerabilities. During July, actors using stolen VPN credentials managed to take over the Twitter accounts of high-profile figures including Bill Gates, Elon Musk and many others.

In response to these security problems, some businesses are switching to Zero Trust Network Access (ZTNA) schemes which not only protect against VPN-directed attacks, but also attacks on remote desktop (RDP), email clients and other forms of endpoint communications. Nevertheless, there’s a long way to go before these legacy technologies are phased out, and organizations have their work cut out for them along the way.

Increased Risk From Mobile Devices

Smartphones, tablets and other mobile devices are likely the most common examples of remote endpoints; consequently, they are also highly popular targets for attackers. Last year, we witnessed a rise in spyware targeting encrypted messaging apps, major security flaws in popular Android apps and more.

In response to these highly publicized vulnerabilities, Google has promised to double down on security – fortunately, businesses aren’t waiting for them to follow through. According to Forbes, mobile device security will be the fastest-growing category of cybersecurity between now and 2025, showing that organizations finally recognize the risks inherent to mobile devices.

2. More Phishing Attacks

Phishing has long been one of the most popular methods for targeting an organization, and the incidence of phishing attacks has only increased with the rise of remote employment. According to one report, companies experienced an average of 1,185 phishing attempts per month throughout 2020. At the same time, “spear phishing” – a highly targeted form of the phishing attack – became more prevalent with the help of automation and remains a significant risk to businesses in the public and private sector.

There are promising trends on the horizon which may diminish the impact of phishing attacks. For instance, Gartner predicts that Passwordless Authentication will be among the most influential technologies for cybersecurity over the next three years; without passwords to steal, the effectiveness of phishing attacks will decrease.

In the end, investment in cybersecurity training remains by far the most effective way to protect an organization from phishing attacks and other forms of social engineering. It is no wonder, then, that businesses are spending more on cybersecurity training than ever before, and we hope this trend continues.

3. Advanced Insider Threats

In the ever-shifting cybersecurity landscape, insider threats are one of the few never-changing constants. Whether they are involved in deliberate sabotage or innocent user error, insiders are directly or indirectly responsible for the majority of security breaches and cyber incidents occurring in the organizations they work for.

Unfortunately, the risk of insider threats has only increased as a consequence of remote employment: outside of tightly controlled facilities, it is much harder to monitor employee activity and protected assets. Accordingly, Forrester warned that “perfect conditions” for insider threats were created by COVID lockdowns.

Insider Threats as a Service

To exacerbate the issue even further, researchers warn that an increasing number of insider threats are contracted from outside: so-called “Insider-Threats-as-a-Service” may hire themselves out as corporate spies, advertising their services as a “trusted insider” on the Dark Web, or they may be planted through organized recruitment campaigns.

To protect against advanced insider threats, businesses must remain vigilant in screening candidates. Government contractors are already required to maintain an insider threat program (ITP) as defined by NIST SP 800-171, and commercial organizations may wish to follow their example.

4. Increased Dependence on Cloud

Over the past year, cloud adoption has accelerated as more businesses depend on Software-as-a-Service (SaaS) models and cloud storage to link their connected workforce while maintaining productivity levels. But while cloud technologies are more secure than they’ve ever been, cyber actors are also more talented than they have ever been, and the risk of cloud adoption is obviously not zero.

As a result, businesses are also spending more on Cloud Workload Protection Platforms (CWPPs) and Cloud Security Posture Management (CSPM), which Gartner has also named in its list of influential cybersecurity technologies. In 2021, organizations should familiarize themselves with cloud risks and best practices, alongside important regulations that affect cloud services like FedRAMP and HIPAA.

Conclusion

Thanks to the trends listed above, there is every reason to believe that 2021 will be a challenging year for cybersecurity and compliance. For businesses who want to avoid cyber incidents, data breaches and expensive fines, here are three major takeaways:

  1. Increase security for remote endpoints – in a past blog post, we shared how organizations can improve the security of remote endpoints and prevent attacks through a mobile workforce.
  2. Provide better cybersecurity training – insiders can endanger an organization, but they can also protect it. In 2021, make cybersecurity a collaborative effort by training your workforce to recognize social engineering attacks and protect your most sensitive assets.
  3. Partner with experts – remaining secure in the face of a constantly-developing threat landscape is a difficult task without outside assistance. In 2021, partner with cyber experts who can test your organization for vulnerabilities, assess compliance and assemble a cybersecurity plan tailored to your individual needs.


How Local Governments Can Help Their Remotely Employed Cybersecurity Teams


When the COVID-19 lockdowns began many months ago, experts in the cybersecurity industry knew what was coming next. As we have established in past articles, hackers are opportunistic: eager for any chaos to exploit in pursuit of their goals. A society-wide shut down which left many online for much longer than usual was the perfect opening, especially for high-value targets like local governments, who experienced a 100% increase in site traffic immediately following the stay-at-home orders.

Now, six months later – though restrictions have eased throughout the U.S. and malicious cyber-activity has reduced from the fever pitch it reached at that time – there are still threats to contend with. This time, cybersecurity teams are working away from the office, and they are facing complex and unprecedented situations. Remote employment is a complicated affair in general, but for cybersecurity teams and operations centers (SOCs) it presents a number of unique challenges.

While 98% of the population says it would “like to work remotely,” no less than 89% of cybersecurity professionals say they are facing increased job difficulty because of stay-at-home policies, according to a recent study. This shocking disparity suggests the obvious: it’s hard for cybersecurity teams to do their jobs properly outside their organizations.

In this article, we’ll look at several reasons why this is the case, and how local governments can help their vitally important cybersecurity personnel to succeed as remote employees.

Insecurity of Remote Endpoints

The first problem is that cybersecurity professionals aren’t the only ones working from home now: their coworkers are doing the same thing, shifting the perimeter that the former are obligated to monitor and protect. In June, only 26% of the U.S. workforce were still working in their physical business premises.

When targeting an organization, attackers seek any endpoint that may be attached to it. Those endpoints have expanded to include devices, systems and equipment across a large geographic region. Notoriously vulnerable IoT and mobile devices in employee homes provide the perfect bridge to their work computer, and enforcing security measures is tough.

Remote endpoints also offer an increased opportunity for credential theft, which is the main culprit behind 80% of hacking related breaches. While most of these are the consequence of phishing schemes (which have also increased under lockdown), they can easily result from an insecure or keylogged work computer as well. Attackers with stolen credentials are much harder to fend off, since they look like legitimate users.

Protecting Off-Premise Devices

Taking work-devices off-premise has always been a security concern, but it has never occurred at this scale before. Fortunately, there are ways to reduce their vulnerability:

  1. Increase monitoring for suspicious activity on business networks indicating an attempt by a “legitimate” user to elevate their own privileges (new privileged users on network hosts, requests to a domain controller, memory dumps from authentication processes, etc.)
  2. If feasible, recommend that off-premise employees segment the networks in their home office by using dual routers, one for work, and one for personal use. This provides a physical barrier against attacks propagating from vulnerable devices.
  3. Above all, enforce cybersecurity training for all personnel, specifically emphasizing recognition of phishing attacks and the danger of IoT and other non-essential connected devices.

While none of these measures can guarantee protection from attacks through remote employees, they will definitely diminish the opportunity.

Strained Security Resources

During the lockdowns, local governments and other organizations have experienced a dramatic rise in IT support tickets to troubleshoot problems with business software and home office equipment. Accordingly, nearly half of cybersecurity professionals said they had been shifted to an IT role, leaving their colleagues with double the workload.

Little wonder, then, that in the middle of a cybersecurity talent gap, many have considered leaving their current jobs for calmer waters where they can practice the profession they trained for. This is a loss that local government agencies can ill afford – and fortunately, it’s mostly unnecessary.

Reducing Work Strain

To this day, upper management often considers cybersecurity a mere function of IT when they are actually distinct.

  • Avoid hemorrhaging your security resources by clearly defining the domain of IT and the domain of cybersecurity. Allow the former to handle implementation and troubleshooting made necessary by the transition and consider outsourcing or new hires if they are necessary.
  • Provide adequate resources for your cybersecurity team; maintain communication through HR and ensure that they are not overburdened during a time when they are needed most.

In the hectic and sometimes experimental transition to remote employment, it’s easy for any business to become disorganized and leave people behind in the shuffle. Preventing this is an utmost priority.

Communication Problems

Effective cybersecurity requires a constant stream of communication between different operatives, and often communication between departments, especially when problems need to be resolved in real time. But while it is possible to remain in communication while working remotely, that does not mean it is easy.

As vCISO at Dubai Expo 2020 Dr. Grigorios Fragkos notes:

When you work with your team throughout the day, you can discuss, coordinate and brainstorm on-the-fly, but it takes way more time to have these micro-communications over virtual mediums, phone-calls and emails, compared to a brief face-to-face catchup.

Therefore, remote employment brings delays to the communications process, and important communications may even be lost in the noise.

Ensure Communication

There are several ways to make sure your cybersecurity professionals can stay in touch:

  • Invest in collaboration software and lightweight communication channels that bring together your IT, cybersecurity, HR and business teams
  • Even if channels are provided, engagement with those tools may be low, simply because old habits die hard. Ensure regular team check-ins, and make those channels a fundamental part of the new work process.
  • Segment critical channels from more general ones so your cybersecurity team knows how to prioritize their response to incoming information.

Your security professionals are frequently inundated with data – especially in a SOC environment – that may require intense and focused attention. Ensuring they have the tools they need to quickly communicate and get back to work is essential to their success.

Conclusion

In our free infographic checklist, we step through all the ingredients of an effective remote cybersecurity team including:

  • Crucial security strategies for remote endpoints
  • Key points of effective cyber hygiene for your entire organization
  • What every remote cybersecurity professional needs to succeed


Remote employment is far from impossible, even in the domain of cybersecurity, but the process of establishing a balanced workload, communication and effective strategies for securing remote endpoints requires proactivity from everyone involved, especially those at the top.



Everything Government Contractors Need to Know About CMMC and NIST 800-171

After its release in January 2020 and after many delays, the new Cybersecurity Maturity Model Certification (CMMC) has not yet been enforced in contracts from the Department of Defense or any other agency. This is expected to change this month, following updates to the Defense Federal Acquisition Regulation Supplement (DFARs). While contractors have until then to prepare for compliance reforms, many are still unaware of CMMC, DFARs, or how they both relate to a single document: the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

In this article, we’ll review the basics of SP 800-171, how it relates to CMMC, and explain why every federal contractor handling Controlled Unclassified Information (CUI) needs to be compliant.

NIST 800-171: What is It?

Since 2017, any federal contractor working with the Department of Defense (DoD) has been required to comply with the standards outlined in SP 800-171, formally titled: Protecting Unclassified Information in Nonfederal Information Systems and Organizations. Based on the more comprehensive SP 800-53, the document outlines strict rules for systems that handle sensitive information and data not meriting a “classified” designation.


This CUI is broad in scope, encompassing almost any data – scientific, financial, or operational – exchanged in the course of a government contract. Since compliance with NIST 800-171 was rolled into DFARs – a supplement to the FAR rules – it has been adopted by state and federal agencies outside the Defense department including GSA, NASA and others.

Full compliance with SP 800-171 entails the implementation of a System Security Plan (SSP) for all systems handling CUI during a contract, including email, FTP, content management platforms (CMPs), cloud platforms, project collaboration tools and more. Earlier this year, a minor revision (Rev. 2) to the regulation was released, but the basic security requirements in chapter 3 have not been affected.

NIST 800-171: Why Does it Matter?

The vulnerability of protected information has been a growing national security concern. Federal agencies are under constant attack from Advanced Persistent Threat (APT) groups and other malicious actors who may represent foreign adversaries attempting to gain an advantage over the United States. In recent times, these threat actors have shifted their attention to the massive Defense Industrial Base, seeking opportunities to steal and otherwise exploit sensitive information intercepted by government contractors.

Just this March, a Colorado-based Aerospace firm fell victim to a ransomware attack which exposed data from customers including Lockheed Martin, General Dynamics, Boeing and SpaceX. Such incidents go to show that – without adequate security controls – the supply chain of federal services can easily be compromised, representing a threat to the businesses who are targeted, their clients, and ultimately the government.

There is a good reason CUI is a protected asset under ITAR, right alongside military technology, arms and services: information is power, and that power becomes deadly in the hands of an enemy. Contractors entrusted with CUI or any other form of sensitive information must wield it responsibly as a protection to themselves and their customers, and that is the ultimate purpose of regulations like NIST 800-171.

How CMMC Changes NIST 800-171 Compliance

In light of evidence that a woefully small percentage of defense contractors were actually complying with NIST 800-171, the DoD began rolling its security requirements into the CMMC in 2019. The first major change is that self-assessment will no longer be enough: after October, contractors will be required to undergo third-party review to demonstrate their compliance with DFARs.

While that means that organizations will have to tighten up their compliance strategy, a second development will make the burden easier to bear: a single standard for compliance will no longer be applied to all defense partners. Under CMMC, there are five security levels and – while all require NIST 800-171 to be followed in some degree – that degree changes between levels:

  • Level 1 Basic Cyber Hygiene – requires basic safeguarding of information systems which encompass 17 security requirements listed in NIST 800-171.
  • Level 2 Intermediate Cyber Hygiene – requires an additional 55 controls for protection of CUI, coming to a total of 72 security practices.
  • Level 3 Good Cyber Hygiene – adds 58 security practices, bringing the total to 130 practices. Contractors at this level must document each practice and establish a plan for maintaining compliance.
  • Level 4 Proactive – at this level, all contractors must review and measure their practices while sharing findings with upper management and establishing response procedures to changing techniques. A total of 156 security practices, including new ones from Rev. 2.
  • Level 5 Advanced – at this level, all previous requirements must be met, and contractors must have a standard process to defend against Advanced Persistent Threats (APTs).

After pending updates to the DFARs rule, compliance with NIST 800-171 will expand to second and third-party businesses and vendors working with a Defense contractor, and – at level 3 and beyond – the contractor will be required to ensure that their partners are compliant. Consequently, DFARs requirements will soon be extending to a much larger group of businesses than those working directly with the DoD.

How to Prepare

Since many businesses will have to comply with NIST 800-171 even if they are not working directly with the Defense Department and other agencies, we recommend that they prepare to comply with as much of the regulation as possible. To that end – in conjunction with a copy of CMMC V.1 – they may consult the NIST Handbook 162 to conduct a self-assessment ahead of taking on contracts under CMMC.

However, while self-assessment is a useful tool for preparation, it won’t be enough in the long run: before you are vetted by a third-party, consider partnering with veteran cybersecurity experts to make sure that your organization is meeting the requirements set down by NIST and the DoD.

To become NIST SP 800-171 compliant and avoid costly violations, organizations must take security seriously, take stock of their IT assets and fix vulnerabilities before they can be exploited. With a DoD background, our world-class experts in governance, pen testing and ethical hacking can help through technical consulting and federal security services. Contact us today!