Cybercriminals and the Future of Insider Threats

Posted on
Cybersecurity Strategy
Cybersecurity Strategy

In 2018, a fire broke out in Tesla’s Nevada “Gigafactory,” where the company manufactures batteries for its electric vehicles. Shortly afterwards, Tesla CEO Elon Musk sent out a company-wide email informing employees that a factory technician had deliberately sabotaged manufacturing operations and shared sensitive information with an unknown third party.

While some details of the case remain unclear to this day, Musk claimed that the employee had been disgruntled after he was passed up for a promotion and carried out his plan as an act of vengeance. It was not the first or last time that a company was sabotaged by a trusted insider: similar schemes are unfolding throughout federal and private organizations at this very moment.

Today, malicious actors have realized that the easiest way to infiltrate an organization is from the inside. So-called “Insider Threats as-a-Service” are trusted insiders who offer their credentials or access to outside actors for monetary gain or other incentives. In this article, we’ll explain the phenomenon of Insider Threats as-a-Service and what you can do to prevent them.

Insider Threats Today

Data theft is something that organizations have had to worry about for a long time, and so are insider threats. This is doubly true for cleared organizations, especially since 2017 when the Director of National Intelligence (DNI) issued SEAD 3, requiring cleared personnel and non-cleared individuals to monitor their colleagues for possible signs of compromise.

Within a federal context, the Cybersecurity Infrastructure and Security Agency (CISA) defines “insider threat” as an insider who uses their authorized access to harm the Department’s mission, “wittingly or unwittingly”. This last clause is important, because not all insider threats are malicious individuals: according to Forrester, inadvertent (accidental) misuse of data accounted for 39% of data breaches in 2020.

However, the percentage of intentional insider threats has risen dramatically from 26% in 2015 to 43% in 2020. At the same time, the cost of breaches related to insider activity has risen from $8.76 million in 2018 to $11.45 million in 2020. It’s hard to explain this without talking about external factors that are changing the insider threat landscape.

The Future of Insider Threats

In the past, no small number of malicious insiders were driven by petty motives: vengeance, work conflict and entitlement among them. This remains true today. But now, profit, outside influence and ideology are becoming larger factors which lead to longer, more sustained, and more impactful insider attacks. There are three major reasons for this:

  1. Easier Attack Vector

First, as companies increase their cybersecurity investment, attackers are motivated to seek out trusted insiders for access to organizations it would be hard to compromise directly. By bribing Amazon employees to make small changes in the online marketplace, sellers almost gained an unfair advantage worth $100 million before they were caught.

  1. Digital Black Markets

Second, the Dark Web has become a thriving marketplace for illegal services, where “trusted insiders” are bought and sold like any other product. Merchants have refined the craft of recruiting and grooming disgruntled insiders across many industries (including financial services, pharma and big tech) to assist other criminals in their activities.

  1. Remote Employment Vulnerabilities

Finally, the rise of remote employment has created favorable conditions for insider threats to thrive, including reduced transparency and increased anonymity for employees. This enables compromised personnel to “fly under the radar,” coordinate without detection, and distances them from the people they are affecting.

Combatting Insider Threats as-a-Service

Over the next decade, insider threats will likely account for a higher portion of data breaches, financial fraud, intellectual property (IP) theft and infrastructure attacks. Bad actors will increasingly turn to insiders as a first resort and alternative to traditional attack vectors. The traffic in “trusted insiders” will become a booming industry, and organizations will have to be more wary than ever before.

To address this issue effectively, cybersecurity professionals must understand that insider threats are primarily a human problem. At the same time, they are also a technology problem. In the past, insider threat programs (ITP) have been segmented from normal cybersecurity operations, but as the boundary between external and internal threats becomes fuzzier, combined intelligence has become a necessity.

A Human Problem

As a human problem, detecting insider threats involves monitoring the people in your organization for signs of compromise, especially after common triggers. Behaviors that may indicate an insider threat are outlined in CISA’s Insider Threat Mitigation Guide – they include:

  • Attempts to conceal foreign travel
  • Repeated breaches of established rules and policies
  • Working at odd hours without authorization
  • Erratic, unsafe and aggressive behavior
  • Attempts to conceal foreign travel or contacts
  • Criminal activity, gambling, drug and alcohol use

Common triggers for insider threat events are outlined in Forrester’s report. They include poor performance appraisals, financial distress, sudden departure from the workplace, or vocal disagreement with coworkers and policies. In general, employees who exhibit maladaptive behaviors are more at risk of being compromised.

A Technology Problem

Insider threats leverage their privileged access to an organization’s systems to exfiltrate sensitive data, create backdoors and change files or settings. While a competent insider will avoid overtly malicious activity, their behavior will result in unusual patterns of activity that can be detected through careful observation and specialized software, such as:

  • Activity outside normal hours – if employees are attempting to access internal resources at unusual hours, this can be reason for concern.
  • Privilege escalation – any attempt to vertically escalate system privileges without authorization is a red flag that should be taken very seriously. Furthermore, all users should be assessed to ensure they do not have higher access than needed for their role.
  • Large data transfers – abnormally large data transfers and other unusual network activity can indicate an attempt at data exfiltration.

Organizations can invest in User and Entity-Based Behavioral Analytics (UEBA) tools to establish a baseline for “normal” user behavior and leverage AI to alert on suspicious activity. However, these methods can be unreliable, and should only be used as part of a larger insider threat strategy.

Protecting the Perimeter

Today, the enterprise’s expanding network perimeter is a major contributing factor to malicious and non-malicious insider threats. According to a report by McKinsey, executives are planning to reduce their office space by 30% on average to accommodate a growing mobile workforce.

With employees distributed across a larger geographic area, cleared organizations have more access to defend, and more unseen opportunities for compromise. Protecting this perimeter is a vital step to address the growing problem of insider threats.

We recommend that organizations invest in thorough risk management, and compliance solutions to prepare for the worst. With the help of vulnerability and penetration tests, cyber hunt and asset management, your organization can stay one step ahead of attackers and prevent the worst from ever happening.

Securicon provides information security solutions to public and private sector organizations. Our expert cyber security teams help our clients manage and secure their Information Technology (IT) and Operational Technology (OT) environments by providing vulnerability and penetration testing/assessments; governance, risk and compliance services (GRC) and security architecture review and design services.  Contact Us to learn more!

In 2021, Remote Employment is Driving Cybersecurity Trends

Posted on
cybersecurity trends
cybersecurity trends

Every year, Dan Lohrmann from the Government Technology blog chooses a pithy title for the previous year in cybersecurity. For 2020, he chose ‘The Year the COVID-19 Crisis Brought a Cyber Pandemic,’ and for a summary of the past 12 months, we can’t improve on that. It is no exaggeration to say that last year was a grueling time for cyber professionals, and we expect to be dealing with the consequences into 2021 and beyond.

COVID’s Impact on Cybersecurity

In past blog posts, we have emphasized the “opportunistic” nature of malicious cyber actors who are always looking for chaos to exploit in pursuit of their goals. In many ways, 2020 is a perfect example of this mentality, ushering in an unprecedented rise of cybersecurity incidents that even the most cynical researchers could not anticipate.

Here are just a few cybersecurity statistics from last year:

In a single day, COVID-related cyberattacks grew from a few hundred cases per day to over 5,000 in March 2020 alone. But what made a biological virus such an easy disaster to exploit for digital terrorists? There are many answers, but the most important one is this: following COVID-related lockdowns, the global workforce has gone mobile, and there seems to be no going back.

According to one study, 1 in 4 Americans are expected to work remotely through 2021, and this trend will be mirrored in the federal space: after reports found no negative impact on productivity from remote employment, federal agencies are planning to expand opportunities for telework. While this may be beneficial to the workforce, there are ramifications that affect cybersecurity trends in 2021. In this article, we will outline a few of the most significant.

1. Remote Endpoint Vulnerabilities

In a recent blog post, we wrote that:

When targeting an organization, attackers seek any endpoint that may be attached to it. Those endpoints have expanded to include devices, systems and equipment across a large geographic region. Notoriously vulnerable IoT and mobile devices in employee homes provide the perfect bridge to their work computer and enforcing security measures is tough.

This problem will remain a top priority for cybersecurity professionals in 2021, and now we can be even more specific: in some cases, even technologies dedicated to protecting remote devices can be targeted in highly successful attacks.

The Trouble with VPNs

More than 400 million businesses depend on virtual private networks (VPNs) to provide an encrypted connection between remote devices and secure networks. However – as the NSA warned this past Summer – popular VPN protocols suffer from major vulnerabilities. During July, actors using stolen VPN credentials managed to take over the Twitter accounts of high-profile figures including Bill Gates, Elon Musk and many others.

In response to these security problems, some businesses are switching to Zero Trust Network Access (ZTNA) schemes which not only protect against VPN-directed attacks, but also attacks on remote desktop (RDP), email clients and other forms of endpoint communications. Nevertheless, there’s a long way to go before these legacy technologies are phased out, and organizations have their work cut out for them along the way.

Increased Risk From Mobile Devices

Smartphones, tablets and other mobile devices are likely the most common examples of remote endpoints; consequently, they are also highly popular targets for attackers. Last year, we witnessed a rise in spyware targeting encrypted messaging apps, major security flaws in popular Android apps and more.

In response to these highly publicized vulnerabilities, Google has promised to double down on security – fortunately, businesses aren’t waiting for them to follow through. According to Forbes, mobile device security will be the fastest-growing category of cybersecurity between now and 2025, showing that organizations finally recognize the risks inherent to mobile devices.

2. More Phishing Attacks

Phishing has long been one of the most popular methods for targeting an organization, and the incidence of phishing attacks has only increased with the rise of remote employment. According to one report, companies experienced an average of 1,185 phishing attempts per month throughout 2020. At the same time, “spear phishing” – a highly targeted form of the phishing attack – became more prevalent with the help of automation and remains a significant risk to businesses in the public and private sector.

There are promising trends on the horizon which may diminish the impact of phishing attacks. For instance, Gartner predicts that Passwordless Authentication will be among the most influential technologies for cybersecurity over the next three years; without passwords to steal, the effectiveness of phishing attacks will decrease.

In the end, investment in cybersecurity training remains by far the most effective way to protect an organization from phishing attacks and other forms of social engineering. It is no wonder, then, that businesses are spending more on cybersecurity training than ever before, and we hope this trend continues.

3. Advanced Insider Threats

In the ever-shifting cybersecurity landscape, insider threats are one of the few never-changing constants. Whether they are involved in deliberate sabotage or innocent user error, insiders are directly or indirectly responsible for the majority of security breaches and cyber incidents occurring in the organizations they work for.

Unfortunately, the risk of insider threats has only increased as a consequence of remote employment: outside of tightly controlled facilities, it is much harder to monitor employee activity and protected assets. Accordingly, Forrester warned that “perfect conditions” for insider threats were created by COVID lockdowns.

Insider Threats as a Service

To exacerbate the issue even further, researchers warn that an increasing number of insider threats are contracted from outside: so-called “Insider-Threats-as-a-Service” may hire themselves out as corporate spies, advertising their services as a “trusted insider” on the Dark Web, or they may be planted through organized recruitment campaigns.

To protect against advanced insider threats, businesses must remain vigilant in screening candidates. Government contractors are already required to maintain an insider threat program (ITP) as defined by NIST SP 800-171, and commercial organizations may wish to follow their example.

4. Increased Dependence on Cloud

Over the past year, cloud adoption has accelerated as more businesses depend on Software-as-a-Service (SaaS) models and cloud storage to link their connected workforce while maintaining productivity levels. But while cloud technologies are more secure than they’ve ever been, cyber actors are also more talented than they have ever been, and the risk of cloud adoption is obviously not zero.

As a result, businesses are also spending more on Cloud Workload Protection Platforms (CWPPs) and Cloud Security Posture Management (CSPM), which Gartner has also named in its list of influential cybersecurity technologies. In 2021, organizations should familiarize themselves with cloud risks and best practices, alongside important regulations that affect cloud services like FedRAMP and HIPAA.

Conclusion

Thanks to the trends listed above, there is every reason to believe that 2021 will be a challenging year for cybersecurity and compliance. For businesses who want to avoid cyber incidents, data breaches and expensive fines, here are three major takeaways:

  1. Increase security for remote endpoints – in a past blog post, we shared how organizations can improve the security of remote endpoints and prevent attacks through a mobile workforce.
  2. Provide better cybersecurity training – insiders can endanger an organization, but they can also protect it. In 2021, make cybersecurity a collaborative effort by training your workforce to recognize social engineering attacks and protect your most sensitive assets.
  3. Partner with experts – remaining secure in the face of a constantly-developing threat landscape is a difficult task without outside assistance. In 2021, partner with cyber experts who can test your organization for vulnerabilities, assess compliance and assemble a cybersecurity plan tailored to your individual needs.

Securicon provides information security solutions to public and private sector organizations. Our expert cybersecurity teams help our clients manage and secure their Information Technology (IT) and Operational Technology (OT) environments by providing vulnerability and penetration testing/assessments; governance, risk and compliance services (GRC) and security architecture review and design services. To learn more, visit our contact page.