In 2018, a fire broke out in Tesla’s Nevada “Gigafactory,” where the company manufactures batteries for its electric vehicles. Shortly afterwards, Tesla CEO Elon Musk sent out a company-wide email informing employees that a factory technician had deliberately sabotaged manufacturing operations and shared sensitive information with an unknown third party.
While some details of the case remain unclear to this day, Musk claimed that the employee had been disgruntled after he was passed up for a promotion and carried out his plan as an act of vengeance. It was not the first or last time that a company was sabotaged by a trusted insider: similar schemes are unfolding throughout federal and private organizations at this very moment.
Today, malicious actors have realized that the easiest way to infiltrate an organization is from the inside. So-called “Insider Threats as-a-Service” are trusted insiders who offer their credentials or access to outside actors for monetary gain or other incentives. In this article, we’ll explain the phenomenon of Insider Threats as-a-Service and what you can do to prevent them.
Insider Threats Today
Data theft is something that organizations have had to worry about for a long time, and so are insider threats. This is doubly true for cleared organizations, especially since 2017 when the Director of National Intelligence (DNI) issued SEAD 3, requiring cleared personnel and non-cleared individuals to monitor their colleagues for possible signs of compromise.
Within a federal context, the Cybersecurity Infrastructure and Security Agency (CISA) defines “insider threat” as an insider who uses their authorized access to harm the Department’s mission, “wittingly or unwittingly”. This last clause is important, because not all insider threats are malicious individuals: according to Forrester, inadvertent (accidental) misuse of data accounted for 39% of data breaches in 2020.
However, the percentage of intentional insider threats has risen dramatically from 26% in 2015 to 43% in 2020. At the same time, the cost of breaches related to insider activity has risen from $8.76 million in 2018 to $11.45 million in 2020. It’s hard to explain this without talking about external factors that are changing the insider threat landscape.
The Future of Insider Threats
In the past, no small number of malicious insiders were driven by petty motives: vengeance, work conflict and entitlement among them. This remains true today. But now, profit, outside influence and ideology are becoming larger factors which lead to longer, more sustained, and more impactful insider attacks. There are three major reasons for this:
- Easier Attack Vector
First, as companies increase their cybersecurity investment, attackers are motivated to seek out trusted insiders for access to organizations it would be hard to compromise directly. By bribing Amazon employees to make small changes in the online marketplace, sellers almost gained an unfair advantage worth $100 million before they were caught.
- Digital Black Markets
Second, the Dark Web has become a thriving marketplace for illegal services, where “trusted insiders” are bought and sold like any other product. Merchants have refined the craft of recruiting and grooming disgruntled insiders across many industries (including financial services, pharma and big tech) to assist other criminals in their activities.
- Remote Employment Vulnerabilities
Finally, the rise of remote employment has created favorable conditions for insider threats to thrive, including reduced transparency and increased anonymity for employees. This enables compromised personnel to “fly under the radar,” coordinate without detection, and distances them from the people they are affecting.
Combatting Insider Threats as-a-Service
Over the next decade, insider threats will likely account for a higher portion of data breaches, financial fraud, intellectual property (IP) theft and infrastructure attacks. Bad actors will increasingly turn to insiders as a first resort and alternative to traditional attack vectors. The traffic in “trusted insiders” will become a booming industry, and organizations will have to be more wary than ever before.
To address this issue effectively, cybersecurity professionals must understand that insider threats are primarily a human problem. At the same time, they are also a technology problem. In the past, insider threat programs (ITP) have been segmented from normal cybersecurity operations, but as the boundary between external and internal threats becomes fuzzier, combined intelligence has become a necessity.
A Human Problem
As a human problem, detecting insider threats involves monitoring the people in your organization for signs of compromise, especially after common triggers. Behaviors that may indicate an insider threat are outlined in CISA’s Insider Threat Mitigation Guide – they include:
- Attempts to conceal foreign travel
- Repeated breaches of established rules and policies
- Working at odd hours without authorization
- Erratic, unsafe and aggressive behavior
- Attempts to conceal foreign travel or contacts
- Criminal activity, gambling, drug and alcohol use
Common triggers for insider threat events are outlined in Forrester’s report. They include poor performance appraisals, financial distress, sudden departure from the workplace, or vocal disagreement with coworkers and policies. In general, employees who exhibit maladaptive behaviors are more at risk of being compromised.
A Technology Problem
Insider threats leverage their privileged access to an organization’s systems to exfiltrate sensitive data, create backdoors and change files or settings. While a competent insider will avoid overtly malicious activity, their behavior will result in unusual patterns of activity that can be detected through careful observation and specialized software, such as:
- Activity outside normal hours – if employees are attempting to access internal resources at unusual hours, this can be reason for concern.
- Privilege escalation – any attempt to vertically escalate system privileges without authorization is a red flag that should be taken very seriously. Furthermore, all users should be assessed to ensure they do not have higher access than needed for their role.
- Large data transfers – abnormally large data transfers and other unusual network activity can indicate an attempt at data exfiltration.
Organizations can invest in User and Entity-Based Behavioral Analytics (UEBA) tools to establish a baseline for “normal” user behavior and leverage AI to alert on suspicious activity. However, these methods can be unreliable, and should only be used as part of a larger insider threat strategy.
Protecting the Perimeter
Today, the enterprise’s expanding network perimeter is a major contributing factor to malicious and non-malicious insider threats. According to a report by McKinsey, executives are planning to reduce their office space by 30% on average to accommodate a growing mobile workforce.
With employees distributed across a larger geographic area, cleared organizations have more access to defend, and more unseen opportunities for compromise. Protecting this perimeter is a vital step to address the growing problem of insider threats.
We recommend that organizations invest in thorough risk management, and compliance solutions to prepare for the worst. With the help of vulnerability and penetration tests, cyber hunt and asset management, your organization can stay one step ahead of attackers and prevent the worst from ever happening.
Securicon provides information security solutions to public and private sector organizations. Our expert cyber security teams help our clients manage and secure their Information Technology (IT) and Operational Technology (OT) environments by providing vulnerability and penetration testing/assessments; governance, risk and compliance services (GRC) and security architecture review and design services. Contact Us to learn more!