SIGNS YOU HAVE AN INSIDER THREAT
An insider spy is perhaps the most significant threat to enterprise security. Monitoring their behavior is a critical component in detecting and deterring their activities.
It’s not about the 98% you catch, it’s about the 2% you miss –NSS Labs
Insider Threats – Some Statistics
- Roughly 70% of incidents at financial institutions involved current and former employees.
- Roughly 60% of incidents at industrial manufacturing organizations involved current and former employees.
Verizon DBIR 2015: 20.6% of breaches are characterized as "insider misuse".
Insider Threat: A malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization’s security practices, data and computer systems.
Watering Hole: A computer attack strategy in which the victim is a particular group (an organization, industry, or region). The attacker guesses or observes which websites the group often uses and infects one or more of them with malware; eventually some member of the targeted group gets infected.
Muleware: Muleware solicits the participation of the user and offers incentives to play a small role in the attack campaign. "Up until this point, cybercriminals have attained their resources by exploiting and compromising devices, but wouldn't it be more efficient and much more profitable to pay for these resources and turn thousands of would-be victims into part of the attacker's supply chain?" – Lancope CTO, TK Keanini
So who is attacking the Network?
Negligent Insiders – Insiders who accidentally expose data – such as an employee who forgets their laptop on an airplane.
Malicious Insiders – Insiders who intentionally steal data or destroy systems.
Compromised Insiders – Insiders whose access credentials and/or computer have been compromised by an outside attacker.
How do we protect ourselves from an insider spy? Counterintelligence guidance says that monitoring the behavior of employees and other insiders is critical to detecting one. Here is a summary of the user behaviors enterprises are told to look for:
- Individuals who, without need or authorization, access proprietary material not related to their work duties.
- Individuals who show an unusual interest in matters outside the scope of their duties, particularly matters of interest to foreign entities or business competitors.
- Individuals who unnecessarily copy, store, or transmit material, especially if it is sensitive, proprietary, or classified.
- Individuals who remotely access the network while on vacation, on sick leave, or at other odd times.
- Anyone who disregards company computer policies on installing personal software or hardware, accessing restricted websites, conducting unauthorized searches, or downloading confidential information.
- Anyone who works odd hours without authorization, or shows notable enthusiasm for overtime, weekend work, or unusual schedules when clandestine activities could be conducted more easily.
- Individuals who engage in suspicious personal contacts, such as with competitors, business partners, or other unauthorized individuals.
- Individuals who show particular concern that they are being investigated, for example by installing software to detect searches of their data files, emails, and other communications.
On the surface it may seem extreme to think we need to monitor for spies, but virtually everyone agrees that we need to be on guard for anyone who is stealing our data, whatever their motivation.
An insider spy may or may not be physically inside our facilities; today's spies and cyber-criminals are quite capable of penetrating our networks remotely while impersonating our own employees.
Five signs of an insider threat, in short:
- Stolen Credentials
- Suspicious Behavior
- Unauthorized Access
- Unusual Movement
- Policy Violation
Insider Threat Defenses — Detection
- Log file accesses, software installation, and USB device usage
- Generate alerts on access to file storage services (e.g., Dropbox)
- If implemented correctly, finds activity before it causes harm
- Less inhibiting than full prevention
- If implemented incorrectly, finds activity after irreparable harm
- Requires active effort by the security team
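As an added example (not part of the original article, and not any vendor's product), the Python script below applies several of the behaviors listed earlier, together with the logging controls listed under Detection, to a handful of constructed, normalised log lines: off-hours activity, remote access while HR has the user on leave, reads of a share owned by another department, removable-media insertion, uploads to personal cloud storage, and software installation. The log format, the department and share-owner mappings, the leave calendar and the domain list are all assumptions made for the example; a real deployment would pull them from HR, the directory and the SIEM.

```python
"""Insider-threat indicator detection over constructed log lines.

Log format, department/share mappings, leave calendar and domain list are
assumptions for this example, not any product's schema.
"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime, time

# Reference data a real deployment would pull from HR/AD (constructed).
DEPARTMENT = {"alice": "finance", "bob": "engineering", "carol": "finance"}
ON_LEAVE = {"bob": ("2024-03-04", "2024-03-08")}          # inclusive date range
SHARE_OWNER = {"/srv/shares/finance": "finance",
               "/srv/shares/eng": "engineering",
               "/srv/shares/hr": "hr"}
PERSONAL_CLOUD = ("dropbox.com", "drive.google.com", "mail.yahoo.com")
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Constructed, normalised events: "<ISO time> <source> key=value ...".
LOG = """\
2024-03-05T02:14:09 vpn user=bob src=203.0.113.7 action=login
2024-03-05T02:20:41 file user=bob path=/srv/shares/finance/q1-forecast.xlsx op=read
2024-03-05T02:22:03 usb user=bob host=lap-bob vid=0781 pid=5567 action=insert
2024-03-05T09:15:00 file user=alice path=/srv/shares/finance/q1-forecast.xlsx op=read
2024-03-05T09:16:30 proxy user=alice host=www.dropbox.com method=POST bytes=4200000
2024-03-05T10:02:11 proxy user=carol host=example.com method=GET bytes=12000
2024-03-05T10:05:00 install user=carol package=teamviewer action=installed
2024-03-05T23:40:12 file user=carol path=/srv/shares/hr/salaries.xlsx op=read
"""

@dataclass(frozen=True)
class Alert:
    when: datetime
    user: str
    rule: str
    detail: str

def parse(line: str) -> tuple[datetime, str, dict[str, str]]:
    ts, source, *pairs = line.split()
    return datetime.fromisoformat(ts), source, dict(p.split("=", 1) for p in pairs)

def on_leave(user: str, day: date) -> bool:
    span = ON_LEAVE.get(user)
    return span is not None and date.fromisoformat(span[0]) <= day <= date.fromisoformat(span[1])

def share_owner(path: str) -> str | None:
    return next((dept for prefix, dept in SHARE_OWNER.items() if path.startswith(prefix + "/")), None)

def is_personal_cloud(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in PERSONAL_CLOUD)

def detect(log_text: str) -> list[Alert]:
    alerts: list[Alert] = []
    for line in log_text.strip().splitlines():
        when, source, f = parse(line)
        hits: list[tuple[str, str]] = []
        # Odd hours: any activity outside the business-hours window.
        if not BUSINESS_HOURS[0] <= when.time() <= BUSINESS_HOURS[1]:
            hits.append(("off_hours_activity", f"{source} at {when.time()}"))
        # Remote access while HR has the user on leave.
        if source == "vpn" and on_leave(f["user"], when.date()):
            hits.append(("remote_access_on_leave", f"login from {f['src']}"))
        # Reading a share owned by another department.
        if source == "file":
            owner = share_owner(f["path"])
            if owner and owner != DEPARTMENT.get(f["user"]):
                hits.append(("out_of_scope_access", f"{DEPARTMENT.get(f['user'])} user read {f['path']}"))
        # Removable media, personal cloud uploads, software installs.
        if source == "usb" and f["action"] == "insert":
            hits.append(("usb_device", f"vid={f['vid']} pid={f['pid']} on {f['host']}"))
        if source == "proxy" and f["method"] == "POST" and is_personal_cloud(f["host"]):
            hits.append(("cloud_storage_upload", f"{f['bytes']} bytes to {f['host']}"))
        if source == "install":
            hits.append(("software_install", f["package"]))
        alerts.extend(Alert(when, f["user"], rule, detail) for rule, detail in hits)
    return alerts

def per_user(alerts: list[Alert]) -> dict[str, int]:
    """Hit count per user; the stacking of hits on one person is the real signal."""
    return dict(Counter(a.user for a in alerts))

if __name__ == "__main__":
    found = detect(LOG)
    for a in found:
        print(f"{a.when:%Y-%m-%d %H:%M:%S} {a.user:<6} {a.rule:<24} {a.detail}")
    print(per_user(found))
```

Each rule on its own is deliberately simple; the value is in the stacking per user. One off-hours read is noise, while an off-hours VPN login during leave, followed by a read of another department's share and a USB insertion, is exactly the pattern the list above describes. Treat the business-hours window as a baseline to tune per role, or shift workers will drown the signal.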
Insider Threat Defenses - Prevention
- Prevent all removable media from being used
- Block access to personal email and file storage services
- Block end users from installing software
- Stops a technique before it can be used
- Cheapest once implemented
- Often clashes with a company's office culture
- Can inhibit department-specific productivity
The Bank Heist – Forensic Analysis
- File servers and internal web apps were scraped for sensitive information
- Data was moved out of the organization's control via USB, personal email, and printing
- Files were deleted locally after being exfiltrated
- The forensic timeline showed over 100 files taken and the precise times at which each action occurred
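To show what a forensic timeline of this kind looks like in practice, here is an added example; it is illustrative code written for this page, not the analysis from the case above or any forensic product's output. It merges five constructed sources (file-server audit log, endpoint USB connect/disconnect events, the endpoint file-system journal, the mail gateway log and the print-server log) into one time-ordered list, then, for every file the user read from the server, looks for the channel that moved a copy out (a write to the removable drive while a stick was mounted, an email to an external address, or a print job) and for the later local deletion. The usernames, hostnames, paths, drive letter and field layouts are assumptions for the example.

```python
"""Rebuild an insider exfiltration timeline from several constructed log sources."""
from __future__ import annotations
from collections import namedtuple
from datetime import datetime, timedelta
import posixpath

INTERNAL_DOMAIN = "corp.example"
USER, HOST = "carol", "lap-carol"   # employee and endpoint under investigation (assumed)
REMOVABLE = "E:/"                   # drive letter the USB stick mounted as (assumed)

# Constructed samples; the field layouts are this example's, not any product's.
SERVER_AUDIT = """\
2024-02-12 08:03:11,carol,READ,/srv/shares/finance/client-list.xlsx
2024-02-12 08:03:40,carol,READ,/srv/shares/finance/wire-templates.docx
2024-02-12 08:05:02,carol,READ,/srv/shares/finance/q4-ledger.xlsx
2024-02-12 08:06:15,carol,READ,/srv/shares/finance/board-minutes.pdf
2024-02-12 08:09:30,carol,READ,/srv/shares/finance/staff-phone-list.xlsx
"""  # file-server audit: time,user,op,path
USB_EVENTS = [("2024-02-12T08:04:30", "lap-carol", "SanDisk Ultra", "connect"),
              ("2024-02-12T08:12:00", "lap-carol", "SanDisk Ultra", "disconnect")]
ENDPOINT_FS = """\
2024-02-12T08:04:55 lap-carol CREATE E:/client-list.xlsx
2024-02-12T08:05:30 lap-carol CREATE E:/q4-ledger.xlsx
2024-02-12T08:07:10 lap-carol DELETE C:/Users/carol/Downloads/client-list.xlsx
2024-02-12T08:07:12 lap-carol DELETE C:/Users/carol/Downloads/q4-ledger.xlsx
2024-02-12T08:20:00 lap-carol DELETE C:/Users/carol/Downloads/wire-templates.docx
"""  # endpoint file-system journal: time host op path
MAIL_LOG = """\
2024-02-12T08:08:05 carol@corp.example carol.p@webmail.example wire-templates.docx
2024-02-12T08:30:00 carol@corp.example bob@corp.example board-minutes.pdf
"""  # mail gateway: time sender recipient attachment
PRINT_LOG = "2024-02-12T08:11:40 carol PRN-FIN-2 board-minutes.pdf\n"  # print server: time user printer document

# obj is the file basename (or device name); action is READ/CREATE/DELETE/connect/disconnect/internal/external/PRINT
Event = namedtuple("Event", "when source action obj detail")
TakenFile = namedtuple("TakenFile", "name read_at channel channel_at wiped_at")

def build_timeline() -> list[Event]:
    """Normalise every source into Event records and sort them into one timeline."""
    ev: list[Event] = []

    def add(t: str, *rest: str) -> None:
        ev.append(Event(datetime.fromisoformat(t), *rest))

    for line in SERVER_AUDIT.strip().splitlines():
        t, user, op, path = line.split(",")
        if user == USER:
            add(t, "server", op, posixpath.basename(path), path)
    for t, host, dev, action in USB_EVENTS:
        if host == HOST:
            add(t, "usb", action, dev, host)
    for line in ENDPOINT_FS.strip().splitlines():
        t, host, op, path = line.split()
        if host == HOST:
            add(t, "endpoint", op, posixpath.basename(path), path)
    for line in MAIL_LOG.strip().splitlines():
        t, sender, rcpt, att = line.split()
        if sender == f"{USER}@{INTERNAL_DOMAIN}":
            add(t, "mail", "internal" if rcpt.endswith("@" + INTERNAL_DOMAIN) else "external", att, rcpt)
    for line in PRINT_LOG.strip().splitlines():
        t, user, printer, doc = line.split()
        if user == USER:
            add(t, "print", "PRINT", doc, printer)
    return sorted(ev, key=lambda e: e.when)

def usb_connected_at(timeline: list[Event], when: datetime) -> bool:
    """Replay connect/disconnect events up to `when` to learn whether a stick was mounted."""
    state = False
    for e in timeline:
        if e.when > when:
            break
        if e.source == "usb":
            state = e.action == "connect"
    return state

def exfil_channel(timeline: list[Event], e: Event) -> str | None:
    """Name the channel an event represents, or None if it moved nothing out of the company."""
    if e.source == "endpoint" and e.action == "CREATE" and e.detail.startswith(REMOVABLE):
        return "usb" if usb_connected_at(timeline, e.when) else None
    if e.source == "mail" and e.action == "external":
        return "email"
    return "print" if e.source == "print" else None

def correlate(timeline: list[Event], window: timedelta = timedelta(hours=1)) -> list[TakenFile]:
    """For each server read, find the first exfil channel and the earliest later local deletion."""
    taken: list[TakenFile] = []
    for read in (e for e in timeline if e.source == "server" and e.action == "READ"):
        later = [e for e in timeline if e.obj == read.obj and read.when < e.when <= read.when + window]
        channels = [(ch, e.when) for e in later if (ch := exfil_channel(timeline, e))]
        if channels:
            wipes = [e.when for e in later if e.source == "endpoint" and e.action == "DELETE"]
            taken.append(TakenFile(read.obj, read.when, *channels[0], min(wipes, default=None)))
    return taken

if __name__ == "__main__":
    for f in correlate(build_timeline()):
        print(f"{f.name:<22} read {f.read_at:%H:%M:%S}  out via {f.channel:<5} {f.channel_at:%H:%M:%S}  local copy deleted: {f.wiped_at}")
```

The deletions are what make the timeline persuasive: a file that was read from the server and then wiped locally minutes after a write to a USB stick is far harder to explain as ordinary work than either event on its own. The one-hour window is a parameter; widen it when the actor paces the activity over days, and expect the print and internal-mail branches to need the most tuning, since both are routine for most staff.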
Some resources that might be helpful:
- C3 Cyber: CyberCrime, CyberWar, CyberTerrorism
- International Cyber-Security
- Ransomware Tips
- NSA Looking to Exploit Internet of Things, Including Biomedical Devices, Official Says
In the next article:
Proactive measures, file exfiltration, forensic analysis, anti-forensics, and insider threat policy.
The opinions expressed in this contributor article are solely those of the author, and do not necessarily reflect those of individuals
Sources: Trend Micro, Wikipedia, RSA