SAN FRANCISCO – Companies keep watchful eyes on disgruntled employees who are insider threat risks. But Code42’s CISO Jadee Hanson said distraught employees, that are particularly vulnerable to outside ploys, should be equally scrutinized.
Hanson said factors such as terminal illnesses, divorce or personal tragedies can be used against employees by attackers in the form of phishing emails that contain risky attachments and links. She said more companies are now trying to identify these “high risk” employees before external attackers do.
“If I can get the person in the finance department of a company to wire money to someone because I’m preying off of something that is going wrong in her life, and I’m threatening to tell her boss, that’s a much higher payoff to me than sending the mass phishing attack to everybody in the company,” Hanson told Threatpost in an interview at the RSA Conference 2019 last week.
She said adversaries are combing through social media and any other type conversation threads they can get their hands on to find a target who may be contributing to a survivor or support message board.
What follows is a video interview conducted at the RSA Conference last week.
For all Threatpost’s RSA Conference 2019 coverage, please visit our special coverage section, available here.
** What follows is a transcript of the interview **
Tom Spring: Hi. We’re here at Broadcast Alley at RSAConference in San Francisco, and I’m joined by Jadee Hansen with Code42. Jadee, please introduce yourself.
Jadee Hansen: I’m Jadee Hansen. I’m the CISO at Code42 and also lead our IT team.
Tom Spring: Well, Jadee, welcome to Threatpost Broadcast Alley. I was really intrigued by our last conversation when we were talking about different types of cybersecurity as it pertains to not just firewalls but more specifically towards insider threats and the unique ways that the adversaries are exploiting insider threats, which I honestly hadn’t considered until you shared them with me. Can you talk a little bit about your insider threat perspective and some of the new threat landscapes you’re seeing there?
Jadee Hansen: Absolutely. Yeah. You know, from a security perspective, we’re very focused on the external actor and sometimes lose sight of the internal threat that we should be all aware of. There was something that was just released this week on the Verizon data breach report talking about the rise of the insider threat issues and classifying them as either malicious or non-malicious, and it’s fascinating.
We like to think that all the employees that we work with love where they work and wouldn’t do anything to harm our company. However, we’ve seen it play out how insiders and how employees of companies absolutely take advantage of the companies that they work for.
Tom Spring: You know what is interesting, though, was what you were talking about when it comes to adversaries taking advantage of people’s, I don’t know, for lack of a better term, psychological vulnerabilities.
Jadee Hansen: Yep.
Tom Spring: To where if somebody’s lost a loved one or is dealing with some type of critical issues, how these things are exploited by the bad guy.
Jadee Hansen: Yeah.
Tom Spring: In the real world.
Jadee Hansen: Yeah. There’s psychological studies that look at tone and language that employees use throughout the work day, and so if it’s negative in nature, the adversaries can absolutely take advantage of that and use that person.
Tom Spring: But how would the adversaries get a hold of the context of any communication? Is that, is this a post-penetration sort of analysis –
Jadee Hansen: Yes.
Tom Spring: In terms of being able to analyze emails or perhaps a personal blog or something along those lines? Social media?
Jadee Hansen: Yeah. Social media. Twitter. Following certain security people or certain people that have sort of elevated access. What are they saying in a public forum, and trying to exploit them. Just knowing that they’re more of a disgruntled employee rather than your average employee.
Tom Spring: That reminds me of a study that came out last year about how, it was an APT attack against lonely engineers, and the adversary scanned their social media feeds, their LinkedIn, and they posed as a young, attractive woman who had an interest in photography, and she used that, or I should say the adversaries, the APT used that to infiltrate many companies, not just one. I feel like that’s kind of where your messaging is coming from.
Jadee Hansen: Absolutely. Just thinking through what are the, what’s the employee’s weaknesses, and having the adversary prey on that.
Tom Spring: So can you talk more specifics in terms of what you’ve seen or what data is coming back in terms of, without naming names, in terms of what you’ve seen, and how, I mean, it’s not just malicious. It’s sinister. It’s pretty nasty. Do you have any examples of how this has played out in the real world?
Jadee Hansen: I don’t have a very specific example. I can talk through many kind of general examples that I’ve seen. A simple example is phishing attacks. So somebody’s gonna spearphish someone, they’re looking for that emotional or very public weakness to exploit, and they’re getting people to click on links or download malware or engage in a conversation just over email.
Tom Spring: So this seems much more like a spear phishing attack, where they’ve found their target, and they’re looking for ways to get people to open up an email.
Jadee Hansen: Yep.
Tom Spring: Is it all email based? How does it play out?
Jadee Hansen: I would say email is probably the most prevalent. You’re going to see that most often just because it’s the easiest. It’s easy for an attacker to send an email and get somebody to click on a link. We click on links every day all day. So email tends to be the most prevalent used attack path because it’s easiest for an adversary to get in.
Tom Spring: But was there ever a shift, I guess, in terms of adversaries using, like, “You won a free trip,” to “Latest cures for cancer” to “I was just talking with your ex, and I have something for you to look at. Click here.” Is there a shift? Has there been an evolution?
Jadee Hansen: Yeah. There certainly has been. So it used to be just the spam, all the phishing attacks to a company, and it has gotten much more targeted because the payoff for a targeted attack is much higher. So if I can get the person within the finance department of a company to wire money to someone because I’m preying off of something that is going wrong in her life, and I’m threatening to tell her boss, that’s a much higher payoff to me than sending the mass phishing attack to everybody in the company.
Tom Spring: And are we seeing more and more of these types of attacks?
Jadee Hansen: Absolutely.
Tom Spring: Can you give me any sense of how these are playing out?
Jadee Hansen: I can’t give you percentage changes.
Tom Spring: All right.
Jadee Hansen: Because a lot of it is not really public.
Tom Spring: All right. Well, here’s the $10,000 question. Is there anything that companies can do, knowing that perhaps people within their company may be vulnerable in more ways than one? They may be vulnerable emotionally and then be considered bigger targets to these types of phishing attacks. From a CISO standpoint, that must be crazy navigating the privacy issues, navigating … I’m drawing a blank in terms of all the issues that are involved with something like that, but how do you in a company deal with those types of sensitive insider threats?
Jadee Hansen: So building insider threat programs is not easy. It’s a strong partnership with HR and whatnot, but having a program that looks for a disgruntled employee, that looks for abnormal behavior, that looks for language being used in emails that might indicate an employee that is on the brink of doing something that they shouldn’t be doing. Even things like performance improvement plans or if you know that the employee is leaving the company. All of these things indicate risk aspects for an individual employee, and monitoring that behavior for that employee is what needs to be put in place.
Tom Spring: I guess I’m thinking of it from the employee standpoint. If my life is going so badly, all of a sudden I’m not only having a bad day, but my employer is now going to be considering me a high risk at work. Is that the sobering truth of the matter?
Jadee Hansen: That is the sobering truth of the matter.
Tom Spring: That’s pretty heavy stuff.
Jadee Hansen: At the end of the day, security teams need to be transparent about it because the job of the security team is to protect the company. And so if that means that I have to monitor you closer, that’s what that means. And so being transparent about it and telling your employees this is what we’re doing and this is why we’re doing it makes it a little bit more inclusive than singling you out.
Tom Spring: All right. Just to be a little more paranoid here. So are employers taking this aspect of cybersecurity more seriously today than ever before?
Jadee Hansen: Yes. Absolutely. And you think about it, too. As perimeter defenses get better and better, and our tools get better and better, the adversaries still need a way to get into an environment, and the way to get in is the employee that works there that has access already.
Tom Spring: I gotta tell you. It’s kind of one of those, you’re damned if you do, and you’re damned if you don’t, especially when you consider some of the privacy concerns from an employee standpoint, but it makes so much sense from an employer standpoint when these types of threats can walk in the door twice as easily because of an employee who’s more vulnerable than others.
Jadee Hansen: Exactly. Absolutely.
Tom Spring: Well, that’s a fascinating look into a really important topic, and I want to thank you so much for talking with us.
Jadee Hansen: Thank you, Threatpost.
Tom Spring: And joining us here at RSA. Thank you.