Some of the most damaging attacks to hit organizations over the last several years weren’t caused by outside threat actors. They originated from within an organization’s corporate network. They were inside jobs.
It’s not that outside attackers don’t pose a threat. Between adversaries looking to steal data, nation state attackers wielding the newest zero days, and hacktivists looking to cause hijinks, today’s cyberattackers present a constant challenge for today’s defenders.
What makes insider threats more threatening is, almost unequivocally, they have the deck stacked in their favor.
According to Verizon’s 2018 Protected Health Information Data Breach Report, over half of all healthcare cybersecurity incidents last year (58 percent) involved insiders. When looking at Verizon’s other study, the flagship Data Breach Investigations Report, more than 28 percent of all breaches – not just healthcare – were carried out by insiders.
By design, insiders – trusted employees, contractors, and business partners – already have privileged access to sensitive material. Having that access spares bad actors from perhaps an attacker’s biggest challenge: Having to gain access to a system in the first place.
Without having to engineer an exploit or install malware – something that would likely trip security alerts – insiders can operate quietly, under a veritable shroud of secrecy. If there are controls in place on a system, an insider would know and could easily bypass them – assuming they have the appropriate access privileges. With insiders, there’s no need to install a backdoor to communicate with a command and control infrastructure. Already having a foothold on a targeted system can greatly help eliminate overhead for attackers.
Insider Threats: Keeping a Low Profile
While all of these are wins for insiders, the biggest payoff comes from a noise level perspective. By being able to pull off an attack internally, insiders can keep the noise down, and operate within their own established baseline, all without raising the scrutiny or suspicion of administrators.
While it helps that insiders have access to systems, the fact that they’re familiar with the environment – where the most critical data is stored – can’t be underscored enough either.
When it comes to knowing where data is stored, outsiders can be blind. When an adversary gains access to a system they need to acquaint themselves with the particulars, like whether or not they need further access to systems or settings, and whether their overall objective is even possible given the scope of those needs. A lot of discovery needs to be done, which can take time and conflict with the time window an attacker may have. Insiders have valuable contextual knowledge that can assist them in accessing and stealing data, swiftly and undeterred.
Speaking of stealing data, insiders have a plethora of options for exfiltrating it. Unlike an outsider, which usually has to exfiltrate data via a command and control tunnel, an insider can exfiltrate data through a handful of methods. In some instances attackers can print data they’re looking to steal, copy it on USB devices, save it to cloud storage, or burn it to disk. An insider can even take pictures on a phone because they have physical access.
That’s to say nothing of legitimate tools already installed on employee machines, like instant messaging apps, browser extensions, and third party apps that can be used to covertly exfiltrate data without an administrator’s knowledge. In 2018 the possibilities are endless.
Access is Everything for Insider Adversaries
When it comes to malicious insiders, what’s often overlooked isn’t the concept that they’re in the best position to steal valuable intellectual property and data, it’s that they’re in the best position to open up their organizations to vulnerabilities in the network. That in turn can grant outsiders access to the system. Even if they’re not out to steal data, insiders can click on links, open email attachments, and visit infected websites. These actions can open the floodgates for attackers, essentially allowing adversaries to walk in through the front door.
Recent research supports this idea as well. Almost one in five breaches Verizon looked at in its DBIR were spurred by such negligence.
The inherent problem in this scenario is that many employees at companies lack fundamental security knowledge and that alone exposes networks to risk.
These days there’s an increased attack surface for the insider. The consumerism of IT has helped the bring your own device (BYOD) culture permeate organizations. It’s difficult for administrators to fundamentally secure personal laptops and their configurations. When employees deal with sensitive data and are allowed to sync that data to their BYOD, corporations can expose themselves to risk if they don’t have visibility on that endpoint.
Unlike insiders, outsiders certainly have their power in numbers; an outside hacking group can be comprised of large organizations of hackers, while state funded governments have the money and the means to steal data. At the end of the day it can be difficult to stop that.
Discussion around insiders versus outsiders has been the subject of fierce debate over the years and will likely continue for the years to come.
CISOs should be dedicating funds to prevent their own employees from enabling threat actors getting into their systems, a vector that in my experience accounts for almost 90 percent of intrusions. This includes rolling out security awareness campaigns to educate end users on day-to-day security best practices, gaining enhanced visibility across all endpoints to minimize any dwell time of an intrusion and neutralize any successful compromises that have taken place, and effectively managing the company’s assets in knowing where your most sensitive data resides and implementing additional safeguards around those systems.
(Tim Bandos is VP of Cybersecurity at Digital Guardian)