As it becomes more difficult and expensive to infiltrate environments via malware, cybercriminals may in the future turn to a more viable and less costly alternative: insider threats.
Threatpost talks to Tim Brown, vice president of security at SolarWinds, about various trends he’s seeing around insider threats – including the potential for insider threats to be seen as a more viable option in the cybercrime world than malware. “One of the things that a number of folks in the security industry see is that malware’s continuing its exponential climb, we expect to see a drop off, right? And that drop off is going to be when it’s more economically feasible to hire an insider than it is to utilize malware to infiltrate data and infiltrate systems,” he told Threatpost. “So at some point in time, we believe that that’s going to occur.”
Brown also talked about how to spot the telltale signs behind notorious insider threats such as Edward Snowden, what the top insider threats are, and why the threat from departing employees is increasingly pushing companies to update their offboarding policies.
Below is a lightly-edited transcript of the podcast.
Lindsey O’Donnell: This is Lindsey O’Donnell with Threatpost. Welcome back to the Threatpost podcast. And I’m joined today with Tim Brown, the Vice President of Security at SolarWinds. And we’re going to talk today about insider threats. So Tim, how’s it going today?
Tim Brown: Great. Thanks, Lindsey. Great topic. Insider threat is something that’s very real and important for everybody to kind of understand and understand where it’s going and how it’s evolved.
LO: Right. Yeah, this is definitely kind of a big issue. And I think I saw that SolarWinds actually came out with a report a few months ago, that was about insider threats. And it found that insider threats was a leading cause of security incidents. So it’s nothing that can be undermined, very important.
TB: Yeah, and I think when we think about the insider, right, it’s important to think about both the general user in the company, them making mistakes, them doing things that cause harm to the company. Now our survey showed, I think that 62% said that users making mistakes is one of the biggest issues that they had within their environment. But then of course, we have the malicious insider, right? Those people that are acting maliciously, to infiltrate a company. We have both of those types.
LO: Well, yeah, that’s a really good point. And I personally, when I think of insider threats, what comes to mind is kind of those situations where malicious actors are abusing their position within the company to steal data. And we’ve seen that I mean, if you remember, what comes to mind for me is Anthem. If you remember, in April 2017, they had an employee that was stealing and misusing Medicaid member data. So situations like that is usually what I think of, but like you say, I mean, insider threats aren’t always just a malicious actor, right? It can be a user who just makes a mistake that puts the company at risk. It can be exposures caused by poor system security. So what did your survey find in that regard? I mean, can you kind of break down different examples of insider threats?
TB: Yeah, absolutely. Absolutely. So let’s see, 62% cite that users making mistakes were the biggest thing that put them at risk. Fewer than half the survey that responded cited external bad actors as their major problem. And of the insider threats more than 50 percent surveyed claimed that regular employees, not privileged users, pose severe threats. That’s interesting, right that regular employees, not privileged users. And you know, I think the key is sometimes that we don’t necessarily classify users in the right way. And we think of privileged users as just those IT system administrator folks. But in many cases, the ones that can do a lot of harm are the ones that have access to your customer data. So marketing people, the ones who have access to your sales data, sales people, so the ones that have access to your source code, or engineers, but it’s really not just who we consider privileged, in the face of, you know, privileged IT users that can cause the biggest threat. Because sometimes it’s others in the organization.
LO: Right, for sure. And I mean, when you look at the different types of employees too – I mean, you mentioned the marketing department, which is certainly interesting. I mean, it’s definitely a lot more than IT administrators. And I think that your survey mentioned it was also, it could even be partners, it could be –
TB: – Vendors, yep, absolutely. Now just runs the gamut of who you’re providing that access to and what that access allows you to do. Now if we look back a little while; Target, right Target’s whole breach started because of the HVAC vendor having too much access into the environment. So that HVAC vendor should have been considered an insider, should have been reviewed for the access that they were granted. And yes, there were mistakes made that that access gave them all the way to the access to the point of sale terminal. But the fact that they were a partner with access should have put them into an insider threat model.
LO: The Target example is a really good one for sure. And I’m curious too, I mean, with all these types of threats across the board, from like contractors to partners to, like we’re talking about, third-party vendors, how can you manage all that and how can you kind of try to mitigate the risks there when it comes to insider threats?
TB: Yeah, I mean, I think the first one is if we look at the general users, right, training is critical. Getting people aware of the threats that they face. Getting people to understand that hey, you know, use the right accounts for the right things. Just ways to be able to help people start thinking about security as a day to day part of their job helps stop some of the general misconceptions around security. So training the general population is kind of job one, right and then carving off those 20% of folks that actually have access to data or systems or applications that could be doing material harm to your company. You know, those 20% at the top, you really do need to treat specially, right, you need to be able to monitor them more, you need to be able to watch them more closely. We need to be able to make sure that they’re acting, not under duress, but acting by themselves. So we really need to have both, you know, a couple levels of control. One is for the everybody and one is for that 20% that may be actually subject to either an attempt to be cut from an insider course or they could be an insider themselves.
LO: Yeah, I mean, when you talk about monitoring, what are kind of the telltale signs to really look out for when it comes to insider threats, how can you kind of spot insider threats before they happen? And then also kind of after they occur as well? Because I feel like there have to be some red flags either in terms of who employees are, what’s motivating them.
TB: Yeah, it’s not an easy problem, right? So you can look at behavior that they’re doing, look at behavior that they’ve done in the past, you can look at, you know, deviations from that behavior. You can look to see input controls in place that don’t allow people to get to, you know, essentially materially specific data or systems without having two keys, right you can put protections in place that say, Hey, this is going on. You can also test them. So you can put honey pots into systems and allow people try to connect to those honey pots. You know, some of the interesting work that I did a while ago was looking at the patterns of individuals outside of the computer systems, right? How do they look? What have they been doing on the outside?
For one example, how we would have we used Snowden as an example. And you know, what we looked at Snowden he had rights, he could access all the data that he had wanted to get access to. It wasn’t like he was trying to circumvent security controls. And they touched a lot of data, right. They normally touched a lot of data. So we may have been a little pick up on volume that would have gotten but what actually was a telltale sign for a Snowden was that he didn’t follow a normal path of career. He looked at his career path. He took jobs that gave him less money and less power. So that was very different than his peer. His motivation was data, his motivation wasn’t power or money. So when we look at that, that’s a way to really catch the high level kind of spy types.
LO: The behavioral aspect of it, too, is a really interesting kind of angle of the employee insider threat. I mean, is there anything personality wise that you could kind of look out for either, you know, discontent with company or, you know, when you look at kind of the grudging employee?
TB: Yeah, there’s some great studies that have been done on essentially spies, right. If you look at all the spy novels, and if you look at the spy books and the studies that are on the spot, right, they in general are discontent, in general believe that they haven’t been paid enough. They generally believe that they are, you know, a lot better than other people. They generally believe that they’ve been passed over for certain things. There’s a lot of those generalities that if you apply to an insider set profile, you can actually get to a profile for who is either coercible or who has been coerced. It’s pretty interesting.
LO: Yeah, no, that brings me to another question I had as well when you talk about kind of coercion, is what’s kind of the common motivation for a lot of these insider threats; is it discontent with company or anger against company, is it outside nation state factors? I know that we had like, you have like kind of that dramatic example of, I think his name was Greg Chung, who spied for China, you know, for like more than a decade while employed at Rockwell and Boeing and things like that. So what do you see with those types of motivations there?
TB: Yeah. So if you look at just, you know; nation states, absolutely, but if you look at organized crime, right motivation being money, if you look at their progression, and what you progress towards is more efficient business models all along the way, right? Why ransomware became more popular is because we took out the middleman to get paid, right now I can just take over system or set of systems and ask for direct payment, as opposed to taking over systems, selling that online and then getting paid. We see that insider threat is going to be a much more effective way to be able to circumvent security controls, and both more effective as well as less costly, right? So there’ll be economic benefits to do it. But you know, one of the things that a number of folks in the security industry see is that malware’s continuing its exponential climb, we expect to see a drop off, right? And that drop off is going to be when it’s more economically feasible to hire an insider than it is to utilize malware to infiltrate data and infiltrate systems. So at some point in time, we believe that that’s going to occur. So motivation is money. Motivation is control, power and stealth. And motivation is simply that when you’re looking at systems, protections around them have gotten better and better and better. So when you look at how would I infiltrate this environment, how would I get to my end goal? Malware is one way, infiltrating systems from the outside is one way, but the insider’s absolutely in that arsenal of weapons that somebody has to be able to do it and you look at systems you say, well, maybe it’s just easier for me to get hired, right or have somebody hired. So it’s absolutely brought up as a new potential model to be able to infiltrate that.
LO: Right. Yeah, that’s really interesting. I feel like one thing that is an interesting aspect of it too is this concept of departing employees and how they’re kind of becoming a big insider threat for organizations. Have you seen that as well? I mean, what can we kind of do to mitigate this risk too?
TB: Yeah, I wish. I wish I could say that companies were perfect when employees left, right? But there’s way too many cases of people still having credentials years after they left. And with the proliferation of cloud services, and the proliferation of multiple identities that means that you know, an employee going away may have 10, 20, 30, 40, 50 accounts right in their cloud service, that are completely separate from their corporate identity. Now, they may have been sponsored by the corporate identity but are not linked.
So one of the things that we have to understand is how each one of these applications gets acquired, how those applications get identities assigned to them. And make sure that we have a process to be able to track all the instances of Tim Brown that exist over an environment and clean them up when someone leaves. And that problem has not gotten better. It’s really gotten worse and the fact that the number of identities that we have ends up being more difficult. So it’s critical for people to put into place, both onboarding models, offboarding models and changing role models, because we’re always trying to limit the attack surface. So what we want to do is make sure that people have what they need, but no more than necessary to do their job.
LO: Right, for sure. I feel like the offboarding process is going to be a lot more important for kind of that data, privacy and management aspect of it.
TB: Yeah, absolutely.
LO: I feel like also, it’s what’s interesting is when you look at insider threats too you’re seeing kind of these new insider threats pop up, I think I read a report the other week about how the newer generation of workers are posing threats like, inadvertently but you know, posting sensitive information about their companies on social media, things like that, that may not be malicious, but they’re definitely leaking data. So, do you see kind of these types of insider threats becoming a bigger issue within the future?
TB: Yeah, absolutely. And you know, it’s become easier because of social to be able to come up with really predictable and meaningful scenarios to utilize right; you look up who say who’s at a company you look at, you know, where they’re posting you understand kind if they’re on vacation this week. So you can come up with a valid reason to come into a company and request them. So the whole social idea gives the bad guys a whole lot of information in order to perpetrate crime, right. It gives them enough information to be able to come up with scenarios that are real, and gives them enough information to profile companies and people and individuals within the organization. So all the social posting – it is what it is. It’s just the way that we live today, but it just opens up a great deal of information that can be utilized by the bad guy.
LO: Yeah, for sure. Well, something to be looking out for in the future. You know, I just want to end with just a question on kind of where you see insider threats going in the future. Do you think that this is going to grow as a threat, or do you think that companies are going to get more of a handle on the various types of insider threats, or both, I mean, where do you see this going in 2020?
TB: Yeah, so I think that, hopefully we’ll see people taking the general people, in the general population seriously, so training the general population, give them information so that they understand where they’re at, where they’re at risk, give them, you know, appropriate knowledge so that they know what’s acceptable to do what’s not acceptable to do and help them through that process.
Then on the other side, I think as we move forward, we’re going to realize that the best way to infiltrate certain environments is through an insider, if that ends up being the case, you know, companies can put specialized controls on those most important assets that would be an attack surface, that would just make sense from an insider. Right and be able to put checks and balances in there so that people can act alone, right people need to have essentially two keys to perform actions, people need to be able to have validated access, people need to have more monitoring associated with that. So essentially making the insider threat model as hard as the external threat model. And I expect that insider will become more and more and more of a threat. And, you know, over time companies will take appropriate actions to be able to combat it. But it is one that I think we’re a little bit behind on the action.
LO: Tim, thank you so much for coming onto the Threatpost podcast today to talk about insider threats and kind of give us more information there.
TB: Thank you very much, Lindsey. Good talk.
LO: Great. Sounds good. And once again, this is Lindsey O’Donnell with Threatpost talking with Tim Brown of SolarWinds. Catch us next week on the Threatpost podcast.