Insider Threats: The Danger From Within

Most companies focus on external attackers in the fight against cybercrime. But there is also a growing threat lurking within our own ranks. The IT security experts at FireEye Mandiant predict that 33 percent of all security incidents will be caused by insider threats in 2021. What can companies do to protect themselves?

Legitimate access is essential: employees have it, and attackers want it. The best lock on the door is useless if the criminal is already inside the house, as every fan of crime fiction knows. The situation is similar with cyber attacks that come from within an organization's own ranks. They are particularly dangerous because the perpetrators are people the organization actually trusts. It is all the more worrying that the number of insider threats is rising significantly. In 2019 and 2020, Mandiant teams recorded more cases than ever in which insiders compromised business-critical systems, disclosed confidential data or blackmailed their employers. Such incidents can cause considerable financial damage and endanger the company's reputation.

Who is behind insider attacks?

Most insider threats can be traced back to negligent employees who mean no harm but open a door for attackers through carelessness. However, there are also deliberate attacks by insiders. Just like attacks by external actors, these often run over a long period of time. The attackers usually try to remain unnoticed and to cover their tracks; in some cases they even use other employees' accounts to draw attention away from themselves.

Insider attacks are no longer just the work of the disgruntled ex-employee who wants to take revenge on, or steal from, a former employer. Essentially everyone who has access to networks, systems and data is a potential risk: your own employees as well as your business and supply chain partners. Organizations holding significant intellectual property, companies that are merging or being acquired, and companies undergoing major changes and challenges are at increased risk of becoming the victim of malicious insiders.

Contrary to what you might expect, actors nowadays often do not act alone but in groups, which may also include IT administrators and insider threat team members who suppress alerts and investigations. Sometimes members of such a group sit outside the company, for example in criminal or even government-affiliated organizations, and carry out the technical work that enables data access and theft.

The four most common insider threats

Mandiant's investigators have examined various types of insider attacks in the field. Four trends are emerging:

Digital extortion

The malicious insider threatens to reveal stolen data and may pretend to be an outside hacker. Usually the insider demands a ransom in a digital currency such as Bitcoin.

Industrial espionage

In this scenario, the malicious insider steals intellectual property and shares the data with third parties, including government actors, in order to obtain compensation or a job opportunity.

Asset destruction

The malicious insider tries to disrupt business-critical systems, cause operational outages or destroy important data.

Stalking

The malicious insider gains access to sensitive employee data or user accounts of colleagues in order to obtain personal information.

Jon Ford, Managing Director of Global Government Services & Insider Threat Security Solutions at Mandiant (Image: FireEye).

Companies are under enormous pressure, especially when faced with extortion attempts: should they comply with the demands, or should they try to identify the insider as quickly as possible? And what if they cannot do so in time? Understanding attack scenarios and tracking down perpetrators is complex. The main challenges security teams face in an extortion attempt are 1) determining whether data has actually been stolen, and 2) distinguishing between an insider incident and an attack by a malicious third party. This requires a combination of technical forensics, threat intelligence and traditional investigative methods. External specialists can provide independent analyses and significant expertise here.

How companies can protect themselves against insider risks

To identify insider attacks efficiently, companies must combine technology with vigilance and educate their employees about the dangers of insider threats through regular training. Better still, companies should be aware of the danger posed by insider threats and take appropriate protective measures before an incident occurs. Five tips to minimize the risk:

  • Invest in an Insider Threat Data Loss Prevention (DLP) solution. It detects malicious behavior, raises an alert and can block actions if necessary. The solution should work both with and without an Internet connection.
  • Protect all environments in your networks with access controls. Every user, developer and administrator should be given only the rights they absolutely need for their daily work. Keep the number of employees who are allowed to create new accounts in on-premises and cloud environments to a minimum.
  • Forward log data and aggregated events to a SIEM (Security Information and Event Management) system. A central copy held outside the originating host ensures the authenticity of the logs and prevents an attacker from deleting or manipulating them.
  • Implement network segmentation. Separating network zones with security controls prevents an attacker from moving freely. Also limit unnecessary traffic between highly sensitive and less trustworthy environments, and separate every system that does not have to be publicly reachable from public access.
  • Make sure you offboard securely. When an employee leaves the company, block their network access immediately. Change all SSH keys, PEM files and passwords the person had access to, in every environment. Their multifactor authentication (MFA) enrollment should also be deactivated immediately.
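The offboarding tip is the one step in this list that is easy to get wrong in practice: a departing person's SSH key is rarely present only in their own account, it also tends to sit in shared service accounts behind a command= restriction. The following POSIX shell routine is an added example and not code from the article, FireEye or Mandiant. It revokes a key by its key blob (not by the editable comment) from every authorized_keys file below a given root, rewrites each changed file in place so mode and owner survive, and reports how many grants it removed. The user names, key blobs and directory tree are constructed fixtures built in a throwaway directory; the fixture paths contain no spaces, which the unquoted find loop relies on.

```shell
#!/bin/sh
# Added example (not from the article, FireEye or Mandiant): revoke a departing
# user's SSH public key from every authorized_keys file below a root directory.
# All key material, user names and paths below are constructed fixtures.

# Constructed keys; the base64 blobs are placeholders, not real key material.
ALICE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDALICEKEY000000000000000000000000 alice@corp'
BOB_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDBOBKEY00000000000000000000000000 bob@corp'
# Match on the key blob (second field of the key line), never on the comment:
# a comment can be edited freely, and the same key may be granted under another name.
ALICE_BLOB=$(printf '%s\n' "$ALICE_KEY" | awk '{print $2}')

# Build a throwaway tree: alice's own account, a shared deploy account where her
# key sits behind a command= restriction, and root's file without her key.
make_fixture() {
    root=$1
    mkdir -p "$root/home/alice/.ssh" "$root/home/deploy/.ssh" "$root/root/.ssh"
    printf '%s\n' "$ALICE_KEY" > "$root/home/alice/.ssh/authorized_keys"
    {
        printf '# managed by the deploy team\n'
        printf '%s\n' "$BOB_KEY"
        printf 'command="/usr/local/bin/deploy.sh",no-pty %s\n' "$ALICE_KEY"
    } > "$root/home/deploy/.ssh/authorized_keys"
    printf '%s\n' "$BOB_KEY" > "$root/root/.ssh/authorized_keys"
    for f in "$root/home/alice/.ssh/authorized_keys" \
             "$root/home/deploy/.ssh/authorized_keys" \
             "$root/root/.ssh/authorized_keys"; do
        chmod 600 "$f"
    done
}

# Count the authorized_keys lines below $1 that still carry key blob $2.
count_pubkey_refs() {
    root=$1; blob=$2; n=0
    for f in $(find "$root" -type f -name authorized_keys); do
        c=$(grep -cF -- "$blob" "$f") || [ $? -eq 1 ]   # grep exits 1 on zero matches
        n=$((n + c))
    done
    echo "$n"
}

# Remove every line carrying key blob $2 below $1 and print how many were removed.
# Unrelated keys, comments and option prefixes are kept; changed files are
# rewritten through the existing inode so mode and owner are preserved, and an
# audit copy of the previous grants is left next to the file.
revoke_pubkey() {
    root=$1; blob=$2; removed=0
    for f in $(find "$root" -type f -name authorized_keys); do
        tmp="$f.tmp"
        grep -vF -- "$blob" "$f" > "$tmp" || [ $? -eq 1 ]   # 1 means every line was removed
        before=$(grep -c '' "$f") || [ $? -eq 1 ]
        after=$(grep -c '' "$tmp") || [ $? -eq 1 ]
        if [ "$before" -ne "$after" ]; then
            cp -p "$f" "$f.revoked.bak"
            cat "$tmp" > "$f"
            removed=$((removed + before - after))
        fi
        rm -f "$tmp"
    done
    echo "$removed"
}

# Stand-alone demo on a throwaway directory; it never touches the real host.
demo() {
    d=$(mktemp -d)
    make_fixture "$d"
    echo "grants of alice's key before: $(count_pubkey_refs "$d" "$ALICE_BLOB")"
    echo "grants removed:               $(revoke_pubkey "$d" "$ALICE_BLOB")"
    echo "grants of alice's key after:  $(count_pubkey_refs "$d" "$ALICE_BLOB")"
    rm -rf "$d"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `sh offboard.sh --demo` to see the counts move from 2 to 0 while bob's key and the deploy team's comment line stay in place. The second-field match is what catches the grant in the shared deploy account; a search by user name or by the `alice@corp` comment would have missed it. The same blob-based search is worth running across every environment the person could reach, which is the point the offboarding tip makes about changing keys "for all environments".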

Regular assessments are important

To minimize the risk of insider threats, companies need data loss prevention processes, SIEM functionality, behavioral analysis and a dedicated team. The three core areas of people, processes and tools should all be taken into account. Investigations into insider threats should be based on evidence rather than on profiling, and that evidence must stand up to legal scrutiny. Outside specialists can review existing capabilities to maximize the return on investment, expedite the creation of a new insider threat program, or improve an existing program based on years of cataloging best practices across the industry. Since conditions can change quickly, it is important to carry out security assessments regularly. They make it possible to uncover weak points and continuously improve the security posture, giving companies an individual roadmap for effectively protecting themselves against insider attacks and their effects.

More at FireEye.com

About Trellix

Trellix is a global company redefining the future of cybersecurity. The company's open and native Extended Detection and Response (XDR) platform helps organizations facing today's most advanced threats gain confidence that their operations are protected and resilient. Trellix security experts, along with an extensive partner ecosystem, accelerate technology innovation through machine learning and automation to support over 40,000 business and government customers.