Securing Government Against Insider Threats

The uptick in recent years in cyber attacks by rival state actors, primarily Russia and China but not only, as well as by criminal groups, has pushed the US government to step up its effort to defend against these malicious actors.

While much of the focus has been on external actors, there has also been an ongoing effort to secure government organizations from internal threat actors.

Insiders present a serious risk because they have authorized access to be inside the organization. Without that access, they would be unable to do their jobs. 

But with that access also comes risk. These insiders already know where all the sensitive information is and how to get to it. Reaching a balance between granting enough access to function effectively while not exposing the organization to an unreasonable amount of risk is a significant challenge.

To understand this risk and how to mitigate it, let’s take a look at why government organizations are targeted, who the insiders are, and some steps that you can take to reduce that risk.

Why are Governments High Value Targets for Insiders?

In the cases of targeting a private organization, the motivations for the insiders almost always revolve around financial gain, often mixed in with a dose of resentment against their organization. 

Greed can be a potent motivator for insiders targeting the government, but the stakes are often much higher due to the scale and sensitivity of data held by governments.

Here are a few of the reasons why a government agency can be such a valuable target.

Stealing Classified Information

Espionage is one of the oldest security challenges, and governments have some pretty important secrets. From defense and diplomacy to economics, keeping information safe from prying eyes is critical to national security.

And there are plenty of other governments out there who are willing to pay top dollar for secrets or other information that will give them an advantage.

In many of the modern cases that we see, the targets are often government contractors working at companies like Lockheed Martin where the insider is looking to steal technology for a foreign government. 

One well known example is former CIA case officer Jerry Chun Shing Lee, who sold defense secrets to the Chinese government for hundreds of thousands of dollars. After being caught by the FBI, he pleaded guilty to transferring sensitive information to Chinese intelligence on a thumb drive. Lee was just one of a number of recent cases of former CIA officers cited by the US Justice Department that have been caught collaborating with the Chinese, a trend that is likely to continue as tensions rise between the two powers.

The government holds a lot of people’s information 

Whether your purpose is espionage or simply looking to steal a ton of information for profit, the government is a treasure trove of personal data. 

Everything from addresses to social security numbers, the government has everything that a fraudster would need for carrying out illicit operations. 

Ideological motivations or personal greed

While Edward Snowden is probably the most famous case of the insider threat, there are plenty of others in recent memory like Reality Winner and Chelsea Manning that have stolen information from the government because of ideological motivations.

In both of these cases, they decided to leak information that they felt would influence public opinion and hopefully influence policy, perhaps hoping to imitate the Pentagon Papers affair, where Daniel Ellsberg helped to change public perception of the Vietnam War. However, they both made the mistake of sending their stolen info to publishers that did little to protect their identities, the Intercept and Wikileaks respectively, and found themselves serving time in prison.

Even if these two may have had idealistic purposes behind their illicit activities, there are still plenty of folks out there who steal for standard, run-of-the-mill corruption or crime, which is likely far more common.

One case that springs to mind is Charles K. Edwards, a former acting Department of Homeland Security Inspector General who pleaded guilty to stealing government software and data for use in his own product. He coordinated with his former employee at the agency to help him in his effort, but both were eventually caught.

Who are the Insiders?

Motivations aside, not every insider is alike. 

  1. Malicious Insiders

These folks know what they are doing in harming their organization. They pose a high level of risk because they are actively trying to be stealthy and are likely to attempt to cause significant damage with their thefts or destruction.

  2. Human Errors

The Verizon Data Breach Investigations Report refers to these people as having committed Miscellaneous Errors. Maybe they sent a file to the wrong person, misconfigured an access policy, or did something else to harm your security. 

The deciding factor here is that the move was unintentional. But they can still be destructive.

  3. Compromised Credentials

The best way for external attackers to navigate around your network is by using legitimate credentials from one of your unsuspecting yet authorized users. 

You should always consider that one of your users can have their credentials compromised, either because they were stolen or simply brute forced, and that you may have some wolves in sheep's clothing running around your network.

Make sure to use multi-factor authentication (MFA) to make it harder for your accounts to be compromised.

How to Mitigate Risk

Risk from insiders, like that from external actors, is never going to be 100% preventable. Thankfully, there are steps that can be taken to reduce your risk and make your team more responsive to a cybersecurity incident.

Limit Access to a Minimum

A malicious actor cannot get to resources that they do not have access to. 

Organizations need to fight the temptation to simply grant wide-reaching access to everyone in an attempt to improve efficiency. Sure, requesting access can be a friction-filled frustration, but limiting everyone's access to the minimal level plays a critical role in hardening your posture against exploitation.

The Principle of Least Privilege calls for granting the lowest level of privilege required for folks to get their work done. There is no good reason why a developer on your team needs ongoing admin access to financial records, and vice versa.
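One way to put the principle into practice is to periodically audit actual grants against a per-role baseline of what each role needs. The script below is an added illustration, not code from the article or from Teramind; the role names, resource classes, privilege levels and the grants themselves are constructed for the example. It flags three kinds of excess: a grant on a resource the role has no business with (the developer with admin on financial records), a grant above the role's maximum level on a resource it does need, and a grant to a user whose role has no baseline at all.

```python
from dataclasses import dataclass

# Privilege levels ordered from least to most powerful. A grant at one level
# implies every lower level, so a role allowed "write" may also "read".
LEVELS = {"read": 1, "write": 2, "admin": 3}

# Hypothetical role baseline: the maximum level each role needs on each
# resource class. A resource absent from a role is not needed by it at all.
ROLE_BASELINE = {
    "developer": {"source_code": "write", "ci_pipeline": "write"},
    "accountant": {"financial_records": "write"},
    "hr_analyst": {"personnel_files": "write"},
}


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    resource: str
    level: str


# Constructed sample of what an access-control export might contain.
SAMPLE_GRANTS = [
    Grant("alice", "developer", "source_code", "write"),        # fine
    Grant("alice", "developer", "financial_records", "admin"),  # not a developer resource
    Grant("alice", "developer", "ci_pipeline", "admin"),        # above the role's "write" cap
    Grant("bob", "accountant", "financial_records", "write"),   # fine
    Grant("bob", "accountant", "financial_records", "read"),    # fine, implied by write
    Grant("carol", "hr_analyst", "personnel_files", "write"),   # fine
    Grant("dave", "intern", "source_code", "read"),             # role has no baseline
]


def audit_grants(grants, baseline=ROLE_BASELINE):
    """Return (user, resource, level, reason) for every grant exceeding its role baseline."""
    findings = []
    for g in grants:
        role_perms = baseline.get(g.role)
        if role_perms is None:
            # A role nobody has defined a need-to-know for is itself a finding.
            findings.append((g.user, g.resource, g.level, "unknown_role"))
            continue
        allowed = role_perms.get(g.resource)
        if allowed is None:
            findings.append((g.user, g.resource, g.level, "resource_not_in_role"))
        elif LEVELS[g.level] > LEVELS[allowed]:
            findings.append((g.user, g.resource, g.level, f"exceeds_role_max_{allowed}"))
    return findings


if __name__ == "__main__":
    for user, resource, level, reason in audit_grants(SAMPLE_GRANTS):
        print(f"{user}: {level} on {resource} -> {reason}")
```

Running the audit on a real export means replacing SAMPLE_GRANTS with whatever your identity provider or directory can produce; the point is that the baseline is written down per role, so every grant outside it has to be justified rather than quietly accumulating.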

Monitor Behavior for Anomalous Activity 

Watching for and understanding your users’ behavior is an essential element of keeping your organization secure. 

The first step here is to know your baseline of normal user activity. That way you can judge when someone deviates from their normal behavior.

One factor to consider here is the user's role in the organization. Does it make sense that someone who never normally touches personally identifiable information (PII) is all of a sudden searching around in files that list people's social security numbers and addresses?

Other questionable behavior may pop up, too: why is Sally downloading large quantities of files and working at strange hours? Many organizations appreciate it when employees put in extra time in their off hours, but you do not want them walking out the door with sensitive information.

Use tools to monitor for anomalous behavior that may be indicative of unauthorized activity and investigate quickly to understand if you just have overly eager workers or a potential security incident on your hands. 
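The baseline-then-deviation idea above can be shown end to end on a handful of audit records. The script below is an added example, not code from the article or from any particular monitoring product; the log format, the users and every event in it are constructed, and the thresholds (the per-user working-hour window, a 10x jump over the user's median transfer size, a data class the user has never touched) are assumptions chosen for the illustration. It builds a per-user baseline from a history window and then scores new events, which reproduces the article's Sally scenario (off hours, bulk download, PII she normally never reads) and also handles the edge case of a user with no history at all.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed audit records (not from a real system): ts|user|action|bytes|data_class
BASELINE_LOG = """\
2024-03-01T09:12:00|sally|download|1800000|engineering
2024-03-01T11:40:00|sally|download|2400000|engineering
2024-03-01T15:05:00|sally|read|900000|engineering
2024-03-02T10:30:00|sally|download|2100000|engineering
2024-03-02T16:45:00|sally|read|1200000|engineering
2024-03-01T09:00:00|bob|read|500000|financial
2024-03-02T13:20:00|bob|download|700000|financial
"""

# Constructed events from the period being reviewed.
NEW_LOG = """\
2024-03-04T02:15:00|sally|download|520000000|pii
2024-03-04T10:05:00|bob|read|600000|financial
2024-03-04T14:00:00|sally|read|1500000|engineering
2024-03-04T11:00:00|mallory|download|300000|engineering
"""

VOLUME_FACTOR = 10  # assumed: flag transfers larger than 10x the user's median


def parse(log):
    """Turn the pipe-delimited records into dicts with typed fields."""
    events = []
    for line in log.splitlines():
        ts, user, action, nbytes, data_class = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user,
            "action": action,
            "bytes": int(nbytes),
            "data_class": data_class,
        })
    return events


def build_baseline(events):
    """Per user: the hour window they normally work in, their median transfer
    size, and the set of data classes they have previously touched."""
    hours = defaultdict(list)
    sizes = defaultdict(list)
    classes = defaultdict(set)
    for e in events:
        hours[e["user"]].append(e["ts"].hour)
        sizes[e["user"]].append(e["bytes"])
        classes[e["user"]].add(e["data_class"])
    return {
        u: {
            "hour_window": (min(hours[u]), max(hours[u])),
            "median_bytes": median(sizes[u]),
            "classes": classes[u],
        }
        for u in hours
    }


def detect_anomalies(baseline, events):
    """Return (user, timestamp, reasons) for each event that deviates from baseline."""
    findings = []
    for e in events:
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            # No history at all: cannot judge normal, so surface it for review.
            reasons.append("no_baseline")
        else:
            lo, hi = b["hour_window"]
            if not lo <= e["ts"].hour <= hi:
                reasons.append("off_hours")
            if e["bytes"] > VOLUME_FACTOR * b["median_bytes"]:
                reasons.append("volume_spike")
            if e["data_class"] not in b["classes"]:
                reasons.append("new_data_class")
        if reasons:
            findings.append((e["user"], e["ts"].isoformat(), reasons))
    return findings


def run():
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect_anomalies(baseline, parse(NEW_LOG))


if __name__ == "__main__":
    for user, ts, reasons in run():
        print(f"{ts} {user}: {', '.join(reasons)}")
```

Sally's 14:00 read of ordinary engineering data is correctly left alone, while her 02:15 half-gigabyte PII download trips all three checks at once; that stacking of independent signals is what separates "eager employee" from "investigate now" and is what a human should be looking at first.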

Monitor Your Contractors

Looking at the Verizon Data Breach Investigations Report for this year, 62% of system intrusions were the result of supply chain attacks. 

If you are working with a contractor that feeds into your organization, either via some sort of access or by supplying software, then their security becomes your responsibility.

This issue actually breaks down into two components.

First is that you should monitor their behavior in interacting with your systems like you would an employee. Because of their relationship with your department/organization, they have more access and familiarity with your environments than an outsider would. This increases their potential threat level and makes them deserving of that additional attention.

Second is that they should be able to prove to you that they are keeping to the same high standards that your organization is held to. Think about CMMC, the NIST frameworks, etc. If they are compromised, then the attackers can worm their way over to you, as we have seen in plenty of other attacks, SolarWinds among others.

So if they want to do business with you, then they need to be held to your standards. 

Segregate Access Between Roles

Cooperation from colleagues was essential in Snowden's success because, with his own set of credentials alone, he did not have the necessary access to steal everything. In this case, the system of keeping a wall of separation between employees and departments broke down from human error, but the concept is still the right one.

Think of it like not putting too many eggs in one basket. If one person either decides to become an insider threat or has their account compromised, then you will want to make sure that they can only do limited damage. 

Train your people to be nice, friendly team players, but make clear that their helpfulness ends short of sharing credentials.

Record Sessions 

Similar to how we keep activity logs for monitoring and forensics in the case of an incident, session recording can play an important role both in investigating a breach and as a potential deterrent to an insider.

Effective use of this tool requires knowing where to look, because sending a human to run through hours, weeks or months of instant replay is not a good use of anyone's time. This is why you need to use recordings in coordination with other monitoring and detection tools, which point you at the right moments and let the recording supply some much needed context in the event of an incident.

You also need to be selective from a privacy standpoint, making sure that everyone is informed that they are being recorded, especially if communications are involved. Check the laws on this in your state, as they can vary from place to place.

Strong Culture as a Defense Against Malicious Insiders

While greed is often a motivating factor in driving an insider to become malicious, disaffection with their organization is definitely up at the top of that list. If your people are disconnected, disillusioned, and generally dissatisfied, then they will have fewer inhibitions about turning against their colleagues.

It is admittedly difficult to create a real positive esprit de corps during periods of remote and hybrid work, but it is during these times that creating a sense of community is most critical. 

It is a common mistake when companies refer to themselves as a family, which they clearly are not. As much as we may wish, we cannot fire our family members. But creating an atmosphere where people feel appreciated and feel affinity for their colleagues can be a strong factor in defending against the temptation to defect, perhaps even more than any one security solution.

Strengthen security and protect against insider threats with Teramind

Isaac Kohen