The Attack is Coming from Inside the House | The Insider Threat Persists

Looking back at the past year, there have been some downright spooky trends facing cyber security professionals. 

Ransomware attacks have skyrocketed, impacting organizations from healthcare to critical infrastructure to the suppliers of MSP suppliers and everyone in between. APT crews and criminal gangs have taken advantage of the pandemic that pushed everyone to remote work, making 2020/2021 the year that bad cybersecurity preparedness came home to roost.

But beyond the headlines, one significant threat has continued unabated, and in many ways, it is far scarier than the risk of foreign hackers because it is coming from inside your organization. 

The Insider Threat Persists

Way back in May, the annual Verizon Data Breach Investigations Report (DBIR) came out for 2021, highlighting the most pressing threats facing organizations. 

Unsurprisingly, Social Engineering topped the list. According to the FBI’s Internet Crime Report, Business Email Compromise (BEC) scams raked in over $1.8 billion in 2020, tricking people into handing the criminals their money. 

Verizon puts attacks on web apps in second place, emphasizing the need for better vulnerability management and coding practices. 

While the 1 and 2 spots on Verizon’s list are unsurprising, numbers 4 and 5 are definitely eye-catching as they point to incidents caused by organization insiders.

According to the report, Miscellaneous Errors and Privilege Misuse came in at the number 4 and 5 spots of the top causes of breaches, with the Verizon researchers finding that insiders were responsible for 99% of these incidents. 

Insider attacks are generally understood as incidents where someone inside the organization has either unintentionally or intentionally taken actions that put the organization at risk. In some Privilege Misuse cases, mismanagement of credentials can lead to an outsider becoming an insider, but more on that later. 

Let’s take a look at these two insider-related attacks that are common causes of data breaches and understand how they fit into the general security landscape.

Miscellaneous Errors

Far and away the more significant cause of breaches, Miscellaneous Errors are the non-malicious mistakes that people unwittingly make when configuring their systems or sending out data. 

The most common type of Miscellaneous Errors according to the folks at Verizon is unsurprisingly misconfigurations, often by system administrators. Was someone granted the wrong level of access? Was an S3 bucket not properly secured because the developer did not know how to write a security policy correctly? 

Any of these sorts of missteps can leave the organization exposed to data loss.

These folks don’t mean to cause a security incident that can put their organization at risk, but errare humanum est.

Privilege Misuse

If our previous category was caused by lack of knowledge or simple human error, Privilege Misuse is the other side of the coin. These are the malicious actors who are generally financially motivated and abuse their privileged accounts for their own gain. 

As many accounts are way over-privileged, meaning that they have access to more resources like company data than they have any real need to have, this is a considerable problem facing organizations. 

These sorts of incidents can be doubly damaging for an organization because it will likely erode customer trust. It’s bad enough when an honest mistake leads to data loss. It’s even worse when someone inside the organization knowingly abused their access to cause harm. 

As alluded to above, not all Privilege Misuse is necessarily carried out by an insider. If an attacker compromises a privileged account, then they can use those credentials to essentially act as a malicious insider and access valuable data. 

It is up to organizations to make sure that they do not make it easy for malicious insiders to take advantage of their privilege, putting in place protections to mitigate their risk.

3 Tips for Addressing Insider Threats

Organizations have to take significant steps to protect their data from these insider attacks and errors. 

Here below are a few good places to start shoring up your defenses from internal security risks.

1. Enforce Good Security Policies For Cloud Resources

While the transition to the cloud has been well underway for over a decade, many organizations are still playing catch up with how to keep their cloud resources secure. One of the most common misconfiguration mistakes is seen in AWS S3 buckets being left open to the public. 

These S3 buckets can have valuable customer data in them or one of a dozen other resources that are set up by developers. They can also be extremely leaky. 

Reduce your risk from leaky buckets by making sure that you are using secure policies for who can access your resources and with which kinds of access (read, write, edit). Many developers are not trained to write secure policies, so be sure to train them. 

One big tip is to avoid those *. While they can make things quite a bit easier by granting access to all, they leave the door open too wide and can lead to an unfortunate incident where the wrong person had the wrong level of access to valuable data.

2. Monitor Usage With The Right Tools

A malicious insider can abuse their privileges or have their account used to carry out an attack.

In a Zero Trust world where we assume that the attackers, or in this case malicious insiders, are already within our networks, then we need to work to detect them as quickly as possible if we want to kick them out and keep our resources secure.

User and Entity Behavior Analytics (UEBA) tools can help provide visibility over employee actions, detecting suspicious activities and creating a paper trail that can play a critical role for investigations.

Security teams should use their UEBA tools to look for out of character actions like accessing resources that normally wouldn’t be accessed by that person (even if they have the privileges that allow them to do so), downloading/exfiltrating large quantities of data, or other actions that may be indicative that something creepy is going on.

If employees know that they are/might be monitored, then they are far less likely to attempt to carry out an attack against the organization. Similarly, if a user’s credentials have been compromised, then security teams can harness UEBA for identifying the course of actions that may be indicative of an attack.

3. Minimize What Data You Hold

Back in August, the hack of T-Mobile showed that the company was holding onto large quantities of data about people who were no longer customers. 

While marketing teams may want to hold onto data that can help them reactivate former customers, keeping these unnecessary data records is a liability. If you are working with the EU market, then regulations like GDPR will likely prevent you from storing these records –– especially without user consent. 

From the insider attack perspective, the more data that is available for a disgruntled employee or compromised account to take, the higher the risk.

Getting back to T-Mobile, now not only do they find themselves on the hook for credit monitoring and potentially other damages for their current paying customers, but plenty of other folks as well.

The moral of this story is to just wipe customer data that you no longer need, thus reducing the risk of it falling into the hands of hackers later. 

Make clearing out data on a regular basis a policy. You’ll be happy that you did later.

Trust But Verify 

Guarding against insider threats has to be a balancing act. 

On the one hand, it is important to have tools and practices in place to prevent insiders from carrying out intentional and unintentional actions that can put the organization at risk. Having measures for monitoring employees and limiting their access to various resources are important steps that can mitigate the risk. 

At the same time, you need to trust your employees to do their job. If you hired them, then you have to treat them with transparency and respect. Make sure to explain why you have policies in place and that you will respect their space to the greatest extent possible. Be aware of the local laws concerning monitoring and consult with HR to make sure that you are in line with company policies. 

Source link

Isaac Kohen