#MayThe4thBeWithYou : The Insider Threat Awakens


The latest Star Wars film, Star Wars: The Force Awakens, is now available to own, and if you have seen the movie and look forward to watching it all over again, you may agree that this episode of the saga is strangely relevant to the world of data and information security that many of us live in.

Spoiler alert: If you are one of the few people in the galaxy who haven’t seen the movie yet, you may want to hold off on reading this.

Specifically, during the film, the First Order was facing an insider security threat in the person of Stormtrooper FN-2187, whom we eventually come to know as Finn. While the insider in this case turns out to be the good guy, and his employer is a brutal authoritarian regime, we can easily flip the script and see many parallels to the situation faced by corporations and institutions today.

FN-2187 holds a low-level position, but one that gives him access to key physical assets, including the area where prisoners are detained, and information about the Starkiller base’s infrastructure. He has performed well under training and appears to be a loyal trooper. Initially, there is no indication that he might be a threat.

However, during the attack on Jakku, his superiors notice that he has failed to follow orders, a behavior change that results in Kylo Ren commanding Captain Phasma to have FN-2187 reevaluated and given additional training. At this point, his overlords could have immediately reduced FN-2187’s access levels, quarantined him, or even terminated his employment (or his life). But they give him the benefit of the doubt, a decision they will come to regret.

A similar situation is often found in the infosec world, where a great many users and virtually all threat actors bypass mandated security procedures, either out of ignorance, impatience, or malicious intent. Often, these security lapses go undiscovered until after a major breach has occurred.

But even when they are detected beforehand, there tend to be few consequences for the perpetrators. Typically, the offending users suffer no loss of access privileges and are rarely subject to heightened scrutiny.

Lack of adequate monitoring of authorized user access has other implications once malicious use of otherwise trusted user identities is considered. This may have been the case in the breach in Russia reported by Bloomberg in early 2015, where malicious actors used the Corkow Trojan to infect trading systems at Energobank, a regional bank based in the Russian city of Kazan. The attackers placed more than $500 million in illicit trades at non-market rates, moving the ruble/dollar exchange rate more than 15% in minutes and causing the bank to claim losses of $3.2 million.

In The Force Awakens, FN-2187 takes advantage of the second chance he has been given to escape to freedom. Using his insider knowledge, he pulls off the social engineering ruse of a “prisoner transfer” to free the rebel pilot Poe Dameron, steal a TIE fighter, and make a getaway.

Taking on a new identity as Finn, he further draws on his expertise to help the resistance disrupt the First Order by infiltrating and destroying its strategically important Starkiller base.

Depending on your perspective, Finn might be an unlikely hero or a treacherous insider.

Either way, his story offers an object lesson for those involved in endpoint defense and other aspects of infosec. Most defenders spend up to 80% of their time on external threats: studying attacker techniques and tools, analyzing malware behavior, and assessing the capabilities of our adversaries.

However, we need to be equally vigilant about insider threats. We can’t trust users, programs, or systems based solely on how they look or which ID badge they show us. We need to continually monitor behaviors and reassess our judgments based on the activity we’re seeing. When insider attacks are successful, we need to heed the lessons learned and improve processes and controls. In turn, we will be better prepared for future attacks, which (experience tells us) are neither far, far away nor a long, long time in the future.
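To make the "reassess based on activity" point concrete, here is an added example (not from the original article) that replays a constructed audit trail under the two policies the story contrasts: the First Order's "benefit of the doubt", where a procedural lapse is noted but changes nothing, and a progressive response that raises scrutiny and steps down access after each lapse. The users, actions and sensitivity levels are invented for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed audit trail: (user, action, followed_mandated_procedure).
# Action names are invented; a real feed would be badge, IAM or EDR events.
EVENTS = [
    ("FN-2187", "badge:detention_block", True),
    ("FN-2187", "order:fire_on_command", False),  # first lapse: failed to follow orders
    ("FN-2187", "badge:hangar", True),
    ("FN-2187", "prisoner_transfer", False),       # second lapse: no transfer order on file
    ("FN-0001", "badge:hangar", True),             # constructed control user, no lapses
]

# Actions that should require full (level 2) access.
SENSITIVE = {"badge:detention_block", "prisoner_transfer"}


@dataclass
class UserState:
    access_level: int = 2      # 2 = normal, 1 = restricted, 0 = suspended
    scrutiny: str = "normal"   # "normal" or "heightened"
    violations: int = 0


def apply_policy(events, policy):
    """Replay events under a policy.

    Returns (per-user state, list of (user, action) pairs that were denied
    because the user's access had already been reduced).
    """
    states = defaultdict(UserState)
    denied = []
    for user, action, compliant in events:
        st = states[user]
        # Enforce the user's current access level before the action is allowed.
        if action in SENSITIVE and st.access_level < 2:
            denied.append((user, action))
            continue
        if compliant:
            continue
        st.violations += 1
        if policy == "benefit_of_the_doubt":
            continue   # lapse is logged, but no loss of privileges and no extra scrutiny
        # Progressive policy: heightened scrutiny and one step less access per lapse.
        st.scrutiny = "heightened"
        st.access_level = max(0, st.access_level - 1)
    return dict(states), denied
```

Under "benefit_of_the_doubt" FN-2187 accumulates two violations and keeps full access, so the prisoner transfer goes through; under "progressive" the first lapse restricts him to level 1 and the transfer is denied.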
