When Outsiders Become Insiders

As CIOs strengthen their organizations’ perimeters, hackers will almost inevitably look for other ways in. And, like water dripping through a leaking roof, hackers and cyber-criminals always find the cracks.

One crack is the insider; another, the tools insiders use to manage their networks.

As brute-force technology attacks become harder to carry off, malicious groups are looking for people who can be bribed, cajoled, threatened or duped into letting them through the organization’s defenses.

Once inside, hackers all too often find a trove of useful information: passwords stored insecurely, user accounts with unnecessarily high levels of access, or single passwords used on multiple systems.

Once the attacker gains access to these assets, the outsider effectively becomes an insider and, in too many organizations, they can disrupt systems and steal data almost at will.

The power of the insider attack lies in making the hacker look like a trusted user, staying below the radar of all but the most sophisticated security systems. It is this power that is forcing insider attacks higher up CISO, CIO and even board agendas.

Insiders on the Rise

Reliable statistics on insider attacks are hard to find, not least because companies often prefer not to report incidents. However, consulting firm KPMG found that insider attacks increased from 4% of security incidents to 20% between 2007 and 2010. This largely coincides with improvements in companies’ perimeter security controls.

The Ponemon Institute’s Annual Cost of Data Breach report also ranks insider attacks, alongside criminal attacks, as the most costly form of breach.

“Our experience shows a significant growth in blended attacks, where the outsider attacker takes advantage of insiders who can be manipulated or who have been careless. That is the greatest risk for organizations,” says John Skipper, a cybersecurity expert at PA Consulting. “Deliberate malicious attacks are still rare, but very damaging.”

Just how damaging is shown by some recent insider attacks, from Sony Pictures to Morgan Stanley. But hackers do not need a collaborator on the inside to wreak havoc or to steal data. The range of routes into an organization is broad, and not helped by weaknesses in businesses’ security and IT administration controls.

“Insiders have been a soft target for a long time,” says Adam Schoeman, senior intelligence analyst at security consultants SecureData.

He adds: “We’ve seen advanced attackers moving from external attacks on boundary devices and using tools available to trusted insiders. These are people who know what they are hitting. Advanced attackers say, ‘I have access to this – what can I do with this access?’”

A lack of network monitoring by businesses also means that, once inside, attackers can go undetected for long periods of time.

The causes of insider breaches, though, are hardly new. Most ‘insider’ incidents can be traced to employees who have left the organization, suggests Laurance Dine, managing principal in investigative response at Verizon’s investigations unit: “People get disgruntled, you get misuse, people make mistakes.”

“Then there is social engineering: duping people into giving out information that becomes the ‘tip of the spear’ for spear-phishing attacks, or people giving out their own credentials. Then there are incidents where people are threatened or coerced,” he adds.

The right security systems, though, can pick up most attacks, Dine advises: “Have a good leavers’ policy. It is quite common for accounts to still be active six months after someone leaves.”
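The leavers' check Dine describes can be automated by reconciling the HR leavers list against an account directory export. This is an added example, not from the article or from Verizon; both CSV inputs and the grace period are constructed assumptions.

```python
"""Leavers' check: find accounts still enabled after their owner left, and
whether they have been used since. Added example, not from the article;
both CSV exports below are constructed."""
import csv
from datetime import date
from io import StringIO

# Constructed HR leavers export.
HR_LEAVERS_CSV = """username,left_on
asmith,2015-01-05
bjones,2014-09-30
cwong,2015-03-14
"""

# Constructed account directory export (state and last successful login).
DIRECTORY_CSV = """username,enabled,last_login
asmith,true,2015-02-20
bjones,true,2015-03-01
cwong,false,2015-03-13
dlee,true,2015-03-15
"""


def stale_leaver_accounts(hr_csv, directory_csv, today, grace_days=1):
    """Return (username, days_since_departure, used_after_leaving) for each
    leaver whose account is still enabled past the grace period, worst first."""
    today = date.fromisoformat(today)
    accounts = {row["username"]: row
                for row in csv.DictReader(StringIO(directory_csv))}
    findings = []
    for leaver in csv.DictReader(StringIO(hr_csv)):
        acct = accounts.get(leaver["username"])
        if acct is None or acct["enabled"].lower() != "true":
            continue  # no account, or already disabled: nothing to report
        left_on = date.fromisoformat(leaver["left_on"])
        days_open = (today - left_on).days
        if days_open <= grace_days:
            continue  # still inside the window the leavers' process allows
        used = date.fromisoformat(acct["last_login"]) > left_on
        findings.append((leaver["username"], days_open, used))
    return sorted(findings, key=lambda f: f[1], reverse=True)


if __name__ == "__main__":
    for user, days_open, used in stale_leaver_accounts(
            HR_LEAVERS_CSV, DIRECTORY_CSV, "2015-03-16"):
        print(f"{user}: enabled {days_open} days after leaving"
              + (", and used since" if used else ""))
```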

These ‘hygiene factors’ are increasingly important as hackers turn to insiders, and compromised privileged user accounts, rather than attempting to breach firewalls or other perimeter security systems.

Even relatively small weaknesses can leave a door open to attackers. At SecureData, Adam Schoeman warns that attackers have used OWA – Microsoft’s webmail for corporations – to gain access to networks.

Hackers can then break into the organization and plant malware, use their access to attack other systems, or even to carry out social engineering attacks on other privileged users or key personnel, such as members of the board. “Once you are on the network, escalating privilege is not too difficult,” Schoeman says.

This is not helped by poor security practices such as password sharing between users or systems, or keeping passwords unencrypted on the network in unprotected files.

“It is possible to take a primarily technological route and to hack in through the firewall and then capture credentials,” says Skipper. “This is either because they’re left in an insecure way, like passwords in Excel spreadsheets, or because of systems that are not properly configured and allow passwords to be captured.”

Most organizations have now closed those gaps, he suggests, prompting attackers to turn to spear-phishing and other forms of social media manipulation to “take advantage of unwitting behavior” and put a trojan or other malware onto the network.

But there is a further factor that works in the outsider’s favor: organizations often rely too heavily on a single security measure or access control – again based on the assumption that once someone is on the network, they are trusted.

“Insiders generally have too much access around a single control,” says Phil Huggins, vice president of security science at security and risk consultancy Stroz Friedberg. “If the only thing that stops them breaching is a single control, even if control is strong, that may not be enough.”

Dine advises organizations to “use the highest levels of security for things that really matter, such as two-factor authentication. Don’t reuse admin passwords for each system; don’t share passwords – we still see that a lot.”

Keeping desktops and other IT systems up to date – including applying patches – is also vital; recent breaches such as Poodle rely largely on unpatched vulnerabilities to gain access.

But organizations also need to move away from the assumption that all users are trusted users, and plan for the chance that a trusted user might – unwittingly or deliberately – go rogue. This is likely to also mean more restrictions on who can access IT systems, when and where.

“Give access rights to people who need rights, give people access to what they need,” says Dine. “If your security policy lets everyone down to reception have everything, you need to do that today.”

When the Good Go Bad

For CISOs, this means moving beyond a purely technical approach to information security, to one that involves culture, policy and procedures, and even a measure of psychology.

Firstly, IT security teams need to be able to detect unusual or suspicious activity that might indicate an insider attack is taking place. But other parts of the organization, including legal and HR, need to develop techniques to spot changes in behavior and even pick up traits in employees that suggest they might turn to cybercrime.

By no means do all organizations have the real-time network monitoring tools which can detect unusual activity by employees or IT users, as well as attacks such as APTs. Nor do all organizations have data loss prevention (DLP) software, a tool which – though effective – experts say is expensive and can be difficult to deploy.

“Tracing what people are doing is more difficult [than detecting intrusions],” says Dine. “There are systems you can put in to monitor data usage – we recommend using those if you can afford to.”

Huggins cautions that DLP is hard to deploy: “The idea that a computer understands what is a secret – and what is not – is laughable. What we are seeing is much more deployment of analytics – moving from setting off an alarm or something going red to pointing out individuals’ high risk activities.”

This, though, takes insider threat prevention squarely into the realm of the human factor. Often, the tell-tale signs are similar, whether someone’s behavior changes because they have been duped, threatened, or are looking for financial gain.

“Is someone downloading huge amounts of data, or changing their working hours, or undertaking activity out of sight of co-workers?” All these can be signs of an insider at work, he suggests.
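The two signals named above, a jump in download volume and a shift in working hours, can be scored against each user's own baseline rather than a fixed alarm threshold, which is the move from “something going red” to per-individual risk that Huggins describes. This is an added example, not from the article or from any vendor's product; the log format, sample lines and thresholds are constructed.

```python
"""Score users on two insider signals: download volume far above the user's
own baseline, and activity far outside the user's usual hours.
Added example, not from the article; log format, lines and thresholds are
constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed activity log: "<ISO timestamp> <user> <action> <bytes>".
LOG_LINES = """\
2015-03-09T09:12:00 alice download 4200000
2015-03-10T09:05:00 alice download 4500000
2015-03-11T14:30:00 alice download 4100000
2015-03-12T09:50:00 alice download 3800000
2015-03-13T23:55:00 alice download 96000000
2015-03-09T09:00:00 bob download 1000000
2015-03-10T09:30:00 bob download 1200000
2015-03-11T08:45:00 bob download 900000
2015-03-12T09:10:00 bob download 1100000
"""


def parse_log(text):
    """Return (timestamp, user, action, bytes) tuples from the log text."""
    events = []
    for line in text.splitlines():
        ts, user, action, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(nbytes)))
    return events


def find_insider_signals(events, volume_factor=5, hour_tolerance=6):
    """Return (user, date, signal, value) findings against per-user baselines."""
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> bytes
    activity = defaultdict(list)                   # user -> [(day, hour)]
    for ts, user, action, nbytes in events:
        if action == "download":
            daily[user][ts.date()] += nbytes
        activity[user].append((ts.date(), ts.hour))

    findings = []
    for user, per_day in daily.items():
        # Median, not mean: one anomalous day cannot inflate its own baseline.
        baseline = median(per_day.values())
        for day, total in sorted(per_day.items()):
            if total > volume_factor * baseline:
                findings.append((user, day.isoformat(), "volume", total))
    for user, seen in activity.items():
        usual_hour = median([h for _, h in seen])
        for day, hour in seen:
            if abs(hour - usual_hour) > hour_tolerance:
                findings.append((user, day.isoformat(), "off_hours", hour))
    return findings
```

Run on the constructed log, only alice's 13 March activity is flagged, on both signals; bob's day-to-day variation stays within his own baseline.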


Notable Insider Incidents

South Carolina Department of Revenue (2012) – Data on 3.8m taxpayers lost following phishing attack.

Swiss Intelligence Service (NDB) (2012) – Employee downloaded sensitive files onto portable hard drives.

Target (2013) – Network breached by using refrigeration vendors’ credentials.

Edward Snowden (2013) – NSA contractor used his credentials to steal state secrets.

Sony Pictures Entertainment (2014) – Major breach of intellectual property and company data, now attributed to a hacking group including a former employee.

Morgan Stanley (2015) – Customer data stolen; first blamed on an employee of the firm, but hacking is now also suspected.


Advanced organizations, including security agencies, are looking at behavioral analytics and psycho-linguistic analytics to pick up unusual patterns of activity. Whether all organizations can use these tools is open to question, however. Governments might be able to apply restrictive policies to computer use; a start-up may not.

Companies also need to be aware of labor laws. In some countries, such as Germany, these place severe limits on employee monitoring. And businesses, says SecureData’s Adam Schoeman, also need to lead from the top.

“The key thing is leadership behavior,” he says. “If the board can bypass access controls it devalues those controls for the rest of the business. You need a consistent policy.”

No policy, though, is foolproof. Edward Snowden – perhaps the highest profile insider of recent times – used legitimate access to NSA systems to download data. Organizations should bolster their protection against insiders by improving their incident response, so they are ready for when, not if, an insider breach occurs. As Schoeman points out, organizations can “bank time” by having a well-prepared incident response plan.

This is likely to be increasingly important, as more hackers turn to the insider route to stealing information.

“Relatively few CIOs have their heads around this completely,” says Skipper. “They’re becoming aware that it’s a key area to think about.

“The majority of CIOs we work with are reasonably confident in boundary security. But few can monitor what is going on in their networks. That’s where the focus is now. Most sophisticated organizations are making the assumption that some bad stuff will get in, and some already is in, and the ability to respond is at the top of the agenda.”
