MI5: Spies and Thieves are Targeting & Grooming Insiders


The act of grooming internal sources with access to highly sensitive information has been likened to the practices of Cold War spymasters, and MI5 has used the analogy to urge more companies to boost their overall IT defenses.

“This warning confirms something that we’ve been saying for a while now – that the abuse of privileged credentials is the next frontier for cyber-crime against enterprises,” said Paul Ayers, vice president of EMEA at enterprise data security firm Vormetric, in a comment to Infosecurity. “It is clear that businesses are still struggling to defend their most critical assets from those legitimately within the perimeter.”

Even junior staff can be targeted and groomed, MI5 warned, as reported by the Financial Times, adding a deeper layer of confusion to how to address the issue. Paul Stockton, a former US assistant secretary of defence for the UK, told the FT that so-called insider threats are certainly a growing challenge.

"They're not necessarily those at the highest levels of an organization," he said. "Rather it is the systems administrators and others who hold the keys to the IT kingdom that pose such significant potential threats."

Ayers added that part of the complexity stems from the changing nature and definition of a privileged user: “What was once a traditional insider with legitimate access rights has now become almost anybody with appropriate credentials to view and modify data across corporate networks – from contractors to system engineers to network-maintenance workers.”

Regardless of how they’re defined, privileged user accounts are increasingly lucrative targets. MI5 warned that, once hijacked, these credentials can be used as a way for outside hackers to infiltrate corporate networks—which is exactly what happened in the Target data breach case.

Ross Brewer, vice president and managing director for international markets at LogRhythm, warned of potentially “catastrophic” consequences. “By traditionally focusing on external hackers, businesses have often ended up overlooking the significant security threat posed by those on the inside,” he said via email. “Used to nameless, faceless perpetrators, it’s understandably more difficult to accept that the culprit may be sat right next to them, however continuing to ignore this could now lead to catastrophic consequences.”

He added, “Indeed, employees of all levels – from the CEO all the way down to the junior IT assistant – are in the frame and could potentially expose data that threatens not just the company, but the entire nation’s secrets.”

Unfortunately, insider threats often go undetected. Infosecurity Europe Hall of Fame inductee Dr Eric Cole, chief scientist at Secure Anchor, said that organizations often underestimate the volume of attacks being directed against them.

"So many organizations are broken into, but they are not detecting adversaries," he said. Attackers are using tools such as encryption to stay below the radar. "We have set up crypto-free zones for customers. Now we can pick up a breach in 11 seconds, not 11 months, because we see the crypto. Over the last 10 years, attackers have 'cranked up' the threat, moving from opportunistic, to much more deliberate attacks. Attackers have become more stealthy, but also more targeted".

Cole continued: "Most organizations and most businesses are focused on functionality and making money, not on security. Vulnerabilities such as Heartbleed, or Windows XP going end of life, are 'game changers'. We have to assume no software is secure. It is about awareness. Recognize you will get broken into; minimize the frequency and impact of attacks. If [you think] you haven't had an incident in the last 12 months, it's because you've not detected them."

