Is Your Organization Ready to Defend Insider Threats?


Insider threat is not a new topic; technical and non-technical people alike talk about it every day. It is often tied directly to two solutions, user security awareness training and Data Loss Prevention (DLP) implementation. That is not a wrong approach, but is it the whole story?

In early August, in an insider threat case at the Tesla Gigafactory, a Russian man allegedly offered one of Tesla's employees $1 million to deploy malware into the company network so that Tesla's data could be held to ransom for millions of dollars. The incident had a happy ending: the employee notified Tesla instead of accepting the bribe or doing nothing.

Let's simulate the scenario in which the ransomware is successfully installed on one of the file servers by a privileged system administrator. Would that story end badly? The answer is “It depends.”

  • What if an anti-malware solution is deployed on every applicable host? The insider would first need to use privileged access to disable it on the target host before the malware could execute, and that action should trigger a high-severity alert in the Security Information and Event Management (SIEM) system. Is there a separate team or Security Operations Centre monitoring SIEM alerts and investigating why a host-level security control was disabled?
  • What if the malware is sophisticated enough to evade the host-based anti-malware solution and attempts to inject malicious macros into every Word document and Excel spreadsheet stored on the file server? Is there any SIEM logic or event correlation that could identify such abnormal file access behaviour?
  • What if the malware performs HTTPS beaconing to a “legitimate” external destination, e.g. an AWS EC2 instance or a Microsoft Azure virtual machine? Is there any mechanism to flag such network connectivity patterns?
  • What if the malware simply exfiltrates data during peak network traffic hours to hide among normal activity? Is there any mechanism to detect that?
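As an added illustration (not from the article or from any vendor tool), the first three questions above expressed as simple SIEM-style correlation rules run over a constructed batch of log events. The event schema, host names, account names and the 198.51.100.7 destination are all hypothetical; the thresholds are starting points a SOC would tune against its own baseline.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample events, one tuple per log line: (seconds, host, user, event, detail).
# The schema is hypothetical; a real SIEM would map its own field names onto it.
EVENTS = (
    [(0, "fs01", "sysadmin", "av_disabled", "endpoint agent stopped")]
    + [(5 + i, "fs01", "sysadmin", "file_write", f"report{i}.docx") for i in range(40)]
    + [(120 + 60 * i, "fs01", "sysadmin", "https_conn", "198.51.100.7") for i in range(8)]
    + [(7, "fs02", "alice", "file_write", "notes.xlsx"),
       (300, "fs02", "alice", "https_conn", "198.51.100.7")]
)


def av_disabled_hosts(events):
    """Question 1: any host whose anti-malware agent is disabled is a high-priority alert."""
    return sorted({(host, user) for _, host, user, ev, _ in events if ev == "av_disabled"})


def mass_file_writes(events, window=60, threshold=25):
    """Question 2: one account modifying more than `threshold` files on one host
    within any `window`-second span (sliding window over sorted timestamps)."""
    writes = defaultdict(list)
    for t, host, user, ev, _ in events:
        if ev == "file_write":
            writes[(host, user)].append(t)
    flagged = []
    for key, times in writes.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.append(key)
                break
    return flagged


def beaconing(events, min_conns=5, max_jitter=5.0):
    """Question 3: repeated HTTPS connections from one host to the same destination at
    near-constant intervals (low standard deviation of inter-connection gaps)."""
    conns = defaultdict(list)
    for t, host, _, ev, dest in events:
        if ev == "https_conn":
            conns[(host, dest)].append(t)
    flagged = []
    for key, times in conns.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            flagged.append(key)
    return flagged
```

On the sample data all three rules fire for fs01 only; the single write and single connection from fs02 stay below every threshold.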

If your organization can confidently answer the questions above with results from a proven breach and attack simulation, that implies its security controls are effective to a certain extent.

There is no one-size-fits-all security solution, and deploying many expensive security tools does not by itself make an organization more secure. Regular red teaming, purple teaming or breach and attack simulation (BAS) exercises are the way to test your organization's readiness to detect and respond.

One popular framework for this is MITRE ATT&CK. It is very useful for understanding the tactics and techniques of real-world threats targeting your organization's industry, and therefore for planning relevant breach simulations. The outcome of a simulation can then feed into the continuous improvement of security controls.

Organizations can choose to “believe” that their security controls are good enough, or they can examine them periodically and find the loopholes. Furthermore, we should always assume that security incidents will happen and be ready to respond in a planned way. Be vigilant and be ready to respond, however good you think your security controls are.
