Defending in the Age of Advanced Insiders

Data breaches and ransomware attacks make news headlines almost daily. While cyber-criminal groups take the spotlight, the insider threat from full-time employees, consultants, contractors and even former employees can be just as dangerous and can’t be ignored.

Some attackers are driven by money and seek out confidential information to sell, others want revenge by modifying or deleting data without a trace. Some may want to expose secrets.

Insiders targeting corporate data have become more sophisticated and they’re only getting smarter. Unlike external attackers that must take time to perform reconnaissance and search through file shares to pinpoint information, insiders often already know where your company’s most critical data is stored, or they know the likely ways to find it.

Insiders will also have a working understanding of many of the security tools and processes in place to detect an attack. They can take their time, do research, and plan attacks carefully to avoid detection.

While a subset of insiders will continue to use tried and true techniques (loading up a USB drive, or saving documents to private email or personal cloud shares), many will employ newer approaches to avoid getting caught. A few dynamics are making it easier for informed insiders to access your sensitive data.

Tools and tricks can transform insiders into amateur hackers. Insiders can easily do a quick internet search for hacking tools to use against your organization. Many effective open-source tools and the instructions to use them are freely available. With a little technical know-how, most employees can become amateur hackers, aka “script kiddies.”

They can try out Mimikatz to uncover passwords and PINs stored on a device, or test-drive John the Ripper to crack a password. They can learn from others' failings and missteps on hacking forums and pick up new tricks to remain hidden and avoid detection.

Wide-open access places information at insiders’ fingertips. Organizations want to trust their employees and give them the information they need to do their jobs. Unfettered access to information has its drawbacks, however. Many times, data is left wide open to all employees with little to no security measures in place. An insider can poke around shared data stores and open sensitive files at their leisure.

In a survey of data risk exposure, we found, on average, 22% of all folders are open to everyone in a company. It might seem hard to imagine, but most companies have at least a small percentage of sensitive files, or even email accounts, open and available to anyone on the network. We found 53% of companies have over 1,000 sensitive files open to everyone. That’s data that should be locked down but isn’t, often with no monitoring in place to detect when something goes wrong.
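One way to measure how much of your own file estate is open to everyone, as an added example that is not part of the original article: the script below walks a share root and reports every folder whose ACL grants access to a broad principal. The root path, walk depth and principal list are assumptions to adapt to your environment.

```powershell
# Added example (not from the article): report folders whose ACLs grant access to
# broad principals such as Everyone, Authenticated Users or Domain Users.
# Assumptions: run on a Windows file server with rights to read the ACLs; the root
# path and the principal list are placeholders to adapt.
param(
    [string]$Root = 'D:\Shares',   # hypothetical share root
    [int]$Depth = 3                # how deep to walk; ACLs usually inherit below this
)

# Principals whose presence in an Allow ACE means "open to everyone in the company".
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$BroadPrincipals += "$env:USERDOMAIN\Domain Users"

$folders = @(Get-Item -LiteralPath $Root) +
    @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)

$open = foreach ($f in $folders) {
    try { $acl = Get-Acl -LiteralPath $f.FullName } catch { continue }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($BroadPrincipals -notcontains $who) { continue }
        [pscustomobject]@{
            Folder    = $f.FullName
            Principal = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$total     = $folders.Count
$openCount = @($open | Select-Object -ExpandProperty Folder -Unique).Count
'{0} of {1} folders ({2:P0}) grant access to a broad principal' -f `
    $openCount, $total, ($openCount / [math]::Max($total, 1))

# Entries that are not inherited were set explicitly on that folder; fix those first,
# since removing them also cleans up everything that inherits from them.
$open | Where-Object { -not $_.Inherited } | Sort-Object Folder | Format-Table -AutoSize
```

The percentage printed is directly comparable to the 22% figure quoted above; the table that follows is the remediation list.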

Malware-less attack techniques help insiders go undetected. Because insiders are already on the network for legitimate reasons, they don’t need to install malware, which can be detected, to gain access. Next-level insiders can fly under your security radar by leveraging PowerShell, a network admin tool baked into Windows, in the exploitation phase of an attack.

Unlike typical malware that’s likely to be caught by your firewall and endpoint defenses, PowerShell exploits are fileless and therefore less likely to raise alarms unless you’re specifically monitoring for this activity. Using PowerShell, an attacker can trigger Windows credential requests and capture network login passwords for users and network admins.
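The monitoring the paragraph calls for is, by default, switched off. As an added example that is not part of the original article, the script below enables PowerShell script block and module logging through the policy registry keys, then summarizes the resulting events from the last day; the indicator list is an assumption to tune for your environment.

```powershell
# Added example (not from the article): turn on PowerShell script block and module
# logging, then summarize the resulting events so fileless PowerShell use is visible.
# Assumptions: run elevated on the endpoint (or deploy the same keys via GPO); the
# indicator list is a placeholder to tune.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging -> Event ID 4104 in Microsoft-Windows-PowerShell/Operational.
# It records the de-obfuscated text of every block that runs, even if it never touches disk.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module logging -> Event ID 4103, records pipeline activity per cmdlet for all modules ('*').
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# Review: which script blocks from the last day contain indicators worth a second look.
# Property index 2 of a 4104 event holds the script block text.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
} -ErrorAction SilentlyContinue

$indicators = @('-EncodedCommand', 'FromBase64String', 'DownloadString', 'Invoke-Expression', 'mimikatz')

$events | ForEach-Object {
    $text = [string]$_.Properties[2].Value
    $hits = @($indicators | Where-Object { $text -match [regex]::Escape($_) })   # -match is case-insensitive
    if ($hits.Count -gt 0) {
        $clean = $text -replace '\s+', ' '
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $_.UserId     # SID of the account that ran the block
            Hits    = ($hits -join ', ')
            Snippet = $clean.Substring(0, [math]::Min(80, $clean.Length))
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Ship the 4103/4104 events to your SIEM rather than reading them locally; an insider with admin rights can clear the local log.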

Insiders can sidestep security controls and cover their tracks. Employees know their cyber moves are likely monitored by their employers and will take pains to avoid being caught. They know to be careful, and will avoid tripping alarms. With the right access, they can use a service account or create a temporary, fake account to gain access to protected information or emails.

After they have the data that they are after, they will hide their activities by marking emails as unread, changing access controls or accounts back to their previous settings, and removing temporary accounts. Insiders may also create just enough noise (activity) to hide their activity on the network.

Attacker tools and techniques are changing all the time. Level up your security stance to watch for the latest exploits.

As a defender, you have to reduce your uncertainty with visibility and context to be able to connect the dots on the subtle signs of a potential attack. Monitor users, devices, file stores and data to catch hostile insiders that hide in plain sight. Remove sensitive data you no longer need for everyday work and limit access to least privilege by clamping down on data that’s open to everyone in your company.

When data is kept where it’s supposed to be, only the right people have access, and everything is monitored with the right context to spot abnormal behavior, your data and networks will be safer from not just outside attackers, but the insiders that are already there.
