Using Threat Deception to Thwart Malicious Insiders

It’s an innate human truth that some people are driven by negative attributes like revenge, greed and disregard for others, and while it’s bad enough to be attacked by a stranger, suffering an attack at the hands of insiders adds an additional sting as well as greater complexity.

The risk of these types of incidents has risen during the pandemic. In this time of crisis, when the explosion of remote work has weakened cybersecurity frameworks, insiders have become outsiders: employees are working from the privacy of home, often on their own devices, separated physically and emotionally from company and colleagues.

The strain of anticipated or actual layoffs, furloughs, pay cuts and plant closings raises stress levels and reduces loyalty. Those facing increased temptation due to financial hardship, greed, anger or disenfranchisement may be more emboldened to act.

At the organizational level, there are different types of malicious insiders when it comes to cybersecurity and it’s important to understand the differences in order to be able to defend against attacks of this kind. Let’s look at the types of malicious insiders and how organizations can find the balance between employee privacy and security using threat deception.

Understanding the nature of malicious insiders
Not all malicious insiders are created equal. There are some who want to cause damage for damage’s sake, for instance, while others are seeking to sell information for financial gain or export data that could help them at their next job. 

You need to protect your organization while also protecting your employees – you don’t want your employees feeling like they’re being scrutinized and continually tracked. Walking the line between privacy and security can be tricky, because as an employer, you also have to maintain the trust of your employees. 

Insiders can operate more silently and inflict more damage than outsiders because they already have some trusted access and insight into an organization’s valuable assets, but in many cases, malicious insiders must also snoop around file systems and acquire credentials and connections to systems and applications they don’t have authorized access to. In other words, they must conduct lateral movement just as an external attacker would. 

How deception technology can help
Insiders are familiar with at least parts of the network and core applications, and advanced insiders often have privileged access to high-risk systems. Because they have an insider’s understanding of company culture and business processes, they can skillfully execute their activities without attracting attention. That’s why it’s critical to detect them early in the lateral movement phase of an attack.

Adding deception to your network environment can provide you with a significant advantage. Not only can deceptions detect lateral movement of an advanced insider, but they can also help root them out. 

Misleading an outsider requires authentic-looking deceptions, and it’s twice as hard to fool an insider. Start by reverse-engineering the insider’s thought process. Where would he or she go to find information about new merger and acquisition activity? How could he manipulate (and cover up) account activity in clearing or settlement processes? Then, design deceptions based on the insider’s perspective. 

For instance, in a wealth management environment, you might create deceptive file shares that mimic real shares that house quarterly portfolio reports. These deceptive shares must match the organization’s naming conventions, but to fool an insider, they must be structured to include the same types of data, such as aggregate account overviews, portfolio holdings, time-weighted performance data, asset allocation percentages and account activity—authentic-looking but fake. 
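As an added example that is not part of the article, the Python sketch below shows the two halves of such a decoy: it builds a fake quarterly portfolio report carrying the same sections named above (aggregate overview, holdings, time-weighted return, asset allocation and account activity), and it scans file-server audit lines for any access to a registered decoy path, which is the lateral-movement signal the deception exists to produce. The share naming convention, the audit-line format and every account value are assumptions constructed for the example.

```python
r"""Decoy portfolio-report shares plus an access monitor (added example, not the
article's code). Constructed assumptions: report paths follow
\\FS01\Reports\Portfolio\<YEAR>Q<N>\<ACCOUNT>-Q<N>.csv and audit lines read
'<ISO time> <user> <action> <path>'."""
import random
from typing import Dict, List

# Registered decoys. No business process reads a decoy, so any access alerts.
DECOY_PATHS = {
    r"\\FS01\Reports\Portfolio\2020Q1\ACCT-7781-Q1.csv",
    r"\\FS01\Reports\Portfolio\2020Q1\ACCT-7782-Q1.csv",
}

def build_decoy_report(account_id: str, quarter: str, seed: int) -> Dict:
    """Fake quarterly report carrying the same sections as a real one: aggregate
    overview, holdings, time-weighted return, allocation summing to 100%, and
    account activity. Seeded so a decoy stays identical across rebuilds."""
    rng = random.Random(seed)
    tickers = ("AAPL", "MSFT", "VTI", "BND")  # constructed sample holdings
    holdings = {t: round(rng.uniform(50_000, 400_000), 2) for t in tickers}
    total = round(sum(holdings.values()), 2)
    alloc = {t: round(v / total * 100, 2) for t, v in holdings.items()}
    # absorb rounding error in the last position so the split is exactly 100
    alloc[tickers[-1]] = round(100 - sum(alloc[t] for t in tickers[:-1]), 2)
    activity = [{"type": rng.choice(["BUY", "SELL", "DIV"]),
                 "amount": round(rng.uniform(100, 25_000), 2)} for _ in range(3)]
    return {"account_id": account_id, "quarter": quarter,
            "aggregate_overview": {"market_value": total, "positions": len(holdings)},
            "holdings": holdings, "asset_allocation_pct": alloc,
            "time_weighted_return_pct": round(rng.uniform(-8, 12), 2),
            "account_activity": activity}

def detect_decoy_access(audit_lines: List[str]) -> List[Dict]:
    """One alert per audit line that touches a registered decoy path."""
    alerts = []
    for line in audit_lines:
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # malformed line: skip rather than crash the monitor
        ts, user, action, path = parts
        if path in DECOY_PATHS:
            alerts.append({"time": ts, "user": user, "action": action, "path": path})
    return alerts

SAMPLE_AUDIT_LOG = [  # constructed sample lines; only decoy accesses should alert
    r"2020-06-01T09:14:02Z jdoe READ \\FS01\Reports\Portfolio\2020Q1\ACCT-1001-Q1.csv",
    r"2020-06-01T23:41:17Z jdoe READ \\FS01\Reports\Portfolio\2020Q1\ACCT-7781-Q1.csv",
    r"2020-06-01T23:41:19Z jdoe COPY \\FS01\Reports\Portfolio\2020Q1\ACCT-7782-Q1.csv",
]
```

In a real deployment the alert would also carry the user's normal access pattern, since a decoy hit by someone whose role never touches portfolio reports is the case the article calls lateral movement.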

Taking the right steps for successful deployment
When an organization is evaluating its overall security strategy, it’s important to focus not just on keeping bad actors out but also on reducing the damage a bad actor could cause if they do get in.

So, the first step to successful deployment of deception technology involves making sure the organization is “clean” – that is, ensuring there are no leftover credentials or artifacts from previous users or systems. This will go a long way toward bringing your organization to a level of risk you can coexist with.

Once that’s accomplished, then you can start building the deceptions on top of it. However, before you get into the nitty-gritty of technical deployment, it’s essential to bring the various stakeholders together and inform them of the plan and what it entails. Education – that is, a lack thereof – is often the biggest source of friction when it comes to deception deployment. As part of this, CISOs and other senior security leaders should challenge their staff to think critically about what business and IT assets a potential attacker would be looking for if they got in. 

Strong defense against insiders
Like death and taxes, malicious insiders are a certainty of life. It’s crucial to safeguard your systems not just from outside attacks, but from those on the inside as well. The good news is that organizations are not defenseless against those who already have some level of access to the network and have nefarious intent. Because insiders must make the same lateral movements that outside attackers make in their quest for data, organizations can deploy distributed deception technology that spots this activity right away. This technology is also able to track down the perpetrator.

A deception-based platform is just one part of an insider threat program, but it’s a proven way that organizations can ensure they have the means to detect and deter the silent, malicious activity of trusted users.
