Dark Web Recruiters Target Insiders and Employees

The cyber-risk from insiders—employees and contractors who have valid access to enterprise networks, à la Edward Snowden—is on the rise, in part due to cybercriminals recruiting them to help steal data, make illegal trades or otherwise profit.

According to a report from RedOwl and IntSights, the recruitment of insiders within the Dark Web is active and growing, with forum discussions and insider outreach nearly doubling from 2015 to 2016.

Sophisticated threat actors use the Dark Web to find and engage insiders to help place malware behind an organization’s perimeter security. Insiders then use these underground forums to “cash out” on their services through insider trading and payment for stolen credit card information.

The puppet-masters are also able to arm insiders with the tools and knowledge necessary to help steal data and commit fraud, among other acts, and also to cover any tracks. In one instance, a hacker solicited bank insiders to plant malware directly onto the bank’s network. This approach significantly reduces the cost of action as the hacker doesn’t have to conduct phishing exercises and can raise success rates by bypassing many of the organization’s technical defenses (e.g. anti-virus or sandboxing).

The lures are significant. On one forum, the attacker explained the approach to a potential collaborator, indicating that he needs direct access to computers that access accounts and handle wire transfers, and that he offers to pay “7 figures on a weekly basis” for continued access.

What this means for businesses is that any insider with access to the internal network, regardless of technical capability or seniority, presents a risk. The report recommends that risk management teams join the growing number of organizations that are actively building insider threat programs. Ironically, 80% of security initiatives today focus on perimeter defenses, while fewer than half of organizations budget for insider threat programs.

Another powerful lever that organizations have to mitigate the threat from insiders is culture.

“Enterprises should create, train and enforce consistent corporate security policies while protecting employee privacy,” the report recommends. “Ensuring that employees and contractors understand the rules—and penalties—of engaging in insider behavior carries tremendous impact.”

Also, treating insiders as a technology problem ignores the human aspects of motivation and behavior.

“Security teams must monitor employee behavior across a broad array of channels that identify suspicious employee activity, but also help understand negative employee sentiment,” the report added. “Building an effective insider threat program requires a robust security ecosystem built on a foundational capability to see across all employee activity and spotlight unwanted behavior while respecting employee privacy.”
