CYDERES Insider Threat Profiles: The Saboteur

In mid-June 2018, a process technician at electric-vehicle maker Tesla was fired and then immediately sued after allegedly committing sabotage and stealing proprietary data while working at the company’s Gigafactory in the Nevada desert.

Tesla CEO Elon Musk had written an all-hands email two days earlier claiming that an unnamed employee had been “making direct code changes to the Tesla Manufacturing Operating System under false usernames” and “exporting large amounts of highly sensitive Tesla data to unknown third parties.”

The technician, Martin Tripp, admitted in court to some of the allegations but portrayed himself as a whistleblower – highlighting production inefficiencies and delays at the Gigafactory and “lies [Musk] told to the public and investors” – rather than as an insider threat. But a Nevada district court judge sided with Tesla on most counts, even while brushing aside the company’s claim of $167 million in market capitalization damages resulting from the incident. Still, Tripp was ordered to pay $400,000 to Tesla.

The world’s most valuable car company is far from alone in suffering incidents of IT sabotage, with similar examples easily found in the finance, healthcare, technology, retail and hospitality industries, to name a few. (While some sabotage is physical in nature – damaging machinery at an assembly plant, for example – IT sabotage tends to be more prevalent, costly and difficult to recover from, and is the sole focus of this post.)

Experts at Carnegie Mellon University (CMU) have studied IT sabotage as a subset of their ongoing research into all things insider threat-related. CMU maintains a running list of cases like the following:

  • A systems architect who received a termination notice after transmitting unauthorized material, then used remote access to delete data and reset servers, and then used on-site access to disable computer cooling systems. The employer, an energy firm, reported over $1 million in lost revenue and recovery fees.
  • A systems administrator rendered their former employer’s network unusable in under 30 minutes. The employer, an IT firm, needed 30 days to recover from the attack. If the insider’s replacement hadn’t made additional system backups before the attack, the organization never would have been able to recover its network.
  • Shortly before a major holiday, a recently promoted technical staff member received a poor performance review from their employer, a financial institution. In retaliation, the insider used their on-site, authorized access to transmit malicious code outside of normal business hours. In less than two minutes, the insider caused 90% of the employer’s domestic network to fail.
  • An employee of a telecommunications company, when asked to resign, responded by sabotaging company IT systems, shutting down its telecommunication system and blocking 911 services in four major cities.

We can discern some consistent defining characteristics of IT saboteurs from CMU’s list and cases like Tesla’s. For example:

  • They are mainly technical employees – system and network administrators, software developers and programmers – along with other staff who hold privileged access. That means they have both the access needed to reach an IT system and the technical skill to inflict damage once there.
  • Their most frequent targets are the systems they already work on.
  • Unlike their colleagues, they additionally harbor a desire to do harm. In fact, the defining trait of the saboteur is disgruntlement, and the intent behind most acts of sabotage is revenge.
  • Most saboteurs plan their activities in advance, and more than a quarter of the time others have information about their plans.
  • The attack typically is arranged prior to their departure but executed after termination using remote access.

In 2016 CMU researchers studied over 100 IT sabotage incidents and found that of the malicious insiders who held technical positions, “19% held active administrator or privileged access at their organization at the time of the incident. An additional 20% of these technical insiders were former employees whose access had not been deactivated, enabling them to commit sabotage. The remaining insiders held authorized, unprivileged access (15%), unauthorized or revoked access (25%), or unknown access (21%).” In some instances, insiders whose own access had been revoked regained entry by compromising existing accounts, or by using back doors and shared user accounts.

The actual attack may involve only a few lines of code and thus can be difficult to detect. Luckily for the corporate security team, however, a disgruntled employee generates higher-than-normal amounts of threat signals prior to an act of sabotage. On the network, unauthorized access attempts are one indicator; so, given the profile above, is a technical role with privileged access.

But even more signals come from non-network data. The saboteur tends to be ruled by emotion and thus is less likely than, say, a patient and self-possessed data thief to conceal their unhappiness and their intentions. This means that reports of prior disputes with staff or managers are relevant clues, especially if they escalate easily or become a pattern.

Further evidence of disgruntlement can be found in anonymous leaks to the press, public-facing social media posts and angry or accusatory communications from the employee to management. Clues also can be found by analyzing access badge logs for signs the employee is working shorter hours or attempting to gain unauthorized access to sensitive rooms at the facility or office.
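The following Python script is an added illustration of the indicators described above, not code from the original post or from CYDERES’s ITDR service. It joins a constructed HR roster to constructed VPN authentication and badge log lines and scores five signals: logins by an account whose owner has already been terminated (the “access not deactivated” case from the CMU data), remote logins outside business hours, bursts of denied access against one target, badge denials at restricted rooms, and unusually short on-site days. The log formats, usernames, thresholds and weights are assumptions made for the example.

```python
"""Score saboteur indicators from auth and badge logs joined to an HR roster.

Added example; log formats, names, thresholds and weights are assumptions.
"""
from collections import defaultdict
from datetime import date, datetime, time

# Constructed HR roster: who is still employed, and when anyone left.
HR_ROSTER = {
    "jdoe": {"terminated": None},
    "msmith": {"terminated": date(2024, 3, 1)},
    "rlee": {"terminated": None},
}

# Constructed VPN/auth events: "<ISO timestamp> <user> <event> <gateway-or-target>"
AUTH_LOG = """
2024-03-04T02:13:00 msmith LOGIN_OK vpn-gw1
2024-03-04T02:20:00 msmith LOGIN_OK vpn-gw1
2024-03-05T23:40:00 jdoe LOGIN_OK vpn-gw2
2024-03-05T23:41:00 jdoe ACCESS_DENIED fileshare-fin
2024-03-05T23:42:00 jdoe ACCESS_DENIED fileshare-fin
2024-03-05T23:43:00 jdoe ACCESS_DENIED fileshare-fin
2024-03-05T23:44:00 jdoe ACCESS_DENIED fileshare-fin
2024-03-05T10:00:00 rlee LOGIN_OK vpn-gw1
"""

# Constructed badge events: "<ISO timestamp> <user> <door> <result>"
BADGE_LOG = """
2024-03-05T08:01:00 jdoe main-entrance GRANTED
2024-03-05T11:30:00 jdoe server-room DENIED
2024-03-05T11:31:00 jdoe server-room DENIED
2024-03-05T12:10:00 jdoe main-entrance GRANTED
2024-03-05T08:55:00 rlee main-entrance GRANTED
2024-03-05T17:30:00 rlee main-entrance GRANTED
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed normal working window
RESTRICTED_DOORS = {"server-room", "network-closet"}
DENIED_BURST_THRESHOLD = 3                   # denials on one target before we care
SHORT_DAY_HOURS = 6                          # first-to-last badge span treated as short
WEIGHTS = {                                  # assumed relative weight per indicator
    "post_termination_login": 10,
    "off_hours_remote_login": 2,
    "denied_burst": 4,
    "restricted_door_denied": 3,
    "short_onsite_day": 1,
}


def parse(log):
    """Yield (timestamp, user, field3, field4) for each non-empty log line."""
    for line in log.strip().splitlines():
        ts, user, f3, f4 = line.split()
        yield datetime.fromisoformat(ts), user, f3, f4


def is_off_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def analyze(roster, auth_log, badge_log):
    """Return {user: {"score": int, "findings": [(indicator, detail), ...]}} for flagged users."""
    findings = defaultdict(list)
    denied = defaultdict(int)                # (user, target) -> denial count

    for ts, user, event, target in parse(auth_log):
        term = roster.get(user, {}).get("terminated")
        if event == "LOGIN_OK":
            # Access that should have been revoked: login on or after the termination date.
            if term and ts.date() >= term:
                findings[user].append(("post_termination_login", f"{ts.isoformat()} via {target}"))
            if is_off_hours(ts):
                findings[user].append(("off_hours_remote_login", f"{ts.isoformat()} via {target}"))
        elif event == "ACCESS_DENIED":
            denied[(user, target)] += 1
    for (user, target), n in denied.items():
        if n >= DENIED_BURST_THRESHOLD:
            findings[user].append(("denied_burst", f"{n} denials on {target}"))

    onsite = defaultdict(list)               # (user, day) -> main-entrance timestamps
    for ts, user, door, result in parse(badge_log):
        if door in RESTRICTED_DOORS and result == "DENIED":
            findings[user].append(("restricted_door_denied", f"{ts.isoformat()} at {door}"))
        if door == "main-entrance" and result == "GRANTED":
            onsite[(user, ts.date())].append(ts)
    for (user, day), stamps in onsite.items():
        span_h = (max(stamps) - min(stamps)).total_seconds() / 3600
        if len(stamps) >= 2 and span_h < SHORT_DAY_HOURS:
            findings[user].append(("short_onsite_day", f"{day}: {span_h:.1f}h on site"))

    return {u: {"score": sum(WEIGHTS[k] for k, _ in f), "findings": f}
            for u, f in findings.items()}


def ranked(results):
    """Users ordered from highest to lowest risk score."""
    return sorted(results, key=lambda u: results[u]["score"], reverse=True)


if __name__ == "__main__":
    res = analyze(HR_ROSTER, AUTH_LOG, BADGE_LOG)
    for user in ranked(res):
        print(f"{user}: score {res[user]['score']}")
        for kind, detail in res[user]["findings"]:
            print(f"  {kind}: {detail}")
```

On the constructed data the departed administrator outranks the active employee who is probing a finance share and a server room at night, because a login by a terminated account is weighted far above any single behavioural signal. The point of the join to HR data is that the post-termination login cannot be seen at all from the auth log alone; it looks like any other successful VPN session.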

From a procedural standpoint, it is equally important to heighten monitoring just before an employee receives a poor performance review or learns that a demotion or termination is imminent – and, once the employee learns what is about to happen, to immediately suspend all network and device access (remote access first, since that is the path most post-termination attacks take) and rotate any shared or group credentials the employee knows.
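The offboarding check that the preceding paragraph calls for can be scripted as a reconciliation of the HR termination feed against directory accounts and the shared credentials a departing employee knew. The Python below is an added example, not code from the original post or from CYDERES; the account and credential records are constructed, and the field names and the rule that every shared credential counts as privileged are assumptions.

```python
"""Find offboarding gaps: enabled accounts owned by departed staff, and shared secrets
they knew that have not been rotated since they left. Added example; data is constructed."""
from datetime import date

TODAY = date(2024, 3, 8)
TERMINATIONS = {"msmith": date(2024, 3, 1), "tnguyen": date(2024, 2, 15)}

ACCOUNTS = [  # directory accounts, including a separate admin account for msmith
    {"name": "msmith", "owner": "msmith", "enabled": True, "privileged": True},
    {"name": "msmith-adm", "owner": "msmith", "enabled": True, "privileged": True},
    {"name": "tnguyen", "owner": "tnguyen", "enabled": False, "privileged": False},
    {"name": "jdoe", "owner": "jdoe", "enabled": True, "privileged": False},
]

SHARED_SECRETS = [  # group/service credentials, who knows them, and last rotation date
    {"name": "svc-backup", "known_to": {"msmith", "rlee"}, "rotated": date(2024, 1, 10)},
    {"name": "root-plc-line3", "known_to": {"tnguyen", "jdoe"}, "rotated": date(2024, 2, 20)},
    {"name": "svc-monitor", "known_to": {"jdoe"}, "rotated": date(2023, 12, 1)},
]


def offboarding_gaps(terminations, accounts, shared_secrets, today):
    """Return a list of gap records, privileged items first, then longest outstanding."""
    gaps = []
    for acct in accounts:
        left = terminations.get(acct["owner"])
        if left is not None and acct["enabled"]:
            gaps.append({
                "kind": "account_still_enabled",
                "item": acct["name"],
                "people": [acct["owner"]],
                "privileged": acct["privileged"],
                "days_overdue": (today - left).days,
            })
    for secret in shared_secrets:
        # Anyone who left on or after the last rotation still knows a live credential.
        stale = sorted(p for p in secret["known_to"]
                       if p in terminations and secret["rotated"] <= terminations[p])
        if stale:
            oldest = min(terminations[p] for p in stale)
            gaps.append({
                "kind": "shared_secret_not_rotated",
                "item": secret["name"],
                "people": stale,
                "privileged": True,      # assumption: every shared credential is privileged
                "days_overdue": (today - oldest).days,
            })
    return sorted(gaps, key=lambda g: (not g["privileged"], -g["days_overdue"]))


if __name__ == "__main__":
    for gap in offboarding_gaps(TERMINATIONS, ACCOUNTS, SHARED_SECRETS, TODAY):
        print(f"{gap['kind']:26} {gap['item']:16} {','.join(gap['people']):10} "
              f"{gap['days_overdue']}d overdue")
```

Note that `root-plc-line3` is not reported: it was rotated after tnguyen left, so the secret tnguyen knew is no longer live. A personal account that HR has already disabled is likewise skipped. The script is only as good as the list of who knows each shared credential, which is exactly why shared accounts are the hardest access to revoke cleanly.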

Deploying a technology solution that casts a wide net for threat signals embedded in both network and non-network data is crucial to early detection of the would-be saboteur, since network detection systems alone may not identify the sabotage until it is too late.

That’s the reason CYDERES has equipped its Insider Threat Detection & Response (ITDR) managed service with the ability to analyze a diverse array of corporate data sources. ITDR detects unauthorized or suspicious data access and activity and makes key correlations on file actions and transfers, focusing on ‘crown-jewel’ data in the cloud, apps, databases, file-shares and disks. It also has the capability to analyze non-network data from incident reports, personnel reviews, badge and printer logs, travel records and much more.

By being able to regularly ingest new data and apply it as evidence to a probabilistic model of the major types of insider threat behavior, the ITDR services team can filter out the majority of false-positive or ‘noisy’ alerts that overwhelm so many SIEM and UEBA platforms, while prioritizing the high-risk individuals that do emerge from analysis of a broader range of behaviors.

This additional context can make all the difference between helping an enterprise secure itself against insider sabotage and forcing it to scramble after the fact to repair costly damage to systems, data, finances, operations and public reputation.


#   #   #


Note: ITDR is one component of CYDERES’s 24/7 security-as-a-service solution set. Learn about the full range of CYDERES offerings, including our Cloud Native Analytics Platform (CNAP), Enterprise Managed Detection & Response (EMDR), Global Security Operations Center (GSOC) and more by visiting our web page.