John Boatman

Trusted insiders can harm an enterprise in all kinds of ways, including intellectual property theft, financial fraud, sabotage and even unwittingly allowing external actors to gain network access through account compromise. Among the more damaging acts is insider-assisted espionage, especially of the cyber variety.

Many people think of spying as being primarily between the foreign intelligence services of nation-state governments. One of the best-known examples is that of Robert Hanssen, a Federal Bureau of Investigation (FBI) agent who spied for Soviet and Russian intelligence against the U.S. from 1976 to 2001, and who is currently serving 15 consecutive life sentences without the possibility of parole.

But the threat of spying is a prevalent and growing threat in the private sector as well. China in particular reportedly manages what may well be the most systematic and pervasive program of corporate cyber-espionage in the world. It stands accused of stealing data across many sectors, from quantum computing and nanotechnology to agriculture and utilities, and then exploiting the information for military and commercial advantage.

The Cybersecurity and Infrastructure Security Agency (CISA) under the U.S. Department of Homeland Security has published a joint analysis with the National Security Agency (NSA) and FBI warning that China “leverages cyber operations to assert its political and economic development objectives.”

The CISA analysis notes that: “Chinese state-sponsored cyber actors aggressively target U.S. and Allied political, economic, military, educational, and critical infrastructure personnel and organizations to steal sensitive data, emerging and key technology, intellectual property, and personally identifiable information (PII).”

China regularly uses the social media career platform LinkedIn to recruit insiders as spies, and has hacked Marriott, United Airlines, Yahoo, Anthem, Equifax and clandestine dating sites like Ashley Madison to glean compromising travel, health, financial and other highly personal information that can then be used to blackmail individuals into spying.

Nor is China alone in the world of espionage. Iran, for example, has increasingly been targeting the suppliers and manufacturers of industrial control systems used in electric utilities, manufacturing and oil refineries. And Russian intelligence services have reportedly gone after everything from Swedish vehicle makers to American stock exchanges.

These examples illustrate how private industry has become one of the top espionage targets. Making matters worse, the huge increase in telework spawned by the coronavirus pandemic has opened vast new opportunities for foreign spying at every level of the workforce.

Often this espionage leverages the privileged access enjoyed by corporate insiders who attain positions of trust and then are exploited for their access to technology systems and data – either indirectly through coercion, blackmail or bribery, or directly as in the case of a foreign national or American with birth ties to another country.

Regardless of whether they are willing participants or have been forced into their roles, can these insider-spies be identified before they commit damaging acts of espionage?

At CYDERES, a business unit of cybersecurity pioneer Fishtech Group, we believe the answer is yes. Our 24/7 managed service, Insider Threat Detection & Response (ITDR), is optimized to pinpoint any insider behavior that is malicious, negligent or even unwitting. That includes potential spies as well as IP thieves, fraudsters, saboteurs and compromised accountholders.

At the heart of the ITDR service is a model that ‘reasons’ like a team of insider threat experts and uses statistical probability, machine learning and other AI techniques to proactively identify high-risk individuals.

The model analyzes a broad set of data sources, including network security logs, printer and badge records, performance evaluations, travel records and publicly available third-party information to paint a detailed and contextualized picture of insider workforce risk.

In the case of potential spies, ITDR applies data as evidence to the model to identify employees who, for example:

• Disregard company policies about installing personal software or hardware.
• Clear their security logs to hide actions taken.
• Attempt to find, alter or remove monitoring tools.
• Attempt to gain access to sensitive areas without authorization.
• Download unusually large files or print long documents.
• Conduct probing activity on networks.
• Work odd hours without authorization.
• Travel to high-threat countries, trade shows or border cities.
• Exhibit signs of financial stress.
• Appear to live beyond their means.
• Openly express anti-U.S. government sentiments or support known U.S. adversaries.

A few of these behaviors on their own can appear innocuous but, when combined with additional network or non-network data and run through the model, they create early indications of insider espionage.

ITDR’s model outputs are ingested, validated and triaged through the CYDERES Cloud Native Analytics Platform (CNAP) and the results are delivered to our customers in the form of detailed incident alerts and associated evidence, optionally coupled with recommendations for mitigation actions and policy or procedural changes.

Armed with this intelligence and insight, corporate security analysts and decision-makers can launch investigations, comply with the legal and auditing requirements associated with such activity and implement policy and control changes to bolster their insider risk mitigation programs – giving them a fresh advantage in the face of increasingly sophisticated threats of insider espionage.

#   #   #

Note: This post concludes our five-part series of CYDERES Insider Threat Profiles. Previous posts in the series can be found here:

The IP Thief

The Compromised Accountholder

The Fraudster

The Saboteur

In mid-June 2018, a process technician at electric vehicle-maker Tesla was fired and then immediately sued after allegedly committing sabotage and stealing proprietary data while working at the company’s Gigafactory in the Nevada desert.

Tesla CEO Elon Musk had written an all-hands email two days earlier claiming that an unnamed employee had been “making direct code changes to the Tesla Manufacturing Operating System under false usernames” and “exporting large amounts of highly sensitive Tesla data to unknown third parties.”

The technician, Martin Tripp, admitted in court to some of the allegations but portrayed himself as a whistleblower – highlighting production inefficiencies and delays at the Gigafactory and “lies [Musk] told to the public and investors” – rather than as an insider threat. But a Nevada district court judge sided with Tesla on most counts, even while brushing aside the company’s claim of $167 million in market capitalization damages resulting from the incident. Still, Tripp was ordered to pay $400,000 to Tesla.

The world’s most valuable car company is far from alone in suffering incidents of IT sabotage, with similar examples easily found in the finance, healthcare, technology, retail and hospitality industries, to name a few. (While some sabotage is physical in nature – damaging machinery at an assembly plant, for example – IT sabotage tends to be more prevalent, costly and difficult to recover from, and is the sole focus of this post.)

Experts at Carnegie Mellon University (CMU) have studied IT sabotage as a subset of their ongoing research into all things insider threat-related. CMU maintains a running list of cases like the following:

• A systems architect who received a termination notice after transmitting unauthorized material, then used remote access to delete data and reset servers, and then used on-site access to disable computer cooling systems. The employer, an energy firm, reported over $1 million in lost revenue and recovery fees.
• A systems administrator rendered their former employer’s network unusable in under 30 minutes. The employer, an IT firm, needed 30 days to recover from the attack. If the insider’s replacement hadn’t made additional system backups before the attack, the organization never would have been able to recover its network.
• Shortly before a major holiday, a recently promoted technical staff member received a poor performance review from their employer, a financial institution. In retaliation, the insider used their on-site, authorized access to transmit malicious code outside of normal business hours. In less than two minutes, the insider caused 90% of the employer’s domestic network to fail.
• An employee of a telecommunications company, when asked to resign, responded by sabotaging company IT systems, shutting down its telecommunication system and blocking 911 services in four major cities.

We can discern some consistent defining characteristics of IT saboteurs from CMU’s list and cases like Tesla’s. For example:

• They are mainly technical employees, including system and network administrators, software developers and programmers and some individuals with privileged access. That means they have both the access required to infiltrate an IT system and the technical skills needed to inflict damage once there.
• Their most frequent targets are the systems they already work on.
• Unlike their colleagues, they additionally harbor a desire to do harm. In fact the defining trait of the saboteur is disgruntlement, and the intent behind most acts of sabotage is revenge.
• Most saboteurs plan their activities in advance, and more than a quarter of the time others have information about their plans.
• The attack typically is arranged prior to their departure but executed after termination using remote access.

In 2016 CMU researchers studied over 100 IT sabotage incidents and found that of the malicious insiders who held technical positions, “19% held active administrator or privileged access at their organization at the time of the incident. An additional 20% of these technical insiders were former employees whose access had not be deactivated, enabling them to commit sabotage. The remaining insiders held authorized, unprivileged access (15%), unauthorized or revoked access (25%), or unknown access (21%).” The insiders who had unauthorized or revoked access in some instances compromised existing accounts to gain system access, as well as back doors and shared user accounts.

The actual attack may involve only a few lines of code and thus can be difficult to detect. Luckily for the corporate security team, however, a disgruntled employee generates higher-than-normal amounts of threat signals prior to an act of sabotage. On the network, unauthorized access attempts are one indicator, as is the mere fact that the employee is in IT.

But even more signals come from non-network data. The saboteur tends to be ruled by emotion and thus is less likely than, say, a patient and self-possessed data thief to conceal their unhappiness and their intentions. This means that reports of prior disputes with staff or managers are relevant clues, especially if they escalate easily or become a pattern.

Further evidence of disgruntlement can be found in anonymous leaks to the press, public-facing social media posts and angry or accusatory communications from the employee to management. Clues also can be found by analyzing access badge logs for signs the employee is working shorter hours or attempting to gain unauthorized access to sensitive rooms at the facility or office.

From a procedural standpoint, it is equally important to heighten security awareness just before an employee receives a poor performance review or learns that a demotion or termination is imminent – and of course to immediately suspend all network and device access and change group-wide login passcodes once the employee learns what is about to happen.

Deploying a technology solution that casts a wide net for threat signals embedded in both network and non-network data is crucial to early detection of the would-be saboteur, since network detection systems alone may not identify the sabotage until it is too late.

That’s the reason CYDERES has equipped its Insider Threat Detection & Response (ITDR) managed service with the ability to analyze a diverse array of corporate data sources. ITDR detects unauthorized or suspicious data access and activity and makes key correlations on file actions and transfers, focusing on ‘crown-jewel’ data in the cloud, apps, databases, file-shares and disks. It also has the capability to analyze non-network data from incident reports, personnel reviews, badge and printer logs, travel records and much more.

By being able to regularly ingest new data and apply it as evidence to a probabilistic model of the major types of insider threat behavior, the ITDR services team can filter out the majority of false-positive or ‘noisy’ alerts that overwhelm so many SIEM and UEBA platforms, while prioritizing the high-risk individuals that do emerge from analysis of a broader range of behaviors.

This additional context can make all the difference between helping an enterprise secure itself against insider sabotage and forcing it to scramble after the fact to repair costly damage to systems, data, finances, operations and public reputation.

#   #   #

Note: ITDR is one component of CYDERES’s 24/7 security-as-a-service solution set. Learn about the full range of CYDERES offerings, including our Cloud Native Analytics Platform (CNAP), Enterprise Managed Detection & Response (EMDR), Global Security Operations Center (GSOC) and more by visiting our web page.

Not all insider threat activity occurs at the senior management or executive levels of an organization. In fact, risk from trusted employees exists at every level.

Take insider fraud as an example. In the vast majority of cases such fraud is committed by lower-level operational and administrative staff, such as those in customer service and data entry or on IT help desks, and also among low- and mid-level managers. In all cases the employee or manager has relatively unconstrained access to the company’s customer, billing and other sensitive data.

The CERT Guide to Insider Threats defines fraud as: “An insider’s use of IT for the unauthorized modification, addition, or deletion of an organization’s data (not programs or systems) for personal gain, or theft of information that leads to an identity crime (e.g., identity theft, credit card fraud).” Not included in CERT’s definition – or this profile – is the type of enterprise-scale accounting fraud perpetrated by Enron, WorldCom, Tyco and others over the past two decades.

According to the TechTarget blog, information targeted for employee-generated fraud covers a wide range of information about an individual, including:

• Personal identification data, such as driver’s licenses, medical identities, criminal histories and immigration applications;
• Personal financial data, such as credit cards, credit histories, utility bills and food stamp applications; and
• Personal medical data, such as medical records and disability claims.

For example, Anthem BlueCross and BlueShield in 2017 had to notify 18,000 of its customers who were Medicare members after an employee with one of its vendors sent their data to a personal email address and then allegedly misused the data.

Financial reasons drive most fraudsters. In some instances they are motivated by simple greed, while in others they’re facing financial stressors like mounting personal debt, medical bills or gambling losses. Another powerful predictor of workplace fraud is an employee’s dissatisfaction with his or her job, or with the work organization.

Besides the lower level of the employee, a number of other factors make fraud unique, according to the authors of the CERT guide and other insider threat experts. For one thing, it typically occurs over a much longer period of time when compared to sudden ‘big bang’ insider events like sabotage or intellectual property theft.

In the latter two cases the employee is usually headed for the exits or has already left when the attack occurs. But the fraudster tends to stay on the job for months or years, which means this type of insider can have a significant adverse financial impact on the organization.

A 2019 Cybersecurity Insiders report found that 55 percent of all malicious insider threat cases are fraud-related, a larger percentage than IP theft, sabotage or espionage. While other insider threat cases may grab more headlines, the frequency, scope and monetary impact of fraud make it a major risk factor – one requiring sustained C-suite attention and company-wide mitigation programs.

Some of the best remedies are procedural in nature. These can include regular and well-publicized audits of critical or irregular processes, stringent background checks for new staff, routine reviews of privileged access lists, training programs that educate staff on how to spot signs of fraud and employee assistance programs that try to support those exhibiting signs of financial stress.

But processes, procedures and controls alone are not enough – which is where fraud detection tools come in.

Popular technologies include SIEM and UEBA platforms that analyze network and device activity for signs of any kind of insider threat. However, the effectiveness of such tools is hampered by the fact that fraudsters are engaged in the same online activities they perform in their assigned roles, and they carry out their fraud on-site and during normal working hours. In other words, they behave like they’re just doing their jobs.

Given that fraud is a malicious act – as opposed to one caused by unwitting or negligent behavior – an effective technology solution should include data sources with information that relates to financial stressors, employee dissatisfaction and other behavioral indicators of risk that can’t be detected on networks.

The CYDERES Insider Threat Detection & Response (ITDR) managed service is a case in point, because it relies on a combination of analyzing network security data through the CYDERES Cloud Native Analytics Platform (CNAP) and also on a patented model-based approach that supplements the network signals with diverse non-network data from HR and other internal sources. The result is a more contextualized view of individual fraud risk.

Once data is applied as evidence the probabilistic model produces a list of potential fraud actors, prioritized by risk score. CYDERES then ingests, validates and triages the results and delivers detailed incident alerts to its customers along with the related evidence needed to launch an investigation.

It is this context-driven ‘whole-person’ approach that sets ITDR apart from other detection solutions. Because it’s a managed service, there’s no software to buy and no need to hire more SOC analysts to find the riskiest insiders among a mountain of noisy alerts.

And because ITDR takes a more proactive approach to fraud detection, organizations have the opportunity to intervene in time to prevent the fraud from escalating – and perhaps help an employee in financial distress.

#    #    #

Note: CYDERES’s Insider Threat Detection & Response managed service was launched in July 2021. Click here to listen to our introductory webinar detailing the features and capabilities of the service, including an in-depth demo of the operational system.

Across the spectrum of insider threat scenarios, account compromise is in a category by itself. Unlike data theft or fraud or sabotage, employees whose email accounts have been hacked are widely considered to be negligent or unwitting victims rather than malicious perpetrators.

Still, the harm such compromises can cause is significant since they’re usually precursors to instances of actual data theft, fraud, sabotage or other malfeasance once the attacker has gained access to the network.

And when the account in question belongs to the organization’s most trusted employees, their privileged access to systems and corporate ‘crown jewels’ means the financial, legal and reputational damage will be altogether worse.

The FBI has extensively studied what it calls “business email compromise” and has created a web page with detailed definitions of the problem, a list of information resources and a section called “How To Protect Yourself.” It’s worth a read.

What’s important to keep in mind is that account compromise is not a one-dimensional problem – and nor is the solution. Instead, mitigation involves a combination of measures involving people, process and technology. Here are some tried and true recommendations for each area.

People

Account compromises are a growing problem mainly because of the weakest link: people. According to IBM’s Cyber Security Intelligence Index report, 95% of all successful cyber breaches are caused by human error. And with more employees now working remotely using a hodge-podge of devices and non-secure networks, the chances of an attack against an unwitting or negligent user will increase proportionally.

The most impactful way to reduce account compromise risk, therefore, is to focus on the human element, ensuring all staff and management remain vigilant and can recognize potential compromise attempts – for instance a spear-phishing attack. Much can be accomplished through continuous training and education programs. And practicing good security hygiene, such as strengthening passwords and keeping software up to date, will pay immediate dividends.

Process

Security policies must be clear, and repeatedly messaged across all departments. Then, the right processes must be implemented to support those policies, and relevant staff trained to carry them out. Implementing and enforcing strong access control procedures and conducting regular penetration testing and red-teaming simulations are good practices, as are requiring multi-factor authentication and even old-school phone confirmations to verify fund transfers. And a key requirement is ensuring that the security team knows how to respond to potential account compromise incidents as they emerge, since time is of the essence.

Technology

Even businesses with the most prepared workforce and sound security processes will suffer account breaches, but the right cybersecurity tools will add much-needed layers of defense. For those account compromise attempts that do succeed, however, early detection and response are crucial.

Many of the same technologies organizations use to detect external threats and malicious insiders – like user entity behavior analysis (UEBA) and security information and event management (SIEM) tools – can be employed to find compromised accounts as well.

The CYDERES Insider Threat Detection & Response (ITDR) solution is one recent entry into the field. Through the ingestion of security data into our CYDERES Cloud Native Analytics Platform (CNAP), ITDR can analyze a wealth of network and user telemetry for signals of insider threat activity, including account compromise.

Like other tools, ITDR detects the behaviors most commonly associated with credential takeovers (or insiders being managed) by outside parties, including unusual login volumes, logins from pre-defined high-risk locations and geographically/temporally impossible login sequences. These cases often lead to data exfiltration, sabotage or ransom attempts.

But ITDR takes detection and response several steps further than traditional SIEM, UEBA and SOC combinations. For one thing, it’s a 24/7 managed service, so there’s no software to buy and no learning curve for SOC staff. Another key differentiator is CYDERES’s use of so-called Bayesian models to provide additional analytic context – thus filtering out many of the false-positive alerts and other noise generated by most SIEMs. It’s the model that does the risk scoring and prioritizing, not the SOC analyst.

ITDR additionally can ingest and analyze any number of non-network data sources, enabling it to, for example, give more weight to events involving privileged vs. non-privileged users, reveal additional types of employee attitudes and stressors and even assess seemingly mundane information such as the dates an employee is out of the office – a prime time for being impersonated.

Since there is rarely malicious intent on the part of the compromised accountholder, the ITDR model also was designed to ingest and analyze more qualitative data that could reveal other potentially risky shortcomings, such as a tendency towards carelessness or even outright negligence. Such information is applied to model nodes with names like [Unwillingness to comply with established rules and procedures].

ITDR analytic results are risk-scored and prioritized using this additional context, and then triaged further by a CYDERES analyst, so that the customer knows exactly which incident alerts need the most immediate attention.

The alerts and related evidence can be used to launch investigations and recover from breaches, but they also form the basis for complying with legal and audit requirements associated with such activity – and for reducing future account compromise risk via policy and control changes.

#   #   #

Note: This blog post is one in a series of CYDERES insider threat profiles. We recently covered IP theft, and will address fraud and sabotage in future posts. For more information, please click on this link to view our two-minute ITDR intro video.

What motivates an individual to steal intellectual property from an organization? What types of employees are most likely to commit IP theft? How do they pull it off? And, most importantly, can they be detected and stopped by the security team before something bad happens?

CYDERES, the security-as-a-service division of Fishtech Group, thinks the answer to the last question is yes. But to succeed, the security team must first have a detailed understanding of the Who-What-When-Why-How of IP theft.

An excellent resource for understanding insider threats in all their various forms was published nearly decade ago, when researchers at Carnegie Mellon University’s Computer Emergency Response Team (CERT) Coordination Center published The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud).

The CERT authors delved deeply into the actions, attitudes and intentions of different kinds of insiders and came up with useful insights that have admirably stood the test of time. Along with the contributions of other experts in the field, these insights have influenced the design of our insider threat mitigation solutions and services.

Below is a summary of CERT’s profile of an IP thief.

• Who: Insiders who steal IP are usually current employees who are scientists, engineers, software programmers and sales personnel. The widespread perception that system administrators are among the biggest culprits, CERT found, is not supported by the research results.
• What: These individuals steal information they worked on directly, such as proprietary software and source code; business plans, proposals and strategic plans; customer information; and product information such as designs, formular and schematics.
• When: CERT found that most insiders stole at least some information within 30 days of resignation. That time frame actually encompasses a 60-day window: 30 days before leaving and 30 days after having left.
• Why: The reasons behind stealing IP can vary widely. One-third of IP thieves are looking to start their own business. Another 40% are starting a new job at a competing business. Most of the remainder represent instances of foreign governments or organizations compromising or enticing insiders to gain access to technologically- or commercially-valuable IP. Interestingly, according to CERT, very few insiders steal intellectual property in order to sell it. Rather, they seek business advantage.
• How: Exfiltration of intellectual property follows one of several tried-and-true pathways, including email, USB drives and removal of physical documents.

For companies worried they may have an IP theft problem but hesitant to launch their own insider threat program, CYDERES provides a range of capabilities through our first of its kind Insider Threat Detection & Response (ITDR) managed service.

ITDR analyzes an organization’s existing trove of user and network telemetry to find clues that an employee is behaving in a potentially adverse manner. It then uses operationally proven AI-based modeling techniques to filter out the excess noise from the data to identify the riskiest players, including IP thieves.

Buried in that telemetry is a wealth of intelligence on the insider’s circumstances and actions, which are an ideal proxy for gauging intent. The probabilistic model underlying our ITDR analytics turns each data point into a model concept and then builds a Bayesian inference network (image below) that captures the relationships between each concept as well as the relative strengths (low/medium/high) and polarities (true/false) between them.

In simple terms, ITDR applies diverse data sources to the model. The data contains indicators of impactful personal or professional events plus a record of day-to-day actions – such as accessing the web or sending an email – and uses the results to assess and prioritize risk from an individual.

There are separate model indicators for behavioral characteristics, network and device activity and more. For the risk modeling component addressing use cases for ‘IP Theft,’ the strong indications relate to financial stress or impending threats to continued employment.

Medium-strength indicators can range from unwillingness to comply with established rules and procedures to anti-malware alerts. Low-strength indicators include an active social media presence or database content changes.

Our CYDERES Cloud Native Analytics Platform (CNAP) ingests the model results and a CYDERES analyst validates and triages them, delivering the results to organizations in the form of detailed incident alerts and the related evidence needed to launch an investigation, comply with legal and audit requirements associated with such activity and enhance future risk mitigation via policy and control changes.

Because it is a managed service, ITDR can be implemented far more quickly than conventional insider threat mitigation solutions, meaning organizations can start mitigating risk via their employees and contractors much sooner.

The Commission on the Theft of American Intellectual Property estimates that annual costs from the loss of IP range from $225 billion to $600 billion. And the 2021 edition of Verizon’s widely respected Data Breach Investigations Report (DBIR) says that around 22% of such incidents are attributable to an assist from or the unilateral act of a trusted insider.

Industry sectors most often targeted, according to a separate CERT blog post, are information technology (35 percent of cases), banking and finance (13 percent) and chemicals (12 percent). But few sectors have escaped the attention of IP thieves.

Given those stakes, mitigating even one act of IP theft could pay huge dividends to an organization, not just financially but also legally, operationally and reputationally.

#   #   #

Note: Future posts in this series will examine other types of insider threat actors, such as The Fraudster and The Saboteur. To learn more about how ITDR can help your organization rapidly deploy an insider threat capability, download our fact sheet here.

National Insider Threat Awareness Month, which wraps up today, has given the cybersecurity community an opportunity to reflect on how the threat landscape has evolved in the past 12 months – and what lessons about detection, deterrence and mitigation can be learned from those changes.

As we did a year ago, let’s examine three of the key lessons.

Lesson #1: Threats Are Quickly Evolving

Disregarding the nearly 50 percent of insider events that can be ascribed to negligent and careless insiders, there are still plenty of malicious actors out there preparing the next insider attack. And they’ve been coming up with novel ways to succeed. Why bother hacking your way into an organization when, for example, you can simply bribe an insider to do it for you? That’s what recent reports say ransomware gangs have been attempting, offering a generous share of ransom payments to the insider who ‘unlocks the back door.’ Most organizations are not yet equipped to detect this and other emerging cyber-attack vectors.

Lesson #2: Vulnerabilities Have Increased

After Covid-19 arrived in early 2020, remote work took firm hold – especially among knowledge workers across a wide swath of industry sectors. With it came a dizzying array of new cybersecurity attack vectors. Along with the more plentiful ‘conventional’ external threat actors, insiders now have better odds of breaching network defenses and stealing intellectual property and sensitive data from the privacy of their own homes. Meanwhile, security teams are scrambling to secure new devices and monitor workers outside the traditional perimeter. Their latest unenviable risk management challenge: the double whammy of a rapidly evolving threat (see Lesson #1) and drastically increased vulnerabilities.

Lesson #3: Don’t Wait to Launch Your Program

Launching an insider threat mitigation program can be a long and complex affair. Detection systems must be selected and deployed, data sources must be connected and staff and management need training in governance and operations. The required commitment in dollars and labor hours before concrete results are obtained can discourage all but the most committed leaders from green-lighting such a program. That said, incidents involving insider threats increased by 47 percent between 2018 and 2020, and no is one predicting the pace will slow. Considering that statistic, coupled with the high cost of cleaning up the mess left behind by an insider attack, the best time to launch an insider threat program was yesterday.

Fortunately, CYDERES Insider Threat Managed Detection & Response managed service is empowering organizations to launch or mature their Insider Threat program very quickly, delivering immediate visibility and results. Learn more in our latest video:

Ransomware gangs continue to find creative new ways of exploiting weaknesses in corporate networks. Now they’ve added a dangerous twist that is sure to make the insider threat problem noticeably worse.

In this latest move, gangs like LockBit are actively recruiting corporate insiders to help them breach and encrypt networks in return for what can amount to million-dollar payouts.

According to a recent article in BleepingComputer, ransomware gangs have traditionally consisted of a core group of developers, who maintain the ransomware and payment sites, and recruited affiliates who breach victims’ networks and encrypt devices, with the affiliate usually receiving 70 to 80 percent of the ransom paid. But LockBit and its counterparts are now “trying to remove the middle-man” by messaging trusted insiders directly rather than using affiliates. The article’s author speculates that while it may seem “counterintuitive to recruit an insider for a network [that’s] already been breached… this message is likely targeting external IT consultants who may see the message while responding to an attack.”

Separately, Brian Krebs of Krebs on Security reports on one gang that offers insiders payouts of 40 percent of the ransom payment. The gangs “seem to have done away with the affiliate model in favor of just buying illicit access to corporate networks,” he adds.

This latest recruitment drive does two things: 1) It increases the pool of likely threats by turning otherwise hesitant insiders into enthusiastic ones; and 2) It significantly heightens the risk that an organization will suffer a major (as opposed to minor) data breach, since the recruits will be seeking the largest possible payout for the unique risk they are taking.

Insider recruitment for pay is the latest in a growing list of use cases for which Fishtech Group business unit CYDERES has designed its new Insider Threat Detection and Response (ITDR) managed service (pictured below).

ITDR, which uses models and other AI-based analytics to process user and network telemetry for early indications of insider intent, is optimized for three specific use cases:

• Data Exfiltration/Sabotage: Detection of excessive file deletions or movements, unusual e-mail activities and consumer web application uploads is critical to preventing the exfiltration or sabotage of data – one of the more prevalent insider threat events. ITDR detects unauthorized or suspicious data access and activity and makes key correlations on file actions and transfers, focusing on ‘crown-jewel’ data in the cloud, apps, databases, file-shares and disks.
• Departing Employees: Individuals who plan to leave the organization or learn they are about to be off-boarded pose a substantial risk to corporate systems and data. ITDR focuses on detecting network and application access patterns that indicate job searches, outreach to competitors and data exfil intent. Response capabilities include proactive alerts on these activities plus changes in behavior and productivity, and forensic reports for use during post-termination reviews.
• Account Compromise: With the right tools, it’s possible to pinpoint behaviors that indicate a potential takeover of credentials by third-party actors via negligent or malicious insiders, at speed and at scale. By detecting unusual login volumes, logins from high-risk locations, or geographically/ temporally impossible login sequences, ITDR excels at alerting investigative teams to instances of potential account compromise – before a data exfil attempt happens.

One could argue that by offering trusted insiders a piece of the action, the LockBits of the world are touching on all three of those use cases.

Whatever the event type, it’s been clear for some time that the insider threat landscape is evolving rapidly. Organizations will need to evolve with it. And even as they address their adversaries’ current innovations, they also should count on even more insidious exploits in the future.

#      #      #

Note: Tune in to our recent ITDR introductory webinar to learn more about the powerful capabilities this managed service can deliver to your organization. Or simply reach out here to schedule a live ITDR demo.