5 steps organizations can take to thwart insider security threats
A few years ago, if someone had asked me to talk about insider threats, I might have been less-than-excited about the subject.
We all hear news about credit card or healthcare data being stolen, or lately, election-related hacking. Images come to mind of darkly clothed people sitting in the shadows somewhere far away—perhaps working with a foreign government or a sophisticated cybercrime group. Few of us consider that the person sitting in the cubicle down the hall could be a cyberattacker.
But in my recent conversations with security leaders, the subject of insider threats has been voiced as a top reason that organizations are seeking new approaches to cybersecurity. Among our customers, we have also seen an increase in the number of actual malicious insider events.
So the question comes up: What are the steps my organization should be taking to stop malicious insiders?
Here are five top things to consider:
Ordinary people have a cybercrime arsenal at their fingertips
Cybersecurity starts by understanding the threat. Sophisticated attack tools are freely available on the Internet, so anyone with malicious intent and a modest understanding of computers can become an attacker. For example, to get hold of someone else's credentials, you don't have to know how to dump the memory of the LSASS process, parse it, work out the credential structures, and extract password hashes.
You only need to go to GitHub and download Mimikatz, a tool that does all of it for you. Depending on what is at risk within your organization, you may need to change a number of things, from what you're monitoring to how you're hiring. But the core point is that a far broader range of people can now execute attacks that once required expert skill.
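One concrete change to "what you're monitoring" is to watch for processes that open a read handle on lsass.exe, which is what Mimikatz (and most other dumpers) must do regardless of what the binary is named. The block below is an added example, not code from the original article: it runs a simple detection over a few constructed Sysmon Event ID 10 (ProcessAccess) records rendered as the "Key: Value" lines Event Viewer shows. The allowlist of images that legitimately read LSASS memory is hypothetical and must be tuned to the AV/EDR actually deployed.

```python
"""Flag credential-dumping style handle opens on lsass.exe.

Added example (not from the original article). Input records are constructed
Sysmon Event ID 10 events; the allowlist is a hypothetical starting point.
"""

# Win32 process access rights (subset) that matter for credential dumping.
PROCESS_VM_READ = 0x0010       # read another process's memory
PROCESS_ALL_ACCESS = 0x1FFFFF  # everything; some tools just ask for this

# Hypothetical allowlist of images that legitimately read LSASS memory
# (AV/EDR engines, core OS processes). Tune to the environment.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed sample records: a benign AV read, a dumper launched from a user
# profile, and a query-only open (0x1000) that must not alert.
SAMPLE_EVENTS = [
    """EventID: 10
UtcTime: 2019-03-04 09:12:01.114
SourceImage: C:\\Program Files\\Windows Defender\\MsMpEng.exe
TargetImage: C:\\Windows\\System32\\lsass.exe
GrantedAccess: 0x1410""",
    """EventID: 10
UtcTime: 2019-03-04 09:15:44.920
SourceImage: C:\\Users\\jdoe\\Downloads\\mimikatz\\x64\\mimikatz.exe
TargetImage: C:\\Windows\\System32\\lsass.exe
GrantedAccess: 0x1010""",
    """EventID: 10
UtcTime: 2019-03-04 09:16:02.003
SourceImage: C:\\Windows\\System32\\svchost.exe
TargetImage: C:\\Windows\\System32\\lsass.exe
GrantedAccess: 0x1000""",
]


def parse_event(text):
    """Parse the rendered 'Key: Value' lines of one event into a dict.

    Splits on the first colon only, so 'C:\\...' paths survive intact.
    """
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_suspicious_lsass_access(ev):
    """Return a reason string if this record looks like credential dumping, else None.

    The decision keys on the target and the granted access mask, not on the
    source file name, so a renamed mimikatz.exe is still caught.
    """
    if ev.get("EventID") != "10":
        return None
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    source = ev.get("SourceImage", "").lower()
    if source in ALLOWLIST:
        return None
    mask = int(ev.get("GrantedAccess", "0"), 16)
    if mask == PROCESS_ALL_ACCESS:
        return f"{source} opened lsass.exe with PROCESS_ALL_ACCESS"
    if mask & PROCESS_VM_READ:
        return f"{source} opened lsass.exe with PROCESS_VM_READ (GrantedAccess 0x{mask:x})"
    return None


def scan(events):
    """Run the detection over rendered events; returns [(UtcTime, reason), ...]."""
    hits = []
    for text in events:
        ev = parse_event(text)
        reason = is_suspicious_lsass_access(ev)
        if reason:
            hits.append((ev.get("UtcTime"), reason))
    return hits


if __name__ == "__main__":
    for when, reason in scan(SAMPLE_EVENTS):
        print(when, reason)
```

Only the second record fires: Defender is allowlisted, and the svchost.exe open asks for query-limited information without VM_READ. In production the allowlist is the part that needs care, since an insider with local admin can also launch a dumper under an allowlisted name; pair this with a check that the source image is signed and lives in the expected directory.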
Build a strong relationship with the Human Resources department
An environment of openness and trust is an important business asset, so security controls and monitoring can't be invasive or administered prejudicially. Even so, IT security should be alerted when an employee exhibits hostile behavior toward the company or coworkers. That may be an opportunity to proactively identify suspicious use of IT resources before a serious compromise occurs.
Also, if an incident occurs and action needs to be taken quickly, that’s not the time when you’ll want to be having your first discussion with HR about cybersecurity.
Know where your credentials are
Credential hygiene is critical whether you are dealing with external attackers or malicious insiders. Some insiders, such as IT administrators, already hold highly privileged, authorized access to valuable systems. Normally, though, a central task for an attacker is to expand their sphere of access by moving laterally from the system they are on to the systems they ultimately want to reach.
To conduct lateral movement, they need credentials. Every organization has at least basic ways of controlling access to IT resources, and many have sophisticated layered defenses. But be careful not to adopt a false sense of security. Through normal business activity, user credentials end up hidden in places where they don't belong: cached by browsers, embedded in scripts and applications for convenience, or left behind by remote IT support, since a session that is disconnected rather than logged off leaves the administrator's credentials cached in memory on that machine.
The spread of credentials changes constantly, so it is virtually impossible to control manually. Until recently, technology vendors left a gaping hole here; in fact, attackers have been more efficient at finding hidden credentials than the average corporate security team. Yet finding and removing them is a crucial step in reducing the risk of malicious insider incidents.
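Some of the hiding places above can be found with a few lines of code. The block below is an added example, not code from the article or from any product it mentions: it scans file contents for URLs carrying `user:password@` (the form that ends up in shell history, scripts and exported browser history) and for password, secret and key assignments in configs and connection strings, reports them redacted, and skips values that are obviously environment references or placeholders. The sample files, the regexes and the placeholder heuristics are constructed assumptions, not a complete secret-detection ruleset.

```python
"""Find credentials left behind in files.

Added example, not from the original article. Sample files are constructed;
patterns and placeholder heuristics are assumptions to tune per environment.
"""
import os
import re

# scheme://user:password@host  (shell history, scripts, exported browser history)
URL_USERINFO = re.compile(r"\b([a-zA-Z][a-zA-Z0-9+.-]*)://([^\s/:@]+):([^\s/@]+)@([^\s/]+)")

# password=..., "api_key": "...", Password=...; inside connection strings, etc.
KEY_VALUE = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|access[_-]?key|token)\b"
    r"\s*[\"']?\s*[=:]\s*[\"']?([^\s\"';,]+)"
)

# Values that are references or placeholders rather than secrets (heuristic).
PLACEHOLDER_PREFIXES = ("${", "%", "<", "{{")
PLACEHOLDER_MARKERS = ("environ", "getenv", "changeme", "example")

# Constructed sample files: a script with a basic-auth URL, a .NET config
# with a connection string, and a settings file that only references secrets.
SAMPLE_FILES = {
    "deploy.sh": "curl -s https://svc_backup:Winter2017!@files.corp.example/share/backup.zip -o /tmp/b.zip\n",
    "appsettings.json": '{"ConnectionStrings": {"Crm": "Server=db01;Database=Crm;User Id=app;Password=P@ssw0rd!;"}}\n',
    "settings.py": 'DB_PASSWORD = os.environ["DB_PASSWORD"]\nAPI_KEY = "${VAULT_API_KEY}"\n',
}


def redact(value):
    """Keep the first two characters so an analyst can recognise the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def looks_like_placeholder(value):
    lowered = value.lower()
    return lowered.startswith(PLACEHOLDER_PREFIXES) or any(m in lowered for m in PLACEHOLDER_MARKERS)


def find_credentials(name, text):
    """Scan one file's text; returns [(file, line_no, kind, redacted_detail), ...]."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in URL_USERINFO.finditer(line):
            scheme, user, password, host = m.groups()
            findings.append((name, line_no, "url_userinfo",
                             f"{scheme}://{user}:{redact(password)}@{host}"))
        for m in KEY_VALUE.finditer(line):
            key, value = m.groups()
            if looks_like_placeholder(value):
                continue
            findings.append((name, line_no, "key_value", f"{key}={redact(value)}"))
    return findings


def scan_tree(root, max_bytes=1_000_000):
    """Walk a directory on disk and scan every readable file up to max_bytes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(find_credentials(path, fh.read()))
            except OSError:
                continue
    return findings


def scan_samples():
    """Run the scanner over the constructed in-memory samples."""
    findings = []
    for name, text in SAMPLE_FILES.items():
        findings.extend(find_credentials(name, text))
    return findings


if __name__ == "__main__":
    for finding in scan_samples():
        print(*finding)
```

Two findings come back, one per leaked secret, while `settings.py` is clean because both values are references rather than secrets. Run `scan_tree` against home directories, deployment shares and script repositories, and treat every hit as a credential to rotate, not just a file to clean, since you cannot know who already read it.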
Early detection requires new approaches
One of our customers, almost immediately after installing Illusive, detected suspicious insider activity. The person was caught when he tried to access a fake file share. Forensic data enabled very targeted data mining, and the customer soon determined that the employee had been exfiltrating customer IP for almost six months. Other related alerts had fired over that time, but they were overlooked among the thousands of other alerts in the SOC.
Traditional monitoring can work against insider detection: an insider's activity is authenticated and looks like routine use, and the alerts it does raise are buried among thousands of others. Deception is worth considering because a decoy has no legitimate business use, so any access to it is a high-confidence signal. That makes it a streamlined way to detect malicious snooping and lateral movement without adding noise in the SOC.
Early detection is critical but hasty reaction can be costly. I recently heard of another situation in which an IT person, immediately after detecting suspicious activity, took the individual’s computer offline. Unfortunately, by acting so quickly, the organization lost an opportunity to continue observing the user’s behavior and was never able to determine whether the activity was truly malicious.
To strike the right balance, organizations need both forensic evidence and broad risk visibility. Was the suspicious person close enough to critical databases or other assets to cause significant damage? If not, rather than pulling the plug, you would probably want to spend more time observing.
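The proximity question can be answered mechanically once you know where credentials are cached and what each one grants. The block below is an added example, not code from the article or from Illusive's product: it models lateral movement as a graph in which a credential cached on one host lets an attacker log on to every host where that account has admin rights, runs a breadth-first search from a suspicious workstation to the crown jewels, and re-checks the result after one leftover credential is cleaned up. Host names, accounts and rights are constructed for illustration.

```python
"""How many hops is a suspicious host from the crown jewels?

Added example, not from the original article or any vendor product. All
hosts, accounts and rights below are constructed for illustration.
"""
from collections import deque

# Accounts with credential material cached on each host (constructed).
CACHED_CREDS = {
    "WS-0412": {"jdoe", "helpdesk_admin"},   # helpdesk session disconnected, never logged off
    "FS-01": {"svc_backup", "helpdesk_admin"},
    "WS-0200": {"asmith"},
    "SQL-CRM-01": {"sqladmin"},
}

# Hosts where each account has admin rights, i.e. can log on and dump the
# next set of cached credentials (constructed).
ADMIN_RIGHTS = {
    "jdoe": {"WS-0412"},
    "asmith": {"WS-0200"},
    "helpdesk_admin": {"WS-0412", "WS-0200", "FS-01"},
    "svc_backup": {"FS-01", "SQL-CRM-01"},
    "sqladmin": {"SQL-CRM-01"},
}

CROWN_JEWELS = {"SQL-CRM-01"}


def shortest_attack_path(start, cached=CACHED_CREDS, rights=ADMIN_RIGHTS, targets=CROWN_JEWELS):
    """BFS over host-to-host edges induced by cached credentials.

    Returns [(host, credential_used_to_reach_it), ...] from start to the
    first crown-jewel host found, or None if no path exists. Sorting makes
    the traversal order, and therefore the reported path, deterministic.
    """
    prev = {start: None}            # host -> (previous host, credential) or None
    queue = deque([start])
    while queue:
        host = queue.popleft()
        if host in targets:
            path = []
            while host is not None:
                edge = prev[host]
                path.append((host, edge[1] if edge else None))
                host = edge[0] if edge else None
            return path[::-1]
        for cred in sorted(cached.get(host, ())):
            for nxt in sorted(rights.get(cred, ())):
                if nxt not in prev:
                    prev[nxt] = (host, cred)
                    queue.append(nxt)
    return None


def hops_to_crown_jewels(start, **kw):
    """Number of lateral moves needed from start, or None if unreachable."""
    path = shortest_attack_path(start, **kw)
    return None if path is None else len(path) - 1


def after_cleanup(host, cred, cached=CACHED_CREDS):
    """Copy of the cache with one leftover credential removed, to test a remediation."""
    fixed = {h: set(c) for h, c in cached.items()}
    fixed[host].discard(cred)
    return fixed


if __name__ == "__main__":
    for host, cred in shortest_attack_path("WS-0412"):
        print(f"{host:12s} reached via {cred or '(starting point)'}")
    print("hops:", hops_to_crown_jewels("WS-0412"))
    print("hops after removing helpdesk_admin from WS-0412:",
          hops_to_crown_jewels("WS-0412", cached=after_cleanup("WS-0412", "helpdesk_admin")))
```

From WS-0412 the search finds a two-hop path: the helpdesk administrator's leftover credential reaches FS-01, where the backup service account is cached, and that account is an admin on the CRM database. The same user on WS-0200 has no path at all. Removing the one stale credential from WS-0412 also removes the path, which is the kind of evidence that lets you decide whether to keep observing a suspicious user or to act now.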
Unfortunately, because insiders have deeper knowledge of the organization than outsiders, they can often move faster. The onus is on defenders to shorten detection and response times—without acting hastily.