The In and Out of Insider Threats
‘Trust no one, verify everyone’ is a mantra commonly invoked when speaking about Zero Trust Architecture (1). Threat actors are not only out there; they are very much within our own circle of operation. Take the case of Waymo, the self-driving car project of Google’s parent company Alphabet. In 2015-16, Anthony Levandowski, an engineer and founding member of Google’s self-driving car project, downloaded some 14,000 files, including radar and lidar (Light Detection and Ranging) designs and videos of test drives, before leaving to start his own self-driving truck company, Otto. Otto was subsequently bought by Uber, which thereby ended up in possession of Waymo’s intellectual property (IP). Waymo became aware of the theft and sued Uber; Levandowski was later prosecuted.
At his sentencing, US District Judge William Alsup in San Francisco said Levandowski had carried out the “biggest trade secret crime I have ever seen”. Uber had by then dismissed Levandowski, who received a prison sentence of 18 months. In the civil case, Waymo was awarded USD 245 million in Uber shares as part of the settlement.
The possibilities are endless
The Waymo case makes the point that insider threats are a bane of the cyber landscape for CISOs and organizations trying to stem the cyber menace. A bane because insider thefts are attributable to employees who, for reasons ranging from disgruntlement to avarice, indulge in cyber theft with alarming consistency. According to the 2021 Verizon Data Breach Investigations Report (2), insiders are responsible for 22% of all security incidents. In the Ponemon Institute’s 2020 Cost of Insider Threats study (3), researchers found that the average annual cost of insider incidents was USD 11.45 million, with 63% of incidents attributed to negligence. The report went on to identify (4) malicious insider threats as less common than accidental ones, but still significant at 23% of insider incidents.
The Waymo case, however, is just one of many. Noteworthy among others are the July 2020 Twitter incident, in which employees’ access to internal tools was compromised to run a bitcoin scam through high-profile accounts; the Marriott International breach of more than 380 million guest records, attributed to poor monitoring and employee negligence, for which the UK Information Commissioner’s Office announced its intention to fine the company in July 2019; the 2019 exposure of a MongoDB database holding records on an estimated 275 million Indian users, left publicly accessible without authentication through administrator error (a misconfiguration, not a zero-day vulnerability); and the 2018 leak of Apple’s iBoot (iOS bootloader) source code, traced to an intern who had taken it and shared it with friends in the iOS jailbreaking community.
Finance and insurance, federal, state and local government, healthcare, manufacturing and entertainment are reported to be the main sectors where malicious actors and employees misuse their access privileges. The public sector suffers the most from lost or stolen assets and, alongside healthcare and finance, ranks in the top three for negligent errors.
Defining the threat
A good definition comes from the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (5): ‘An insider threat is generally defined as a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally misuses that access to negatively affect the confidentiality, integrity, or availability of the organization’s information or information systems.’
Broadly speaking, based on intent, malicious actors and negligent insiders constitute the two main types of insider threat. A malicious actor may be an employee or an external party with access to sensitive data who turns to cybercrime for financial or other gain. Negligent insiders, on the other hand, are employees who inadvertently make mistakes, such as falling for a social engineering scam or handling a company device carelessly.
Where to look
Human nature being what it is, malicious actors and employees turn to cybercrime for reasons ranging from financial gain and bribery to sabotage or affiliation with state-sponsored hacking groups, while negligence accounts for the unintentional cases.
CISA says it is vital that organizations understand employees’ normal baseline behaviors and also ensure employees understand how they may be used as a conduit for others to obtain information. It lists the kinds of behavior one is likely to observe when an insider is engaged in theft for malicious reasons:
- Remotely accesses the network while on vacation, sick, or at odd times
- Works odd hours without authorization
- Notable enthusiasm for overtime, weekend, or unusual work schedules
- Unnecessary copying of material, especially if it is proprietary or classified
- Interest in matters outside of the scope of duties
- Signs of vulnerability, such as drug or alcohol abuse, financial difficulties, gambling, illegal activities, poor mental health, or hostile behavior
- Acquisition of unexpected wealth, unusual foreign travel, irregular work hours, or unexpected absences
IT Governance (6) offers a list of employee behaviors that could point to cybercrime in the making. These include, but are not limited to:
- Using unauthorized storage devices or services (such as USB drives and personal cloud storage)
- Network crawling and searching for sensitive data
- Data hoarding
- Copying files from sensitive folders
- Emailing sensitive data to non-work-affiliated accounts
- Attempting to bypass security mechanisms
- Violating the organization’s security policies
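One way to turn the two indicator lists above into detection logic, as an added example (not code from the article, CISA or IT Governance): a small Python rule set run over constructed audit events. It flags remote access outside a user’s normal hours or while on leave (the CISA indicators) and bulk copying from sensitive folders to removable media or mailing sensitive files to non-work accounts (the IT Governance indicators). The working hours, leave calendar, sensitive folder roots, corporate domain, bulk-copy threshold and the event format are all assumptions; a real deployment would take them from the HR system, DLP classifications and the SIEM.

```python
"""Rule-based insider-threat indicators over constructed audit events.

Added example, not part of the original article. Event format, directory,
sensitive folders, corporate domain and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, date

CORPORATE_DOMAIN = "example.com"                       # assumed corporate mail domain
SENSITIVE_PREFIXES = ("/share/finance/", "/share/rd/")  # assumed sensitive folder roots
BULK_COPY_THRESHOLD = 5                                 # copies per user per day that count as "bulk"

# Constructed HR directory: normal working window (local hour, start inclusive,
# end exclusive) and the dates on which the user is recorded as on leave.
DIRECTORY = {
    "alice": {"hours": (8, 18), "on_leave": set()},
    "bob":   {"hours": (9, 17), "on_leave": {date(2021, 6, 14)}},
    "carol": {"hours": (9, 17), "on_leave": set()},
}

# Constructed audit events: (timestamp, user, type, detail). VPN logins carry the
# source IP, copies carry "src->dst", mails carry "recipient|attachment path".
EVENTS = [
    ("2021-06-14 10:12", "bob",   "vpn_login", "203.0.113.7"),    # bob is on leave that day
    ("2021-06-15 02:40", "alice", "vpn_login", "198.51.100.9"),   # 02:40 is outside 08-18
    ("2021-06-15 10:05", "carol", "vpn_login", "192.0.2.10"),     # normal
    *[(f"2021-06-15 11:{m:02d}", "alice", "copy",
       f"/share/rd/lidar/design_{m}.pdf->E:/") for m in range(6)],  # 6 copies to a USB drive
    ("2021-06-15 11:30", "carol", "copy", "/share/hr/handbook.pdf->E:/"),  # not a sensitive root
    ("2021-06-15 12:01", "alice", "mail", "alice.home@mail.test|/share/rd/lidar/design_0.pdf"),
    ("2021-06-15 12:05", "carol", "mail", "dave@example.com|/share/finance/q2.xlsx"),  # internal
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def remote_access_findings(events, directory):
    """CISA indicators: remote access while on leave, off-hours or on a weekend."""
    findings = []
    for ts, user, kind, _detail in events:
        if kind != "vpn_login" or user not in directory:
            continue
        when = parse(ts)
        start, end = directory[user]["hours"]
        if when.date() in directory[user]["on_leave"]:
            findings.append((user, "access_while_on_leave", ts))
        elif when.weekday() >= 5 or not (start <= when.hour < end):
            findings.append((user, "off_hours_access", ts))
    return findings


def exfil_findings(events):
    """IT Governance indicators: bulk copying from sensitive folders to removable
    media, and mailing sensitive files to non-corporate recipients."""
    findings = []
    copies = defaultdict(list)  # (user, day) -> sensitive paths copied off the share
    for ts, user, kind, detail in events:
        if kind == "copy":
            src, dst = detail.split("->")
            # A destination that is not an absolute share path is treated as removable media.
            if src.startswith(SENSITIVE_PREFIXES) and not dst.startswith("/"):
                copies[(user, ts[:10])].append(src)
        elif kind == "mail":
            recipient, attachment = detail.split("|")
            domain = recipient.rsplit("@", 1)[-1].lower()
            if domain != CORPORATE_DOMAIN and attachment.startswith(SENSITIVE_PREFIXES):
                findings.append((user, "sensitive_mail_to_external", recipient))
    for (user, day), paths in copies.items():
        if len(paths) >= BULK_COPY_THRESHOLD:
            findings.append((user, "bulk_sensitive_copy_to_removable", f"{len(paths)} files on {day}"))
    return findings


def run(events=EVENTS, directory=DIRECTORY):
    """Return every (user, rule, evidence) triple the rules raise."""
    return remote_access_findings(events, directory) + exfil_findings(events)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Each finding carries the evidence an analyst needs (the timestamp, recipient or file count) rather than a bare alert, and the leave-calendar check takes precedence over the off-hours check so a single login is reported once under the more specific rule. On the constructed events the rules raise four findings, all for alice and bob, and nothing for carol.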
Prevention
Gartner (7) offers a way to prevent or mitigate insider threats. In its view, CISOs need to know who is at risk, what the source of the risk is and what triggers can activate risky behavior. The article places the responsibility squarely on their shoulders: the endgame cannot be the mere deployment of a security product, but must involve ‘implementing a process, increasing user awareness and creating an incident response plan’; in short, a multifaceted, multidisciplinary approach.
It advises CISOs to build threat scenarios and incident response plans focused on three key areas:
- Investing in monitoring and surveillance capabilities to gain more visibility into assets and people
- Building profiles and personas of employees and associates specific to the organization, to identify unusual and high-risk activity
- Building and maintaining a database of past insider threats
IBM (8) says that thoroughly knowing your users, their privileges and your data is key to preventing insider threats. It advocates:
- a Privileged Access Management (PAM) solution with risk scores allocated to users
- a security model with a baseline of normal behavior for each user, and a mechanism for tracking deviations from that baseline
- systems such as behavioral analytics to detect malicious or negligent behavior
- a Security Orchestration, Automation and Response (SOAR) system for remediation, such as revoking access through an Identity and Access Management (IAM) solution.
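As an added example (not the article’s or IBM’s code) of the baseline, deviation-tracking and automated-response steps just listed: a Python sketch that builds a per-user baseline from constructed history, scores a new day’s activity against it, weights the score by a PAM-style privilege factor, and runs a SOAR-style playbook that revokes sessions and disables the account through a simulated IAM interface once the score crosses a threshold. The metrics (files read, megabytes uploaded), the weights, the thresholds and the in-memory IAM stand-in are all assumptions made for the example.

```python
"""Per-user behavioral baseline, deviation scoring and automated response.

Added example, not the article's or IBM's code. Metrics, weights, thresholds,
the privilege weighting and the simulated IAM are assumptions.
"""
from statistics import mean, pstdev

# Constructed 10-day history per user: (files_read, mb_uploaded) per working day.
HISTORY = {
    "alice": [(40, 5), (38, 4), (45, 6), (42, 5), (39, 5),
              (41, 4), (44, 6), (40, 5), (43, 5), (38, 4)],
    "bob":   [(120, 20), (115, 18), (125, 22), (118, 19), (122, 21),
              (119, 20), (121, 20), (117, 19), (123, 22), (120, 20)],
}
# PAM-style weighting: a privileged account scores higher for the same deviation.
PRIVILEGE_WEIGHT = {"alice": 1.0, "bob": 1.5}   # bob holds a privileged role (assumed)
METRIC_WEIGHTS = (0.4, 0.6)                       # files_read, mb_uploaded (assumed)
ALERT_THRESHOLD = 3.0                             # raise an alert for an analyst
REVOKE_THRESHOLD = 6.0                            # revoke access automatically


def build_baseline(history):
    """Per-user, per-metric (mean, population stddev) computed from the history."""
    baseline = {}
    for user, days in history.items():
        columns = list(zip(*days))
        baseline[user] = [(mean(c), pstdev(c)) for c in columns]
    return baseline


def deviation_score(user, today, baseline):
    """Weighted sum of positive z-scores (only excess over the baseline is risky),
    scaled by the privilege weight. A near-constant history gets a 1-unit floor
    on the stddev so a tiny change is not reported as an enormous deviation."""
    score = 0.0
    for (mu, sigma), value, weight in zip(baseline[user], today, METRIC_WEIGHTS):
        z = (value - mu) / max(sigma, 1.0)
        score += weight * max(z, 0.0)
    return round(score * PRIVILEGE_WEIGHT.get(user, 1.0), 2)


class SimulatedIAM:
    """Stand-in for an IAM/PAM API: tracks enabled state, live sessions and an audit trail."""

    def __init__(self, users):
        self.state = {u: {"enabled": True, "sessions": {f"{u}-sess-1", f"{u}-sess-2"}}
                      for u in users}
        self.audit = []

    def revoke_sessions(self, user):
        count = len(self.state[user]["sessions"])
        self.state[user]["sessions"].clear()
        self.audit.append(("revoke_sessions", user, count))

    def disable(self, user):
        self.state[user]["enabled"] = False
        self.audit.append(("disable", user))


def playbook(user, score, iam):
    """SOAR-style decision: no action, alert, or revoke-and-disable by risk score."""
    if score >= REVOKE_THRESHOLD:
        iam.revoke_sessions(user)
        iam.disable(user)
        return "revoked"
    if score >= ALERT_THRESHOLD:
        return "alert"
    return "none"


def evaluate_day(observations, history=HISTORY):
    """Score each user's activity for a new day and run the playbook.
    Returns ({user: (score, action)}, iam) so the response can be inspected."""
    baseline = build_baseline(history)
    iam = SimulatedIAM(history)
    results = {}
    for user, today in observations.items():
        score = deviation_score(user, today, baseline)
        results[user] = (score, playbook(user, score, iam))
    return results, iam


if __name__ == "__main__":
    # Constructed new day: alice behaves normally; bob reads four times his usual
    # number of files and uploads ten times his usual volume.
    results, iam = evaluate_day({"alice": (41, 5), "bob": (480, 200)})
    print(results)
    print(iam.audit)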
In Conclusion
The seriousness of insider threats is being increasingly felt. Chris Krebs, former CISA Director (9), recently put the matter in perspective when he called for legislation to crack down on them. He stated, “When you’re talking about companies that are providing a service to the federal government — not just the Department of Defense but the civilian agencies as well — I would expect to see enhanced requirements not just on the external threat management, but also insider threat management.”
His message was clear: insiders and human interfaces represent a significant risk to any organization holding sensitive data, and threat identification and remediation measures therefore merit a place as a must-have component of its cybersecurity program.
These measures will, one hopes, mitigate if not eliminate the dangers of this type of cybercrime.
Aurora, with its suite of cybersecurity solutions spanning Zero Trust Architecture, Vulnerability Management, Identity and Access Management (IAM), Mail Security, Security Information and Event Management (SIEM), and Incident Response, is a complete cybersecurity partner for all your insider threat needs.
For more information, visit our website www.aurorait.com, or call us at +1 888 282 0696
References:
1. The Importance of Implementing a Zero Trust Security Model | Aurora (aurorait.com)
2. What is a Cyber Security Insider Threat? Definition and Examples | IT Governance
3. What are insider threats? | IBM
4. 8 of the world’s biggest insider threat security incidents | Infosec Resources (infosecinstitute.com)
5. Insider Threat – Cyber | CISA
6. What is a Cyber Security Insider Threat? Definition and Examples | IT Governance
7. 3 Ways To Stop Insider Threats (gartner.com)
8. What are insider threats? | IBM
9. Insider Threats: An Age-Old Problem (forbes.com)