Insider threats are becoming an increasingly common part of the attack chain, with malicious insiders and unwitting assets playing critical roles in incidents over the past year, according to Cisco Talos research released Thursday.
In a blog post, Cisco Talos researchers said organizations can mitigate these types of risks via education, user-access control, and ensuring proper processes and procedures are in place when and if employees leave the organization.
“There are a variety of reasons a user may choose to become a malicious insider, and unfortunately many of them are occurring today,” said the researchers. “Let’s start with the most obvious: financial distress. When a user has a lot of debt, selling the ability to infect their employer can be a tempting avenue. We’ve seen examples of users trying to sell access into employer networks for more than a decade, having spotted them on dark web forums. The current climate, [with the economy tilting toward recession], is ripe for this type of abuse.”
Michael DeBolt, chief intelligence officer at Intel 471, said the cybercrime underground remains a hot spot for insider threat recruitment efforts because of the relative anonymity, accessibility, and low barrier of entry it affords. DeBolt said malicious actors use forums and instant messaging platforms to advertise their insider services or, vice versa, to recruit accomplices for specific schemes that require insider access or knowledge.
“By far, the most popular motivation for insider threats is financial gain,” DeBolt said. “We have seen examples of financially-motivated threat actors seeking employees at companies to provide data and access to sell in the underground or leverage against the organization or its customers. We also have noted instances where individuals turn to underground forums and instant messaging platforms claiming to be employees at notable organizations to sell company information.”
Dave Gerry, chief operating officer at Bugcrowd, added that while security technology has gotten more sophisticated at attempting to foil attacks, attackers have continued to find the weak link in the security stack. Gerry said this weak link can often be the employees who operate business-critical software, as they are increasingly under pressure to do more, faster, with fewer resources.
“As a security industry, we often see the fundamentals as obvious. However, focusing on training, empowering and encouraging employees to ‘get back to the basics’ is something that continues to be increasingly important,” Gerry said. “Urgent, unusual, or unknown requests for employee records, financial data, or any other type of sensitive information should be flagged with the appropriate security teams for investigation. The simplest way to prevent these types of attacks from being successful is encouraging employees to slow down and ask questions before providing any sort of information that could be used immediately or used in the future to garner more information from someone else.”
Hank Schless, senior manager, security solutions at Lookout, said insider threats have always been an issue, and with the rapid expansion of corporate infrastructure as reliance on the cloud increases, the problem has only gotten more complex. Schless said that historically, traditional data loss prevention solutions would sit at a defined security perimeter and monitor all inbound and outbound traffic. The difficulty, explained Schless, is that these tools didn’t have any visibility into how users were interacting with data inside that perimeter, so if a user downloaded a file locally or made certain modifications, the security team might not be alerted.
“Some organizations implemented file integrity monitoring solutions that would keep an eye out for file-level changes, but there were even ways to circumvent that,” Schless said. “While the cloud has enabled us to take massive leaps and bounds in collaboration, scalability, and data access from anywhere, it has also introduced more risk. Insiders often have access to far more resources than they actually need to get their job done, which is why attackers have focused so much on phishing employee credentials to kick off their attacks.”
Also of note: September is Insider Threat Awareness Month.