Dealing with the insider threat on your network
Dealing with the insider threat on your network

The insider threat is real and happens on a too-often basis. Just recently, California's Department of Fish and Wildlife (CDFW) issued an internal memo warning that a former employee downloaded worker and vendor records to a personal device without authorization and took the records outside of the state's network.

Breaches such as this expose organizations to reputational damage, loss of employee and customer confidence and challenges to their legal, regulatory or contractual obligations. IT security teams are well-versed in dealing with external attacks, but the insider threat can be a massive blind spot to many organizations.

Enterprises increasingly faced with more sophisticated criminals

Cybercriminal organizations are evolving and morphing into enterprises not dissimilar in structure to legitimate ones. There is an increasing specialization of roles within cybercriminal gangs. These include: systems and network penetrators, phishing professionals, malicious attack vector developers, malware and botnet creators and marketing pros. They are also adept in circumnavigating investigatory powers and the varying standards of evidence across jurisdictions.  And, like many legitimate organizations, they are highly profitable and, therefore, well-funded.

Hackers will exploit human bias in order to gain access to systems and the internal network. According to this article, those with the poorest cyber security behavior in organizations won't bother with their company's cyber security training, believing themselves to already have the appropriate cybersecurity skills or just unwilling to spend time on training.

Cybercriminals are automating attacks, deploying new technologies, such as artificial intelligence and machine learning to mount increasingly sophisticated attacks.

Such technology could help a hacker “speak in a native language when carrying out a phishing attack”, helping to gain the trust of a victim and a way into the internal network.

Data breaches can do more damage than you think

Criminals are doing more damage to organizations than ever before. They are also becoming harder to detect. Once an attacker is inside the network, it can be very hard to detect them until it is too late.

By this time, once a breach has been detected, the relevant authorities need to be notified. Such breaches expose organizations to reputational damage, non-compliance and challenges to their legal, regulatory or contractual obligations.  

Among the largest breaches of 2017 was the Equifax breach which impacted the personal data of more than 145 million users.   However, this was dwarfed by Yahoo; it had to admit that all its user accounts (some three billion) were affected by a breach that took place in 2013, but only came to light last year.

Not only are data breaches becoming more common, the cost of them has also increased by around 11% in 2017. According to Ponemon, the average cost of a breach is around $3.67 million.  Based on a recent Equifax estimate, the cost of that breach was approaching $300M and at one point cost more than $4 billion in market cap.

The new  EU General Data Protection Regulation (GDPR), came into force in May this year which is aimed at strengthening and unifying data protection rules for all individuals within the European Union. Among the changes are stronger consumer consent and mandatory breach reporting within 72 hours where there is a significant risk to data subjects. Failure to comply could lead to hefty fines of up to four percent of global annual revenue.

For any U.S. company that has a web presence, it must treat any European residents' data in a way that ensures appropriate security, "including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures" to conform with the regulation.

Until now, a lot of the traditional investments for the CISO had been towards keeping the bad guys out, through enhancing firewall and perimeter capability and ensuring the secure configuration and hardening of their systems. These are still important steps to take from a security strategy standpoint, but hackers are now very familiar with those controls and they look to circumvent them.

One of the key ways they will do this is to hijack user accounts that are within the environment. Once they can masquerade as a user, they have access to that user's system privileges. The techniques that attackers use to hijack user accounts, may often be able to bypass the perimeter and more traditional security controls.

With data breaches, one of the common techniques used by attackers is the standard phishing email, whereby they will try to convince a victim to visit a website to which they wouldn't normally. Ultimately, it is about getting a foothold in the system. From there, there are a lot of tools available that essentially elevate their privilege. Tools can be used to see who has been on what systems and it is very trivial to hijack those user accounts, even system administrator accounts. Once administrative access has been obtained, attackers have free reign.

After that, security is not so much about monitoring the perimeter anymore; companies need to be looking on the inside -  how communications are happening on the network, how systems are talking to each other and most importantly what are the users doing on the network.

The insider risks

A report recently released by the Institute for Critical Infrastructure Technology found that most cybersecurity incidents (both intentional and accidental) are the result of insider action. Negligent employees are the primary cause of data breaches at small and medium-sized businesses (SMBs) across North America and the UK.

Attackers often have legitimate access to sensitive data and their actions may go completely unnoticed. It is pretty common for attacks to exist on the inside, with attackers on the internal network located there for four to five months before they are detected.

Firstly once an attacker infiltrates a company's network he/she will often deploy persistence mechanisms to retain a foothold.  This means that by the time you do find them, they have been there a long while. Inside, the attackers are mapping the network and understanding where the key resources are. They take the data and get it out of that environment. Through loss of data or damage to reputation, the cost to an organization can easily run into millions.

Another risk is from a disgruntled employee,  where perhaps someone leaving an organization takes it upon themselves to remove admin accounts, change passwords, and delete log files in order to cause havoc.

A third risk is where an employee makes an unintentional error that make systems vulnerable or expose attack surfaces without understanding what the consequences could be.

How to deal with insider security blind spots

In order to meet the insider threat, you need to understand what is going on in the internal network. This means continuous network monitoring and visibility. Traditional security relied solely on looking at activity coming from the outside, largely ignoring the happenings inside the firewall.

Monitoring the activity inside the network exposes malicious behavior, allowing for faster detection and response. With ubiquitous connectivity and new device types making environments more complicated, understanding and monitoring user and machine behavior is imperative.  Being able to identify, correlate and understand anomalies and risky activity is paramount for maintaining a strong security posture.

Security is a continuous effort where you keep out as much of the bad stuff as you can but you should always prepare for and be ready for the situations where things get through. You need a well proven process for how you find the things that get through and how you deal with them.

To make sure you are monitoring on the inside you need to look at what user accounts are doing, such as when they are logging in, and where from. You also need to be looking at their behavior on the network and what they are accessing.

Some of the blind spots here are lateral movements when an attacker moves from one machine to another, avoiding a firewall.

Privileged access is another blind spot. If a systems administrator has been on a user's system to troubleshoot an issue, and this system has been hijacked, it is trivial for the attacker to access the systems administrator's account due to the way that Windows stores that information.

Behavioural analytics can meet the need for security teams to rapidly see, understand and act on user and machine activity on the network which are the means attackers use to deploy evasive techniques (such as Lateral Movement, Privileged Access, System Tools and Rogue Hosts) to reach high-value assets.  

Machine learning can also help by matching user identity to L2-L7 network activity in real-time. Having enriched all the network traffic with a user-context, streaming security analytics can be used to look at what is on the network, detect known indicators of attack (within that traffic) and then monitor specific hosts and users that are acting suspiciously, attributing a risk score to each user associated host.

The great security versus privacy debate: can we have both?

New technologies equip security pros with visibilities into their colleagues' behaviors, but what non-tech support is required to avoid a negative impact on corporate culture? And what is the right way for organizations to deploy surveillance technologies?

With regulations such as GDPR, the rights of the individual become more pronounced. The thing here is to frame security in an organization as something that is proactive and positive rather than regressive and defensive in nature with regards to the employee.

The organization needs to position its responsibility towards protecting its data, its brand and its employees. To leverage this best, continuous monitoring needs to be carried out but with the full knowledge of the employees in order to adhere to regulations.

It has to be clear to employees that they are being monitored at such times as when they access the corporate network for the purposes of keeping the organization's and employee's data safe.

This then leads to the question: are security pros and incident response teams equipped for the organizational impact of monitoring employee activities? This is still a challenge for most organizations, as to monitor from the inside is non-trivial. It takes a combination of technology, people, and process to do it right. To monitor certain types of attacks generates tons of data. This data needs to be made sense of. Even if you just look at IP data, you will miss what the users are doing and who could be impacted.

You need to look at the intersection between the user, the systems, and the network. Technology needs to be in place to make sense of all this and to integrate with the existing workflows of IT security teams to help them see what's on the network, quickly understand it and respond as the need arises.

Minding the cyberskills gap in the enterprise

There is skills shortage in the cybersecurity industry, and while efforts to combat this via various recruitment programs are laudable, technology and automation will play an increasing part in solving the lack of adequately skilled professionals. According to research by ESG, 45 percent of organizations said they have a problematic shortage of cybersecurity skills. Another survey, this time by EY, found that on 12 percent or organizations are likely to detect a sophisticated cyber-attack.

In a lot of organizations, cybersecurity professionals work in a help desk-like fashion with tiered levels to escalate incidents. The big challenge is that for most of the time they are working very inefficiently with lots of manual work to achieve the right outcomes.

These teams measure themselves by mean time to detect and respond to cybersecurity incidents. But the problems here are that while they have a lot of security tools at their disposal, these tools do not integrate well with each other. Also, there is a lot of data generated by security events and not a lot of time to make sense of what is happening in the network. Staff can be overwhelmed.

Automation looks set to be the solution to this. Automation of some of these processes to take some of the thinking out of this work or to help surface the most valuable and relevant information to focus a team's time on is preferable. Some argue that as the objective to cybersecurity is to ensure the business is resilient, the way to achieve this is to be more efficient.

Better automation can help bridge the skills gap most organizations face.

Conclusion

There is an acceptance within most organizations to the CISO level that security is not just a matter of blocking and tackling at the perimeter; security is defense in depth. We have to expect and plan for things that that may slip through and we need to have a robust, proven process for how we deal with that.

Insider threats are common but difficult to deal with. Organizations need the right instrumentation and lens to look at what users are doing in their environment.

If you want to look at the network you have to apply the lens of the user. You have to apply user context to everything that is happening on the network.

You also need some help to sift through data to find those users that are the riskiest. You need the right technology to tell the signal from the noise and assist you in taking action and resolving the problem.

Increasingly, organizations need to invest in monitoring to detect anomalous activity and deal with it effectively.