An indictment released earlier this week detailed a Russian national offering a worker, later confirmed to be a Tesla employee, $1 million to install malware on the corporate machines.
While there is a whole library of insider threat research dealing with employee discontent and other red flags, it's easy to imagine just about anyone taking the money. And the threat of big-money bribery might just affect a company’s threat model and the defense needed to stop those threats.
“We’ve had blended threats – insiders working with outsiders – but this seems new,” said Katie Nickels, director of intelligence at Red Canary.
A single, flashy incident doesn't make traditional threats go away, said Nickels. “When something like this comes out, it’s very easy to overweight its importance,” she warned. “Right now, they don’t need the Russian national to approach an employee to install malware.”
But, she said, companies should still “adjust the calculus” when weighing potential insider threats.
Organizations that have not invested resources in defending insider threats should integrate the people defending networks with the people who know the most about employees, Nickels and Justin Fier, director for cyber intelligence and analytics at Darktrace, both recommend integrating.
Nickels noted that the teams monitoring for internal threats are often separate from network defenders, even though either could inform the other.
Fier suggested keeping open communications between security and human resources.
“They have the list of who is going to be let go,” he said. “Those are the people most likely to accept money.”
Detecting insider threats often relies on automated system monitoring traffic for anomalous behavior. But Charles Henderson, head of IBM’s offensive security group X-Force Red, suggested beefing that up by regularly simulating what it would look like to those programs if an employee went rogue.
That can sometimes be difficult in organizations not predisposed to viewing employees as anything but loyal.
“We tell clients ‘Don’t look at the employees as a threat, look at the access you're providing as a threat,’” said Henderson. “‘Don’t look at Jane in accounting, look at the fact someone has access to the accounting network.’ Someone with Jane’s credentials might be stealing files.”