Businesses have become so preoccupied with large-scale data breaches and threats from cyber criminals that we're forgetting to look inside our perimeter to where the most devastating attacks can originate: the insider threat.
Last week, Queensland’s Crime and Corruption Commission issued a warning to the state government about the threats coming from malicious insiders.
The state's police force learned its lesson the hard way, after one of its cops was convicted of using the agency's secure crimes database to check the history of people he met via a phone dating service.
We can't afford to lose the focus on where the most insidious attacks arise - the trusted, privileged staffers who are abusing their positions for their own gain - by getting distracted by the high-profile breach of the day.
What can we do to address this imbalance and gain a fuller picture of our threat environment?
The concept of an insider threat has been around as long as the security industry. It generally refers to any current or former member of staff, contractor or partner with authorised access to your systems, network, and information.
Many businesses pride themselves on the integrity of their people, with executives and managers saying things like, “We trust our people, so in our business there is no such thing as the insider threat.”
However, when you consider what motivates an attack, where a trusted employee turns against you, there are myriad reasons why that person’s allegiance might have changed.
The kinds of insider threat we face include espionage, fraud, sabotage, and theft, all of which typically link back to some vulnerability in the employee or some change in their circumstances. It may be that a previously loyal employee is now disgruntled after being passed over for promotion, or that they have a personal vulnerability, such as a gambling or drugs habit, which someone has discovered and is using against them.
This vulnerability is exploited by an external threat actor, coercing this once-trusted employee into doing something out of character. For example, a competitor might target a network administrator after finding out they have a large gambling debt they are struggling to clear.
The competitor befriends the vulnerable administrator and asks them to take a few packet captures and pass them on for a significant sum of money. What seems like a simple, potentially even benign act can soon lead to more and more daring thefts, for more and more significant bounty, quickly spiralling out of control.
The other kind of insider threat, which is even more disturbing than a vulnerable employee being turned, is the seemingly dependable, loyal member of staff who has taken the job for no other reason than to attack the organisation. You can easily relate to this kind of attack since it’s the essence of any good spy story.
Countering the threat
The question is what can you do to protect yourself? Identifying behavioural patterns of staff who are acting against your company is often extremely difficult.
Government agencies try to mitigate the risk of rogue insiders through their clearance process, where anyone who needs access to sensitive material must endure a series of invasive interviews and background checks, which go into more depth the further up the classification ladder the job requires them to operate.
However, clearance is really only as useful as the day it is granted. The risk decision as to whether someone should be granted clearance (and hence access to your sensitive information) is based on what has happened in the employee’s life prior to employment. This is a good way to determine whether they may be vulnerable because of the company they keep, their family origins or simply because there is a skeleton in their closet that they want kept hidden.
If it’s discovered that they are simply too risky for access to your most sensitive information, you can stop the employment process at that stage and recruit someone else. No hard feelings.
However, what if they look squeaky clean on the surface of it and they pass the investigation with flying colours? The only way to reduce the risk of them beginning to pose a threat during their tenure is to ensure you don’t give them (or anyone) carte blanche over your systems.
Even the most prominent of your security employees, the guys who should be protecting your systems, need to be audited to make sure they are defending the castle and not digging a tunnel when your back is turned.
Protective monitoring is the service of collecting security events from all of your systems and making sense of them outside the normal operations teams that look after your security onsite. The most successful of these kinds of services are run from offsite security operations centres, where the network administrators and engineers who have privileged access to systems have no rights at all.
If one of your C-suite executives, for example, is up to no good, then the last thing you want when an investigation is imminent is him telling the firewall guy to wipe all the logs just before it starts.
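One way to make the copy held by the offsite collector tamper-evident, so that a log wipe on the on-site firewall shows up as a chain reset at the SOC rather than simply vanishing. This is an added illustration, not the article's own material; the record format, field names, key handling and sample events are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key; real deployments provision a per-host key when the
# forwarding agent is enrolled with the offsite collector.
KEY = b"constructed-demo-key"
GENESIS = "0" * 64

# Constructed sample events from an on-site firewall (field names are assumed).
SAMPLE_EVENTS = [
    {"ts": "2015-06-01T09:00:01", "host": "fw1", "user": "admin", "msg": "login ok"},
    {"ts": "2015-06-01T09:05:12", "host": "fw1", "user": "admin", "msg": "rule 42 disabled"},
    {"ts": "2015-06-01T09:09:03", "host": "fw1", "user": "admin", "msg": "logout"},
]

def _body(seq, prev, event):
    # Canonical bytes covered by both the chain hash and the MAC.
    return json.dumps({"seq": seq, "prev": prev, "event": event}, sort_keys=True).encode()

def chain(events, key, seq=0, prev=GENESIS):
    """Agent side: number each event, link it to the previous record's hash and MAC it."""
    records = []
    for event in events:
        body = _body(seq, prev, event)
        mac = hmac.new(key, body, hashlib.sha256).hexdigest()
        records.append({"seq": seq, "prev": prev, "event": event, "mac": mac})
        prev = hashlib.sha256(body).hexdigest()
        seq += 1
    return records

def verify(state, records, key):
    """Collector side: state holds the next expected seq and prev hash for one host.
    Records already accepted live here, out of reach of the on-site admins."""
    findings = []
    for rec in records:
        body = _body(rec["seq"], rec["prev"], rec["event"])
        mac = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, rec["mac"]):
            findings.append(("bad_mac", rec["seq"]))  # edited in place or in transit
            continue
        if rec["seq"] < state["seq"]:
            findings.append(("seq_reset", rec["seq"]))  # local log wiped, agent restarted
        elif rec["seq"] > state["seq"]:
            findings.append(("gap", state["seq"]))  # records removed before forwarding
        elif rec["prev"] != state["prev"]:
            findings.append(("chain_break", rec["seq"]))  # history rewritten
        state["seq"], state["prev"] = rec["seq"] + 1, hashlib.sha256(body).hexdigest()
    return findings
```

The MAC only catches edits by someone without the agent's key; the real protection is that records already at the collector cannot be wiped from the firewall, so a restarted chain or a numbering gap is itself the alert.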
The insider threat is a clear and present problem for Australian businesses today. It’s also the most complex security issue to build a mitigating solution for.
Our focus in the security industry has shifted too much towards external data breaches, with the myriad technical solutions that can help us spot attacks and block malware and attack patterns.
It’s time to start looking again at where the most dangerous attacks can come from and build a comprehensive auditing solution based on behavioural patterns, not just what’s going on in your perimeter.