The cyber enemy within: Rise of the insider threat
How to spot and prevent one of the most difficult threats to identify
Short of time?
Large-scale cyber attacks led by skilled hackers using ultra-sophisticated malware and zero day vulnerabilities are never far from the headlines at the moment.
High-profile breaches such as those at US retailers Home Depot and Target serve as an important reminder for IT security teams on the need to stay one step ahead of those trying to break through their perimeter.
Unfortunately, they also make it all too easy for organisations to focus their attention on the outside threats and overlook those a little closer to home.
However, insiders represent a significant problem for IT security teams. Indeed, a recent report by AlgoSec found that almost two-thirds of information security and IT professionals rate insiders as their greatest risk. So what are they doing about it?
Organisations have built up a huge array of network security systems and controls, such as data loss prevention (DLP) systems, encryption, firewalls, IDS and anti-virus packages – but these are failing to deliver total security.
Bill Anderson from Oculis Labs hit the nail on the head when he said that whilst a focus on network security might keep out the external attackers, it won’t be enough to prevent insider-driven breaches.
The problem is that the majority of network security solutions are only geared up to identify the known threats, which leaves organisations wide open to unknown threats, such as those from totally new attacks or insiders who have wider access.
Know your enemy
Before they can tackle insider threats effectively, organisations must first understand where the risks lie and why they’re created.
The obvious reason is that insiders have special privileges that external attackers do not.
They already have access to the network and systems, and can compromise sensitive data all too easily; often without intending to, through ignorance, negligence, or just plain carelessness.
The problem is exacerbated further by the decreasing number of dedicated resources that organisations now have, with many employees being replaced by contractors, third-party support personnel and service providers.
For example, cloud-based IT services are typically staffed by non-employees, who administer service platforms that are beyond both the control and visibility of the organisation.
Systems that depend solely on the cloud service provider for security can create very broad insider risks in this sense.
It is also a real challenge to address every eventuality in which an insider could be acting against the organisation.
Since different insiders have differing motives, skill sets, risk profiles and access privileges, the controls put in place to address one scenario may be completely ineffective in another.
For instance, IT security teams must choose effective controls to deal with a diverse range of situations that could include data breaches that are accidental or opportunistic, or made possible by misconfigured systems, an administrator circumventing stringent controls or inappropriate levels of privilege for insiders.
There have been many attempts to tackle this broad range of insider threats head-on. For example, the FBI tried to develop a tool that could predict insider behaviour and stop cybercriminals before they could do any harm, but the results met with little success.
It has since moved to a behavioural baselining methodology to detect anomalous insider activity as it occurs. This approach monitors how IT users are operating on the system and how that looks in a wider context to identify when they are behaving abnormally.
The FBI’s CSO claims that this approach is far more effective. When combined with machine learning and activity profiling, behaviour anomaly detection solutions such as this can quickly detect activity that would signpost a potential malicious insider threat and alert organisations, allowing them to take action before it is too late.
There are also more fundamental processes that can be implemented in order to reduce the threat from malicious insider activity.
For example, it is essential to set access rights based on user roles, so that only those employees that have a real need to access a given resource have the ability to do so.
Separating duties can also prevent subversion or collusion, and avoids implicating personnel in activities in which they had no part.
The most useful controls are those that provide evidence to support their operation, which is generated continuously through normal use; such as collection and regular analysis of event logs.
In most cases, victims of insider breaches could have found evidence of data breaches in their log files, if only they had looked.
For example, if a certain user is accessing hundreds of documents that aren’t reasonably justifiable as being within their remit, then the alarm should be triggered and the breach can be dealt with much sooner.
>See also: The 2014 cyber security roadmap
Imagine the hassle that this approach could potentially help to avoid by detecting insiders like Bradley Manning or even Edward Snowden before they were able to leak secret government documents.
What this all adds up to is the need for organisations to avoid over-reliance on network security systems and signature-based tools to focus on the early detection, investigation and verification of risks to the enterprise.
This will enable them to take the appropriate action to deal with any given threat, regardless of the source or motive.
In order to do so, they must have the ability to instantly detect when systems, processes or people are behaving abnormally, which is often the first and clearest indicator that something’s not as it should be.
Sourced from Piers Wilson, Tier-3 Huntsman