“The call is coming from inside the house!”
The most starry-eyed misconception about cybersecurity is that the good guys are inside and the bad guys are out there. Although this is not an unfair characterization: the “us vs. them” dichotomy; it is ultimately a false sense of security which many organizations fall victim to.
In our previous blog post about the role of social engineering in cybersecurity, we suggested that a company’s most valuable, yet most vulnerable, asset is its people. We also proposed some ways that we could gauge the likelihood that our people could be exploited in this post about vulnerability and risk management in cybersecurity.
We did not, however, consider whether it would be the case that our own people would do us in.
What are insider threats?
The term “insider threat” sounds so ominous because we want to believe that our own people are trustworthy. Devin in accounting doesn’t particularly seem shady. Ramsey, the new analyst, and Peyton, the second shift manager, both appear to be upstanding staff members.
It would be completely paranoid to think that any of them could steal from the company, right? The default is to inherently trust your company’s employment decisions. After all, we ran background checks, signed agreements, and invested in these individuals’ success through development and benefits.
Something to keep in mind when considering how dangerous our own people can be to our operations is that not every insider threat is intentional. A compromised credential could lead to exploitation of access by an opportunistic outsider, but the threat may have originated from a lapse in judgment by our trusted insider with no malicious intent.
Insider threats can also come in the form of policy evaders, users who take shortcuts to workaround tedious or inconvenient policies and procedures, or trusted third parties who may not have policies and procedures that coincide with your company’s safeguards. On the far end of the spectrum, we hear horror stories of compromised employees committing grand-scale larceny, defacement of property, or sabotage.
A perfect storm: ideal conditions for insider threats.
A depressed economy, increasing worker demands, low job satisfaction, and a high rate of turnover are all market conditions that create ideal conditions for insider threats.
In the wake of COVID-19, we have seen many employees seeking new opportunities and shifting to remote work. This mass exodus of workers, also known as “The Great Resignation,” has created a unique challenge for many companies, particularly during the employee termination process.
A disgruntled employee who has committed to an exit strategy may seek to exfiltrate data or company secrets with the goal of compromising the employer. Other employees may seek to export data such as contacts lists and work-related documents such that they can be leveraged for their job search or reused at their new organizations.
How cybersecurity tools help.
Contemporary cybersecurity tools provide organizations with a more diversified protection strategy to address issues related to insider threats or compromise of trusted credentials. These tools typically bolster the company’s detection capabilities by extending the monitoring scope.
With an advanced Endpoint Detect and Response (EDR) platform, a security operations center may use various techniques to determine whether a vulnerability is being exploited by examining systems for patterns that would be indicative of a compromise.
Some EDR products may analyze files on a system or allow administrators to peek in on running processes and services. Information from EDR platforms can be used to investigate potential incidents by enabling history and logging, and some EDR platforms can perform system and file-level recoveries.
Technical tools like an EDR, coupled with a Security Information and Event Management (SIEM) system, may analyze machine-generated data to help security administrators determine a system compromise.
To detect end-user compromise, User and Entity Behavior Analysis (UEBA) techniques must be employed. UEBA solutions will integrate external information on users including data from HR systems and exchanges between employees such as chat and email with SIEM data to analyze the behavior of users to identify potential threats.
Suspicious activity may include multiple simultaneous connections from two geographically dispersed locations, unusual login times, and changes in the behavior of users such as suspicious operations or requests, access to previously unused systems, and unusual data transfers. “It’s 2:00 am, do you know where your users are?”
Secure-by-design: Zero Trust Architecture (ZTA).
With the mainstream adoption of cloud-based tools and catering to a more mobile, remote workforce, many companies are moving their infrastructure operations toward a Zero Trust Architecture (ZTA).
ZTA is a security design paradigm that has gained a lot of traction since the 2010s. Unlike a traditional, perimeter-based security model built on protecting inside resources from the outside using firewalls, the primary tenant of ZTA suggests that there are no perimeters and that the network is already compromised.
Where a traditional approach may include a model that suggests “Trust but verify first,” a ZTA demands that we “Never trust, always verify,” and that we do so extensively.
This defensive strategy is the epitome of paranoia. It relies on the continual evaluation of trust throughout a working session. ZTA is primarily a security-by-design principle that integrates policy enforcement, driven by data from SIEM, UEBA, and EDR (among other sources), to determine whether the request and/or requestor meets certain criteria and whether access should ultimately be granted.
Executive Order 14028.
On May 12, 2021, President Biden signed Executive Order 14028 on Improving the Nation’s Cybersecurity in which federal agencies are charged with the implementation of technologies and best practices to move towards a Zero Trust Architecture (ZTA), and following suit, the Office of Management and Budget (OMB) released M-22-09 which outlines the federal zero trust architecture strategy requiring agencies to meet cybersecurity objectives by end of FY2024.
Boost your defensive strategy.
To learn more about how to improve your organization’s defensive capabilities against insider threats with robust technical controls, check out the Zero Trust Security course.
Learn more about other security practices, including designing a layered, defensible security architecture and implementing administrative controls, with the Security Analyst Nanodegree program.
