Comment: Insider threats complicate the cyber-security challenge
The insider threat represents one of the greatest challenges to businesses trying to stave off a constant barrage of cybersecurity attacks.
Cybercriminals are no longer mere teenagers programming a virus here and there in their own time. Cybercrime has become an industry, one that is ingenious when it comes to exploiting human weaknesses. Cybercriminals often use insiders as part of their malicious ‘toolset’, to help breach the perimeter of an organisation and perpetrate their crimes. Research by Kaspersky Lab and B2B International has found that 28 per cent of all cyber attacks and 38 per cent of targeted attacks now involve malicious activity by insiders.
Even if an organisation considers its critical systems and devices protected and safe, it is difficult to defend against some adversaries. Employees rank at the very top of this list. Their motivations are often hard to predict and anticipate, ranging from a desire for financial gain to disaffection, coercion and simple carelessness. While insider-assisted attacks are uncommon, their impact can be devastating as they provide a direct route to the most valuable information. Employees are, by definition, trusted and therefore have access to knowledge and information that could be used by an attacker who is able to subvert the employer-employee trust relationship.
Examples of insider attacks in recent years include a rogue telecoms employee who leaked 70 million prison inmate calls, many breaching client-attorney privilege, and an SMS centre support engineer who had intercepted messages containing one-time passwords for the two-step authentication required to log in to customer accounts at a popular fintech company. The engineer was freely offering his services on a popular Darknet forum.
For attackers, infiltrating networks requires a certain level of experience – and it is often cheaper and easier to stroll across the perimeter with the help of a hired or blackmailed insider. Employees of mobile service providers are in demand for access to subscriber and company data or SIM card duplication/illegal reissuing, while staff working for internet service providers are needed for network mapping and man-in-the-middle attacks.
There are many ways attackers engage or entrap their targets. The attacker will often use publicly available or stolen data sources to find compromising information on employees of the company they want to hack. Then they blackmail targeted individuals – forcing them to hand over their business credentials, provide information on internal systems or distribute spear-phishing attacks on their behalf. Willing insiders can be recruited through underground message boards or using the services of ‘underground recruiters’ who receive pay for their services and may identify co-workers for the criminals to proposition or blackmail.
Blackmail has become a promising and successful attack vector for recruiting an insider. Data breaches like the 2015 Ashley Madison leak reveal information that attackers can compare with other publicly available information to track down where people work and compromise them accordingly. Very often, these leaked databases contain business email addresses.
The threat landscape shows that vulnerabilities exist on many levels – hardware, software and human – and that attacks can come from many directions. Compromising subscribers with social engineering, phishing or malware remains popular and can easily be mastered by entry-level criminals. Cybercriminals also now combine data sets from different sources, including open sources, to build up detailed pictures of potential targets for blackmail and social engineering purposes. Kaspersky Lab intelligence shows that vulnerabilities in network devices, consumer or business femtocells, USBs and routers, as well as root exploits for Android phones, all provide new channels for attacks.
Organisations need to start regarding security as a process that encompasses threat prediction, prevention, detection, response and investigation. A comprehensive, multi-layered security solution is a key component of this, but it is not enough on its own. It needs to be complemented by collaboration, employee education and shared intelligence.
Organisational behaviour is also an essential part of the process. For instance, if an organisation is encouraging its staff not to click on suspicious attachments, then it should also consider revising its internal email policy, and consider stamping out internal emails that have attachments.
Finally, there are steps organisations can take to protect themselves. Start by educating staff, and introduce robust policies about the use of business email addresses. Restrict access to sensitive information and systems, carry out regular security audits of the IT infrastructure, and remove access rights as soon as someone leaves.
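Two of the steps above, removing access rights when someone leaves and auditing the infrastructure regularly, are the kind of thing that only works if it is checked rather than assumed. The script below is an added illustration, not code from the article or from Kaspersky Lab: it reconciles a constructed HR leaver list against a constructed account export, and flags leaver accounts that are still enabled, that were used after the leave date, or that still sit in privileged groups, plus privileged accounts that have gone dormant. The account fields, group names and dates are all assumptions made for the example.

```python
"""Leaver and privileged-account reconciliation (constructed example, not the article's code)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    groups: Tuple[str, ...]
    last_logon: Optional[date]

@dataclass(frozen=True)
class Leaver:
    username: str
    leave_date: date

# Assumed group names; in practice these come from the organisation's own directory.
PRIVILEGED_GROUPS = {"domain-admins", "billing-db-rw", "sms-gateway-ops"}

def find_stale_access(accounts: List[Account], leavers: List[Leaver],
                      today: date, grace_days: int = 0) -> List[Tuple[str, str]]:
    """Return (username, reason) findings for leavers whose access was not removed."""
    by_name = {a.username: a for a in accounts}
    findings = []
    for lv in leavers:
        acct = by_name.get(lv.username)
        if acct is None:
            continue  # account already deleted: nothing to report
        days_since = (today - lv.leave_date).days
        if acct.enabled and days_since > grace_days:
            findings.append((lv.username, "still enabled %d days after leaving" % days_since))
        if acct.last_logon is not None and acct.last_logon > lv.leave_date:
            findings.append((lv.username, "logged on after leave date (%s)" % acct.last_logon))
        privileged = sorted(set(acct.groups) & PRIVILEGED_GROUPS)
        if privileged:
            findings.append((lv.username, "still in privileged group(s): " + ", ".join(privileged)))
    return findings

def find_dormant_privileged(accounts: List[Account], today: date,
                            max_idle_days: int = 90) -> List[str]:
    """Return usernames of enabled privileged accounts unused for longer than max_idle_days."""
    dormant = []
    for a in accounts:
        if not a.enabled or not (set(a.groups) & PRIVILEGED_GROUPS):
            continue
        idle = (today - a.last_logon).days if a.last_logon else max_idle_days + 1
        if idle > max_idle_days:
            dormant.append(a.username)
    return dormant

# Constructed sample data standing in for a directory export and an HR leaver list.
SAMPLE_ACCOUNTS = [
    Account("a.smith", True, ("domain-admins",), date(2023, 3, 4)),
    Account("b.jones", False, (), date(2023, 1, 5)),
    Account("c.lee", True, ("billing-db-rw",), date(2022, 10, 1)),
]
SAMPLE_LEAVERS = [
    Leaver("a.smith", date(2023, 2, 28)),
    Leaver("b.jones", date(2023, 1, 31)),
    Leaver("d.kim", date(2023, 2, 1)),   # account already removed
]
TODAY = date(2023, 3, 10)

if __name__ == "__main__":
    for user, reason in find_stale_access(SAMPLE_ACCOUNTS, SAMPLE_LEAVERS, TODAY):
        print("LEAVER  %-10s %s" % (user, reason))
    for user in find_dormant_privileged(SAMPLE_ACCOUNTS, TODAY):
        print("DORMANT %-10s privileged account unused for more than 90 days" % user)
```

Run against real exports, the first check is the one that catches the departed engineer whose credentials are still live; the second catches the privileged account nobody has used in months, which is exactly what a blackmailed or bought insider would prefer to hand over unnoticed. A post-departure logon is the strongest signal of the three and is worth routing to incident response rather than to a periodic audit report.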
David Emm is a principal security researcher in the Global Research & Analysis Team at Kaspersky Lab