Combating the Insider Threat
© 2015 Lancope, Inc.
Table of Contents
Chapter One
WHO IS ATTACKING YOUR NETWORK?
Chapter Two
INSIDER THREAT MOTIVES AND METHODS
Chapter Three
DETERRING INSIDER THREATS WITH TECHNOLOGY
Chapter Four
USING NETWORK LOGS TO THWART INSIDER THREATS
Chapter Five
BEYOND TECHNOLOGY
Chapter Six
SUMMARY & TOP 10 WAYS TO COMBAT INSIDER THREATS
Chapter Two
Insider Threat Motives & Methods
What is muleware?
Unlike malware, muleware solicits the participation of the user and offers incentives to play a small role in the attack campaign. "Up until this point, cybercriminals have attained their resources by exploiting and compromising devices," said Lancope CTO, TK Keanini. "But wouldn't it be more efficient and much more profitable to pay for these resources and turn thousands of would-be victims into part of the attacker's supply chain? I envision that this new form of muleware will be based on the anonymity of Tor networking, and commerce conducted via cryptocurrency such as Bitcoin. Marketplaces will connect the demand with the supply, and cybercrime will rise to an entirely new level, a level that we are not prepared to defend against."
Negligent Insiders
Negligent insiders are insiders who accidentally expose data. They don't mean to do anything wrong – they are just employees who have access to sensitive data and inadvertently lose control of it. A large number of security incidents and data breaches fit this description.
Also fitting into this category are insiders who take IT shortcuts or ignore security policies simply to make their jobs easier – for example, downloading unauthorized software, using unsecured wireless networks, or the developer who decides to set up a test site on the Internet with real data.
Malicious Insiders
Malicious insiders are employees who intentionally set out to harm the organization either by stealing data or damaging systems. Research by the CERT Insider Threat Center at Carnegie Mellon University surrounding hundreds of real-world cases of attack by malicious insiders has shown that most incidents fit into one of three categories:
• IT Sabotage - Someone destroys data or systems on the network
• Fraud - Someone is stealing confidential data from the network for financial gain
• Theft of Intellectual Property - Someone is stealing intellectual property for competitive advantage or business gain
Motivations for Betrayal
The motivations that turn insiders against their organizations are diverse, and can include:
Job/Career Dissatisfaction
When someone is extremely dissatisfied with their current work or career situation, they may attempt to harm their employer by destroying or stealing data.
Monetary Gain
When exposed to valuable data that could make them money on the black market, some employees will be unable to resist the temptation to steal and sell it. Others will be coerced to do so by malicious outsiders.
Espionage
Both nations and corporations have been known to plant insiders within organizations for the sole purpose of stealing trade secrets and intellectual property for espionage.
Activism
Activists are associated with a particular ideological movement, and can use the theft and exposure of confidential data to bring attention to their cause. The cases of Bradley Manning and Edward Snowden likely fall into this realm.
Compromised Insiders
A compromised insider is an employee whose access credentials or computer have been compromised by an outside attacker. According to the Cisco 2014 Annual Security Report, "Threats designed to take advantage of users' trust in systems, applications, and the people and businesses they know are now permanent fixtures in the cyber world." And according to the Verizon 2014 Data Breach Investigations Report, two out of three breaches exploit weak or stolen passwords.
A compromised insider is really an outsider – it is someone who has access to your network as an authorized user, but they aren't who they are supposed to be. Today's attackers are frequently employing social engineering tactics to infiltrate corporate networks and execute attacks under the radar, posing as legitimate users.
Lessons Learned From Manning and Snowden
Security breaches surrounding Bradley Manning and WikiLeaks, as well as Edward Snowden and the NSA, have made it painfully obvious that even the most seemingly impenetrable networks can fall victim to insider threats. If nothing else, these two major incidents have finally brought the issue of the insider threat to the foreground for many businesses.
However, it is important to realize that for every Snowden or Manning out there looking to expose confidential secrets in the name of hacktivism, there are literally hundreds of others planning to steal data from their employer's network simply for revenge or to make a buck.
It is not enough to think, "Well, our company isn't doing anything wrong, so we don't have to worry about insiders exposing our data," or "We are just a small company so no one is after our information." The truth is, any company's data can be valuable when put in the right hands – whether it's PII, credit card data, medical records or even just intellectual property – and you better believe that the attackers know this!