‍The criminal inside - how employees can be the weakest cyber link

Human beings are both the greatest asset and perceived as the weakest link in the security of a business. That’s because of our fallibility which can leave us prone to error and susceptible to persuasion, which could see your trusted employees turn rogue. There’s plenty of evidence of insiders planting keyloggers in the past, for instance, but now the stakes are even higher due to less job security and the squeeze of the cost-of-living crisis.

A recent report from Unit 42 found that difficult economic times meant insiders were much more likely to abuse their access to valuable data and IT assets, with hybrid and remote working making it even easier. There are real concerns over the far reaching access privileges enjoyed by IT users and admins, third-party contractors and service providers, regular employees, and privileged business users, according to the 2023 Insider Threat Report, which listed these as the prime insider candidates identified by security teams.

There’s certainly evidence to suggest it’s a problem that’s getting worse. The 2022 Ponemon Institute Cost of Insider Threats: Global Report reveals that incidents have risen 44 percent over the past two years while the The Data Exposure Report 2023 (DER) found 82 percent of CISOs regarded data loss from insiders as a problem with 71 percent expecting the problem to increase over the next 12 months.

Moreover, the Q3 2022 Threat Landscape report observed that while ransomware attacks have declined and email compromise has plateaued, the insider threat reached its highest ever recorded quarterly level last year, with 35 percent of all unauthorised access and threat incidents attributed to insider attacks. That trajectory is also borne out by the 2023 Insider Threat Report, with 74 percent saying attacks had become more frequent. It found more than half of organisations reported experiencing an insider threat attack in the past year and eight percent reporting more than 20 such attacks.

Recruiting rogues

Insider threats can take various forms, from the malicious to the negligent, to the accidental or unintentional, but the propensity for attacks can fluctuate due to macro-economic conditions. The fluidity in the jobs market, for example, can see turnover rates increase leading to new starters making easy mistakes and then there’s the problem of widespread redundancies leading to disgruntled employees seeking to steal data for personal gain. But, perhaps most worryingly of all is the rise of insider recruitment by organised criminal gangs.

As of January last year, The Rising Insider Threat survey found 65 percent of executives and employees had been offered a financial incentive to assist in ransomware attacks, up 17 percent from the previous year. Fraudsters, ransomware operators and hacker groups are also now brazenly recruiting employees, by approaching them directly, via messaging platforms such as Telegraph and Reddit or through sending fake candidates in response to genuine job postings to secure placements in positions with high access level privileges.

The LAPSUS$ group, for instance, which had 45,000 subscribers to its Telegraph channel this time last year, openly advertised in English and Portuguese for candidates in specific global companies including Claro, Telefonica, ATT, Microsoft and Apple. It was able to successfully recruit staff with access to corporate VPNs and who could help it bypass Multi-Factor Authentication (MFA) controls from 15 companies, according to Flashpoint. Among the haul was source code from Microsoft, leading the tech giant to admit it “found instances where the group successfully gained access to target organisations through recruited employees (or employees of their suppliers or business partners)”.

‍

A wake-up call to defenders

The casualties that resulted from the LAPSUS$ recruitment campaign and the commercialisation of the insider threat have served as a much needed wake up call to defenders. While it’s always been a constant, there’s been a tendency to side-line the insider threat and this is partly because it can be so difficult to deter and detect. In fact, response to insider threats has got worse over time, with the Ponemon Report finding that the time taken to contain an insider threat has increased from 77 to 85 days, up 10 percent compared to two years ago. And, businesses are well aware of their exposure, with 74 percent of organisations saying they are moderately vulnerable or very vulnerable to insider attacks, according to the DER.

What’s interesting is that the same report found the vast majority (70 percent) already had in place Insider Risk Management (IRM) policies and that cybersecurity training had increased over time, with almost a third now conducting weekly rather than monthly sessions. Defences, however, remain limited with only 19 percent of the cybersecurity budget typically dedicated to IRM. With education not cutting through, what can businesses do to improve detection, investigation and response to mitigate this risk?

The things that make detection and prevention of insider attacks difficult include misuse of legitimate access credentials to apps, networks, and services, the increased use of SaaS apps that can leak data, and an increase in personal device use with access to corporate resources due to changing working practices, states the DER. Therefore, it stands to reason that businesses need to improve their visibility of network access and also their monitoring and analysis of employee and entity behaviour.

Baselining behaviour

One technology many organisations are using to help monitor for this behaviour is User and Entity Behaviour Analytics (UEBA), which derives from User Behaviour Analytics (UBA), a term first coined by Gartner back in 2015. This monitors activity and attempts to discover threats by looking for instances where behaviour on the network differs from the norm. To establish this, it needs to determine what normal looks like. This does of course vary from individual to individual, by team and by system. So, a behaviour-based risk model builds a baseline of normal user and group behaviour, with anything out of the ordinary triggering an alert.

Alerts are further supplemented with important environmental and situational information to help the security team more effectively investigate incidents. Environmental context could include details such as whether a user was an IT admin or highly privileged user, or if they owned the asset in question, for instance. In contrast, situational context would seek to answer critical questions such as; has this happened before and, is this normal for this user, the activity they are undertaking, the time of day etc.

Because UEBA is based on the actions of people and entities on the network, not IP addresses, it can connect the dots, analysing data from across network elements and using machine learning to identify suspicious or unusual behaviour.

Risk scoring can then be used to help prioritise alerts and determine the appropriate level of response, as well as preventing the occurrence of false positives, when an alert is triggered by the system but does not in fact present a legitimate threat. For example, if someone in a team accesses an unusual file for them, but the rest of their team accesses the file regularly, the behaviour is not flagged and does not become a false positive because it’s not abnormal for the team. 

Suspicious successful or failed logins, brute-force attacks, abnormal use of, or first-time access to programs, transactions and systems, or just unusual patterns in the overall activity of users, can all be spotted using this technology. Even if adversaries target cloud-based entities and third-party authentication systems, UEBA can detect these attempts and allow analysts to block them.

Moreover, because UEBA can be used to supplement more pedestrian security solutions. A Security Incident and Event Management (SIEM) solution, for example, relies on rules to identify patterns and trends which can be subverted. But as UEBA is not rules but behaviour-based, it can detect anomalies that might have been missed by the SIEM alone.

It’s this combined form of vigilance which is our best deterrent and defence against the insider threat. We may never be able to eradicate the threat completely but by using behaviour-based monitoring of people, processes and the technology they use, we can dissuade employees from going rogue and help prevent attackers from using innocent employees to gain a foothold on the network.

Tim Wallen is Regional Director for the UK, US and Emerging at Logpoint. With almost 20 years of cybersecurity experience, he has held senior sales and management positions within both high-growth and established vendors, including FireMon, ForeScout, Check Point, McAfee, and IBM. He is responsible for driving strategic growth in the regions and for leading the growing team of Logpoint sales, marketing, and technical professionals