Insider threats force fraud fighters to update their playbooks
In the past few years of fighting against cyberattacks, security teams have developed "kill chain" models that document what steps the bad guys take to infiltrate a network and how to thwart them. The problem is, a significant number of data breaches occur from insider threats, which these models often overlook.
The current kill chain model identifies seven steps that cyber criminals undertake once they are inside a company network, often by compromising a legitimate user. But 54% of companies have suffered an internal compromise, according to a 2017 survey by Forrester. The large proportion of insider breaches indicates that any type of kill chain model has to be flexible enough to apply to attackers who should normally be considered trusted users.
"There is a lot of good inside the concept of a kill chain, but it's just not a one-size-fits-all kind of thing," said Ryan Stolte, co-founder and chief technology officer at Bay Dynamics, a San Francisco-based cyber security firm. Bay Dynamics works with various firms to thwart insider threats.
A kill chain typically covers an attacker's reconnaissance, phishing, delivery, exploitation, command and control, execution and exfiltration. But companies have to think in terms of how they would recognize an insider threat and how to establish a model to counter it, Stolte said. Generally, those threats come under two large profiles. One is the "flight risk" employee, the person leaving the company soon who is simply taking data that could give a competitive edge — such as a sales person compiling customer lists, or an app developer taking source code.
"You want your security system looking for indications that these people are acting differently than they normally would, accessing things they normally wouldn't access," Stolte said. "In some cases you don't know when someone is quitting, but you can see them digging deeper into customer records, or going to competitors' websites or uploading files that are in cloud storage."
A person leaving the company may have no intention of hurting the company, but could unwittingly do so by taking sensitive data from work and placing it on home computers, which could more easily be hacked.
The other major category is the "persistent insider threat," or someone who has no intention of leaving but plans to get everything possible from the company. They tend to mysteriously delete files or upgrade their access to networks when possible. "This might be a person thinking of selling records to others," Stolte said.
This type of threat has also surfaced when criminal networks plant an employee at a company with the intention of getting deep into networks to steal data, he added.
The insider attacks can be concentrated on certain industries, Stolte said, with payments companies or retailers among the richest targets.
"If you have intellectual property or payments information, you have something to lose," he said. "Companies are realizing this, and they know people are attacking them, but also that they can get ahead of it."
Even though a kill chain focuses on external hackers, once those hackers get in, they can be viewed as insider threats as well, so parts of the kill chain model remains helpful, said Avivah Litan, a vice president and at Gartner Inc., a Stamford, Conn.-based market research company.
"The problem is that companies are not really equipped that well to deal with insider threats," Litan said.
Gartner cites four categories for insiders — a "pawn," or a person being manipulated by others; a "goof," or someone who makes many mistakes and is careless with company data; "collaborators" who work with criminals; and the "lone wolf" who is just a bad person seeking to do damage on their own.
"Overall, everyone has a different approach to insider threats," Litan said. Some companies want to simply use the controls they have in place, she said, while others worry about the governance and process of protection and who is responsible for security in the organization.
Some companies want protection to be part of a larger program with various checks and balances, Litan added. "They don't want the IT team to be the judge, jury and executioner (regarding employee insider threats)."
Gartner has recommended that companies start insider threat programs with a risk assessment to help prioritize efforts, and put technology in place that deters the risk in the first place. Non-technical controls such as ongoing employee training also mitigate insider threats.
On the technical side, Gartner says it is best for companies to start with basic data analytics to establish known patterns of malicious behavior, and graduate to more advanced analytics when the organization is able to manage the results.
In many ways, any systems or policies established to deter insider threats could also go a long way toward complying with the new General Data Protection Regulation that protects consumers in Europe.
Basically, GDPR says that companies dealing with European consumers must know where their sensitive data is stored and for what reason, and who has access to it and why — or face stiff penalties for not complying.
"The GDPR is a big thing," Bay Dynamics' Stolte said. "Even those companies that only do business in the U.S. are starting to think that these types of policies are going to be adopted domestically here."