Cyber House of Horrors: The Insider Attack

Your CEO is in panic mode. The news of one breach after another has lit a fire under the entire board of directors. The Panama Papers fiasco was the last straw. The good news? You now have a generous budget for cybersecurity.

So you buy all the gear you can and update the rest, locking everything down. You also complete a full top-to-bottom sweep of every system to root out any existing compromises. You’ve even sent the entire company through anti-phishing training.

You finally sit back and breathe a sigh of relief. You’ve got this covered. Right?

Not so fast. There’s one potential vulnerability that the latest technology and most advanced training can never prevent: the insider attack.

The insider attack occurs when a supposedly trusted person within the organization is the malefactor. When the attacker has special privileges within the IT organization – especially if they are responsible for configuring the security protections themselves – then preventing an insider attack is virtually impossible.

Some people refer to the insider attack as the Edward Snowden attack, after the contract system administrator at the NSA who decided to go public with the agency’s secrets. And if the United States National Security Agency, one of the most security-conscious and well-funded organizations on the planet, couldn’t prevent such an attack, then the chances a typical enterprise could do any better are virtually nil.

Understanding the Motivations behind the Insider Attack

The first step to combating inside attackers is to understand their motivation. Snowden was motivated by a sense of principle – but more likely than not, a more mundane underlying cause will be at work in your organization. Here are the most common:

  • Disgruntled employees acting out of anger – angry people typically act more emotionally than rationally, so don’t expect a well-thought-out plan from these people. They are also more likely to mount their attack on the way out of the organization, and in many cases they are only looking to cause damage.
  • Monetary gain – these attackers are run-of-the-mill embezzlers or general-purpose thieves, only now with enough knowledge of your internal systems to steal from you electronically. Note that these attackers may be after money directly, or indirectly by stealing trade secrets, customer credit card information, or other valuable data they can sell on the Dark Web.
  • Compromised employee – either through blackmail or some other means of extortion, a third party is coercing your insider. This third party may be motivated by either monetary gain or principle, but the compromised employee may simply be protecting their family or a closely-held secret.
  • External attacker with stolen credentials masquerading as an insider – strictly speaking, this situation isn’t a true insider attack – but from the perspective of your IT systems, this attacker appears to be an insider, and can thus mount the same kinds of attacks.

Understanding an attacker’s motivation matters because it drives their choice of target. Thieves will be looking for high-value targets, disgruntled employees (as well as some compromised ones) may simply be looking to wreak havoc, and people acting on principle will go after whatever they believe is most damaging to expose.

Mitigating the Insider Attack

While there are no foolproof approaches to preventing insider attacks, the best approach to mitigating the damage of such attacks is compartmentalization. In fact, compartmentalization has been a part of traditional spycraft for centuries, as the principle of “need to know” enables clandestine organizations to divide up their secrets, so no one person can spill all the beans.

In the context of cybersecurity, it’s essential that no one person hold the root credentials to all critical systems, or even have the ability to obtain them. Even the CEO should not be able to coerce direct reports into coughing up their passwords.

Organizations should also implement mutual assurance policies, under which no single admin can take a privileged action on a critical system alone. If you divide up your root credentials among, say, six trusted admins so that a quorum of them must combine their parts before the credentials can be used, then each of those admins is also responsible for monitoring the behavior of the others. As a result, they would all (or at least the quorum) have to be members of the same conspiracy for an attack to succeed, which is far less likely than a single rogue insider.
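To make the quorum concrete, here is an added example, not part of the original post and not Certes’ or Intellyx’s code, of Shamir secret sharing in Python: a root password is split into six shares such that any three of them reconstruct it, while any two reveal nothing about it. The threshold and share count are parameters, so the same code generalizes to any k-of-n policy; the sample password, the 3-of-6 policy and the Mersenne prime used as the field are assumptions of the example.

```python
import secrets

# Mersenne prime 2**521 - 1 (an assumption of this example): the field is large
# enough to hold a secret of up to 65 bytes, which covers any sane root password.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with coefficients coeffs[0..k-1] at x (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, shares: int):
    """Split secret into `shares` (x, y) pairs; any `threshold` of them recover it."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too long for the field (max 65 bytes)")
    # The constant term is the secret; the other threshold-1 coefficients are random,
    # so fewer than `threshold` points leave every possible secret equally likely.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def _interpolate_at_zero(shares):
    """Lagrange interpolation of the polynomial through the shares, evaluated at x = 0."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # den**(PRIME-2) is the modular inverse of den (Fermat), since PRIME is prime.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def recover_secret(shares, length: int) -> bytes:
    """Recombine at least `threshold` shares; `length` restores any leading zero bytes."""
    return _interpolate_at_zero(shares).to_bytes(length, "big")


if __name__ == "__main__":
    # Constructed example: one root password, six admins, any three may recombine.
    password = b"r00t-pw-example!"
    admin_shares = split_secret(password, threshold=3, shares=6)
    for x, y in admin_shares:
        print(f"admin{x}: share ({x}, {hex(y)[:18]}...)")
    print("3 of 6:", recover_secret([admin_shares[0], admin_shares[3], admin_shares[5]], len(password)))
    two_only = _interpolate_at_zero(admin_shares[:2]) == int.from_bytes(password, "big")
    print("2 of 6 recovers the password:", two_only)
```

Each admin keeps one (x, y) pair and nobody keeps the password itself; with fewer than the threshold the interpolation yields a random field element, which is exactly what zero leakage looks like. The same split can protect a private key or a recovery passphrase rather than a password.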

It’s also essential to establish tamper-evident audit trails, or as close to tamperproof as possible. In practice that means shipping logs in near real time to a system that the administrators being audited cannot write to, since a log an admin can edit on the very box it describes proves nothing. An audit trail won’t directly prevent insiders from mounting an attack, but if they know they can’t cover their tracks, then they are less likely to take action, especially if their attack strategy would take time.
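As an added example, not from the original post, the following Python shows why a hash-chained log on its own is not tamper-evident against the administrators it records, and what an external anchor adds. The sample events are constructed for the example, and the “anchor” is simply the head hash copied somewhere the insider cannot write (a separate log host, a WORM store, a digest mailed to a second team); the anchoring mechanism itself is left to the reader.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # stands in for the hash of the empty chain


def _entry_hash(prev_hash: str, record: dict) -> str:
    """Each entry commits to the previous hash and to a canonical JSON form of its record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


def append(log: list, record: dict) -> list:
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "hash": _entry_hash(prev, record)})
    return log


def head(log: list) -> str:
    """The current head hash; this is what gets anchored out of band."""
    return log[-1]["hash"] if log else GENESIS


def verify(log: list, anchored_head: Optional[str] = None) -> str:
    """Return "ok", or a description of the first problem found."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["hash"] != _entry_hash(prev, entry["record"]):
            return f"entry {i} does not match chain"
        prev = entry["hash"]
    if anchored_head is not None and prev != anchored_head:
        return "head hash differs from externally anchored head"
    return "ok"


def rebuild_chain(log: list) -> list:
    """What a privileged insider does after editing records: recompute every hash."""
    rebuilt = []
    for entry in log:
        append(rebuilt, entry["record"])
    return rebuilt


# Constructed sample events (not real logs): three privileged actions on one host.
SAMPLE_EVENTS = [
    {"ts": "2016-05-02T09:14:03Z", "user": "admin1", "action": "ssh-login", "host": "db01"},
    {"ts": "2016-05-02T09:16:40Z", "user": "admin2", "action": "sudo", "cmd": "cp /srv/db/dump.sql /tmp/x"},
    {"ts": "2016-05-02T09:17:12Z", "user": "admin2", "action": "sudo", "cmd": "rm /tmp/x"},
]


def demo():
    """Returns the verdicts for: naive deletion, deletion plus rebuilt chain, and the anchored check."""
    log = []
    for ev in SAMPLE_EVENTS:
        append(log, ev)
    anchored = head(log)  # copied off the box before admin2 touches anything

    # admin2 removes the incriminating middle entry but keeps the later one.
    tampered = [log[0], log[2]]
    naive = verify(tampered)                  # chain breaks: entry 1 no longer links to entry 0
    rebuilt = rebuild_chain(tampered)
    local_only = verify(rebuilt)              # passes: the insider recomputed every hash
    with_anchor = verify(rebuilt, anchored)   # fails: the anchored head cannot be rewritten
    return naive, local_only, with_anchor


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The chain turns any edit into a detectable break, but anyone with write access to the log can recompute the chain; only the head hash held outside their reach makes the edit visible. The same reasoning applies to signed logs: the signing key must not live where the audited admin can use it.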

Furthermore, be mindful of the “Catch-22” nature of securing your security systems themselves. Every security technology you are likely to implement depends upon the security of some other piece of technology, and at the end of this chain you are likely to find whatever protects your private keys.

If insiders can compromise your private keys, then they literally have the keys to the kingdom. As a result, any security protocols you implement should be especially stringent when it comes to securing this particular treasure: generate and keep the keys in hardware (an HSM or similar) that will not export them, and require more than one administrator to authorize administrative operations on that hardware.

Finally, every enterprise should cryptographically segment its network. Crypto-segmentation from Certes Networks is an important compartmentalization tool: it segments applications from one another, lets organizations control that segmentation at the application layer, and also mitigates the insider attack, even if the attacker is responsible for installing or configuring the Certes software itself.

The Intellyx Take

When considering the first in the “Cyber House of Horrors” series of BrainBlog posts, I had many possibilities to choose from – phishing, ransomware, brute-force and zero-day attacks, and a frighteningly long list of others.

I decided to kick off the series, however, with the insider attack – as this particularly nefarious attack can defeat many of the protections an organization might put into place to address any of the other attacks on the list.

In fact, whenever I have a conversation with a cybersecurity vendor, I always put on my hypothetical “hacker hat” and ask them how I might break into their offering. Whatever their answer, my next question is whether an insider would be able to defeat their product regardless.

Their answer to that question, alarmingly, is usually “yes” – which is why you should be asking the same questions.

Copyright © Intellyx LLC. Certes Networks is an Intellyx client. Intellyx retains full editorial control over the content of this paper. Image source: DonkeyHotey and Laura Poitras.
