How to deal with the insider threat

Originally published in IT Security Thing.

While the threat landscape is changing dramatically, with increasingly sophisticated adversaries, nation-state and state-sponsored actors, and rapidly evolving attack surfaces, one of the few things that hasn’t changed is that the insider threat remains one of the most insidious threats, if not the most insidious, in almost any environment.

That’s not FUD (fear, uncertainty and doubt) either: just look at the negative impact that Edward Snowden’s leak of thousands of files from the National Security Agency (NSA) has had on the US intelligence apparatus.

According to A Preliminary Model of Insider Theft of Intellectual Property, a paper published by Carnegie Mellon University, 75% of cases of insider IP theft were carried out by employees. Some 65% had already accepted a new job elsewhere, 35% stole to gain an immediate advantage at a new job, and in 25% of cases the stolen information ended up with a foreign government or company.

Today, external attacks are almost constant but usually less damaging (with the exception of high-profile, near-total breaches such as those against Sony and Ashley Madison). Insider attacks, by contrast, are rarer but typically far more damaging.

It gets worse every day

When the infamous American bank robber Willie Sutton was asked why he robbed banks, he is said to have replied, “That’s where the money is.” The insider threat is getting worse because that’s where the valuable information is, but there’s an additional component: that’s also where the weakest controls are.

We lock down the external, and as an industry we’ve become better at that over the years. However, as long as there’s valuable information, someone will be willing to get in through a third party’s access (as in the breach of retailer Target, which began with its HVAC contractor’s credentials), to recruit an unscrupulous employee, or, in some of the worst cases, to take a job at a company purely to gain access to information and steal it.

One of the most common ways to gain unauthorised access to systems from within is not technical at all: it’s asking a friend. According to the same Carnegie Mellon University paper, 19% of intellectual property theft cases involved collusion with another insider.

Insider threat detection and prevention

In the case of deliberate collusion, not much can be done. However, good security awareness training is invaluable in preventing social engineering attacks, where one employee tricks another into handing over sensitive information or access.

Another common enabler is over-permissive sharing on drives, folders and documents, which lets an insider read far more than their job requires. Finally, and this seems to be rarer, there is the use of technical exploitation against internal systems.

The problem, from what I’m seeing in the field, is that the majority of organisations are overlooking the insider threat. Very few organisations are actively posturing against, or frankly even considering, insider threats.

But insider attacks can be detected, and often avoided, by focusing security efforts not only on the perimeter but on the inside of the network as well. Behavioural analysis of internal network traffic and access patterns is one of the best defences against an ‘Edward Snowden-style’ insider attack. Users typically behave in predictable ways; when that behaviour changes, it usually means something.

For example, according to Wired, Snowden spent a great deal of time scouring the NSA’s classified internal network for documents and downloading them to his workstation, memory sticks and CDs, a dramatic shift from the typical behaviour of someone in his role. This is exactly the kind of change that behavioural analysis is built to catch.
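As an added illustration (not part of the original article), the Python below builds exactly this kind of per-user baseline over a file-server audit log: for each user it compares the number of distinct documents touched on a given day against that user’s own earlier days, and raises an alert only when the count is both several standard deviations above and several times the historical mean. The log format, the user names, the thresholds and the log lines themselves are constructed for the example.

```python
import math
from collections import defaultdict
from datetime import date


def parse_audit(text):
    """Each line: '<YYYY-MM-DD> <user> <action> <document>' (constructed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, action, doc = line.split(maxsplit=3)
        events.append((date.fromisoformat(day), user, action, doc))
    return events


def distinct_docs_per_day(events):
    """{user: {day: number of distinct documents touched that day}}"""
    seen = defaultdict(lambda: defaultdict(set))
    for day, user, _, doc in events:
        seen[user][day].add(doc)
    return {u: {d: len(s) for d, s in days.items()} for u, days in seen.items()}


def flag_anomalies(text, min_history=3, z_threshold=3.0, min_ratio=3.0):
    """Alert on any day where a user's distinct-document count is at least
    z_threshold standard deviations above, and min_ratio times, that user's
    own earlier days.  Returns (user, day, count, historical_mean) tuples."""
    alerts = []
    for user, days in distinct_docs_per_day(parse_audit(text)).items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]
            if len(history) < min_history:
                continue  # not enough of a baseline for this user yet
            mean = sum(history) / len(history)
            std = math.sqrt(sum((x - mean) ** 2 for x in history) / len(history))
            today = days[day]
            # Floor the deviation at 1 so a perfectly flat history cannot
            # turn a one-document change into an alert.
            z = (today - mean) / max(std, 1.0)
            if z >= z_threshold and today >= min_ratio * mean:
                alerts.append((user, day.isoformat(), today, round(mean, 1)))
    return alerts


def _constructed_log():
    """Constructed sample: analyst1 has a normal week then a mass download;
    analyst2 is steady throughout."""
    lines = []
    for d, n in {1: 4, 2: 3, 3: 5, 4: 4, 5: 3}.items():
        for k in range(n):
            lines.append(f"2013-05-{d:02d} analyst1 READ /share/ops/brief-{d:02d}-{k}.pdf")
    for k in range(60):
        lines.append(f"2013-05-06 analyst1 READ /share/ops/archive-{k:03d}.pdf")
    for d in range(1, 7):
        for k in range(4):
            lines.append(f"2013-05-{d:02d} analyst2 READ /share/hr/form-{d:02d}-{k}.docx")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for user, day, count, mean in flag_anomalies(SAMPLE_LOG):
        print(f"{day}: {user} touched {count} documents (baseline {mean}/day)")
```

Only analyst1’s sixth day is reported; analyst2’s unchanging four documents a day never trips the rule, and the two-part test (deviation and ratio) keeps a user who normally reads one document from being flagged for reading three. In practice the input would be the file-server or DLP audit trail, and writes to removable media would be an obvious second signal to baseline in the same way.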

Security technology isn’t just for the external threats

Data loss prevention (DLP), which typically scans outbound data for known sensitive content, can also help, although it’s no replacement for good physical security: it wouldn’t have stopped either Snowden or Chelsea Manning from walking out with secrets burned onto CDs labelled, for example, “Lady Gaga.”

Unfortunately, none of these will detect or prevent the most dangerous insider threat: an employee taking sensitive information they have legitimately been entrusted with to do their job. This is far less preventable with technology and requires insight into employees’ changing behaviour and attitudes.

To best protect an organisation from the insider threat, CIOs and CISOs need to approach these attacks differently from external ones. First and foremost, they need to stop treating the internal network as a safe or trusted zone. It isn’t. BYOD environments already recognise this, but the more important lesson is that non-BYOD networks aren’t safe either.

Regular internal vulnerability assessments and penetration tests are key to finding and remediating internal weaknesses, and remediation is the point. I can’t even tell you how many internal assessments we’ve performed purely to tick a compliance box, with results that were never acted upon.

Adding behavioural intrusion detection system (IDS) sensors on the internal network will improve the situation drastically, as will regular review of access rights and sharing permissions.

The theft of IP by an insider can be far more damaging than an external attack. A disgruntled employee is hard to spot and even harder to stop if they are determined to steal or misuse sensitive company information. But with the right technologies, controls and processes in place, detecting and stopping insider threats becomes far easier than it would be without them.

Ransomware: Why you mustn’t pay the ransom

Originally published in IDG Connect on June 30, 2016.

A recent report by ESET found that around a quarter of cyber threats targeting UK businesses are ransomware attacks, and the US Federal Bureau of Investigation has likewise confirmed an escalation in these types of attack.

Ransom amounts generally tend to be relatively low, a few hundred pounds, but let the payment deadline pass and that figure grows significantly, and quickly. Two hospitals in the US recently paid $17,000 each to get their data back after being unable to use their systems for 10 days.

But paying up is never a good idea. While paying may seem like an expedient remedy to those who are unprepared for a ransomware attack, there are so many unknowns that it’s never worth it.

You are dealing with criminals who are holding your data and files hostage; pay them and there is simply no guarantee that you’ll actually get that information back. Furthermore, a number of underground sites keep track of, and share information on, companies that have paid ransoms. Paying up paints a very big target on your company’s back.

As with any other IT security operation, planning in advance of an attack is the single best way to combat the ransomware threat.

How to plan for a ransomware attack

It’s clear that your organisation should be ready to confront the ransomware threat, whether attackers target individual employees’ systems and the networks those systems can reach, or the company’s network at large. The first step, as with any security threat, is educating end users about how ransomware reaches them.

Employees should guard against these attacks as they would any other kind of malware, starting with common-sense steps such as not opening suspicious links or attachments in email.

After the education piece, use technology and backups to put protective measures in place. The simplest and most effective defence against a ransomware attack is a regular and rigorous backup schedule. Keep backups off site and disconnected from your other systems, so that whatever encrypts production cannot reach the backups as well, and test restores regularly: a backup that has never been restored is only a hope.
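The Python below is an added example, not from the original article, showing what a backup routine with a built-in restore test looks like: it backs up a directory, records a SHA-256 manifest, restores the archive into a scratch directory and hash-compares the result, then simulates a ransomware run that overwrites and renames every file and recovers from the backup. Directory names, file contents and the stand-in “ransomware” are constructed; the archive sits on local disk here only for the demo, whereas in production it belongs off site and offline.

```python
import hashlib
import os
import shutil
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Relative path -> SHA-256 for every regular file below root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_file(full)
    return out


def make_backup(src_dir, archive_path):
    """Write a gzipped tar of src_dir; return the manifest a restore must reproduce."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return manifest(src_dir)


def restore(archive_path, dest_dir):
    """Extract the archive, refusing any member that would escape dest_dir."""
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            if member.name.startswith("/") or ".." in member.name.split("/"):
                raise ValueError("unsafe path in archive: " + member.name)
        tar.extractall(dest_dir)


def verify_backup(archive_path, expected):
    """Restore into a scratch directory and compare hashes against the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        restore(archive_path, scratch)
        got = manifest(scratch)
    missing = sorted(p for p in expected if p not in got)
    corrupt = sorted(p for p in expected if p in got and got[p] != expected[p])
    return {"ok": not missing and not corrupt, "missing": missing, "corrupt": corrupt}


def simulate_ransomware(victim_dir):
    """Constructed stand-in for crypto-ransomware: overwrite every file with junk and rename it."""
    for dirpath, _, files in os.walk(victim_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "wb") as f:
                f.write(os.urandom(64))
            os.rename(full, full + ".locked")


def demo():
    """Back up a constructed file share, prove the backup restores, 'infect'
    the share, then recover it.  Returns the outcome of each step."""
    with tempfile.TemporaryDirectory() as work:
        share = os.path.join(work, "fileserver")
        os.makedirs(os.path.join(share, "finance"))
        with open(os.path.join(share, "finance", "q2.xlsx"), "wb") as f:
            f.write(b"constructed spreadsheet contents")
        with open(os.path.join(share, "readme.txt"), "wb") as f:
            f.write(b"constructed readme")
        archive = os.path.join(work, "backup.tgz")  # in production: off site and offline

        expected = make_backup(share, archive)
        verified = verify_backup(archive, expected)["ok"]
        # A manifest with one wrong hash must be reported as corrupt, not passed.
        bad_expected = dict(expected, **{"finance/q2.xlsx": "0" * 64})
        detects_corrupt = verify_backup(archive, bad_expected)["corrupt"] == ["finance/q2.xlsx"]

        simulate_ransomware(share)
        damaged = manifest(share) != expected
        backup_intact = verify_backup(archive, expected)["ok"]  # the archive was never reachable

        shutil.rmtree(share)
        os.makedirs(share)
        restore(archive, share)
        recovered = manifest(share) == expected
    return {"verified_before": verified, "detects_corrupt": detects_corrupt,
            "live_damaged": damaged, "backup_intact": backup_intact, "recovered": recovered}


if __name__ == "__main__":
    print(demo())
```

The manifest is the important part: it is written at backup time and kept with the restore procedure, so a restore that comes back with a file missing or with a different hash fails loudly instead of being discovered during an incident. The same check, run on a schedule against the off-site copy, is what turns “we have backups” into “we can restore”.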

Your plan should also include what to do if you have fallen victim to a ransomware attack – such as who would be in charge of managing the situation, involving external security companies to help mitigate any damage, and most of all, strict instructions not to pay the ransom.

A recent survey by HIMSS Analytics and Healthcare IT News of healthcare organisations in the US found that 73% had a business continuity plan in place, yet almost half said they were unsure whether or not they would pay a ransom demand. HIMSS Analytics’ research director points out that this calls into question how solid those plans really are when it comes to ransomware.

Don’t ignore the simple security tasks

IT’s part in combating attacks against both individual users and enterprise networks includes keeping up with core security tasks that sometimes aren’t as rigorously adhered to as they should be (in an article by Mary Branscombe on IDG Connect, she points to statistics that say it takes an average of 103 days for companies to patch known network and security vulnerabilities).

The job of a CIO is undeniably getting harder. Ransomware that encrypts all the data it can reach from one compromised machine is a far more attractive proposition for attackers than attacks confined to an individual end user’s system.

Malware authors are capable coders, and just as you receive updates for your software, so do ransomware tools. That’s why anti-malware technology can’t simply stop every attack; it may stop most, but new versions of ransomware tools are designed to evade security technologies.

So, inevitably, there’s a chance that you may still fall victim to a ransomware attack. Sadly, this is all too common: the UK Parliament, FastMail, police departments and healthcare providers have all been on the receiving end. It’s at this point that your business continuity plan proves invaluable.

All too often, the ransom demand comes with a very short payment window; it’s a typical tactic cyber criminals use to panic organisations into paying up. But with no guarantee that the attacker will restore your data after payment, we would always advise you not to pay.

There are a number of steps you can take in the wake of an attack: isolate the infection, disconnect affected systems from the network and the internet, turn off Bluetooth and remove any peripherals as soon as you can to stop the infection spreading further. Don’t pay up. And unless you have a genuine ransomware expert on staff, call in the experts.

If you’ve rigorously backed up your systems on a regular basis, then all of the data being held to ransom is simply sitting in your backup waiting to be restored (apart from the data created since the last backup, of course).

State-Sponsored Cybercrime: A Growing Business Threat

You don’t have to be the size of Sony – or even mock North Korea – to be a target.

Originally published in Information Week.

It’s not just governments that are feeling the disastrous effects of state-sponsored cyber warfare and crime. Recent leaks and discoveries have revealed the existence of, and details about, several government hacking organizations around the world. While many of them target governments for intelligence collection, we are starting to see more activity directed at business. In fact, the private sector is every bit as much at risk. As recent attacks have shown, you don’t have to be the size of Sony, or even mock North Korea, to be a target.

Key players
Chinese cyber operations have typically been economically driven, often with a pure profit motive. Several top technology, aerospace, and defense companies have been breached by Chinese state-sponsored hackers, often in what appears to be an effort to steal intellectual property and identities. China’s approach follows the same guiding philosophy the Chinese Army uses: throw as many people at the problem as possible, regardless of talent or training, and eventually you’re bound to get something. These groups include Deep Panda, Putter Panda (PLA Unit 61486), Hidden Lynx, APT1/Comment Crew (PLA Unit 61398), Axiom, and many more.

Russian cyber operations are distinct from the other groups’ in that they are more broadly used to collect intelligence, while, like their Chinese counterparts, also being involved in profit-motivated cyber crime. The Russians also have a history of aggressive offensive operations, such as the 2007 attacks on Estonia that swamped the websites of the Estonian parliament, banks, ministries, newspapers and broadcasters amid the country’s dispute with Russia over the relocation of a statue, and more recent attacks directed at Poland.

Unlike their Chinese counterparts, Russian hackers also work to spread ideological influence, a discipline known within the intelligence community as “information operations.” This includes “troll farms” staffed by hundreds of people whose job is to spread ideas and manufacture the appearance of consensus across online forums and social media. Russian state-sponsored cyber efforts are also unique in that they are known to provide training and mercenary-style hacker-for-hire services to other countries, possibly even North Korea’s Bureau 121 and Iran’s IRGC.

Some notorious non-state actors have been working hard to reach levels of sophistication similar to these state-sponsored groups. There have been many reports of unattributed and highly sophisticated hacker recruiting drives across the deep web, while state-like organizations such as ISIS have been actively and openly recruiting hackers. To date, ISIS’s “Cyber Caliphate” has not exhibited this level of sophistication, but it’s probably only a matter of time until stateless organizations reach the same level as state actors.

Not a theoretical threat
I recently discovered an unidentified Chinese APT group that breached a mid-sized multinational company. The breach was initially suspected when some employees found copies of their own internal documents online, and an investigation began.

The breach was accomplished via a spear-phishing attack targeting a secretary within the company. Clicking a link ultimately installed custom malware on the workstation, which allowed the APT group to use it as a pivot point from which they launched other attacks. Subsequently, they took control of almost every server and workstation within the company. From there, they began slowly exfiltrating sensitive data from the company’s file servers, just a few small packets at a time, all encrypted.

It’s worth noting that this went completely undetected for months. The breach was finally confirmed through a security audit that made use of adaptive behavioral analysis and threat intelligence combined with traditional vulnerability assessment methodologies.
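The “few small packets at a time” pattern is what defeats per-connection inspection, and it is detectable once you aggregate instead. The Python below is an added example, not the audit tooling the author used: it sums outbound flows from each internal host to each external destination over the whole window and flags pairs that moved a large total in many small transfers. The flow-record format, the addresses (RFC 5737 test ranges), the allowlist and the thresholds are assumptions, and the flow records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumptions for the example: the internal address ranges, and a short
# allowlist of external hosts that legitimately receive many small connections.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ALLOWLIST = {"203.0.113.10"}  # hypothetical software update mirror


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Each line: '<seconds> <src> <dst> <dport> <bytes>' (constructed format)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append((int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def find_low_and_slow(text, min_flows=50, max_mean_bytes=2000, min_total_bytes=1_000_000):
    """Flag (internal src, external dst) pairs that moved at least min_total_bytes
    in at least min_flows connections whose mean size is at most max_mean_bytes.
    Returns (src, dst, flow_count, total_bytes) tuples."""
    totals = defaultdict(lambda: [0, 0])  # (src, dst) -> [flow count, byte sum]
    for _, src, dst, _, nbytes in parse_flows(text):
        if not is_internal(src) or is_internal(dst) or dst in ALLOWLIST:
            continue  # only internal -> external pairs, minus known-good destinations
        agg = totals[(src, dst)]
        agg[0] += 1
        agg[1] += nbytes
    alerts = []
    for (src, dst), (count, total) in sorted(totals.items()):
        if count >= min_flows and total >= min_total_bytes and total / count <= max_mean_bytes:
            alerts.append((src, dst, count, total))
    return alerts


def _constructed_flows():
    """Constructed sample covering one day of traffic from two workstations."""
    lines = []
    # Compromised workstation: 800 small TLS connections to one external host.
    for i in range(800):
        lines.append(f"{i * 108} 10.0.5.23 198.51.100.7 443 1400")
    # The same workstation talking to the allowlisted mirror: many small, legitimate flows.
    for i in range(600):
        lines.append(f"{i * 144} 10.0.5.23 203.0.113.10 443 1500")
    # Ordinary browsing from a neighbour: few flows, each large.
    for i in range(30):
        lines.append(f"{i * 2880} 10.0.5.24 198.51.100.20 443 50000")
    # Internal DNS chatter: thousands of tiny flows, but never leaving the network.
    for i in range(3000):
        lines.append(f"{i * 28} 10.0.5.24 10.0.0.53 53 80")
    return "\n".join(lines)


SAMPLE_FLOWS = _constructed_flows()

if __name__ == "__main__":
    for src, dst, count, total in find_low_and_slow(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {count} flows, {total} bytes total")
```

Only the compromised workstation’s pair with 198.51.100.7 is reported: no single one of its 1,400-byte connections is remarkable, but 800 of them add up to more than a megabyte leaving for one host. The neighbour’s thirty large downloads are deliberately not caught by this rule, because bulk transfer in a few flows is a different signature and belongs in a separate detector; in real traffic the window would be sized to the dwell times you care about (days or weeks, not minutes) and the allowlist built from the destinations the organization actually depends on.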

State-sponsored attacks often demonstrate remarkable complexity. Fortunately, they are detectable and preventable. Businesses must make use of layered defenses comprising human-monitored intrusion detection with behavioral analysis, integrated with routine security testing, predictive threat intelligence and education, in order to stay secure.