There was nothing in particular that should have drawn attention to the two individuals sitting for drinks at the bar in Reno. Just two old colleagues catching up over some drinks.
But if someone had paid close enough attention (and perhaps spoke Russian), then they might have overheard that one of the pair was attempting to recruit the other into what was possibly one of the biggest ransomware operations to date.
According to reports, Egor Igorevich Kriuchkov was allegedly there to recruit his former colleague into aiding his crew in implanting ransomware on his employer’s network via a USB drive or opening a malicious email. Once inside the network, Kriuchkov’s crew planned to take their victim for millions. For performing this one little favor for an old friend, Kriuchkov was going to offer his unnamed former colleague $500,000. This number supposedly eventually rose as high as a cool $1 million.
So who was the company that was worth that kind of bribe just to get their foot in the door?
It turns out that the old colleague worked at Tesla’s Gigafactory in nearby Sparks, NV. So it comes as no surprise that this story caught headlines given the combo of a million dollar bribe with the high profile target.
Luckily for Tesla, this story had a happy ending. Instead of taking Kriuchkov up on his offer, the Tesla employee reported the plot to their boss. Soon afterwards, Kriuchkov was picked up by the FBI attempting to leave the country.
While no details have been released about the person who reported the plot, we can only hope that they have been recognized as the employee of the decade.
Afterall, how many companies can confidently say that their workers would turn down $1 million to keep their company secure?
Normally when we think about how a ransomware attack is carried out, it involves an administrative employee unwittingly opening a phishing email that gives the attackers a foothold within the organization from which to launch their payload. Maybe it’s a malicious link, but more likely it’s a boobytrapped document that initiates the attack.
In most of these scenarios, we think of the attack coming from outside of our organization. In defending against them, we look to a combination of technologies to identify malicious emails and such, as well as education for our workforce on how to spot a threat when it enters their inbox.
While better awareness of the threats coming through your workforce’s email is a move in the right direction, many organizations are not taking steps to deal with insider threats.
An insider threat, as the name might indicate, is when your organization’s security is at risk of compromise by someone within the organization. In some cases, like the recent Twitter hack, the insider is not a knowing participant but has their user credentials taken over for use in the attack.
But in other cases like we often see in SIM card swapping-based attacks, the attackers work with an employee who is simply able to open the door for them, thus negating the need for complex hacking or using vulnerabilities (CVEs) in the software.
The Wall Street Journal Research Pro Survey recently released their findings that 67% of cybersecurity executives were worried about their risk from malicious insiders. This is disconcerting as it marks a jump from just over 50% pre-pandemic.
While additional research shows that only 14% of organizations reported having their data compromised by an insider (the real number may be much higher due to lack of reporting or successfully identifying the cause of the attack), the perception of the threat is most certainly there.
This higher level of concern is likely due to the fact that during the COVID-19 pandemic more employees are both uncertain about their financial future and working without their normal supervision. Under those circumstances, it is not unreasonable, if still illegal and immoral, to take a hacker gang up on a lucrative offer.
So how are security professionals supposed to defend against the insider threat? Getting to the right answer is harder than dealing with threats coming from the outside.
There is a constant tension between usability vs security.
On the one hand, you never want to grant access to too many people within your organization.
For every person that has access, your threat surface increases because either they might be tempted to compromise your data or they might have their account taken over by an attacker who steals their credentials.
On the other hand, locking down access too much can mean making it too difficult for employees to do their job. This can hurt productivity as well as morale, possibly leading attrition of your workforce over time.
In the post-Snowden days, employees at the NSA reported sinking morale due to the increased pressure placed on them by security, leading many to leave for much more lucrative jobs with less stringent security demands.
So while all security professionals will agree that access/permission management needs to be taken seriously, adhering to the Principle of Least Privilege, it is really easy to get the balance between security and usability wrong.
So how can your organization avoid being too hot or cold, but get it just right?
When dealing with external criminal hackers, it makes sense to work to make yourself a tough target that isn’t worth the effort.
However, when dealing with your own workforce, you have to be a little more nuanced. Think about it in terms of carrots and then if necessary, bring in the sticks.
Trust is Earned
For starters organizations can make sure that they are paying their employees fair to generous salaries that will disincentivize them from looking for other ways to make money.
The vast majority of employees are decent enough people that the thought of harming your organization probably isn’t something that they want to do. Treating them right can go a long way in making them want to reciprocate by staying loyal to their team.
Trust but Verify
Avoid putting too many roadblocks in front of your employees, but be clear that you are monitoring what they are doing, even when they are out of the office.
Employee monitoring software that can log activity can help to catch a malicious insider if they take actions that can compromise your organization’s security. It is important to be transparent with employees that they are being monitored because trust is something that needs to go both ways. Moreover, there is only a deterrent if they know that they might get caught.
Minimize Your Threat Surface
Take the time to think about which of your assets are the most in need of protection and who needs to have access to those assets.
Once you have mapped out your resources, be sure to make it relatively easy to get access to the low risk assets that your people need, and fairly hard to get to the more sensitive ones.
Minimizing the number of people with high level access can go a long way in shrinking your threat surface.
Make security versus usability an ongoing discussion. By keeping an open dialogue with your employees, they should understand that they have a shared responsibility in the security of the organization.
It also means listening to their concerns about when restrictions become untenable for them to work effectively, and engage with them on finding solutions that they will actually embrace.
Draconian measures might sound like the most effective solution, but remember that your people are your most important line of defense and that no amount of technology will protect you if they decide that you aren’t worth sticking by.
You never know when they might get a better offer.
This article was originally published on IT Security Central and reprinted with permission.