Verizon's Data Breach Investigation Report for 2022 (DBIR) was recently released, and it has some good news and bad news when it comes to the risk of insider attacks.
First, the good news (sort of): according to the DBIR, the vast majority of breaches continue to come from external actors (80% vs. 18% from insiders). Hopefully, we can be a little less suspicious of Bob, who sits two offices down from you.
However, when an insider attack happens, it can be really, really destructive.
The DBIR found that the median number of records compromised from an insider breach last year was 80,000. This is not great, but it gets worse. When we look at the totals, the number of records breached by insider attacks surpassed 1,000,000,000 as opposed to far less than 250,000,000 from external actors.
So even while the percentage of breaches caused by insiders remains low, they remain a serious concern for both the private and public sectors.
At its core, the concern is that a member of the organization will steal data and harm the organization, regardless of whether you are in private industry or the government.
The big difference is one of sensitivity and the potential scale of the harm that can result from such an incident.
An insider incident can:
1. Damage National Security
By stealing or leaking sensitive information, an insider can cause real harm; in the most extreme cases, defense or intelligence secrets fall into the hands of rival nations.
The most (in)famous example is Edward Snowden. Without providing too many details, the intelligence community has stated that Snowden caused considerable damage to U.S. national security.
As great power competition continues to heat up between the United States and China, we see a steady stream of current and former government employees being uncovered and convicted for espionage.
2. Steal Gobs of Personal Information
The government holds lots of personally identifiable information (PII) that can be used by malicious actors for profit or to carry out additional attacks.
The Office of Personnel Management breach, in which Chinese hackers stole 22.1 million records, including the personal information of many government employees in sensitive intelligence positions, is a powerful example.
While that was an external attack, given the volume of records an internal actor would have access to, the potential for exposure of personal information is incredibly high.
3. Harm Public Trust
The public trusts the government with its data and expects it to take precautions to safeguard that data.
Failing to do so erodes trust that the government is up to the task and may make more people reluctant to provide further data. As biometric identification advances, especially for access and services, many may ask whether organizations that cannot keep social security numbers or addresses secure can be trusted with the data points of their faces.
These events, and the concerns behind them, have led to a ramping up of efforts over the years by the government to address insider threats.
This includes the release of useful guides from both the Cybersecurity and Infrastructure Security Agency and the National Insider Threat Task Force. These organizations understand that the risk to national security is not just faced by government organizations but also by government contractors.
Contractors, especially those working in the defense space such as aviation, face increased regulatory regimes such as Change 2 to the National Industrial Security Program Operating Manual (NISPOM), which require them to show that they are taking steps to defend themselves from insider threats.
Insiders, by default, have access to your sensitive information in order to do their jobs.
We do our best to ensure that we hire trustworthy people, but there is always some risk.
For better or worse, they know where the juicy data is. This makes them both potentially effective employees and a security risk.
An insider may be well placed to compromise your organization’s security along each leg of the CIA triad, the breakdown of how we conceptualize security:
- Confidentiality - the data leaks out
- Integrity - we no longer trust the data
- Availability - we cannot reach the data (think ransomware)
Insider threats are embarrassing and can be corrosive to an organization’s morale. Not only does it feel terrible to lose trust in other members of your team, but many organizations overcompensate following a breach by clamping down with security measures that bring work to a grinding halt.
An insider may be helping outside hackers to carry out a ransomware attack. This happens in the private sector more often than you might think, because it saves the malicious actors time and effort in exchange for a little money.
Why bother going through a phishing campaign to social engineer their target when they can just slip someone a couple thousand bucks to leave the side door open?
An insider can be like an Advanced Persistent Threat (APT), aka foreign government hackers, in that they can be inside your network for ages before they are discovered.
This is often because they want to avoid the big splash of a ransomware attack, which draws lots of attention and brings the attack to a head. They want to stay in place for as long as possible, siphoning off data and maneuvering their way to the most valuable bits of their target.
The challenge for defenders is that this low simmer approach is very difficult to detect and can allow them to cause significant damage.
Hopefully, we do our best to segment access to sensitive information so that a single insider cannot cause too much damage on their own. Insiders can also be difficult to tackle because they are not employing malware or exploits to reach their target data. As often-privileged members of the organization, they have legitimate credentials for accessing sizable amounts of data without anyone raising much of an eyebrow.
That said, as the Snowden case shows, in a segmented organization no single employee should have enough privileges to access too much. Snowden had to “borrow” access from his colleagues, unwittingly pulling them into his deceit.
Just as with defense against external threat actors, we cannot totally prevent insider attacks in every instance.
What we can do though is put measures in place to reduce the risk of them happening by strengthening our posture and mitigating the damage that can happen if an incident occurs.
Here are a few useful tips.
1. Monitor user behavior for anomalies
Providing access to sensitive data is a necessity for your team to do their work, and in most cases, this is not an issue as most employees are not going to steal information.
But we still want to ensure that no one worker has access beyond their needs. Ideally, you restrict access on a need-to-know basis, following the principle of least privilege.
The trick is in making sure that your employees are sticking to their lanes and not accessing files or other resources that fall outside of their purview.
Use User Behavior Analytics (UBA) tools to flag when a user starts taking actions outside their normal routine. There may be legitimate reasons for uncharacteristic behavior, but it is still important to detect and investigate it.
Additionally, out-of-norm behavior from a user may be indicative that their account has been compromised by an external threat actor without their knowledge, giving even more reason to watch this space.
2. Keep your employees close and your soon-to-be-leavers even closer
Former employees should also be counted in our thinking about insider threats.
Make sure that soon-to-be-leaving workers do not take anything with them besides some fond memories. Monitor for downloads or transfers of data in the lead-up to their leaving.
One key threat to watch for is sitting right on their key chains. Flash drives are a convenient way for an employee to download your data and walk out the door with it. Advances in hardware have brought these nifty little storage devices to the point where they are both cheaper and capable of far more storage than in years past.
If possible, prevent the use of these devices by blocking off the ports on your machines. Another option is to ensure that your monitoring tools detect any time a flash drive is connected and log it for future forensic analysis.
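As an added illustration of tips 1 and 2 (this is example code, not anything from the original post), here is a small Python detector run over constructed audit-log lines: it baselines each user's download volume over the first days of the log, then flags reads outside the user's own department, a download spike against that baseline and removable-media connects, and marks users on a constructed departing list for first review. The users, departments and log lines are all made up for the example.

```python
"""Added example (not from the original post): a minimal insider-threat detector
over constructed audit-log lines. It flags reads outside a user's own department,
download volume well above that user's baseline, and removable media connects."""
from collections import Counter, defaultdict

# Constructed sample data: each user's home department and who has given notice.
USER_DEPT = {"alice": "finance", "bob": "hr", "carol": "finance"}
DEPARTING = {"bob"}
# Constructed audit log: "<day> <user> <action> <resource>" ("-" when none).
SAMPLE_LOG = """\
2022-06-01 alice read finance/budget.xlsx
2022-06-01 bob read hr/roster.csv
2022-06-01 carol read finance/ledger.csv
2022-06-02 alice download finance/budget.xlsx
2022-06-03 bob read finance/payroll.csv
2022-06-03 bob download hr/roster.csv
2022-06-03 bob download hr/reviews.docx
2022-06-03 bob download hr/salaries.csv
2022-06-03 bob usb_connect -
2022-06-03 carol read finance/ledger.csv
"""

def parse_log(text):
    """Split each log line into a (day, user, action, resource) tuple."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def score_users(text, baseline_days=2, spike_factor=3):
    """Baseline on the first N days, then return {user: [findings]} for the rest."""
    events = parse_log(text)
    days = sorted({e[0] for e in events})
    base, watch = set(days[:baseline_days]), set(days[baseline_days:])
    base_dl = Counter(u for d, u, a, _ in events if d in base and a == "download")
    watch_dl = Counter(u for d, u, a, _ in events if d in watch and a == "download")
    findings = defaultdict(list)
    for day, user, action, resource in events:
        if day not in watch:
            continue
        if action == "read" and resource.split("/")[0] != USER_DEPT.get(user):
            findings[user].append(f"{day}: read outside own department ({resource})")
        elif action == "usb_connect":
            findings[user].append(f"{day}: removable media connected")
    for user, n in watch_dl.items():
        # Treat zero prior downloads as one so a first-ever burst still stands out.
        per_day = max(base_dl[user], 1) / baseline_days
        if n >= spike_factor * per_day:
            findings[user].append(f"downloads {n} vs baseline {per_day:.1f}/day")
    for user in findings:  # departing staff get reviewed first, per tip 2
        if user in DEPARTING:
            findings[user].insert(0, "departing employee: review first")
    return dict(findings)
```

Running `score_users(SAMPLE_LOG)` on the constructed log reports only bob, with the departing flag first, followed by the out-of-department read, the USB connect and the download spike; carol's same-department reads produce nothing.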
3. Implement Rapid Investigations and Incident Response
If you see something, say something.
Given the speed at which these incidents can unfold, if you suspect that something might be amiss, call in your investigative team as quickly as possible.
With any luck, you can prevent a massive leak from happening, catching the thief before they can go too far. But speed here is key.
Additionally, make sure that you bring in folks who are not directly connected with your system to do the investigation and response.
Don’t forget to balance security with usability/operational effectiveness.
Strong security does not equal locking down your department’s IT like Fort Knox. The purpose of a good security strategy is to enable your organization to do its work while minimizing the risk.
Slowing work down by putting too much friction in place will only lead to frustration in your workforce. Implementing measures that are overly intrusive (what counts as intrusive depends on factors like the sensitivity of the work) can even lead to resentment that pushes your people to take another look at the private sector.
Remember also that you have to maintain a level of trust with your employees. Without it, their ability to work as a cohesive unit suffers, and with it their ability to reach collective goals.
Hopefully, with the right mix of security monitoring and best practices, your team will be able to trust and verify, leading the way for a secure and productive work environment.