What Happens When Hackers Compromise Insiders
This is the second in a series of posts on insider risk.
Compromised insiders are employees in your organization who have clicked on malicious links or opened malicious files and, as a result, have infected their computers with malware. Targeted spear-phishing emails are often the initial method of attack. For example, a hacker prepares a PDF disguised as an applicant’s resume, loads it with malware such as a Remote Access Trojan (RAT), and then sends it to a member of your company’s HR department under the guise of a job application. When the file is opened, the RAT installs itself on the target’s PC. Alternatively, an employee might unknowingly click on a malicious link while browsing the web, which then downloads and installs malware on their PC.
Once the malware is installed, the hackers use your employee’s credentials to access network resources. They open recently used files from the computer’s Start menu and identify mapped network drives in File Explorer; these are their starting points for discovering your network and servers.
Ideally for the attacker, the targets are unaware they have been infected. Advanced persistent threats (APTs), for example, can result in hackers lurking undetected in your network for long periods of time. Once they gain access, they begin to collect information about your company’s network infrastructure and users. They attempt to identify the location of valuable data, including databases, file servers, code repositories, cloud apps and other resources, with the goal of stealing that data. Hackers may operate undetected for years, waiting for the right moment, and the damage they do can be significant.
In our next post, we’ll examine malicious insiders.