This is the third in a series of four posts on insider risk.
Malicious insiders (which the 2015 Verizon DBIR counts under the “insider misuse” category) are employees of your company who set out to steal information or cause damage. They have a legitimate reason to be on your network, often know where the information is stored, and have a long window of opportunity. Because security teams struggle to distinguish legitimate data access from risky data access, malicious insiders operate under the radar, and these incidents are rarely detected, let alone reported.
An example of an insider attack is the Wikileaks affair, which involved Bradley Manning, an army private and US intelligence analyst with Top Secret security clearance. Private Manning had “access to an unprecedented amount of material” and was convicted of leaking 251,287 classified cables. The files were stolen over time. In one exchange Private Manning bragged to a friend that he would “come in with music on a CD-RW labelled with something like ‘Lady Gaga’ … erase the music … then write a compressed split file. No one suspected a thing.” He said that he had “unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months.”
Verizon’s report noted that “the top action (55% of incidents) was privilege abuse—which is the defining characteristic of the internal actor breach.” Private Manning did not even need administrative credentials, the most coveted asset of all, to do this much damage.
With admin credentials, a resourceful attacker can reach almost every server and piece of sensitive data in your organization: take control of other computers, install malware at will, and steal or destroy data, whether it sits in databases holding structured data such as PII (credit card numbers, social security numbers, dates of birth) or in unstructured files such as Excel spreadsheets, PDFs and images. Keep in mind, too, that this kind of sensitive data is increasingly spread across cloud-based apps such as Salesforce.com, Microsoft 365 and Dropbox.
A bigger risk than a malicious insider is a malicious insider on your IT team: a system administrator who legitimately holds admin credentials and can reach any number of sensitive systems.
An example of a malicious insider who was also a “power user” is Edward Snowden, a former CIA employee working as an IT contractor for the NSA, who held administrative credentials on the agency’s systems. He copied reams of sensitive and top secret documents of every kind without raising suspicion, then released them to the public starting in 2013. The full extent of the damage is still not known, and material he took was still being published years later.
Looking back at Verizon’s Data Breach Investigations Report, its “insider misuse” category focuses on malicious insiders and puts too little emphasis on careless or compromised insiders. All three are hard to detect, but every kind of insider poses a significant risk to your company’s data and reputation and should be taken seriously.
Detection-focused safeguards can limit the damage an insider does, but all too often current technology is not good enough to spot these threats. And because the problem begins with users who have legitimate access to enterprise data, an attack from the inside can run for a long time before it is finally detected.
Conventional solutions such as database activity monitoring and credential management work well when you know exactly what threat you want to stop and can write hard and fast rules against it. Insider activity looks like legitimate data access, so the dangerous “needle in the haystack” event is hard to find, especially given the flood of alerts SOC teams wade through day in and day out. When these solutions fall short, a major insider incident can cost a company tens or even hundreds of millions of dollars.
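To make the contrast concrete, here is an added example (not code from the original post, and not Imperva’s product) that runs a conventional hard rule and a simple per-user behavioural baseline over a constructed set of database audit records. The records, user names, table names, thresholds and the seven-day training window are all hypothetical. The insider reads the same table as everyone else, in office hours, in moderately sized queries, so the rule never fires; only a comparison against that user’s own history does.

```python
from collections import defaultdict
from statistics import median

# Constructed database audit records (hypothetical, built inline for this example).
# Each record is (user, day, hour, table, rows_read).
def build_events():
    events = []
    for day in range(1, 15):
        # Ordinary analyst: modest, steady volume during office hours.
        events.append(("analyst_a", day, 10, "customers", 120 + (day % 3) * 10))
        # DBA: large but consistent volume. Loud by absolute count, normal for the role.
        events.append(("dba_1", day, 9, "customers", 2500 + (day % 4) * 50))
        # Insider: looks exactly like analyst_a for ten days, then bulk-reads the
        # same table in office hours, spread over eight moderately sized queries.
        if day <= 10:
            events.append(("analyst_b", day, 11, "customers", 130 + (day % 2) * 15))
        else:
            for q in range(8):
                events.append(("analyst_b", day, 9 + q, "customers", 1000))
    return events

EVENTS = build_events()
RESTRICTED_TABLES = {"payroll", "ssn_vault"}   # hypothetical table names

def static_rule_alerts(events, work_hours=range(8, 19)):
    """Conventional hard rule: alert on off-hours access or on a restricted table.
    It knows exactly what it is looking for, so it says nothing about the insider."""
    return [e for e in events if e[2] not in work_hours or e[3] in RESTRICTED_TABLES]

def daily_volume(events):
    """Rows read per user per day: {user: {day: rows}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, day, _hour, _table, rows in events:
        totals[user][day] += rows
    return totals

def baseline_alerts(events, training_days=7, ratio=5.0):
    """Per-user behavioural baseline: flag any day after the training window whose
    volume exceeds `ratio` times that user's own median daily volume.
    Returns (user, day, rows_today, baseline_rows) tuples."""
    alerts = []
    for user, per_day in daily_volume(events).items():
        train = [per_day[d] for d in per_day if d <= training_days]
        if not train:
            continue  # no history for this user yet: nothing to compare against
        base = median(train)
        for day in sorted(d for d in per_day if d > training_days):
            if per_day[day] > ratio * base:
                alerts.append((user, day, per_day[day], base))
    return alerts

if __name__ == "__main__":
    print("static rule alerts:", static_rule_alerts(EVENTS))
    for user, day, rows, base in baseline_alerts(EVENTS):
        print(f"{user}: day {day} read {rows} rows vs. baseline {base}")
```

Two things worth noting. The baseline is per user, so the DBA’s consistently high volume is not flagged even though it dwarfs the analysts’ traffic; an absolute-count rule would have buried the SOC in alerts about the DBA. And a volume baseline still misses an insider who stays under the threshold and exfiltrates slowly, which is exactly how the Manning files were taken “over time”; that gap is the limitation the paragraph above is describing, not something a threshold tweak fixes.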
Imperva has been working on a product to identify insider threats before they lead to serious damage, a proprietary technology with a unique twist, called Imperva CounterBreach.
We’ll take a look at CounterBreach in our next post.