With all the discussions around the insider threat, where careless, compromised ormalicious insiders (people working in your company) may represent risk to your organization’s data or operations, there’s an underlying threat that still passes under the radar. One which we can speculate may have played a role in a number of recent breaches. We’ll call this the “outlier threat.” perhaps a statistic anomaly, but something that in the case of your organization’s security, should not be ignored.
The outlier threat is the logical extension of the insider threat. It’s a disgruntled or malicious employee who has left the company but still has the ability to cause damage to your organization. Examples may include programmers or architects who have designed or developed components of your product, support personnel who know your products’ weaknesses through managing support tickets and researching issues, and IT personnel who know the layout, technologies, and accounts used in your network. Outliers can leave a backdoor in your organization before walking out of your front door.
Once outside, any of these former employees can use their knowledge to personally steal or cause damage, or alternatively sell this knowledge to the highest bidder.
Some current examples of the outlier threat might include:
- A former TOR developer assisted the FBI in creating malware to unmask Tor users.Malicious? It depends on who you ask. But there’s no argument he’s helping a third party take advantage of vulnerabilities that only an insider would know about.
- The Bangladeshi bank breach. While we have no proof, looking at the Bae system analysis creates a strong suspicion that those behind it had insider knowledge of how SWIFT software works, that enabled them to develop targeted software that helped to cover their tracks after conducting illicit transactions.
- There are even claims that the Sony breach also involved an ex-insider referred to as Lena, an outlier who was supposedly disgruntled after having been laid off.
- And probably the best example of an outlier threat would be the hack at ShapeShift, a bitcoin exchange. This is a fascinating story that started out as an insider attack with the employee apparently stealing bitcoins from the company, then disappearing when suspicion turned on him. The story didn’t end there, after disappearing, the outlier sold his knowledge of the company’s systems on the Dark web to hackers.
So how do you Protect Yourself from Outlier Threats?
What can be done to prevent against outlier threats such as a former programmer or IT member who intimately knows your organization or code from using that knowledge to harm or steal from your organization? How can you prevent them from contributing to malware to target your software logic at its weakest point, obfuscate threat activity as with the SWIFT malware, or expertly navigate your network to spy or steal data?
For starters, you should be monitoring and protecting your sensitive and proprietary information so existing employees don’t take it with them when they walk out the door. For example, Imperva CounterBreach discovered an employee from the Technical Writing department in an organization copied more than 100,000 files from the file share that belonged to their department, in the weeks leading up to leaving the company. If that dump included product specs for feature written by architects then it could give a hand at discovering weaknesses, or as could have happened in the SWIFT breach, provided an understanding how to manipulate the software.
Discovering and blocking this activity is an important first step in preventing information from ending up for sale on the Dark Web. Monitoring access to your web applications,database activity, and cloud apps could also help identify malicious activity. While you can’t prevent a determined ex-employee from using their knowledge for malicious purposes, preventing them from taking documents or code, and identifying suspicious activity while they’re still in your organization can help reduce risk.
The Outlier threat is out there and always will be. And every organization should understand that any one of their trusted employees, in addition to being a potential insider threat, whether malicious or not, can also potentially become a malicious outlier.