The Insider Threat Spectrum

October 20, 2015 | Insider Threat

At the surface level, enhancing an organization’s cybersecurity posture typically means strengthening network defenses in order to prevent, detect, and respond to attacks. Too often, however, network specialists overlook the human element, which can reduce the effectiveness of other security measures and undermine the integrity of an organization’s information. Insider threats are one such worrisome problem. As the first installment in a series covering cyber basics, this article explores the risk posed by malicious and untrained insiders within an organization.

Malicious insiders stand at one end of the insider threat spectrum. Although they are the least common threat actors within an organization, malicious insiders can act quickly and inconspicuously, and therefore pose the highest direct risk of compromising an organization’s information security. Exploiting the great complexity of the computer systems within their organizations, malicious insiders are able to hide discrepancies in plain sight. While fraud from within can begin as small diversions of funds and minor procurement inconsistencies, a motivated employee who understands the inner workings of an organization’s network may eventually move on to target much larger and more valuable business assets and operations.

In order to go after this sensitive information, malicious insiders may resort to one of two avenues of privilege escalation. If patient and technically able, they may aim to gain access to higher-level restricted files using their own technical skills. This could include any of a number of methods, such as brute-force attacks to guess passwords, spear phishing, and digital certificate tampering. If impatient or pressured by a third party (e.g., blackmailed or bribed), these actors may seek to speed up the process by simply stealing credentials from their colleagues or managers. Here, too, a number of methods are available, from physically stealing security badges to installing keystroke-logging malware. Ultimately, the choice between these two avenues depends on what the insiders intend to do with the information, that is, on their end objectives.

The 2013 Edward Snowden case provides an illustrative example. While contracting for the National Security Agency (NSA), Snowden accessed and leaked classified information which revealed details of US government surveillance programs. According to an unclassified NSA memo, a civilian NSA employee provided Snowden with his public key infrastructure (PKI) certificate, and entered his login password on Snowden’s computer terminal, allowing him access to the agency’s classified network. The memo reads: “Unbeknownst to the civilian, Mr. Snowden was able to capture [his] password, allowing him even greater access to classified information.”

Benign untrained insiders stand at the opposite end of the spectrum. Numerous studies have shown these actors to be the greatest source of information security threats within an organization. Beyond careless errors such as accidentally deleting or modifying critical information, untrained insiders also fall easily for socially engineered exploits. These exploits, which include phishing and Trojan malware, trick untrained insiders into handing sensitive personal data or authentication credentials to malicious actors. Such mistakes and exploits can lead not only to a gradual decline of an organization’s information integrity, but also to a substantial loss of business, if not bankruptcy.

Such threats are not limited to individual employees. Partner organizations, such as commercial vendors, can also fall under the category of untrained insiders. For example, in the 2013 Target hack, intruders gained entry to the company’s systems by using credentials belonging to one of the company’s refrigeration vendors. This represents yet another layer of risk, particularly for large companies that deal with hundreds, if not thousands, of corporate and commercial partners on a regular basis.

While insider threats will never disappear entirely, they can be substantially mitigated. First and foremost, enhanced identity-based controls and proactive network monitoring should form the front line of every threat prevention strategy. Moreover, organizations should gradually but firmly establish a cybersecurity culture through training programs that address fundamental risks and provide appropriate guidelines. This will not only substantially reduce the risks resulting from human error, but will also counter socially engineered exploits from the ground up.
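As an added illustration of what "identity-based controls and proactive network monitoring" can mean in practice (example code written for this page, not code from the original article), the script below runs two simple detections over constructed authentication records: an account logging on from a workstation that a different account normally uses (the shared-password scenario in the NSA memo above), and a third-party account reaching a system outside its approved scope (the vendor-credential scenario in the Target case). Every hostname, account name, timestamp and scope entry is constructed sample data, and the thresholds are assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    """One authentication record (all fields are constructed sample data)."""
    ts: str        # timestamp, ISO-8601 style
    user: str      # account that authenticated
    src_host: str  # workstation or gateway the logon came from
    target: str    # system that was accessed


# Constructed baseline: a quiet period used to learn which account normally
# works from which host. Hostnames and account names are hypothetical.
BASELINE_EVENTS = [
    AuthEvent("2015-10-01T08:02:00", "alice", "WS-101", "FS-RESTRICTED"),
    AuthEvent("2015-10-02T08:04:00", "alice", "WS-101", "FS-RESTRICTED"),
    AuthEvent("2015-10-01T08:10:00", "bob", "WS-204", "FS-RESTRICTED"),
    AuthEvent("2015-10-02T08:11:00", "bob", "WS-204", "FS-RESTRICTED"),
    AuthEvent("2015-10-01T09:00:00", "vendor_hvac", "VPN-GW", "HVAC-MGMT"),
    AuthEvent("2015-10-02T09:05:00", "vendor_hvac", "VPN-GW", "HVAC-MGMT"),
]

# Constructed events to evaluate against that baseline.
NEW_EVENTS = [
    AuthEvent("2015-10-05T08:00:00", "alice", "WS-101", "FS-RESTRICTED"),   # normal
    AuthEvent("2015-10-05T10:14:00", "alice", "WS-204", "FS-RESTRICTED"),   # alice's account from bob's workstation
    AuthEvent("2015-10-05T22:30:00", "vendor_hvac", "VPN-GW", "POS-DB-01"),  # vendor account outside its scope
    AuthEvent("2015-10-06T09:00:00", "vendor_hvac", "VPN-GW", "HVAC-MGMT"),  # normal vendor use
    AuthEvent("2015-10-06T09:30:00", "carol", "WS-310", "FS-RESTRICTED"),   # unknown host: nothing to compare
]

# Approved scope for third-party accounts (constructed).
VENDOR_SCOPE = {"vendor_hvac": {"HVAC-MGMT"}}


def build_host_owner_map(events, min_count=2, min_share=0.8):
    """Map each source host to its dominant account in the baseline.

    A host gets an owner only if one account produced at least `min_count`
    logons there and at least `min_share` of all logons from that host, so
    shared kiosks or gateways with mixed use do not produce an owner.
    """
    per_host = defaultdict(Counter)
    for e in events:
        per_host[e.src_host][e.user] += 1
    owners = {}
    for host, counts in per_host.items():
        user, n = counts.most_common(1)[0]
        if n >= min_count and n / sum(counts.values()) >= min_share:
            owners[host] = user
    return owners


def flag_events(events, host_owner, vendor_scope):
    """Return (event, reason) pairs for the two insider patterns described above."""
    findings = []
    for e in events:
        owner = host_owner.get(e.src_host)
        if owner is not None and owner != e.user:
            findings.append((e, f"account '{e.user}' used from workstation normally owned by '{owner}'"))
        allowed = vendor_scope.get(e.user)
        if allowed is not None and e.target not in allowed:
            findings.append((e, f"third-party account '{e.user}' reached '{e.target}', outside its approved scope"))
    return findings


def run_detection(baseline=BASELINE_EVENTS, events=NEW_EVENTS, vendor_scope=VENDOR_SCOPE):
    """Learn the baseline, evaluate the new events, and return the findings."""
    return flag_events(events, build_host_owner_map(baseline), vendor_scope)


if __name__ == "__main__":
    for event, reason in run_detection():
        print(f"{event.ts} {reason}")
```

Run as-is, the script reports the logon of alice's account from bob's workstation and the vendor account's access to the point-of-sale database, and stays silent on the other three events. The ownership threshold matters: a host with genuinely mixed use (a shared kiosk, a jump host) gets no owner and therefore produces no false positives, which is the kind of caveat to settle before such a rule goes into production.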