Insider Threats – Sometimes it is your Colleagues, and not Remote Attackers

Insiders pose the most substantial threat to organizations everywhere, a recent across-the-board study conducted by IBM demonstrates. Although in the majority of the cases, the insider is an employee of the company, he could also be a third party, such as an external contractor, a consultant or a business partner. An insider generally has all the necessary credentials and legitimate access to huge batches of data, along with a wide window of opportunity. For this reason, attacks initiated by insiders have proven to be extremely damaging for any kind of organization.

Cyber security incident origins, 2015. Source: IBM
Cyber security incident origins, 2015. Source: IBM

Activity of Insider Threat Actors in the Darknet

Research performed by SenseCy analysts has revealed a high demand for insiders in the Darknet. We have identified Darknet forum members seeking out insiders in the banking industry. Most of the demands are focused on bank employees able to cash out stolen information, such as credit card data and bank accounts. Such threat actors are considered highly valuable, with members willing to pay up to $120,000 for bank insider cooperation.

A post by a forum member seeking a bank insider in return for $120,000
A post by a forum member seeking a bank insider in return for $120,000
A member of a Russian underground forum searches for employees of Tinkoff Bank in Russia
A member of a Russian underground forum searches for employees of Tinkoff Bank in Russia

While the majority of the threads we detected dealt with insider threat actors in the banking industry, there is evidence of threat actors in other sectors as well, such as telecommunications and online trading companies. In one case, a forum member suggested the services of employees at an Amazon warehouse. Such insiders can be used to steal company goods, ship illegal merchandise using Amazon world shipping services, take part in large-scale scams, etc.

Forum member suggests using the services of Amazon insiders
Forum member suggests using the services of Amazon insiders

Detecting and Acting against the Insider Threat

Effective detection of insider threats necessitates a proper monitoring system of all data access activity on a regular basis. Concurrently, the company should integrate an anomaly detection system based on behavioral analysis in its IT security architecture, capable of identifying abusive access patterns or abnormal extraction patterns.

The following organizational patterns and user behaviors could represent indicators that your organization is exposed to a potential risk:

  • The presence of orphaned accounts – organizations rarely implement an adequate credentials deprovision policy when a user is moved to a different role or leaves the company. This provides disgruntled employees with the means and the opportunity, to retaliate against the company, for instance by stealing proprietary data. Keeping track of the changes within the company’s human resources body, and systematically deprovisioning access credentials accordingly, is of utmost importance as a preventative measure against insider threats.
  • Business operations involving ‘Shadow IT’ – information technology solutions are sometimes implemented inside organizations without the prior knowledge and approval of the company’s IT management. For example, an employee decides to sign up for a service with his personal payment methods and credentials, without informing the IT department of the initiative. As a consequence, the IT personnel cannot ensure that the appropriate access control measures are put in place, thus generating an opening for potentially harmful scenarios.
  • Inappropriate authentication mechanism – Corporate access credentials protected by an inappropriate level of authentication, only with usernames and passwords for instance, can easily be stolen or somehow lost by the legitimate proprietor. For instance, this year’s mega data breaches that exposed billions of users to all sort of malicious schemes occurred mainly because of the implementation of poor authentication factors. A consistent access control policy, based on multifactor authentication (MFA) mechanism must be devised and then implemented at all levels of the organization.

    What else can be Done?

    In order to create a sound insider threat program, the Software Engineering Institute of the Carnegie Mellon University identified five categories of tools that organizations can deploy, though not all of them are required:

    • User Activity Monitoring (UAM) – “the technical capability to observe and record the actions and activities of an individual, at any time, on any device accessing the information in order to detect insider threats and to support authorized investigations.”
    • Data Loss Prevention (DLP) – “products that, based on central policies, identify, monitor, and protect data at rest, in motion, and in use, through deep content analysis.”
    • Security Information and Event Management (SIEM) – “provides an additional method for collection, aggregation, and consolidation of logs from many types of devices. The SIEM leverages baselining and configurable rules to correlate the logs and provide real-time incident-based alerting.”
    • Analytics tools – expand the warning functionality of the SIEM, by leveraging cutting-edge technologies such as machine learning to detect anomalous activity.
    • Digital Forensics tools – assist the organization in conducting investigations by appropriately preserving, collecting, and analyzing digital items present on a system or particular device.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s