SBN

Evolving Threat series— Understanding Insider Attacks (Part 1)

Majority of security solutions focus on externally triggered unauthorized and illegitimate access to systems and information. Unfortunately, the most damaging malicious activity is the result of internal misuse within an organization, perhaps since far less attention has been focused inward.

Insider threats are one of today’s most challenging cybersecurity issues that are not well addressed by commonly employed security solutions. It is also one of the most challenging attack models to deal with in practice.

In general, insiders are authorized users that have legitimate access to sensitive/confidential material, and they may know the vulnerabilities of the deployed applications and business processes. Many attacks caused by malicious insiders are more difficult to detect compared to those of external attackers whose footprints are harder to hide.

Twitter threads can usually make for irresistible reading. This particular one from respected cybersecurity veteran Phil Venables is an invitation to shake off Twitter’s rapid-fire rhythm and focus on this critical yet unspoken topic — Insider Threats.

These threads are little essays in miniature. I’d encourage you to read the entire thread that is linked here.

Lets kick off this article with Phil’s formal definition

As Phil states in his twitter thread — grossly simplifying, there are 3 types of threats:

  • Trusted insiders who go bad over time due to disgruntlement or other (Progressive Insider Risks).
  • Trusted insiders who go bad immediately from some cue like coercion from an external actor (Instantaneous Insider Risk)
  • Infiltrators, i.e. external attackers who infiltrate the organization. Infiltrators can often look like Instantaneous Insider Risks

In all cases, the legitimate user within an organization who has been granted access to systems and information resources, but whose actions are counter to policy, and whose goal is to negatively affect confidentiality, integrity or availability of critical information assets.

In recent years, famous whistle-blowers have made their way into the media, such as the high profile data exfiltration cases involving Edward Snowden or Chelsea Manning. Although such cases may be viewed as security issues breaking the confidentiality of secret information, they may also be viewed as human loyalty manifested to the country or the society

The state-of-the-art seems to be still driven by forensics analysis after an attack, rather than technologies that prevent, detect, and deter insider attack.

One would have to thread together many indicators within context in order to provide conclusive evidence of an insider attack. Some examples are

  • Markers: Insiders sometimes leave deliberate markers to make a “statement.” Markers can vary in magnitude and obviousness. Finding the smaller, less obvious markers earlier — before the “big attack” occurs — should be a major goal of those faced with the task of detecting such attacks.
  • Errors: Perpetrators, like anyone else, make mistakes in the process of preparing for and carrying out attacks. The perpetrator will then erase the relevant log files and the command history.
  • Behavior: The perpetrator may, for instance, attempt to gain as much awareness about the potential victim system as possible. The use of commands such as ping, nslookup, finger, whois, rwho, git log, git-dorking, and others is only one of many potential types of preparatory behavior.

Scoping Assessment to detecting insider attacks would require continuous assessment of integrated business and technology software. In order to understand how to detect malicious insider actions, we have to understand the many forms of attack that have been reported

  • Tampering with data (unauthorized changes of data or records)
  • Unauthorized extraction, duplication, or ex-filtration of data
  • Destruction and deletion of critical assets
  • Downloading from unauthorized sources or use of pirated software which might contain backdoors or malicious code
  • Eavesdropping, packet replication and sniffing
  • Purposefully installing malicious patches, modules, rootkits
  • Spoofing and impersonating other users
  • Misuse of resources for non-business related or unauthorized activities
  • Social engineering attacks
  • Software supply chain infiltration
  • Backdoors introduced for debugging purposes that intentionally gets deployed into production to bypass compliance

In the next part of this series we will illustrate few case studies of insider attacks.


Evolving Threat series— Understanding Insider Attacks (Part 1) was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.


*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Chetan Conikee. Read the original post at: https://blog.shiftleft.io/evolving-threat-series-understanding-insider-attacks-part-1-f72c97801e53?source=rss----86a4f941c7da---4