Insider Threats From External Events

March 15, 2022
Jonathan Barrett
MXDR Security Analyst
Insider Threats From External Events

It’s only human to focus on external threats to your well-being. This often applies to organizations and their approaches to security as well; which is why so much energy is typically put into perimeter security. Yet, this approach is antithetical to the zero-trust methodology: Organizations must also pay attention to internal-to-internal and internal-to-external traffic just as much as traffic coming in. 

The mission of the Sidekick MDR team is to monitor for threats on all three of these axes. The impact on the reputation of an organization caught being a source of malicious activity is every bit as bad as being the target. Organizations can quickly find themselves put on blacklists that block communication, impeding their ability to conduct business. And if the attack is successful, they may be exposed to legal liability or technical retaliation. These situations call for a quick response. 


How External Events Become Insider Threats 

Recently, the Vectra Sidekick MDR team discovered internal traffic that led to just such a finding. An employee of a services company, let’s call them Acme Inc., took it upon themselves to involve Acme in the Russia/Ukraine conflict. The employee used Acme infrastructure to conduct a denial of service (DoS) attack against Belarusian and Russian organizations. The targets of the attack were a financial services company and a shipping and logistics company. The Sidekick team identified this activity and notified Acme, which promptly shut down the outbound attack. 

Many are quick to point out that the human element is the weakest link in the security chain, but they fail to see things from the perspective that people are also the strongest tool they (or their adversaries) have. In this instance, a single rogue user could have had a very significant impact. In these conflicts, employees are likely to have very strong emotions. And because of these emotions, their actions can be stronger than a company’s policy or existing security measures. 

Even before the recent conflict, Sidekick MDR identified multiple instances of users (sometimes even administrators) installing cryptominers on corporate assets. This is typically seen at universities and lab environments with shared and open machines. Financial motivation, with the perception of only using free resources, moved users to abuse these resources. So what will users be willing to do if they feel an actual moral obligation and have access to “free resources?” 


Learn About Your Network and Follow the Basics 

We need a holistic understanding of and approach to proper threat mitigation. News reports, high-fidelity threat feeds, and blog posts are still the best way to stay aware of external threats. However, just like unsupervised learning is required to learn specifics about your network, these news sources cannot tell you how individuals will respond. 

Following basic steps, like those outlined by CISA, can go a long way toward protecting organizations from cyberattacks. But we must remember that not all threats happen outside the organization, and that threats emanating from the inside your environment are still very real. It is all too easy to focus entirely on external threats in times such as this and see the large DDoS campaigns as something that happens only to other people. But the networks we protect can – willing or otherwise – become tools in such a campaign. Ensuring we have reliable monitoring to deliver the best possible coverage is paramount.