In the previous post of this blog series, we discussed highly publicized whistleblower cases such as Chelsea Manning and Edward Snowden. While government agencies are ramping up their protections of data and infrastructure against these cases, what danger do malicious or negligent insiders constitute for organizations, including corporations and small businesses, and what kind of insider threats exist? Is your organization safe?
Let’s first look at a more formal definition of the malicious insider. According to the computer emergency response team (CERT) at CMU, a malicious insider is a current or former employee or contractor who deliberately exploited or exceeded his or her authorized level of network, system or data access in a way that affected the security of the organization’s data, systems, or daily business operations.
Only a fraction of insider incidents is intentionally planned and executed by a malicious insider. Many incidents are caused by negligence, such as a current employee or contractor who unintentionally exceeds his authorized level of access, possibly enabling others to act on his behalf, and thus harming the organization. An outside (or malicious inside) party can then be behind the final incident.
In the case of a malicious insider, the goal is very often destruction, corruption or theft. While theft is driven by monetary or other gain, destruction and corruption can originate from highly disgruntled employees and can be directed against the organization as a whole or against specific co-workers. To make things more concrete, I’ll give two examples.
A disgruntled employee decides to steal the credentials of a co-worker he has a conflict with, and log on with these credentials visiting questionable websites. His ultimate goal is to discredit the co-worker by having IT notice the violations and report them to human resources or the co-worker’s manager.
As simple as this example seems, it contains a number of common patterns of preparation and execution that can be found in many insider threat cases, and that can often be observed by employing technology. The first stage is exploration and experimentation during which the disgruntled employee figures out how to steal the credentials (e.g., through Google web searches), and then tries out several “extraction” methods to make sure they work in the local environment. Once he’s chosen a method that seems to work, he goes into execution mode, stealing and using the co-worker’s credentials. The final step is escape or evasion, where the disgruntled employee deletes all traces that could lead back to him.
An outside party solicits the system administrator of a small technology company to install monitoring software inside the organization’s network in exchange for money. As the system administrator was recently demoted, he decides to install the software before leaving the company.
Again, the insider first explores and experiments by installing the software he received on a test machine and monitoring its network footprint and detectability inside the network. Once convinced that the software will not be easily uncovered – or traceable – he installs it inside the network using a co-worker’s account, and finally erases all traces leading back to him. This example shows that a disgruntled insider can act on behalf of an outside party, potentially inflicting substantial damage to a company.
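Both examples follow the same ordered stages (exploration and experimentation, execution, evasion), and in both the execution step runs under a co-worker's account. The following sketch is an added example, not code from the original post or from any product: it correlates events by source host rather than by account, so the chain stays intact when the account changes. The event names, hosts, accounts and timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

# Stage order taken from the post: explore/experiment -> execute -> evade.
STAGES = ["exploration", "execution", "evasion"]

# Hypothetical mapping of event types to stages (event names are assumptions).
EVENT_STAGE = {
    "search_credential_theft": "exploration",
    "tool_run_on_test_machine": "exploration",
    "login_with_other_users_account": "execution",
    "software_install": "execution",
    "log_cleared": "evasion",
    "history_deleted": "evasion",
}

# Constructed sample events: (timestamp, source host, account used, event type).
EVENTS = [
    ("2014-03-03T09:12", "ws-17", "alice", "search_credential_theft"),
    ("2014-03-03T10:02", "ws-22", "carol", "log_cleared"),  # isolated event
    ("2014-03-04T14:40", "ws-17", "alice", "tool_run_on_test_machine"),
    ("2014-03-05T08:55", "ws-17", "bob", "login_with_other_users_account"),
    ("2014-03-05T09:30", "ws-17", "alice", "history_deleted"),
    ("2014-03-06T11:00", "ws-31", "dave", "software_install"),  # isolated event
]

def detect_staged_activity(events, window=timedelta(days=7)):
    """Return {host: [(stage, time, account), ...]} for hosts that pass
    through all three stages, in order, within the time window."""
    progress = {}  # host -> stages reached so far, in order
    flagged = {}
    for ts, host, account, etype in sorted(events):  # ISO strings sort by time
        stage = EVENT_STAGE.get(etype)
        if stage is None:
            continue
        when = datetime.fromisoformat(ts)
        seen = progress.setdefault(host, [])
        if seen and when - seen[0][1] > window:
            seen.clear()  # chain is too old, start over
        if stage == STAGES[len(seen)]:  # only the next expected stage advances
            seen.append((stage, when, account))
        if len(seen) == len(STAGES):
            flagged[host] = list(seen)
            seen.clear()
    return flagged

if __name__ == "__main__":
    for host, chain in detect_staged_activity(EVENTS).items():
        print(host, [(stage, account) for stage, _, account in chain])
```

Isolated events on ws-22 and ws-31 do not raise a flag; only the host that moves through all stages in order does, and the flagged chain shows a second account appearing on that host at the execution step.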
How serious is the threat coming from inside organizations? According to the 2013 US State of Cybercrime Survey, over 50% of participating organizations experienced an insider incident in 2012. And 53% of the affected organizations stated that the damage caused by insider cyberattacks was greater than that caused by outsider attacks. Interestingly, the most frequent categories of insider incidents involved unintentional exposure of sensitive data by a negligent insider and the theft of intellectual property by a malicious insider. The insider threat incidents accounted for roughly one quarter of all electronic crime events encountered by organizations in the United States.
In the light of these numbers, if you still think your organization is safe, keep in mind that half of all office workers will take data with them when they switch jobs, and organizations typically have a yearly turn-over rate of 3.3%.
Oliver Brdiczka is an AI Architect at Adobe. He has led R&D teams and designed/built AI systems that understand and respond to human behavior, relying on data from various sensors and deployments. Before joining Adobe, he was an advisor at Quantiply Corporation and Yobs. Previously he was a co-founder and VP of AI research at Stella.ai and principal data scientist at Vectra. He received a master's in computer vision, robotics, and imagery and a PhD in computer science and artificial intelligence from Institut polytechnique de Grenoble.