Insiders who leak information about classified government practices and decision-making have a huge impact on public opinion and policy. Throughout history, whistleblowers have exposed alleged misconduct, dishonesty or illegal activity occurring in organizations. The alleged misconduct includes the violation of a law, rule or regulation and/or a direct threat to the public interest, such as fraud, health and safety violations, and corruption. The history of whistleblowing in the United States is almost as old as the country itself. The first case dates back to 1777, when Samuel Shaw and Richard Marven blew the whistle on the torture of British prisoners of war. As a consequence, the Continental Congress enacted the whistleblower protection law on July 30, 1778, by a unanimous vote and dismissed the responsible commander-in-chief of the Continental Navy. A modern version of this protection law exists today, including special versions for employees in intelligence services.
Modern-day insiders are employees or contractors who have entered a trusted relationship with the organization for which they work. Trust here means that by entering into a work relationship, the insiders accept and abide by the rules and obligations that come with the role. However, this relationship of trust does not, and should not, extend to alleged dishonest, unethical or illegal activity. The insider must obey the law and hold to ethical practices, despite the trusted relationship.
While cases of whistleblowers have dominated the news, less light has been shed on malicious insiders who harm their organization for personal gain, out of disgruntlement, or through simple neglect. The overwhelming majority of insider threat cases reported by the computer emergency response team (CERT) at Carnegie Mellon University fall into these categories and inflict enormous damage on government organizations and companies worldwide every year. According to the FBI and the U.S. Department of Homeland Security, these kinds of insider threat cases are on the rise and pose a significant cybersecurity threat to U.S. businesses. A single incident can cost up to $3 million, according to recent FBI cases.
The ultimate goal of most insider attacks is to steal data. Depending on the insider's needs and skill level, attackers can use a variety of approaches to smuggle data out of an organization. The most obvious approach involves moving data in bulk, either directly to the internet or to an intermediate staging area in the campus network. Subtler attackers may try to stay low-and-slow by patiently exfiltrating data at rates that are less likely to be noticed or arouse suspicion. Efforts can also be made to obscure data exfiltration in hidden tunnels within allowed traffic, such as web or DNS traffic.
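The three patterns described above (bulk transfer, low-and-slow, and tunnelling inside allowed DNS traffic) each leave a different footprint in ordinary network telemetry. The script below is an added example written for this post, not Vectra's code or part of the Cognito product; it runs three simple detections over constructed flow and DNS query records. The hostnames, addresses and thresholds are illustrative assumptions chosen to make the three cases visible, and the "apex domain" helper naively takes the last two labels, which would need a public-suffix list in real use.

```python
"""Three toy detections for the exfiltration patterns discussed above:
bulk transfer, low-and-slow egress, and DNS tunnelling. All sample data is
constructed for this example; thresholds are illustrative assumptions."""
import hashlib
import math
from collections import defaultdict

# Constructed outbound flow records: (day, src_host, dst_host, bytes_out).
FLOWS = [
    # Bulk: one workstation pushes 2 GB to an external address on day 1.
    (1, "ws-17", "203.0.113.9", 2_000_000_000),
    # Low-and-slow: ~40 MB every day for 30 days to the same destination.
    *[(d, "ws-22", "198.51.100.4", 40_000_000) for d in range(1, 31)],
    # Benign: modest web traffic on two days.
    (1, "ws-03", "93.184.216.34", 1_500_000),
    (2, "ws-03", "93.184.216.34", 2_100_000),
]

# Constructed DNS query log: (src_host, fully qualified query name).
# The tunnel host queries 60 distinct, long, high-entropy subdomains
# of one registered domain; hex digests stand in for encoded payload.
DNS = [("ws-41", "www.example.com"), ("ws-41", "mail.example.com")] + [
    ("ws-22", hashlib.sha256(str(i).encode()).hexdigest()[:40] + ".t.example.net")
    for i in range(60)
]


def bulk_transfers(flows, threshold=1_000_000_000):
    """Any (src, dst) pair whose outbound bytes on a single day exceed threshold."""
    totals = defaultdict(int)
    for day, src, dst, nbytes in flows:
        totals[(day, src, dst)] += nbytes
    return sorted({(s, d) for (_, s, d), b in totals.items() if b > threshold})


def low_and_slow(flows, min_days=14, daily_cap=1_000_000_000, cumulative=500_000_000):
    """Pairs that never trip the bulk threshold on any single day but move a
    large cumulative volume across many days: the footprint of patient egress."""
    per_pair_day = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        per_pair_day[(src, dst)][day] += nbytes
    hits = []
    for pair, days in per_pair_day.items():
        if (len(days) >= min_days and max(days.values()) <= daily_cap
                and sum(days.values()) >= cumulative):
            hits.append(pair)
    return sorted(hits)


def shannon_entropy(s):
    """Bits of entropy per character; 'www' scores low, encoded payload high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def apex(name):
    """Naive registered-domain extraction (assumption: two-label TLDs ignored)."""
    return ".".join(name.split(".")[-2:])


def dns_tunnel_suspects(queries, min_unique=50, min_label_len=20, min_entropy=3.0):
    """Per (src, apex domain): many distinct query names whose leftmost label is
    long and high-entropy. Ordinary hostnames never satisfy all three tests."""
    names = defaultdict(set)
    for src, qname in queries:
        names[(src, apex(qname))].add(qname)
    hits = []
    for key, qnames in names.items():
        labels = [q.split(".")[0] for q in qnames]
        avg_len = sum(map(len, labels)) / len(labels)
        avg_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if len(qnames) >= min_unique and avg_len >= min_label_len and avg_ent >= min_entropy:
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    print("bulk:", bulk_transfers(FLOWS))
    print("low-and-slow:", low_and_slow(FLOWS))
    print("dns tunnel:", dns_tunnel_suspects(DNS))
```

The three detections are deliberately independent: the bulk check looks at one day at a time, so it is blind to `ws-22`, whose daily volume stays well under the cap; only the cumulative check catches it. The DNS check ignores byte counts entirely and keys on the shape of the query names, which is what makes tunnelling visible even when the traffic is small and permitted.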
The Vectra solution
Cognito Detect delivers a variety of intelligence to detect data exfiltration, covering both the fast, high-volume and the slow, low-volume approaches. While this helps organizations stop insiders who leak data for personal profit, whistleblowers can still report wrongdoing in a secure and anonymous way through the wide variety of tools designed for this purpose.
Marcus Hartwig is a senior product marketing manager at Vectra. He has been active in the areas of IAM, PKI and enterprise security for more than two decades. His past experience includes product marketing at Okta, co-founding a company in cybersecurity professional services, and managing a security product company, a combination that has left him passionate about all parts of product marketing, design and delivery.