Malicious Insiders- Bogeymen or Legitimate Threats?

Insider threats currently account for about 66% of all data breaches. Most of these breaches stem from employee negligence or from credentials stolen through phishing, and in many cases the two go hand in hand. These threats increased with the switch to remote work, which brought both greater vulnerability to phishing attacks and a higher volume of them.

However, another kind of insider threat exists. Only about a quarter of security professionals say malicious insiders are the insider threat they worry about most. While malicious insiders may not be most people's biggest concern, the number of attacks attributable to these bad actors may surprise you. In this article we will show that malicious insiders should not be ignored, explain why the switch to remote work has only amplified this problem, and propose improvements to security systems and company policies to combat this threat.

Malicious Insiders- Costs and Stats

A 2022 report by the Ponemon Institute found that 26% of all insider incidents involved criminal or malicious insiders. Combined with the 66% figure above, this means that about 17% of all data breaches involve malicious insiders. The average cost of a data breach involving malicious insiders came out to $648,000. The cost of a breach varies with the headcount of the company: looking at the cost of all insider threats, larger companies spend more on average than smaller companies.

Sourced from Ponemon Institute Cost of Insider Threats Global Report 2022

What’s more, many companies suffered multiple insider incidents a year. While not all of these were due to malicious insiders, the fact that about a quarter of all insider incidents involve malicious insiders suggests that a company may suffer multiple malicious insider incidents a year. Of the companies that suffered an insider-related incident, 67% experienced between 21 and over 40 incidents per year. This would translate to roughly 5 to 10 malicious insider attacks per year.

Malicious Activities

There are a variety of malicious activities an insider can perform. They can be summarized as IT sabotage, data theft, and insider fraud. IT sabotage involves accessing systems and intentionally damaging them, either by deleting critical data or by uploading harmful material into those systems. IT employees are often the most dangerous malicious insiders because they most often have access to critical systems; system administrators and programmers are the most likely to perpetrate IT sabotage. While other malicious activity generally has a financial motive, sabotage is generally perpetrated by a disgruntled employee, in particular one who has recently been terminated or otherwise subjected to conditions they deem unfair.

Data theft and insider fraud are committed in hopes of financial gain by the bad actor. That gain can come in two ways. First, an insider can steal data to use later for their own benefit; one example we will discuss is stealing data in order to start a company with it. Another is selling the data to another entity, such as a competitor. Finally, employees can be hired by an external entity to subject a system to a cyberattack, and malware is frequently used in this instance.

Case Studies

Real-life examples of malicious insiders make insightful case studies of how and why these employees damage their companies. They also help show that these insiders are not bogeymen at all, but very real threats. On the surface the malicious insider can look like any other employee.

The first example shows how much damage a disgruntled employee can do. In early March 2020 an employee of a medical packaging company was fired. While employed he had administrator access to computer systems. On March 29th, three days after receiving his final paycheck, the employee used a fake user account to log into the company’s computer systems. He had created this fake account while he was still employed at the company. Using this account, he edited over 100,000 records and deleted thousands. The deleted files delayed shipments of PPE to healthcare providers. This is an instance of IT sabotage perpetrated by a disgruntled employee. There was clearly premeditation in his plan, as he had created the fake user account before being terminated. Better monitoring of administrative activity could have raised red flags and prevented the sabotage.

The next case study provides an example of data theft. In 2015 a Google executive downloaded 14,000 files from a Google server, which he transferred from a company-issued laptop to a personal laptop. The data pertained to the Waymo self-driving program. After he left Google the next year, he immediately began creating a self-driving truck company. Within months this company was purchased by Uber. This is another case in which we can see premeditation; this time, the employee’s malicious plan spanned over a whole year.

After the malicious insider was discovered, Waymo ended up being awarded $245 million in Uber shares. A question raised by this case is how much data an employee should have access to. As an executive, did he really need to access over ten thousand files regularly, or would the more managerial nature of an executive job mean that he likely did not need this data access?

The third case study shows an example of an entity trying to hire an insider to infect a system with malware. From July 16, 2020, to August 22, 2020, a Russian national conspired to recruit an insider employee. They were hoping to infect the company’s system with malware that would allow them to extract data. They wanted to then hold the data for ransom, threatening to make it public if the company did not pay.

A final case study shows an infiltration of the cloud. In 2020 an ex-employee of Cisco was sentenced to two years in prison for damage caused to Cisco’s network. He accessed a protected computer without authorization and got into cloud infrastructure hosted by AWS. He deployed code that deleted 456 virtual machines for Cisco’s WebEx Teams application. The result was 16,000 WebEx Teams accounts shutting down temporarily, costing $1.4 million in employee time and requiring over $1 million in customer refunds.

Infiltration Methods and Suspicious Activity

The ways in which insiders infiltrate can shed light on where security should turn its attention. The four most common ways to infiltrate and steal or corrupt data are: emailing sensitive data to outside companies, scanning for open ports and vulnerabilities, accessing and downloading sensitive data not associated with the employee’s role or function, and using unauthorized external storage devices like USB drives.

Sourced from Ponemon Institute Cost of Insider Threats Global Report 2022

Keeping these infiltration points in mind, let’s discuss suspicious activity. If you see any of the following, it may be a sign that a malicious insider is infiltrating company systems. As seen with the medical packaging employee, creation of backdoor accounts is a red flag: these allow people to access systems when they are no longer authorized to do so. Disabling system logs and removing history files also point to suspicious activity relating to malicious insiders. Any time you see what you thought was a secure system exposed to malware, or employee negligence that goes beyond a simple mistake (such as repeated failure to restore data backups), it is worth investigating for malicious activity. It is also important to keep an eye on where data goes. Emails going to non-work addresses, especially with large attachments, are suspicious. A large amount of sensitive data being downloaded without a clear business reason is another red flag.

Most of these red flags revolve around transparency. If something seems off, it is worth looking into. Sensitive data is valuable and should be guarded as closely as possible. Most of these red flags are reasons to start investigating, but by the time you see them, it may be too late. Certain preventative measures, which we will discuss soon, should be taken before any malicious insider can act.
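To make the red flags above concrete, here is an added example (not code from the original article) that runs four of these checks over constructed audit events: a login to an account created by a since-terminated user (the backdoor-account pattern from the medical packaging case), audit logging being disabled, a large attachment emailed to a non-company address, and a mass download by one user in a single day. The event fields, thresholds, company domain and usernames are all assumptions.

```python
from collections import Counter

# Constructed sample data (assumptions, not from any real system).
COMPANY_DOMAIN = "example.com"
TERMINATED = {"jdoe": "2020-03-26"}  # user -> termination date (ISO date, so strings compare in order)

EVENTS = [
    {"ts": "2020-03-01", "actor": "jdoe", "type": "account_create", "target": "svc_backup"},
    {"ts": "2020-03-29", "actor": "svc_backup", "type": "login"},
    {"ts": "2020-03-29", "actor": "svc_backup", "type": "audit_log_disable"},
    {"ts": "2020-03-30", "actor": "asmith", "type": "email", "to": "asmith@gmail.com", "bytes": 25_000_000},
    {"ts": "2020-03-30", "actor": "asmith", "type": "email", "to": "bob@example.com", "bytes": 40_000},
] + [{"ts": "2020-03-31", "actor": "ldoe", "type": "download", "target": f"doc{i}"} for i in range(120)]


def find_red_flags(events, company_domain=COMPANY_DOMAIN, terminated=TERMINATED,
                   attach_limit=10_000_000, download_limit=100):
    """Return (flag, actor, date) tuples for the insider red flags found in events."""
    flags = []
    created_by = {}        # account -> user who created it
    downloads = Counter()  # (actor, day) -> number of files downloaded
    for e in events:
        kind = e["type"]
        if kind == "account_create":
            created_by[e["target"]] = e["actor"]
        elif kind == "login":
            # Backdoor account: a login to an account whose creator has since been terminated.
            creator = created_by.get(e["actor"])
            if creator in terminated and e["ts"] > terminated[creator]:
                flags.append(("backdoor_account", e["actor"], e["ts"]))
        elif kind == "audit_log_disable":
            flags.append(("logging_disabled", e["actor"], e["ts"]))
        elif kind == "email":
            # Large attachment leaving for a non-work address.
            domain = e["to"].rsplit("@", 1)[-1].lower()
            if domain != company_domain and e["bytes"] >= attach_limit:
                flags.append(("large_external_email", e["actor"], e["ts"]))
        elif kind == "download":
            downloads[(e["actor"], e["ts"])] += 1
    # Mass download: one user pulling an unusual number of files in one day.
    for (actor, day), n in downloads.items():
        if n >= download_limit:
            flags.append(("mass_download", actor, day))
    return flags


if __name__ == "__main__":
    for flag in find_red_flags(EVENTS):
        print(flag)
```

In a real deployment the thresholds would be tuned to the organization's baseline, and the flags would feed an investigation rather than act as proof on their own.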

How Remote Work Increased Risks of Malicious Insiders

The frequency of attacks by malicious insiders has increased by 40% since 2018. While not all of this is due to the switch to remote work, it is certainly a factor. This is a huge increase, especially when compared to the increase in employee or contractor negligence, which rose by only 4% over the same years.

One reason for this increase in malicious insiders is the increased use of personal devices by remote workers. It is becoming accepted, and even common practice, for employees to use personal devices for work instead of a company-issued device. Keeping track of what these employees use personal devices for can be difficult.

Source: Bitglass’ 2021 Remote Workforces Security Report

As it stands, the majority of companies do not have full visibility into users’ activity if they disable their VPN. This makes it much easier for remote employees to act maliciously and avoid detection.

Even with monitoring, many employees do not follow safe security practices, which makes it harder for companies to distinguish red flags of malicious activity from negligent activity. Examples include employees using the same device for both work and personal use. This introduces risks from third-party apps, from using the personal device as a shared device within a household, and from using work email to send non-work-related messages. In addition, by not practicing safe use of the device, employees can let sites get hold of their work email address for spam messaging. Finally, employees can more easily use things like external devices and USB drives.

All of these may be typical behavior of an employee simply failing to use safe practices, but they can at the same time all be signs of malicious behavior. Distinguishing between the two can become a daunting or impossible task if a large number of such instances are spotted on employees’ devices.

Another reason the shift to remote work allows for more malicious insiders is poor security management in the cloud. Companies shifted their systems to the cloud in tandem with the shift to remote work. While the cloud is not inherently less secure, some companies do not migrate to the cloud in a secure manner, which leaves them open to greater threats. 36% of companies said that malicious insiders were one of the greatest threats facing the cloud, and 52% said that the cloud was one of the channels they worried most about for insider-driven data loss.

A final reason remote work can increase malicious insiders is a lack of office culture. It is possible to maintain an office culture through meetings and conference calls, but it is harder to maintain a rapport with employees beyond meetings, and harder for employees to build relationships among themselves. Particularly in the case of disgruntled employees sabotaging systems, an employee with little contact with others in the workforce is more likely to act against the company if they are laid off or terminated. The absence of relationships within the company, which would otherwise help to mitigate fallout, is more likely in a remote workforce.

As we discussed in our previous article, the shift to remote work creates many security threats. Just as there were ways to mitigate those risks, so too are there ways to mitigate the risk of malicious insiders.

Remediations

Evaluate security practices. The following security measures should be used to protect systems in general, but they are especially pertinent when talking about malicious insiders:

Don’t let one person have access to more data than they need. Consider the roles of each team member thoroughly before authorizing them to have access to sensitive data. An employee should only have access to data that is absolutely necessary for their job functions.

Make sure cloud security is strong if your company is utilizing the cloud. Use cloud security providers, make sure your tech stack is compatible and efficient to use with cloud systems, and make sure you train and/or certify the staff in charge of security to use the cloud properly. A company that does not take security seriously when moving to the cloud is often more at risk than before the transition. This includes the risk from malicious insiders, who can more easily gain unauthorized access to the company’s systems in the cloud.

Use security best practices when your company utilizes remote work. This includes implementing a secure VPN and using a firewall. Bring Your Own Device (BYOD) policies are becoming the norm, and if a company uses such a policy it is crucial that steps be taken to minimize risks. An employee using their own device can be a security risk due to negligence, but using personal devices for work is also a security risk because it makes malicious insiders harder to spot. While it is good to maintain a balance between company oversight and employee privacy, some measures should be taken to track malicious activity. Most importantly, all employees’ devices need to be registered with IT. These devices also should not be used for anything non-work-related, and should not be shared devices.

Role of HR. Screening potential new employees should be a regular step in the hiring process, and screening services can be used to get an even more in-depth view of criminal background history. After the hiring process HR still plays a role: they should monitor company morale, since low morale could indicate a greater likelihood of disgruntled employees. They should also take any complaints seriously, both from employees complaining about the company and from employees about other employees.

Offboarding. Disgruntled employees who are terminated or leave the company present a threat. Offboarding should include an HR interview to evaluate whether the employee is disgruntled, as well as termination of ALL accounts and access that employee had with the company. Among companies with a Bring Your Own Device policy, 60% do not remove business data from their ex-employees’ devices, and 65% cannot wipe devices remotely. This is incredibly dangerous for the security of companies with remote workers.

Concluding Thoughts

The frequency of malicious insider attacks is growing at a disproportionately higher rate than employee negligence. This suggests that, among insider threats, malicious insiders will become an ever more severe problem. Steps to mitigate malicious threats involve cooperation between HR and the security team and reach from the hiring process all the way to the offboarding process. A company that follows security best practices will see improved security by implementing the proposed solutions, not just with respect to malicious insiders, but for its security systems in general.

Sources:

https://www.proofpoint.com/us/resources/threat-reports/cost-of-insider-threats#:~:text=As%20the%202022%20Cost%20of,a%20third%20to%20%2415.38%20million.

https://www.justice.gov/usao-ndga/pr/former-employee-medical-packaging-company-allegedly-sabotages-electronic-shipping

https://www.secureworld.io/industry-news/google-insider-threat-pleads-guilty

https://waymo.com/

https://www.justice.gov/opa/pr/russian-national-indicted-conspiracy-introduce-malware-computer-network

https://www.justice.gov/usao-ndca/pr/san-jose-man-sentenced-two-years-imprisonment-damaging-cisco-s-network

https://www.isc2.org/-/media/ISC2/Research/Resource-Thumbnails/Resource-Center/Research/2021-Cloud-Security-Report-FINAL.ashx?la=en&hash=365C243EC4B2196B9C4B55AF8E3C4E1EC4B0C5B6

https://digitalguardian.com/blog/ultimate-guide-byod-security-overcoming-challenges-creating-effective-policies-and-mitigating

https://pages.bitglass.com/rs/418-ZAL-815/images/CDFY21Q1RemoteWorkforceSecurityReport.pdf?aliId=eyJpIjoicnlWUGpWaVBiUnlvSXFiVSIsInQiOiJxV1ZjNk1oK1Nvc2dPUFwveURjSlhOQT09In0%253D
