Verizon’s 2018 Data Breach Investigation Report indicates that 68 percent of data breaches take two or more months to uncover, highlighting the importance of having strong, yet manageable, audit trails as well as robust detection tools in place. The study also mentions that while insider threats comprise only 28 percent of all data breaches, they are often cited as being the most costly and most difficult to prevent and detect for businesses today. There are several reasons for this, but chiefly, insiders often have knowledge of, and access to, sensitive information and can often legitimately bypass security measures without raising red flags, as they are “trusted users.”
Insider threat actors can typically be categorized into four main groups: malicious insiders, exploited insiders, external insiders and unintentional insiders. This post will focus on examples from the first group: the malicious insider. Malicious insiders are motivated by a number of underlying factors – anger, financial struggles, political activism or outside influence – so it’s not always easy to pinpoint who a potential malicious insider is, or what their particular motives are.
In a recent example, a disgruntled employee faced with an impending dismissal, subverted a company firewall to access source code data, exported it to a personal hard drive and attempted to sell it for millions of dollars in cryptocurrency. Another recent breach highlights a different flavor of insider attack, where a now ex-employee is being accused of writing software to steal internal secrets, transferring this data to third parties and doing so on three separate computers of different employees to falsely implicate those individuals to avoid scrutiny (unsuccessfully – he’s now in court). These two examples represent the types of dangerous activities that reinforce the need to have controls in place to more closely watch and remediate potentially malicious insider threats.
Before proceeding, it’s important to make two observations. First, as we know, many business users need sensitive data in order to do their jobs (for example, developers need access to the source code), but also require privileged access to log into the systems that house it. Second, every employee has some level of access to confidential information; be it through company memos, announcements, etc. – meaning that everyone inside the organization represents a potential insider threat.
It is paramount to control how information is shared, or more importantly, not shared. The objective of security tools and teams is not to make it impossible for people to do their jobs; but rather it is to ensure that proper access is granted and that sensitive information has adequate protection to prevent it from leaking. There are controls and tools that can be used to not only sound the alarm when something fishy might be occurring, but to automatically and promptly limit the damage done once a malicious insider decides to go rogue.
The CyberArk Core Privileged Access Security Solution requires that users retrieve privileged credentials from the encrypted password vault, which can be set to create and rotate complex credentials as often as policy dictates. In the event that users access systems without first retrieving a credential from the vault, CyberArk has the ability to flag this type of behavior as “suspicious” or “high risk” and administrators can manually or automatically suspend or terminate the session. This disables the threat actor from proceeding further and prevents them from connecting to the specific account, for example, a database that houses source code. With this use case, suspicious behavior is flagged to administrators and can be suspended, rather than automatically terminated. This leads to fewer headaches for operations team members. If the session is deemed to be harmless, then the session can be resumed with approval, rather than forcing users to start over.
Another way that internal users exploit security vulnerabilities is through unmanaged accounts. In many examples, internal users have accessed sensitive and valuable information through manually created backdoor accounts that don’t require the retrieval of a privileged credential. Often times this can provide unmitigated and unmonitored access that can prove catastrophic. However, the CyberArk Core Privileged Access Security Solution can automatically (or manually) be set to add unmanaged privileged accounts to the vault and create a complex password in real time, preventing further mobility. This also prohibits users from essentially creating their own paths within a network, provides adequate checks to ensure that the right access is granted and is monitored in real time to detect potentially dangerous activities. In the case of creating backdoor accounts to access privileged information, like manufacturing plans, the ability to automatically onboard these accounts with CyberArk Privileged Threat Analytics would have created a new credential while the actor was inside, essentially trapping them in the session with nowhere to run or hide.
It’s hard to know if an employee may turn rogue, and it’s even harder to know who might fall victim to an attack and have their accounts exploited. To effectively protect against insider threats, organizations must first understand who has privileged access to which systems. From there, they should minimize user privileges using the principle of least privilege to reduce the attack surface, lock down privileged credentials, and control and monitor privileged accounts. Technology can also help to identify and alert on anomalous behavior.
Learn how CyberArk can help your organization reduce the risk of malicious insider threats and limit potential damage by downloading our eBook, contacting your local CyberArk sales representative or reaching out to us for a demo to see some of the functionality highlighted in this blog in a live environment.