Can you explain what an insider threat is?

“An insider threat is a malicious threat to an organisation that comes from people within the organisation, such as employees, former employees, contractors or business associates, who have inside information concerning the organisation’s security practices, data and computer systems.”  Wikipedia.

 

Can you provide a case study and discuss at a high level what an insider attack may entail?

The attack was quite simple to perpetrate given the access that this user had to the target company’s environment.  It occurred in the following ways:

The specifics of the case:

  • The attack was perpetrated from a trusted 3rd party development contractor;
  • This contractor was a long-standing partner of the organisation and had worked for them for 6 years plus;
  • The contractor’s employee that perpetrated the attack was a long-term employee with 8 years plus of service;
  • There had been no previous issues with the employee, no behavioural problems, no previous discipline matters – he was a trusted employee;
  • It later transpired that the employee had developed a gambling addiction and was burdened with debt – that motivated him to perpetrate the attack to raise cash;
  • Because trust had been established over a period of years, the 3rd party contractor and its employees were not considered as a potential risk by the client organisation!

 

The attack itself:

  • Within the environment there were 60 servers and over 4000 end points (35 were Win 2k, but that’s another story);
  • The attacker accessed the environment via a legitimate route from his laptop to the target company’s jump server, although it later transpired that he used a smart phone to access his laptop to try and prove that he was not at his laptop when the attack occurred;
  • He ran several SQL queries against the databases until he could extract the customer data that he needed to launch a phishing attack against those customers;
  • He created several test files (text and CSV) to store the extracted data, and then pulled it back to the jump server and then back to his laptop;
  • 28Mb of customer data was extracted from the network, which comprised 135,412 customer records including 1,719 primary account numbers (credit card numbers);
  • The attacker then set up a phishing server (web/mail) via a well-known ISP;
  • The attacker used that data to launch a phishing attack on the customers contained within the stolen data files;
  • 30 unique customers accessed the phishing site and 6 uploaded personal information to the phishing server;
  • The customer data, credit card numbers and the 30 unique customers that had their full identity compromised were monetised using the dark web.

 

How was this discovered:

  • This only came to light when an astute customer flagged the phishing email as suspicious to the company;
  • An investigation was then launched.

 

What did we do?

  • Risk-X pulled as many logs as we could identify whilst forensic imaging was under way – all remote;
  • The client’s legal team worked with the ISP to obtain a copy of the phishing server – this was critical in proving the case;
  • From the above, Risk-X identified the IP address relating to the smart phone located on an Austrian telecoms provider;
  • Risk-X tracked the use of that IP address to a single user account (the suspect);
  • Then Risk-X identified several SQL queries that were used by the attacker to obtain the customer data from the databases;
  • Risk-X identified several filename references (but not the files themselves) that were used to extract the data from the network to the attacker’s laptop.  These were found in registry entries and in volatile memory images;
  • Risk-X linked the phone to the owner of the user account in question.  It was his own phone (although we never actually got possession of the phone itself);
  • With the assistance of German law enforcement, call data and cell site analysis was conducted to put the suspect in or close to his workplace at the time of the attack;
  • Workplace CCTV and door entry systems were analysed to place him in the workplace. The CCTV proved negative but the door entry systems placed him in the office where his desk was at the time of the attack.
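The correlation steps in the list above (suspect IP to a single account, then that account's queries and door-entry records) can be sketched as follows. This is an added example, not Risk-X's tooling or code from the original post; the log layouts, IPs, account names, table names and thresholds are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the case): documentation-range IPs,
# hypothetical account names, tables and badge data.
ACCESS = [  # jump-server logons: (time, source IP, account)
    ("2017-03-02 19:58", "198.51.100.7", "svc_backup"),
    ("2017-03-02 20:04", "203.0.113.45", "dev_contractor1"),
    ("2017-03-03 20:11", "203.0.113.45", "dev_contractor1"),
]
DB_AUDIT = [  # database audit: (time, account, statement, rows returned)
    ("2017-03-02 20:09", "dev_contractor1", "SELECT * FROM customers", 100000),
    ("2017-03-02 20:10", "svc_backup", "SELECT 1", 1),
    ("2017-03-03 09:30", "dev_contractor1", "SELECT id FROM builds", 12),
]
DOOR = [  # door entry: (time, badge owner's account, door)
    ("2017-03-02 19:40", "dev_contractor1", "office-2F"),
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def accounts_for_ip(ip, access=ACCESS):
    """Every account that ever logged on from the suspect IP."""
    return {acct for _, src, acct in access if src == ip}

def timeline(ip, window=timedelta(minutes=30), bulk_rows=1000):
    """Merge logons, bulk queries and badge events into one ordered timeline."""
    accounts = accounts_for_ip(ip)
    if len(accounts) != 1:  # shared or unseen IP: attribution is not safe
        return accounts, []
    acct = next(iter(accounts))
    logons = [ts(t) for t, src, _ in ACCESS if src == ip]
    events = [(t, "logon", ip) for t in logons]
    for t, a, stmt, rows in DB_AUDIT:
        # keep only large result sets run shortly after a logon from that IP
        if a == acct and rows >= bulk_rows and any(
                timedelta(0) <= ts(t) - lg <= window for lg in logons):
            events.append((ts(t), "bulk_query", stmt))
    for t, a, door in DOOR:
        # a badge event earlier the same day places the badge owner on site
        if a == acct and any(lg.date() == ts(t).date() and ts(t) <= lg
                             for lg in logons):
            events.append((ts(t), "door_entry", door))
    return accounts, sorted(events)
```

An IP that maps to more than one account returns an empty timeline by design, because the attribution in the case rested on the address resolving to a single user account.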

 

The outcome:

 

What can organisations do to protect themselves from insider threats?

You must remember that there are two main threats from inside your organisation: the deliberate / malicious and the accidental.  Both scenarios can have the same negative consequences for the organisation, even though the motivations are very different.

The first major issue is to know what data you have, what classification it is, and therefore what value it has, to people and the organisation.  People are the key asset to making it work, but they are also the biggest problem.  Why? Because we all create data, we consume it, we correlate it but we never actually go back and tidy up or maintain it.  Fundamentally we are all a little bit lazy. Is it possible that information security is as much a response to messy housekeeping as it is to striving for agility and ordered decision making?

Asset or data management isn’t a sexy subject. However, it is where we need to start in any security response for protection.  It is an area that is significantly underfunded and unloved by most organisations, and are we surprised? No. Why would it be? It does not directly make or save money for the organisation.  Without it though, it’s impossible to put any building blocks in place. The following are areas that asset and data management affect, and as they are important you ought to be considering them:

  • Governance;
  • Freshness;
  • Classification;
  • Cleanliness;
  • Criticality;
  • Duplication;
  • Ownership;
  • Relevance;
  • Contextualisation;
  • Integrity;
  • Structure.

Remember that implementing data housekeeping (as above) is not driven by technology or systems; it is driven by need, and by what you are trying to achieve.  This must provide real business benefit, and will dictate the data that you require.  If you can resolve data housekeeping issues, there will be a lot less data in the first place.

Once you have achieved data minimisation and only have the data that you need, in single instance storage locations, you stand a chance of understanding its use.  Map the business and technology processes and analyse these against the use cases for the data.  You then understand the context of the information and its use in the organisation (input ¦ process ¦ output).  This leads to a risk assessment and the selection of controls, whether they be people, process or technology.  Controls can then be designed to specifically protect the information throughout its processes (input ¦ process ¦ output) and its lifecycle of creation, transmission, processing, storage, archive, expiry and deletion.  Without this, you cannot hope to understand what the data is or how it should be protected appropriately.

 

What should an organisation do if they suspect someone from within their organisation has malicious intentions?

This is a difficult question to answer, as it relies on means, motive, opportunity and action that is more than merely preparatory being taken (i.e. to prove intent / mens rea).  There are many legal, regulatory and contractual factors that must be borne in mind by an organisation, as the very act of investigation could breach law, e.g. the Human Rights Act, data protection law or specific local laws like the German Workers Rights Act.

The first thing to do is ensure your company has a sound legal basis to monitor or investigate individuals within your organisation.  This will require legal engagement, changes to contracts and specific notice of law within your territory.  It is also advisable to ensure that you have contact with industry bodies and law enforcement as well.  Without this you are negotiating a minefield of legislation and regulation.  Additionally, you should have a clearly defined whistleblowing policy, and an external contact policy to ensure that any suspicions can be raised confidentially from both inside and outside of the organisation.

Once this is completed then you need clearly defined procedures and processes within the organisation that will govern how, when and why an investigation would take place.  It is also important to remember that those requesting the investigation or bringing disciplinary action (if appropriate) should not be the ones that do the investigation.  This is to provide impartiality, just as the police are not part of the judiciary – separation of duties / powers.  Ask me about the formation of a business integrity department in your company.

You will then need well-trained first responders or investigators initially to evaluate the situation and understand what the implications are.  This will need to include whether there are likely to be any legal implications or reports to external agencies required.  The first responder will also need to understand if they have the skills to conduct the investigation, or if it needs to be contracted to specialist providers.  It is critical that this evaluation occurs, so that you do not start the process and trample all over what could become a digital crime scene.

The best advice is to contract a specialist company, like Risk-X, to provide Incident Response and Digital Forensic capability if you do not have this in house.  This could be for just advice, training of your internal teams, as overflow or to provide specialist resource where required.  Do not just dive straight in: know what you are doing or take advice, and have a plan.

 

Why is it important for organisations to view security as more than just an IT issue, but as a business priority?

This is a very interesting question and one that raises the general fundamentals of the reasons that security / IT exists.  “In most cases security and IT exist because of the business not in spite of it”, says Steve Marshall.  What we fundamentally mean is that business data or information (i.e. data with value) means nothing to the security or IT teams; their job is to ensure the Confidentiality, Integrity and Availability of the data.  However, to the business this information has meaning – it is their data, they created it and use it to progress the objectives of the organisation.

The usage of this data presumes ownership, which comes with both responsibility and accountability.  Can the business live without this information that drives its objectives?  If the answer to the question is no, then the business must ensure that this data is available to them when they want it.  That being the case, the ability to protect the Confidentiality, Integrity and Availability of this data must be part of their objectives and priorities for the organisation.  Or they will have no organisation to run!

That being said, it is appropriate for responsibilities to be divested into teams and responsible individuals – as one person cannot do everything.  However, the responsibility passes but the accountability always remains.  So, the role of oversight and the functions of business integrity become key as a business priority – however, most companies are not set up to perform this overseeing function as needed.  This is where the real issue is, and why this is not seen as a priority by most businesses.

 

What is the one key takeaway from this?

Your staff are your greatest asset, but also your biggest weakness.  There needs to be a blend of people, process and technology controls as you cannot rely on people to always do the right things.  Whether this is deliberate or by accident, an attacker must only get lucky once; you must be lucky every time to defend against it.

The key takeaway is to ensure that you have appropriate overseeing functions (oversight suggests see and forget, overseeing suggests ongoing assurance) within the organisation that have independent reporting to the board to ensure all business integrity areas are on the agenda, and managed.  Speak to us today about how we have helped companies restructure to form business integrity departments, allowing independence of overseeing of the business.

 

Written by:

Steve Marshall

 

Originally posted at:

After David Martin-Woodgate’s presentation at the PCI SCC MEA 2017 forum, Steve wrote the response for the PCI blog post.  This can be found at: https://blog.pcisecuritystandards.org/