How To Mitigate Threats from Inside Your Network
Think back to the most recent cybersecurity advertisement you’ve seen. Chances are the advertisement sold the ability of the product or service to keep intruders out of your network. It may have used images of barbarians being thwarted at a castle moat to drive home just how effective it is at keeping threats from ever entering your environment. These visual cues reinforce a feeling of safety and our tendency to draw a line between the relative safety of our internal network and the Wild West of the Internet. Only instead of a moat filled with alligators, we have a firewall, which admittedly isn’t nearly as cool as the name implies. This focus on protecting from the outside in is endemic in the cybersecurity space and does not take into consideration the unpredictable and arguably more dangerous attack vector: the insider threat. We have to apply this same focus to mitigating risk from inside the network.
It’s difficult and uncomfortable to consider, but someone you work with may be planning or carrying out a cyberattack from within your organization. As uncomfortable as this makes us feel, the reality is that inside threat actors are real, and they can cause considerable damage to their organization. Arguably the most well-known and controversial inside threat actor is/was Edward Snowden. Through a mix of social engineering and technical savvy he was able to access information relating to the NSA’s domestic activities, and in 2019 alone an insider was able to obtain roughly 140,000 Social Security numbers, 80,000 bank account numbers, and a plethora of other sensitive information from Capital One. While their motivations were different, there is no understating the impact that these individuals made.
A combination of administrative and technical controls is the best tactical decision for mitigating insider threats. While the controls are in two different domains, they reinforce each other. The joint effort of classifying data and applying Data Loss Prevention (DLP) limits the ability to delete or exfiltrate data. Similarly, implementing Role-Based Access Control (RBAC) ensures that people only have access to the resources they need. It is paramount that decision-makers have a solid grasp of the technical capabilities of your organization so that they are informed with the best knowledge of what is possible and feasible. There are also administrative and technical controls that work independently of each other.
Enforcing separation of duties and mandatory vacations allows fraud to come to light. If Frank in accounting manages all facets of accounts payable and begins paying invoices to FranksFishingTrip LLC, it will be more difficult to notice the malfeasance than if Frank is the one who processes the invoice and Carla is the one who processes the payment. Mandatory vacations also bring malicious activity to attention, as the inside actor is unable to cover their tracks, and a fresh set of eyes will be able to see that FranksFishingTrip LLC wasn’t contracted for plumbing work, and no invoice was received! Similarly, there are technical controls that should be put in place that can function outside of the administrative sphere of influence.
At Corsica, our SOC monitors for several actions that can be an indicator of an insider threat, such as changes to anonymous sharing of SharePoint and OneDrive data and large outbound transfers outside the country. When we receive an alert for one of these events, we review other events and data from the device to evaluate the potential for an insider threat. These two examples most effectively illustrate how seemingly benign actions can be an inside attacker removing your data from your control. It can be difficult to consider that your colleagues have the potential to do great harm to your organization. When reviewing your technology security policies, keep the potential for an insider threat at the forefront of your mind and consider how your organization can combine administrative and technical controls to mitigate the potential harm. If you are concerned you may be breached, or feel your plan isn’t secure enough to protect your organization, contact us today to schedule your risk assessment.
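As an added illustration of the two indicators and the follow-up correlation described above (example code written for this article, not Corsica's SOC tooling), the Python below runs over constructed sharing-audit and egress records; the field names, the home country and the byte threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records. Field names loosely follow what a Microsoft 365
# unified audit log export and a firewall egress log provide; they are
# assumptions, not an exact schema from either product.
SHARE_EVENTS = [
    {"ts": "2024-03-04T09:12:00", "user": "frank@example.com",
     "op": "AnonymousLinkCreated", "item": "/sites/Finance/AP_vendors.xlsx"},
    {"ts": "2024-03-04T11:40:00", "user": "carla@example.com",
     "op": "SharingSet", "item": "/sites/HR/handbook.pdf"},
]
EGRESS_EVENTS = [
    {"ts": "2024-03-04T09:30:00", "user": "frank@example.com",
     "bytes_out": 850_000_000, "dest_country": "XX"},
    {"ts": "2024-03-04T10:05:00", "user": "carla@example.com",
     "bytes_out": 2_000_000, "dest_country": "US"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_insider_indicators(share_events, egress_events, home_country="US",
                            large_bytes=500_000_000, window=timedelta(hours=24)):
    """Flag users who created anonymous sharing links or moved a large volume
    of data outside the home country; escalate to 'high' when the same user
    did both within `window`, mirroring the analyst's review of related events."""
    findings = {}
    anon = [e for e in share_events if e["op"] == "AnonymousLinkCreated"]
    for e in anon:
        f = findings.setdefault(e["user"], {"severity": "medium", "reasons": []})
        f["reasons"].append(f"anonymous link on {e['item']}")
    big = [e for e in egress_events
           if e["bytes_out"] >= large_bytes and e["dest_country"] != home_country]
    for e in big:
        f = findings.setdefault(e["user"], {"severity": "medium", "reasons": []})
        f["reasons"].append(f"{e['bytes_out']} bytes out to {e['dest_country']}")
        # Both indicators for one user inside the window is the strongest signal.
        for a in anon:
            if a["user"] == e["user"] and abs(_parse(a["ts"]) - _parse(e["ts"])) <= window:
                f["severity"] = "high"
    return findings


if __name__ == "__main__":
    for user, f in find_insider_indicators(SHARE_EVENTS, EGRESS_EVENTS).items():
        print(user, f["severity"], "; ".join(f["reasons"]))
```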
Ryan is a Security Analyst with 10 years of combined IT experience, the last 4 focused on cybersecurity. Ryan’s education in Criminology and Psychology enhances his capabilities in threat hunting, forensics, and end-user awareness. When not hardening client defenses, Ryan enjoys spending time with his family, hunting, fishing, and camping.