CyberWire Daily - Insider Threats [Special Editions]
Episode Date: November 3, 2019
What's an insider threat? Loosely, it's a threat that operates from within your organization. In this CyberWire special edition, our UK correspondent Carole Theriault speaks with experts who'll talk us through the different ways insider threats manifest themselves. A quick note: when Carole interviewed Dr. Richard Ford he was with Forcepoint. He's since moved on to Cyren.
Transcript
You're listening to the CyberWire Network, powered by N2K.
What is an insider threat?
Loosely, it's a threat that operates from within your organization.
We'll hear shortly from some experts who'll talk us through the different ways insider threats manifest themselves.
But consider, as you listen to what they have to say, that even the clearest forms of insider threat,
the rogue, the turncoat, the sellout, the traitor, the reckless eccentric,
those aren't always easy to spot, even when you know what to look for. If it were easy,
would the FBI have taken so long to realize that Richard Hanssen was spying for the Russians,
years after another special agent laid out all the classic signs of someone who'd been recruited
by a hostile service? Would NSA have let Hal Martin walk out the gates of Fort Meade
with a terabyte of highly classified information?
How did the Cambridge Five
pull the wool over the eyes of MI5 and MI6?
None of these agencies are notably inept,
inattentive, ill-informed, or poorly resourced.
And if they failed,
what hope do the rest of us have?
In this CyberWire special edition,
our UK correspondent Carole Theriault speaks with three industry experts
who give us reason to hope. Stay with us.
So I kept reading about insider threats. These are the threats that are born from within the
organization. And I wanted to learn more about these people,
people that seem to put the organization at risk.
Are they all bad apples, so to speak?
Or are they people just like you and me who occasionally do something
that doesn't follow the security protocol?
First things first, let's define what our experts mean by insider threats. Let's hear from Dr. Richard Ford, Chief Scientist at Forcepoint.
Right, so I don't even like the name, actually. I think one of the reasons that these programs are not often as successful as they could be is because of that
name, Insider Threat, which sort of summons up these pictures of shady operators hanging around
the water cooler doing dark deeds. Most Insider Threats are perfectly well-meaning employees
that end up doing something foolish
or getting convinced to do something foolish that compromises your data or your security in some way.
So to me, an insider threat is the threats that emanate from within,
but it doesn't necessarily mean that they're malicious.
So if I stole your username and password, for example, or I got you to give it to me,
in some sense, you're an insider threat. You're an
accidental insider. Then you have these malicious insiders. And when you hear the name insider
threat program, you think of malicious insider. But in fact, what you tend to find is a lot of
accidental insiders who you can help along to not being accidental insiders.
Forcepoint are not alone in categorizing insider threats. After all, mitigation against
these threats depends on the company being able to foresee what risk each threat type presents
to the company. Here's MC, the VP of product at insider threat specialist firm ObserveIT.
So at a high level, I would break it down into three kinds of insiders.
The first one is just users like you and me who come to work with a good intent, hardworking, go back to home, family, friends.
But at some point, you know, we may do some negligent things.
So, for example, taking a printout so that you can read it on the train ride back home or sending a sensitive file
so that you can work over the weekend. So we call them as negligent insiders. The second kind of
category is where rogue insider, the small within the mix, has a bad intent and is actually,
for whatever reasons, maybe financial, maybe ideological, maybe some kind of bad performance review,
some kind of a personal stress situation in the mix to begin with, ends up stealing something
that they shouldn't do.
So we'll call that as the malicious insider.
And then there is a third category that people don't think about, which is people falling
victim to a phishing email coming from outside and they end up compromising their credentials.
We call them a compromise insider.
So kind of these three in the mix that we've started to see in companies across our customer base and different enterprises.
Just from the get-go, I don't think you have to treat your employees like adversaries all of the time.
That would make for a terrible work environment.
And that's probably not the greatest thing to do.
This is Todd Beardsley, Director of Research at Rapid7.
But the thing with insider threat controls is that what you're really targeting almost always are attackers who are from the outside that manage to get access as an insider.
So for example, let's say I send employees a phishing link or something, and they download a Word doc and get popped by a Word macro or something like that. Now I have control from the inside, from their workstation, using their own user account. And now I can start acting like, as an outsider, I can start acting like an insider,
right? Like I've breached that perimeter. And I think that's where the most value you get from
thinking about insider threats. It's not so much like the people that you trust, but it's the user
accounts that you trust. So what all these experts are telling us is that insider threats are a problem.
That there are different types of insider threats, from the malicious, such as a disgruntled employee wanting revenge,
to the inadvertent, like the newbie in accounts who gets duped into handing over confidential info to an attacker.
It all sounds a bit 1984, doesn't it?
Surely there are organizations out there who poo-poo the idea of internal monitoring,
citing that they trust their employees.
Dr. Richard Ford at Forcepoint.
Yeah, absolutely. I've definitely met with CISOs who've said,
but we love our employees.
Well, you're also helping keeping them safe, right?
Because also, you know, if you do somehow
accidentally get a wolf in that flock, that wolf can do an awful lot of damage. And in this current
sort of threatened environment in which we live, where you have to think about things like nation
states, I think most companies should recognize that they are potentially a target, you know, if only as a stepping stone
for something else. So there will be occasional employees, and they are very much the exception,
not the rule, who enter your company or even apply for that job with a whole intent of abusing the
company in some way. Think also that we tend to use the lens of cybersecurity when we think about
this. The lens of fraud is a much better lens, right? So there's this whole concept of fraud,
which is perpetrated by employees. And now that all involves something cyber pretty much, right?
So these sort of worlds are merging. It used to be fairly separate, but now the footprints of those
fraudulent transactions or those fraudulent acts often exist in the cyberspace. And that's where
you can find them and shut them down. And that's something that's good for all the other employees
in the company. So again, I think the name gives us this sort of glass half empty thing. And the
glass is really rather full indeed. It's quite a positive thing when it's done right.
I asked MC at ObserveIT the same question.
You don't want to come across as a big brother watching the employee or contractors. That's not the norm, right? That's not the intent. The intent is actually to secure the corporation, secure employees, make sure it's a friendly working environment. So transparency as you implement these programs,
communication through HR, through cybersecurity, through physical, through ethics, audit compliance,
everybody in the mix, through executive teams is very important because this is not a big
brother watching. This is actually with a good intent. As tech and processes increase in complexity
and user interfaces streamline and simplify,
I can't see how the average user can be expected
to be the be-all and end-all
in stopping attacks that prey on insiders.
I asked Todd Beardsley from Rapid7
if cyber training was even worth it anymore.
Imagine someone named Martha who works in finance and doesn't really care about computing.
They are a great root in for a threat.
But can we arm her even if she's not interested in a way that can help protect the company?
For sure, yeah.
People who are not like technologists, who aren't like security dorks, you know, um, people who, uh, are, are just regular
people are aware, uh, much more aware today than they were even two or three years ago of like the
threat of phishing, like what actually happens. Um, you know, the, the threat of, you know,
someone is pretending to be who they're not on email to try to get you to open a document or
click a link or give up a password or something like that, right?
That kind of attack is now pretty well known.
And I do think that there are some things that companies can do to help train up their
employees to kind of spot these scams and figure out who's more likely to click on nastiness,
things like that.
But I do think that people are more sophisticated today, mainly because it's been in the news a lot,
right? Like over the last couple years we hear a lot about like Russian phishing,
right? And people hear that in their regular day-to-day, and I
do think people are more aware of it, which is good. I don't think people like
hang out on the internet like just consumed by fear all the time.
I do think companies can do awareness training of, like, this is what a phishing link looks
like.
And when your email client has the big red warning saying, like, this is someone whose
name you know, but it's coming from a different email address, those kind of warnings that
we're seeing more and more, especially in services like Google App Suite and other like Outlook 365 and all those other
kind of cloud-based email services. I do think people are seeing those and they may be confused
about it. And so that's where like the enterprise can step in and like explain like what's going on
and what does this look like. And then after that, like follow up with training, like it's a great training exercise to fish your own employees
and then tabulate like who clicked on the link and who could use like who should watch the training video, you know, things like that.
I think that goes a real long way.
Does Dr. Richard Ford from Forcepoint think that cyber training can help?
I'm going to say yes, but, right?
Because obviously, yes, awareness is really important and generating awareness is super important.
So that's the yes part.
Here's the but part.
The but part is that we are what I would call task-centric cognitive misers.
What I mean is that, you know, when you're trying to accomplish something,
you're going to spend as little time as possible thinking about other things
while you think about that task.
And the fact that you're a task-centric cognitive miser
is exactly what a social engineer will use to get you out of your game.
I mean, there's a lot of different techniques that can be used, right?
But it'll be something urgent.
It'll be something where you're sort of trying to help somebody out.
So one thing that an attacker will do is sort of trying to get you on their side often.
Oh, can you help me out?
My boss is going to yell at me if I don't get this thing done.
And they do that by building a small relationship with you.
That's why actually the phone can be so deadly because it's much harder to say no by phone
sometimes than by email. Because I actually have a nice collection of calls where I have answered
and have a bunch of virtual machines that people can log into and try and poke around. It's quite enjoyable. You know, social norms, right? So bending or
relying on social norms and politeness, these things are very effective. A simple example would
be, you know, when I used to do physical pen testing, showing up at a company on crutches
or with your foot in a boot on crutches is great because everybody holds the door open for you.
It doesn't matter that your badge therefore doesn't work. You wave a photocopy of a badge
around and nobody's going to make you take it off and actually use it on the proximity sensor.
It's a very effective, very simple technique. So awareness works well to try and build up the
defenses of your users that just need training.
But if you're a bad agent inside an organization, of course, they're not going to take any heed to that.
So I guess this is where technology comes in.
That's right.
So I'm a huge, huge fan of the idea.
Never send a person to do something that technology can do for you.
And so there's a lot of things that you can do with behavioral analytics, that you can do with, you know, effective but privacy-preserving sort of monitoring
that can not only detect fraud or detect misbehavior, you can actually predict fraud
or predict misbehavior. So these sort of predictive analytics that get ahead of
the threat are really important. But there's also an element which sort of makes somebody think
twice about, you know, testing the bounds of the system when they know that there's a program in
place. So what I'm hearing is that cyber training is important, but it is a component, not the whole
answer. Here's Todd Beardsley from Rapid7
on whether technology can help reduce the exposure to insider risks.
For sure.
There is an email control called DMARC,
which stands for Domain Message Authentication Reporting and Conformance.
It's a long acronym.
So we just say DMARC.
And what DMARC does is these are signals you can put in your DNS records.
So like if you're, I don't know, rapid7.com, right?
And you can say on the domain registrations,
like these are the entities that are allowed to impersonate rapid7.com.
Because email actually doesn't have a bunch of these built-in controls.
You have to kind of bolt them on.
But DMARC is pretty easy to do for IT folks.
It's pretty easy.
It's pretty low cost.
And all it does is make it obvious when someone is impersonating an insider as an outsider.
And so something like that goes a real long way. So that's a technology,
for example, that can help, you know, just either flag email that is suspicious or just,
you know, kick it off to the trash bin, like don't ever deliver it.
Here's MC from Observe IT on how technology can be used to mitigate this insider threat.
But at the core of it is three things.
One is visibility.
It's very important for you to know what your users do, what applications do they browse,
what is their behavior on the desktops, on the servers, on the machines, mobile phones
that they access and they use to access the corporate environment.
That is very important.
So we call it visibility.
You need to know what is happening.
Second, in terms of what you build up on the technology
front, if you want to catch the threats before they happen
in real time, you have to move into this notion
of proactive and more predictive security
so you can actually see in threat scenarios,
we call that detection, before they happen in real time.
So you can actually take an action and understand the intent of the user involved.
So that is very important.
And third thing that technology brings to bear is something called response when it comes to insider threats.
Just because of the sensitivity of the data involved, of the due diligence process with various functions, unlike a ransomware
or a malware.
So you've got to bring that into context.
And technology has pretty much automated a lot of these things now as we look at insider
threats as a much bigger threat scenario.
I wondered how our experts saw the future.
I asked them to look at their crystal balls and see what they saw coming in the next few years with respect to insider threats.
And I got to warn you, this is typically not an expert's favorite question.
I actually like this question, right?
So I think, first of all, there's almost nothing that we see happening today that we didn't see 100 years ago.
And it's sort of underlying mechanisms, right?
Now, the medium has changed.
The methods have changed.
But the motives and the ways of sort of thinking about it haven't really changed at all from the old confidence tricks of old.
So in that sense, I think that these kind of things will be around for as long as there are people around. I think technology in some ways makes it easier because it's easier.
I mean, the amount of power you can wield on one terminal is absolutely amazing.
So technology helps this stuff scale up potentially.
We don't recognize, for example, the cash value of the information that might be on a
single laptop. Whenever I'm traveling out of the country with my work laptop, I always stop and
think about the actual value of the information that's stored on it. And it's always quite
shocking to me. But most companies, you know, don't pay a lot of attention to the value that
any individual user might have accrued in terms
of intellectual property in their devices. And I think, you know, you start to view the world
differently when you think about the amount of trust you're placing in those users.
There's a set of technology known as user behavior analytics. And so what that does is that you are
essentially profiling
all of your users.
You get a sense of when they log in
and from where do they log in.
Are they always logged in locally in the office?
Or do you have a work at home set of employees?
Or do you have international employees,
people who normally log in from someplace else?
With user behavior analytics,
you can start collecting these things
and then notice when a user account starts behaving very strangely, like they're logging
in at weird times of day, or they're logging in from some country that you don't do business in,
or they start talking to a lot of computers, local computers that they don't normally ever talk to.
Like Martha in finance usually talks to finance computers,
like she'll log into whatever the accounting software is, even if that's cloud-based. If
she starts running around and pinging every workstation on the floor, like on the local
network, that's weird for Martha, right? Martha's not known to be a hacker. So that's the kind
of thing that you can alert on and the IT security group would see this alert and know
that something's up with, maybe not something's up with Martha, but something is up with Martha's
user account. You take a step back and
start thinking what are the core elements that help you build an
insider threat program or how do you tackle insider threats in your corporation?
And it comes down to fundamentally three things.
First is the people.
You know, it's all about the people when it comes to insider threats.
Second is the process and policies that come along with it.
And third is the technology bit.
So it is that age-old trifecta, people, processes, and technology,
which all need to be accounted for when building a
defense strategy against insider threats. You want your people on the lookout. You want a reliable
policy in place in a cyber emergency. And you want the right technology to secure all your efforts.
My deep thanks to our three insider threat experts, MC, VP at ObserveIT, Dr. Richard Ford, Chief Scientist at Forcepoint, and Todd Beardsley, Director of Research at Rapid7.
This was Carole Theriault for the CyberWire.
threats, the spies, the embezzlers, and the IP thieves, from the people our experts call the well-intentioned insiders, hardworking and committed colleagues who make mistakes or find
themselves taken advantage of. Calling them, perhaps, vulnerable insiders. All of us are
vulnerable insiders. It's not that Martha in finance, Nigel in HR, or Nikita in engineering
are untrustworthy. Rather, it's that they need
their organization's help to stay safe. And since, as Dr. Ford said, the real threat hasn't
changed fundamentally in centuries, only updated its technology, the wisest course seems to be this.
Help your people remember that fraud, deceit, and compromise are always with us,
and help them look through the sheep's clothing
to see the wolf beneath. Our thanks to Carole Theriault for producing this CyberWire special
edition. For everyone here at the CyberWire, I'm Dave Bittner. Thanks for listening.