Special Editions 11.3.19
Ep 30 | 11.3.19

Insider Threats


Dave Bittner: [00:00:07] What is an insider threat? Loosely, it's a threat that operates from within your organization. We'll hear shortly from some experts who will talk us through the different ways insider threats manifest themselves. But consider, as you listen to what they have to say, that even the clearest forms of insider threat – the rogue, the turncoat, the sellout, the traitor, the reckless eccentric – those aren't always easy to spot, even when you know what to look for.

Dave Bittner: [00:00:33] If it were easy, would the FBI have taken so long to realize that Robert Hanssen was spying for the Russians, years after another special agent laid out all the classic signs of someone who'd been recruited by a hostile service? Would NSA have let Hal Martin walk out the gates of Fort Meade with a terabyte of highly classified information? How did the Cambridge Five pull the wool over the eyes of MI5 and MI6? None of these agencies are notably inept, inattentive, ill-informed or poorly resourced. And if they failed, what hope do the rest of us have?

Dave Bittner: [00:01:04] In this CyberWire Special Edition, our UK correspondent Carole Theriault speaks with three industry experts who'll give us reason to hope. Stay with us.

Dave Bittner: [00:01:18] And now a quick word from our sponsors at Okta. When it comes to modernizing identity, legacy on-prem solutions just make everything harder. From managing access for contractors and departing employees to securing cloud apps and on-prem systems, your company deserves better. Choose Okta, the modern identity platform that securely connects anyone that touches your organization to any technology they want to use. Okta reduces AD vulnerabilities, secures not only employees but contractors and customers, simplifies domain consolidation, and reduces your attack surface. Say goodbye to failed pentests and AD patches. Say hello to agile, admin-friendly IT. To learn more, visit okta.com/rethinkAD. That's okta.com/rethinkAD. and we thank Okta for sponsoring our show.

Carole Theriault: [00:02:20] So, I kept reading about insider threats. These are the threats that are born from within the organization. And I wanted to learn more about these people – people that seem to put the organization at risk. Are they all bad apples, so to speak, or are they people just like you and me who occasionally do something that doesn't follow security protocol?

Carole Theriault: [00:02:41] First things first, let's define what our experts mean by insider threats. Let's hear from Dr. Richard Ford, Chief Scientist at Forcepoint.

Dr. Richard Ford: [00:02:54] Right, so I don't even like the name, actually. I think one of the reasons that these programs are not often successful as they could be is because of that name, "insider threat," which sort of summons up these pictures of shady operators hanging around the water cooler doing dark deeds. Most insider threats are perfectly well-meaning employees that end up doing something foolish or getting convinced to do something foolish that compromises your data or your security in some way.

Dr. Richard Ford: [00:03:22] So to me, an insider threat is the threats that emanate from within, but it doesn't necessarily mean that they're malicious. So if I stole your username and password, for example, or I got you to give it to me, in some sense, you're an insider threat. You're an accidental insider.

Dr. Richard Ford: [00:03:38] Then you have these malicious insiders. And when you hear the name "insider threat program," you think of a malicious insider. But in fact, what you tend to find is a lot of accidental insiders who you can help along to not being accidental insiders.

Carole Theriault: [00:03:52] Forcepoint are not alone in categorizing insider threats. After all, mitigation against these threats depends on the company being able to foresee what risk each threat type presents to the company. Here's MC, the VP of Product at insider threat specialist firm ObserveIT.

MC: [00:04:12] So at a high level, I would break it down into three kinds of insiders. The first one is just users like you and me who come to work with a good intent, are hardworking, go back to home, family, friends. But at some point, you know, we may do some negligent things. So, for example, taking a printout so that you can read it on the train ride back home, or sending out sensitive files so that you can work over the weekend. So we call them negligent insiders.

MC: [00:04:40] The second kind of category is where the rogue insider, this mole within the mix, has a bad intent and is actually, for whatever reason – maybe financial, maybe ideological, maybe some kind of bad performance review, some kind of a personal stress situation in the mix to begin with – ends up stealing something that they shouldn't do. So we'll call that as a malicious insider.

MC: [00:05:07] And then there is a third category that people don't think about, which is people falling victim to a phishing email coming from outside, and they end up compromising their credentials. We call them a compromised insider. So kind of these three mixed that we've started to see in companies across our customer base and different enterprises.

Tod Beardsley: [00:05:30] Just from the get-go, I don't think you have to, like, treat your employees like adversaries all of the time. That would make for a terrible work environment. And that's probably not not the greatest thing to do.

Carole Theriault: [00:05:41] This is Tod Beardsley, Director of Research at Rapid7.

Tod Beardsley: [00:05:46] But the thing with insider threat controls is that what you're really targeting almost always are attackers who are from the outside that manage to get access as an insider. So like, for example, let's say I send employees a phishing link or something, and they download a Word doc and get popped by like a Word macro or something like that. Now I have control from the inside, from their workstation, using their own user account. And now I can start acting – as an outsider, I can start acting like an insider, right? Like, I've breached that perimeter. And I think that's where the most value you get from thinking about insider threats is – not so much, like, the people that you trust, but it's the user accounts that you trust.

Carole Theriault: [00:06:36] So what all these experts are telling us is that insider threats are a problem, that there are different types of insider threats, from the malicious, such as a disgruntled employee wanting revenge, to the inadvertent, like the newbie in accounts who gets duped into handing over confidential info to an attacker. It all sounds a bit 1984, doesn't it? Surely there are organizations out there who pooh-pooh the idea of internal monitoring, citing that they trust their employees. Dr. Richard Ford at Forcepoint.

Dr. Richard Ford: [00:07:07] Yeah, absolutely, I've definitely met with CISOs who've said, but we love our employees. Well, you're also helping keeping them safe, right? Because also, you know, if you do somehow accidentally get a wolf in that flock, that wolf can do an awful lot of damage. And in this current sort of threat environment in which we live, where you have to think about things like nation states, I think most companies should recognize that they are potentially a target – you know, if only as a stepping stone for something else. So there will be occasional employees – and they are very much the exception, not the rule – who enter your company or even apply for that job with a whole intent of abusing the company in some way.

Dr. Richard Ford: [00:07:51] I think also that we tend to use the lens of cybersecurity when we think about this. The lens of fraud is a much better lens, right? So there's this whole concept of fraud which is perpetrated by employees, and now that all involves something cyber, pretty much, right? So these sort of worlds are merging. It used to be fairly separate, but now the footprints of those fraudulent transactions or those fraudulent acts often exist in the cyber space. And that's where you can find them and shut them down. And that's something that's good for all the other employees in the company. So, again, I think the name gives us this sort of glass-half-empty thing, and the glass is really rather full indeed. It's quite a positive thing when it's done right.

Carole Theriault: [00:08:38] I asked MC at ObserveIT the same question.

MC: [00:08:43] You don't want to come across as a Big Brother watching the employees or contractors. That's not the norm, right? That's not the intent. The intent is actually to secure the population, secure the employees. Make sure it's a friendly working environment. So transparency as you implement these programs – communication to HR, to cybersecurity, to physical, to ethics, to audit, compliance, everybody in the mix, to executive teams – is very important because this is not a Big Brother watching. This actually with a good intent.

Carole Theriault: [00:09:14] As tech and processes increase in complexity and user interfaces streamline and simplify, I can't see how the average user can be expected to be the be-all and end-all in stopping attacks that prey on insiders. I asked Tod Beardsley from Rapid7 if cyber training was even worth it anymore.

Carole Theriault: [00:09:34] Imagine someone named Martha who works in finance and doesn't really care about computing. They are a great route in for a threat, but can we arm her, even if she's not interested in it, in a way that can help protect the company?

Tod Beardsley: [00:09:48] For sure, yeah. People who are not technologists, who aren't, like, security dorks, you know, people who are just regular people are aware, much more aware today than they were even two or three years ago of the threat of phishing, like, what actually happens. You know, the threat of someone who is pretending to be who they're not on email to try to get you to open a document or click a link or give up a password or something like that, right? Like, that kind of attack is now pretty well-known.

Dr. Richard Ford: [00:10:21] And I do think that there are some things that companies can do to help train up their employees to kind of spot these scams and figure out who's more likely to click on nastiness, you know, things like that. But I do think that people are more sophisticated today, mainly because it's been in the news a lot, right? Over the last couple of years, we hear a lot about, like, Russian phishing, right? And people hear that in their regular day-to-day. And I do think people are more aware of it, which is good. I don't think people hang out on the Internet, just consumed by fear all the time.

Tod Beardsley: [00:10:57] I do think companies can do awareness training, like, this is what a phishing link looks like, and when your email client has the big red warning, saying this is someone's whose name you know, but it's coming from a different email address, you know, those kind of warnings that we're seeing more and more, especially in services like Google Apps Suite, and other kind of Outlook 365 and all those other kind of cloud-based email services.

Tod Beardsley: [00:11:23] I do think people are seeing those and they may be confused about it. And so that's where the enterprise can step in and explain what's going on and what does this look like. And then after that, follow up with training. Like, it's a great training exercise to phish your own employees and then tabulate who clicked on the link and who could use – who should watch the training video, you know, things like that. I think that goes a real long way.

Carole Theriault: [00:11:51] Does Dr. Richard Ford from Forcepoint think that cyber training can help?

Dr. Richard Ford: [00:11:57] I'm gonna say "yes, but." Right? Because obviously, yes, awareness is really important and generating awareness is super important. So that's the "yes" part. Here's the "but" part. The "but" part is that we are what I would call "task-centric cognitive misers." What I mean is that, you know, when you're trying to accomplish something, you're going to spend as little time as possible thinking about other things while you think about that task. And the fact that you're a task-centric cognitive miser is exactly what a social engineer will use to get you out of your game.

Dr. Richard Ford: [00:12:35] I mean, there's a lot of different techniques that can be used, right? But it'll be something urgent. It'll be something where you're sort of trying to help somebody out. So one thing that an attacker will do is sort of trying to get you on their side, often. "Oh, can you help me out? My boss is going to yell at me if I don't get this thing done." And they do that by building a small relationship with you. That's why actually the phone can be so deadly, because it's much harder to say no by phone sometimes than by email. I actually have a nice collection of calls where I have answered, and have a bunch of virtual machines that people can log in to and try and poke around. It's quite enjoyable.

Dr. Richard Ford: [00:13:16] You know, social norms, right? So, bending or relying on social norms and politeness – these things are very effective. A simple example would be, you know, when I used to do physical pentesting, showing up at a company on crutches or with your foot in a boot on crutches is great because everybody holds the door open for you. It doesn't matter that your badge therefore doesn't work. You wave a photocopy of a badge around and nobody's going to make you take it off and actually use that on the proximity sensor. That's a very effective, very simple technique.

Carole Theriault: [00:13:50] So awareness works well to try and build up the defenses of your users that, you know, just need training. But if you're a bad agent inside an organization, of course, they're not going to take any heed to that. So I guess this is where technology comes in.

Dr. Richard Ford: [00:14:05] That's right. So I am a huge, huge fan of the idea. Never send a person to do something that technology can do for you. And so there's a lot of things that you can do with behavioral analytics. That you can do with, you know, effective but privacy-preserving sort of monitoring. That can not only detect fraud or detect misbehavior – you can actually predict fraud or predict misbehavior. So these sort of predictive analytics that get ahead of the threat are really important. There's also an element which sort of makes somebody think twice about, you know, testing the bounds of the system when they know there's a program in place.

Carole Theriault: [00:14:48] So what I'm hearing is that cyber training is important, but it is a component, not the whole answer. Here's Tod Beardsley from Rapid7 on whether technology can help reduce the exposure to insider risks.

Tod Beardsley: [00:15:02] For sure, there is an email control called DMARC, which stands for Domain Message Authentication, Reporting & Conformance. It's a long acronym, so we just say DMARC. And what DMARC does is these are signals you can put in your DNS records. So, like, if you're – I don't know, rapid7.com, right? And you can say on the domain registrations, like, these are the entities that are allowed to impersonate rapid7.com. Because email actually doesn't have a bunch of these built-in controls – you have to kind of bolt them on. But DMARC is pretty easy to do for IT folks. It's pretty easy. It's pretty low cost. And all it does is make it obvious when someone is impersonating, you know, an insider as an outsider. And so something like that goes a real long way. So that's a technology, for example, that can help, you know, just either flag email that is suspicious, or just, you know, kick it off to the trash bin, like, don't ever deliver it.

Carole Theriault: [00:16:07] Here's MC from ObserveIT on how technology can be used to mitigate this insider threat.

MC: [00:16:12] [INAUDIBLE] It's three things. One is visibility. It's very important for you to know what your users do. What application to they browse? What does their behavior on the desktops, on the servers, on the machines, mobile phones that they access and they use to access the corporate WAN? That is very important. So we call it visibility. You need to know what is happening.

MC: [00:16:37] Second, in terms of what you build up on the technology front, you want to catch the threats before they happen in real time. We have to move into this notion of proactive and more predictive security so you can actually see these threats scenarios – we call that detection – before they happen in real time. So you can actually take an action and understand the intent, you know, of the user involved. So that is really important.

MC: [00:17:04] And the third thing that technology brings to bear is something called response. When it comes insider threats just because of the sensitivity of the data involved, of the due diligence that needs to be processed with various functions, unlike the ransomware or the malware. So you've got to bring that into context. And technology has pretty much automated a lot of these things now, as we look at insider threats as a much bigger threat scenario.

Carole Theriault: [00:17:26] I wondered how our experts saw the future. I asked them to look at their crystal balls and see what they saw coming in the next few years with respect to insider threats. And I got to warn you, this is typically not an expert's favorite question.

Dr. Richard Ford: [00:17:45] I actually like this question, right? So, I think, first of all, there's almost nothing that we see happening today that we didn't see a hundred years ago. And it's sort of underlying mechanisms, right? Now, the medium has changed, the methods have changed, but the motives and the ways of sort of thinking about it haven't really changed at all from the old confidence tricks of old. So in that sense, I think that these kind of things will be around for as long as there are people around.

Dr. Richard Ford: [00:18:16] I think technology in some ways makes it easier because it's easier – I mean, the amount of power you can wield on one terminal is absolutely amazing. So technology helps this stuff scale up, potentially. We don't recognize, for example, the cash value of the information that might be on a single laptop. Whenever I'm traveling out of the country with my work laptop, I always stop and think about the actual value of the information that's stored on it, and it's always quite shocking to me. But most companies, you know, don't pay a lot of attention to the value that any individual user may have accrued in terms of intellectual property in their devices. And I think, you know, you start to view the world differently when you think about the amount of trust you're placing in those users.

Tod Beardsley: [00:19:08] There's a set of technology known as "user behavior analytics." And so what that does is that you are essentially profiling all of your users. You get a sense of, like, when they log in and from where do they log in. Like, are they always logged in locally in the office or do you have, like, a work-at-home set of employees? Or do you have international employees, you know, people who normally log in from someplace else.

Tod Beardsley: [00:19:32] With user behavior analytics, you can start collecting these things and then notice when a user account starts behaving very strangely. Like, they're logging in at weird times of day, or they're logging in from some country that you don't do business in, or they start talking to a lot of computers, local computers, that they don't normally ever talk to. Like, Martha in finance usually talks to finance computers. You know, she'll log into whatever the accounting software is, even if that's cloud-based. If she starts, you know, running around and pinging every workstation on her – on the floor, like, on the local network – that's weird for Martha, right? Martha's not known to be a hacker. So that's the kind of thing that you can alert on, and the IT security group would see this alert and know that something's up with – maybe not something's up with Martha, but something is up with Martha's user account.

MC: [00:20:25] You take a step back and start thinking, what are the core elements that help you build an insider threat program, or how do you tackle insider threats in your corporation? And it comes down to fundamentally three things. Firstly, the people. You know, it's all about the people when it comes to insider threats. Second is the process and policies that come along with it. And third is the technology bit.

Carole Theriault: [00:20:49] So it is that age-old trifecta: people, processes, and technology. Which all need to be accounted for when building a defense strategy against insider threats. You want your people on the lookout. You want a reliable policy in place in a cyber emergency. And you want the right technology to secure all your efforts.

Carole Theriault: [00:21:10] My deep thanks to our three insider threat experts, MC, VP at ObserveIT, Dr. Richard Ford, Chief Scientist at Forcepoint, and Tod Beardsley, Director of Research at Rapid7. This was Carole Theriault for the CyberWire.

Dave Bittner: [00:21:27] We note in closing that perhaps we should distinguish insider threats – the spies, the embezzlers, and the IP thieves – from the people our experts call the well-intentioned insiders – hardworking and committed colleagues who make mistakes or find themselves taken advantage of – calling them, perhaps, vulnerable insiders. All of us are vulnerable insiders. It's not that Martha in Finance, Nigel in HR, or Nikita in Engineering are untrustworthy. Rather, it's that they need their organization's help to stay safe. And since, as Dr. Ford said, the real threat hasn't changed fundamentally in centuries, only updated its technology, the wisest course seems to be this: help your people remember that fraud, deceit, and compromise are always with us and help them look through the sheep's clothing to see the wolf beneath.

Dave Bittner: [00:22:20] Our thanks to Carole Theriault for producing this CyberWire special edition.

Dave Bittner: [00:22:25] And thanks to our sponsors at Okta. You can learn more about their modern identity platform at okta.com/rethinkAD. That's okta.com/rethinkAD.

Dave Bittner: [00:22:37] For everyone here at the CyberWire, I'm Dave Bittner. Thanks for listening.