An insider attack is one of the biggest threats faced by modern enterprises, where even a good working culture might not be sufficient to prevent it. Companies implement sophisticated technology to monitor their employees but it’s not always easy for them to distinguish between an insider and an outside attack.
Those who target and plan attacks from the outside might create strategies for obtaining insider knowledge and access by either resorting to an existing employee, or by making one of their own an insider.
Understanding the attacker types might serve as a stepping stone in selecting effective security measures to prevent threats to the company. According to Bruce Schneier, author of Beyond Fear, the categories of attackers are:
Opportunists
The most common type of attacker. As the category indicates, they spot and seize an “opportunity” and are convinced that they will not get caught. It is easy to deter such attackers via cursory countermeasures.
Emotional Attackers
They may accept a high level of risk and usually want to make a statement through their attack. The most common motivation for them is revenge against an organisation due to actual or perceived injustice. Although emotional attackers feel powerful when causing harm, they sometimes “hope to get caught” as a way of solving the issues they were unhappy with but were unable to change from the beginning.
Cold Intellectual Attackers
Skilled and resourceful professionals who attack for their own gain or are employed to do so. They target information, not the system, and often use insiders to get it. Unlike opportunists, cold intellectual attackers are not discouraged by cursory countermeasures.
They accept high risk to gain visibility and make a statement. They are not only hard to deter by cursory countermeasures, but can even see them as a thrill.
Friends and relations
They may introduce a problem to both individuals (in the form of financial fraud, for example) and companies (by abusing authorization credentials provided to legitimate employees). In this scenario, a victim and an attacker are sharing physical space, which makes it very easy to gain login and other sensitive information.
According to CERT, a malicious insider is: a current or former employee, contractor, or business partner who has or had authorised access to an organisation’s network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organisation’s information. CERT further splits insider crimes into three categories:
- Insider IT Sabotage, where IT is used to direct specific harm at an organisation or an individual.
- Insider Theft of Intellectual Property is the use of IT to steal proprietary information from an organisation.
- Insider Fraud uses IT to add, modify and/or delete an organisation’s data in an unauthorised manner for personal gain. It also includes the theft of information needed for identity crime.
But how can companies detect and prevent such attacks?
In his paper, Framework for Understanding and Predicting Insider Attacks, Eugene Schultz suggests that insiders make human errors which, when spotted, can help in preventing such threats. Therefore, constant monitoring, especially focused on low-level employees, is one of the basic measures for preventing insider attacks and gathering evidence.
There are a number of precursors of insider attacks that can help to identify and prevent them:
- Deliberate markers – These are signs which attackers leave intentionally. They can be very obvious or very subtle, but they all aim to make a statement. Being able to identify the smaller, less obvious markers can help prevent the “big attack.”
- Meaningful errors – Skilled attackers try to cover their tracks by deleting log files, but error logs are often overlooked and may still record their mistakes.
- Preparatory behaviour – Collecting information, such as testing countermeasures or permissions, is the starting point of any social engineering attack.
- Correlated usage patterns – It is worthwhile to invest in investigating the patterns of computer usage across different systems. This can reveal a systematic attempt to collect information or test boundaries.
- Verbal behaviour – Collecting information or voicing dissatisfaction about the current working conditions may be considered one of the precursors of an insider attack.
- Personality traits – A history of rule violation, drug or alcohol addiction, or inappropriate social skills may contribute to the propensity of committing an insider attack.
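The precursors above are easier to act on when the signals are correlated across systems rather than read per host. The following is an added example, not code from the original article, that applies the “preparatory behaviour” and “correlated usage patterns” ideas to a constructed set of audit events: failed authentications and access denials are grouped per user, and a user whose failures touch several different systems within a short window is flagged as probing permissions. The event format, field names and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events (not real data):
# (timestamp, system, user, event, target)
EVENTS = [
    ("2024-03-01T09:02:11", "fileserver", "alice", "ACCESS_DENIED", "/finance/payroll"),
    ("2024-03-01T09:03:40", "hrportal",   "alice", "ACCESS_DENIED", "/employees/export"),
    ("2024-03-01T09:05:02", "vpn",        "alice", "AUTH_FAIL",     "admin"),
    ("2024-03-01T09:07:19", "fileserver", "alice", "ACCESS_DENIED", "/legal/contracts"),
    ("2024-03-01T10:15:00", "fileserver", "bob",   "ACCESS_DENIED", "/finance/payroll"),
    ("2024-03-01T11:30:00", "hrportal",   "carol", "ACCESS_OK",     "/employees/self"),
]

# Event types treated as a "test of countermeasures or permissions" (assumed names).
PROBE_EVENTS = {"ACCESS_DENIED", "AUTH_FAIL"}


def correlate_probes(events, window_minutes=30, min_systems=2, min_events=3):
    """Return {user: summary} for users whose denied/failed events span
    at least `min_systems` systems and `min_events` events inside any
    `window_minutes` sliding window. A single denial on one system (bob)
    is normal noise; the same user probing several systems is not."""
    by_user = defaultdict(list)
    for ts, system, user, event, target in events:
        if event in PROBE_EVENTS:
            by_user[user].append((datetime.fromisoformat(ts), system, target))

    findings = {}
    for user, probes in by_user.items():
        probes.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(probes)):
            # shrink the window from the left until it fits the time bound
            while (probes[end][0] - probes[start][0]).total_seconds() > window_minutes * 60:
                start += 1
            window = probes[start:end + 1]
            systems = {s for _, s, _ in window}
            if len(window) >= min_events and len(systems) >= min_systems:
                findings[user] = {
                    "events": len(window),
                    "systems": sorted(systems),
                    "targets": sorted({t for _, _, t in window}),
                }
    return findings


if __name__ == "__main__":
    for user, summary in correlate_probes(EVENTS).items():
        print(f"{user}: {summary['events']} probe events across {summary['systems']}")
```

In practice the same correlation would be run over exported logs from each system, with the thresholds tuned so that routine single-host denials do not generate alerts.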
Security professionals should understand that attackers are people too, who differ in resources, motivation, ability and risk propensity. A number of insider attackers are merely pawns for another inside or outside mastermind. Such a pawn is usually persuaded or trained to perpetrate or facilitate the attack, alone or in collusion with other (outside) agents, motivated by the expectation of personal gain.
Organisations may unknowingly make themselves vulnerable to insider attacks by not screening newcomers properly during recruitment, not performing threat analyses, or failing to monitor their company thoroughly. Perhaps the most important thing they overlook is keeping everybody’s morale high by communicating to employees that they are valued and trusted.
About the Author: Leron Zinatullin (@le_rond) is a business-oriented information security professional with several years of proven experience in architecture design and project management. Extensive knowledge and practical experience pertaining to analysing and solving governance, risk, compliance, information security and privacy issues.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.