A well-placed malicious insider has the potential to cause more damage and at a greater speed than an external threat actor due to their knowledge of, and access to, a company’s IT environment.
Think back to June 2013, when the UK press published the first of a seemingly endless string of national security secrets leaked by Edward Snowden. Reports say Snowden downloaded 1.5 million files while working as a contractor for the National Security Agency. And no one noticed until it was too late.
In the years after the Snowden leaks, businesses continue to put themselves at risk. Sensitive documents are exposed to too many users, and files are often kept long after they’ve lost their business value. The Varonis Global Data Risk Report found that, on average, employees could access 17 million documents.
Insider threat techniques
Internal threat actors use a number of different techniques to find and copy the data they are after, as well as trying to cover their tracks to avoid detection. Threat actors working within an organisation have an obvious advantage over outsiders: they are already on the system. This means that they do not need to use malware to break in or communicate with external command-and-control servers, both of which can trigger alerts for the IT security team to investigate.
Unlike external attackers, insiders with access to a network do not need to carry out much, if any, reconnaissance. They often know where to look for valuable information or can quickly identify the assets to target without tripping any of the security alarms that an external agent might trigger as they extensively trawl an IT system.
Such activity becomes easier when insiders have elevated systems access. For instance, Snowden used admin-level privileges to cover up his activities for as long as he did by concealing his identity and deleting system logs.
Employ a ‘least privilege’ approach
Our Global Data Risk Report reveals the extent to which employees have access to data they shouldn’t. For instance, more than half of the companies surveyed (53%) found that 1,000 sensitive files were open to every employee, while nearly a quarter (22%) of all folders were accessible to the whole business. That is a lot of exposed information that could fall into the wrong hands.
In one case, we discovered an organisation had a payroll file open to the entire staff. Even the receptionist on the front desk could use her account to easily access confidential payroll files.
Businesses need to employ a ‘least privilege’ approach where employees can only access those folders and files needed for their work. The added challenge comes with employees who need higher levels of access across a range of systems. With these “super users” there is the danger that they could use easy-to-guess passwords such as “admin123”. They could also give away their credentials to unscrupulous colleagues, whether by accident or through persuasion.
This kind of situation can be combatted by enforcing a policy of strong passwords, employing two-factor authentication and giving passwords an expiry date to compel users to change their passwords on a regular basis.
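One way to measure the exposure the report describes, and to turn the ‘least privilege’ principle into a check you can run, is to resolve each folder's ACL through nested groups and report which folders are readable by all, or most, of the workforce. The script below is an added example written for this article; it is not Varonis code and not the page's own. The directory, ACLs and sensitivity labels are constructed, and the simplified model (read access only, groups that may nest, no deny entries or inheritance) is an assumption.

```python
"""Least-privilege audit: which folders are open to (most of) the business?

Added example with constructed data; not the article's or Varonis's own code.
Assumed model: each folder lists principals (users or groups) with read access,
and groups may contain other groups.
"""
from collections import deque

# Constructed directory: group -> direct members (users or nested groups).
GROUPS = {
    "Everyone": ["Domain Users", "Contractors"],
    "Domain Users": ["alice", "bob", "carol", "dave", "erin"],
    "Contractors": ["contractor1"],
    "Finance": ["carol", "dave"],
    "HR": ["erin"],
}

# Constructed ACLs: folder -> principals granted read access.
ACLS = {
    r"\\fs01\shared\payroll": ["Everyone"],          # the payroll mistake from the article
    r"\\fs01\finance\forecasts": ["Finance"],
    r"\\fs01\hr\reviews": ["HR"],
    r"\\fs01\public\templates": ["Domain Users"],
}

# Constructed classification of folders that hold sensitive data.
SENSITIVE = {
    r"\\fs01\shared\payroll",
    r"\\fs01\finance\forecasts",
    r"\\fs01\hr\reviews",
}


def all_users(groups):
    """Every member that is not itself a group is treated as a user account."""
    users = set()
    for members in groups.values():
        users.update(m for m in members if m not in groups)
    return users


def expand(principal, groups):
    """Resolve a principal to the users it denotes, following nested groups (cycle-safe)."""
    if principal not in groups:
        return {principal}
    users, seen, queue = set(), {principal}, deque([principal])
    while queue:
        for member in groups[queue.popleft()]:
            if member in groups:
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:
                users.add(member)
    return users


def effective_readers(folder, acls, groups):
    """Union of users reachable from every principal on the folder's ACL."""
    readers = set()
    for principal in acls.get(folder, []):
        readers |= expand(principal, groups)
    return readers


def audit(acls, groups, sensitive, wide_open_fraction=0.5):
    """Report per-folder reach, folders open to a large share of staff, and exposed sensitive folders."""
    workforce = all_users(groups)
    report = {"folders": {}, "wide_open": [], "sensitive_exposed": [], "pct_open_to_all": 0.0}
    open_to_all = 0
    for folder in acls:
        readers = effective_readers(folder, acls, groups)
        fraction = len(readers) / len(workforce)
        report["folders"][folder] = fraction
        if readers >= workforce:
            open_to_all += 1
        if fraction >= wide_open_fraction:
            report["wide_open"].append(folder)
            if folder in sensitive:
                report["sensitive_exposed"].append(folder)
    report["pct_open_to_all"] = 100.0 * open_to_all / len(acls)
    return report


if __name__ == "__main__":
    result = audit(ACLS, GROUPS, SENSITIVE)
    for folder, fraction in result["folders"].items():
        print(f"{folder}: readable by {fraction:.0%} of staff")
    print("Open to the whole business:", f"{result['pct_open_to_all']:.0f}% of folders")
    print("Sensitive and wide open:", result["sensitive_exposed"])
```

Run against a real environment, the equivalent input comes from your directory service and share ACLs; the point of the check is the output, a ranked list of sensitive folders whose effective readership is far larger than their owners intend, which is where remediation should start.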
Sometimes users with the correct level of access misuse their permissions for their own gain. A recent example is of a Tesla employee who, after being turned down for a promotion, allegedly used their elevated access to leak gigabytes of confidential, proprietary information to unknown third parties.
Conversely, insiders who lack the access needed for their malicious actions can easily search the internet for effective open-source hacking tools and operating instructions, many of which are freely available. With a modicum of technical knowledge, a malevolent employee can become an amateur hacker or a script kiddie. They can try to find out passwords on a device using Mimikatz, or crack them through tools such as John the Ripper. Further, by visiting hacker forums they can get hints and tips for success.
While insiders can be more difficult to detect than external threat actors, they can be identified through specific behaviours. These will be different from the actions of innocent users, meaning that solutions based on threat models can detect unusual access and movement patterns and identify anyone within the organisation who might be a threat. Once a threat has been detected, the IT security team will be alerted, enabling it to take remedial action, such as account suspension, while it investigates the issue.
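The behavioural approach described above comes down to baselining what each account normally does and raising an alert when activity departs from that baseline. The script below is an added example for this article, not Varonis code and not the page's own: it parses a constructed file-access audit trail, builds each user's own daily-volume baseline from earlier days, and flags a day whose distinct-file count far exceeds that baseline, as well as reads outside office hours. The log format, the thresholds and the sample scenario (steady readers plus one account that pulls thirty payroll files late at night) are all assumptions.

```python
"""Behavioural detection of anomalous file access.

Added example with a constructed audit trail; not the article's or Varonis's code.
Assumed log format: "<ISO timestamp>Z user=<name> action=<verb> path=<path>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>.+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Constructed audit trail: two steady readers, then one of them spikes after hours."""
    start = datetime(2023, 6, 1, tzinfo=timezone.utc)
    lines = []
    for day in range(5):                      # five ordinary working days
        d = start + timedelta(days=day)
        for i in range(3):                    # three documents per user per day
            for user in ("alice", "bob"):
                ts = (d + timedelta(hours=9, minutes=10 * i)).strftime(TS_FMT)
                lines.append(f"{ts} user={user} action=read path=\\\\fs01\\{user}\\doc{i}.docx")
    spike = start + timedelta(days=5, hours=23)   # day six, 23:00 UTC
    for i in range(30):
        ts = (spike + timedelta(minutes=i)).strftime(TS_FMT)
        lines.append(f"{ts} user=alice action=read path=\\\\fs01\\shared\\payroll\\file{i}.xlsx")
    return lines


def parse(lines):
    """Parse log lines into (timestamp, user, action, path); malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["action"], m["path"]))
    return events


def detect(events, ratio=5.0, min_files=10, office_hours=(7, 19)):
    """Return alerts as (user, day, kind, detail).

    volume_spike: distinct files read in a day exceed `ratio` times the user's
                  mean over previous days (and at least `min_files`).
    after_hours:  any reads outside the office-hours window (UTC, assumed).
    """
    per_day = defaultdict(lambda: defaultdict(set))    # user -> day -> distinct paths
    after_hours = defaultdict(lambda: defaultdict(int))  # user -> day -> count
    for ts, user, action, path in events:
        if action != "read":
            continue
        day = ts.date()
        per_day[user][day].add(path)
        if not office_hours[0] <= ts.hour < office_hours[1]:
            after_hours[user][day] += 1

    alerts = []
    for user, days in per_day.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            count = len(days[day])
            history = [len(days[d]) for d in ordered[:i]]   # only earlier days form the baseline
            if history:
                baseline = mean(history)
                if count >= min_files and count > ratio * baseline:
                    alerts.append((user, day.isoformat(), "volume_spike",
                                   f"{count} distinct files vs baseline {baseline:.1f}/day"))
            n = after_hours[user].get(day, 0)
            if n:
                alerts.append((user, day.isoformat(), "after_hours",
                               f"{n} reads outside {office_hours[0]:02d}:00-{office_hours[1]:02d}:00"))
    return alerts


if __name__ == "__main__":
    for user, day, kind, detail in detect(parse(build_sample_log())):
        print(f"ALERT {kind:13} {user} {day}: {detail}")
```

Because the baseline is per user and built only from earlier days, a heavy but consistent user does not trip the volume rule, while a quiet account that suddenly reads a large number of files does; combining that with the time-of-day signal is what gives the security team something concrete to act on, such as suspending the account while they investigate.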
Businesses must implement a range of measures to ensure employees only have access to those files necessary for their job and monitor the behaviour of users to identify anything suspicious. In this way, they will stop themselves from becoming the next victims of a wannabe Snowden.
Snowden is probably one of the most notorious whistleblowers in recent history, and the scale of information leaked was vast. It also served as a wake-up call on what one individual can do to expose an organisation’s secrets. If we can learn one lesson from insider breaches, it is that while businesses should have confidence in their employees, they must also use measures to prevent this trust from being abused.