Every Threat is an Inside Threat

By TK Keanini, CTO, Lancope

While the cybersecurity industry is quick to put a label on things – Advanced Persistent Threat, Big Data Analytics and the ever-descriptive Internet of Things for example – many fail to grasp the similarities between the myriad of attacks that have taken place in recent years.

The reality is that most cyberattacks function like an inside threat. Attackers put a lot of focus on compromising the credentials and access privileges of legitimate organization insiders, and this is evident in the research surrounding data breaches.

The 2015 Verizon Data Breach Investigations Report revealed an increase in stolen credentials in point-of-sale intrusions:

“These are also not mere opportunistic attacks. Many incidents involved direct social engineering of store employees (often via a simple phone call) in order to trick them into providing the password needed for remote access to the POS.”

According to the cybersecurity consulting company Mandiant, 100 percent of breaches it has investigated involved stolen credentials.

Last year’s data breach at Target originated from credentials stolen from an HVAC subcontractor, and attackers who gained information about 56 million credit and debit cards from Home Depot last April did so with stolen credentials from a third-party vendor.

What is behind this shift in tactics?

Over the past few decades, organizations have been pumping billions of dollars into strengthening their perimeters and managing vulnerabilities. Meanwhile the rise of remote access and personal devices such as smartphones and tablets have broadened the threat surface and brought more sensitive data in contact with the internet.

Instead of focusing on breaching the perimeter, attackers have just shifted to compromising the human layer, which is more reachable now than ever before. In many organizations, employees have generous access privileges and the ability to log into the network remotely, which means attackers have more opportunities to utilize compromised credentials. Additionally, personal information about employees is also more accessible via social media sites like Facebook or LinkedIn, which gives attackers better insight into how to fool them.

Here’s a hypothetical scenario. An attacker has managed to track down an employee named Mark on social media. Mark likes to talk about his job and his favorite online poker site. The attacker sends Mark an email posing as a representative from the poker site with an attached brochure on new services, complete with malware. Mark opens the attachment without a second thought, and in a few days the malware sends keystroke information including his VPN login credentials back to the attacker.

Now Mark has effectively become an inside threat. Unfortunately, no matter how strong our castle walls are, users who appear legitimate are able to walk right through the front gate.

How do you catch an inside threat?

Since it is nearly impossible to stop a potential attacker at the gate, early detection is key. Fortunately the defender, an attack isn’t over with the initial breach. The perpetrator still has to execute a number of steps before their goal is complete, and we can stop them at any point in this process.

The first thing an organization needs to catch a threat inside their network is visibility. If firewalls are armed guards at the gate, visibility is the security camera monitoring inside the building. Internal network traffic, access logs, policy violations and more need to be watched continuously for suspicious activity. Know what a regular day looks like on your network. Know how much traffic to expect, who is expected to access sensitive information and what applications are used in the day-to-day business operation. Anything that falls outside of those bounds should be investigated. Remember compromised credentials will look legitimate until you isolate anomalous activity such as moving abnormally large amounts of data, repeated logins during nonbusiness hours or remote access from unusual and faraway locations.

You want to be able to identify the following activities:

·       Unauthorized access
·       Violation of organization policies
·       Internal reconnaissance
·       Data hoarding
·       Data loss

Data analytics can make a huge difference here. If an organization is large, it can be impossible to monitor network activity manually. Anything important is quickly drowned out by the plethora of other information. Using network telemetry, a good security analytics tool can help the relevant information rise to the top.

Secondly, keep an audit trail of network transactions for as long as is feasible. Once you detect the attacker on your network, the audit trail can be used to identify how the threat operated and what assets were compromised. It may also help the authorities pursue criminal charges against the attacker.

Lastly, don’t forget that these attackers thrive on compromising the human layer. You should train employees on best practices for using the internet and how to recognize social engineering tactics like phishing. Use network segmentation to limit the amount of sensitive data each user has access to, and monitor traffic from third-party contractors for possible compromised credentials.

As corporations expand in both number of employees and connected devices, it has become easier for cybercriminals to appear as a legitimate threat inside the network. While this trend comes with a new set of challenges than other security concerns, organizations can protect themselves with the right tools and mindset. Early detection of these intruders can keep a security event from becoming the next big breach plastered across the evening news.