An insider threat is generally defined as “a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization’s information or information systems” (NCCIC 2014).
The 2015 Vormetric Insider Threat Report (Vormetric 2015) indicates that over 22% of US organizations experienced a data breach in the preceding 12 months. Additionally, 93% of the organizations surveyed reported feeling vulnerable to insider attacks.
Statistics from recent years show that insider threats make up a significant portion of overall threats. Three main reasons explain why insider threats keep appearing as serious and significant:
• Insiders, whatever their position or permissions, already have some access to sensitive resources and enough knowledge of the environment to make an intrusion possible.
• It is usually harder and more complex to investigate and track an intrusion by an insider than one by an outsider. One reason is that most security controls face external interfaces. Additionally, insiders who hold administrative privileges and intentionally commit an attack have the ability to hide their tracks, tamper with logs and evidence, and otherwise complicate the investigation. This makes their actions harder to analyze, defend against, or anticipate.
• Apart from insiders who attack intentionally, insiders can become part of an attack without their knowledge or consent. They can be tricked through several mechanisms (e.g., social engineering) into being both the instrument and the victim of the same attack. This is why organizations have started to allocate resources to security awareness training.
It is important to understand the psychology and causes of insider threats. Why might an employee become a target or an entry point for attacks? Analyses and statistics point to a range of reasons, from carelessness to malice (Fig. 4.3, NCCIC 2014). On the other hand, US-CERT analyzed over 800 malicious insider attacks and found that there was no standard profile of a malicious insider.
Phishing Attacks
Many reports on insider threats show that data leaks or breaches are among the most serious and frequent insider threat incidents. They typically start when users or employees click on malicious or unsafe links.
For attackers, phishing campaigns are easy to build: all it takes is to imitate a legitimate website or user account (e.g., a bank, an e-commerce site, an online social network, or a manager's email account) and send the lure by message or email, typically with a sense of importance or urgency, to a mass of potential victims.
Sometimes the lure is just a pop-up or a link on a website the user is visiting. More recently, online social networks (OSNs) such as Facebook and Twitter, as well as smartphones, have begun to see these types of phishing attacks and links.
Fig. 4.3 Examples of reasons why an insider can be an attack target (NCCIC 2014)
4 Cyber Defense Analysis and Support
Password Attacks
While most security policies and regulations pay attention to the strength and protection of users’ passwords, many users still, for different reasons, use weak or common passwords or accidentally forward sensitive data to unintended recipients.
Password rules and guidelines have gone through several cycles of mechanisms intended to make passwords stronger and harder to guess. For example, opinions differ on the value of periodically (e.g., every 1 or 3 months) changing passwords. While this was part of earlier NIST guidance, many saw no value in frequent changes: either a password is strong or it is not, and the rotation argument assumed that an attacker might already hold a stored copy of the password or its hash and be working to crack it offline. The most recent NIST Special Publication 800-63B (published in June 2017 and updated since) revised its stance on password recommendations. In this release NIST dropped the requirement for periodic password changes; a change is forced only when there is evidence of compromise. It also dropped composition requirements (mixing the four classes: uppercase and lowercase letters, digits, and special characters). A new requirement was added instead: a newly chosen password must be screened against a list of known bad passwords or categories of bad passwords (e.g., passwords from previous breach corpuses, dictionary words, repetitive or sequential characters, and context-specific words such as the name of the service or the username) before it is accepted. Length also matters: 800-63B requires at least 8 characters for user-chosen passwords, asks verifiers to accept at least 64, and recommends longer passwords or passphrases.
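To make the 800-63B screening concrete, the following is an added example written for this chapter (it is not code from NIST or from any vendor). It accepts or rejects a candidate password using only the checks the publication asks for: a length bound and a blocklist covering breached passwords, dictionary words, repetitive or sequential strings, and context-specific words. The breach corpus, the dictionary, the service name "acmebank" and the usernames are small constructed stand-ins; a real verifier would load a full corpus or query a breach-lookup service. Note what is absent: no composition rule and no rotation policy.

```python
"""Candidate-password screening along the lines of NIST SP 800-63B section 5.1.1.2.
Added example: the breach corpus, dictionary, and context names are constructed
stand-ins. No composition rules and no rotation policy appear here on purpose."""

MIN_LENGTH = 8    # 800-63B: user-chosen memorized secrets are at least 8 characters
MAX_LENGTH = 64   # 800-63B: verifiers should accept at least 64 characters

# Constructed stand-ins; a real verifier loads a large breach corpus and
# wordlist (or queries a breach-lookup service) instead of these sets.
BREACHED = {"password", "123456", "qwerty", "letmein", "iloveyou"}
DICTIONARY = {"summer", "winter", "dragon", "monkey", "football"}

# Undo common leetspeak so 'P@ssw0rd' is compared as 'password'.
LEET = str.maketrans("@$!0134", "asioiea")
TRAILING_JUNK = "0123456789!?.#"


def _variants(pw: str) -> set[str]:
    """Forms of the password to look up: case-folded, with trailing digits and
    punctuation stripped ('Summer2023!' -> 'summer'), and with leet undone."""
    base = pw.lower()
    trimmed = base.rstrip(TRAILING_JUNK)
    return {base, trimmed, base.translate(LEET), trimmed.translate(LEET)}


def _is_repetitive(pw: str) -> bool:
    """True when the string is one short unit repeated: 'aaaaaaaa', 'abababab'."""
    return any(pw == pw[:n] * (len(pw) // n)
               for n in range(1, len(pw) // 2 + 1) if len(pw) % n == 0)


def _is_sequential(pw: str) -> bool:
    """True when every step between neighbours is +1 or every step is -1:
    '12345678', 'abcdefgh', 'hgfedcba'."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def screen_password(pw: str, *, username: str, service: str) -> list[str]:
    """Return the reasons to reject `pw` (an empty list means accept). Each
    reason is one 800-63B blocklist category or the length bound; nothing
    here asks for uppercase, digits or symbols."""
    reasons: list[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if _is_repetitive(pw):
        reasons.append("repetitive characters")
    if _is_sequential(pw):
        reasons.append("sequential characters")
    variants = _variants(pw)
    if variants & BREACHED:
        reasons.append("appears in breach corpus")
    if variants & DICTIONARY:
        reasons.append("dictionary word")
    # Context-specific words: the service name and the username (assumed inputs).
    context = {username.lower(), service.lower()} - {""}
    if any(word in v for word in context for v in variants):
        reasons.append("contains username or service name")
    return reasons


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Summer2023!", "12345678", "acmebank2024",
                      "correct horse battery staple"]:
        verdict = screen_password(candidate, username="alice", service="acmebank")
        print(f"{candidate!r:32} {'accept' if not verdict else 'reject: ' + ', '.join(verdict)}")
```

Running the block rejects "P@ssw0rd" (breach corpus, after undoing the leetspeak), "Summer2023!" (dictionary word once the trailing year is stripped), "12345678" (sequential) and "acmebank2024" (service name), while the 28-character passphrase is accepted even though it contains no digits or symbols. The normalization step is what keeps a blocklist effective: users asked to avoid "password" overwhelmingly reach for "Password1!" next.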
Privilege Tampering/Escalation and Abuse
Access controls in operating systems, DBMSs, web servers, routers, etc. record users and their permissions or rights to access different system resources. In middle to large enterprises, this access control data can be very large. Administrators may not have the time or tools to revisit it frequently to make sure that all users are still valid and that those users have the right level of permissions. An attack that begins with account creation or privilege escalation can therefore go undetected for a significant time if no automatic auditing mechanism screens for such changes. Privilege tampering can take one of three forms:
• Creating a new account. In this case the attacker does not need an existing insider account; they create a new one and use it.
• Using an existing account. An employee with a legitimate account and permissions can be the victim of identity theft, where an attacker uses their account and permissions. These are compromised accounts (i.e., internal accounts that have been taken over through external attacks). The account and permissions are valid but are used by a malicious actor. In such cases it can be very hard to distinguish the attacker from the victim employee, since both are using the same account and credentials.
• Privilege escalation. Valid users (e.g., insiders) maliciously escalate their privileges to reach resources they are not supposed to access, and knowingly misuse data and exploit the system.
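The following is an added example of the automatic auditing mechanism called for above; it is illustration code written for this chapter, not taken from the cited sources. It parses /etc/passwd and /etc/group style data, compares the current state with an approved baseline, and reports accounts that appeared since the baseline (flagged more severely when they are privileged), existing accounts that gained an administrative group or uid 0, and human accounts absent from an HR roster, which stands in for the "former employee" case in the definition at the start of this section. The two snapshots, the roster, the set of groups treated as administrative and the uid boundary for human accounts are constructed assumptions.

```python
"""Audit UNIX account state against an approved baseline for the forms of
privilege tampering described above. Added example: the /etc/passwd and
/etc/group contents, the HR roster and the admin-group set are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

ADMIN_GROUPS = {"root", "wheel", "sudo", "adm"}  # assumption: membership here = admin
HUMAN_UID_MIN = 1000                              # assumption: lower uids are system accounts


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    groups: frozenset[str] = field(default_factory=frozenset)

    @property
    def privileged(self) -> bool:
        # uid 0 is root whatever the name says; otherwise look at group membership
        return self.uid == 0 or bool(self.groups & ADMIN_GROUPS)


def parse_accounts(passwd: str, group: str) -> dict[str, Account]:
    """Build Account objects from /etc/passwd and /etc/group text. Membership
    comes from both the primary gid in passwd and the member list in group."""
    gid_to_name: dict[int, str] = {}
    supplementary: dict[str, set[str]] = {}
    for line in group.splitlines():
        if not line or line.startswith("#"):
            continue
        gname, _pw, gid, members = line.split(":", 3)
        gid_to_name[int(gid)] = gname
        for member in filter(None, members.split(",")):
            supplementary.setdefault(member, set()).add(gname)
    accounts: dict[str, Account] = {}
    for line in passwd.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        groups = set(supplementary.get(name, set()))
        if int(gid) in gid_to_name:
            groups.add(gid_to_name[int(gid)])
        accounts[name] = Account(name, int(uid), frozenset(groups))
    return accounts


def audit(baseline: dict[str, Account], current: dict[str, Account],
          roster: set[str]) -> list[tuple[str, str, str]]:
    """Compare `current` with `baseline`; return (finding, account, detail) triples."""
    findings: list[tuple[str, str, str]] = []
    for name, acct in sorted(current.items()):
        if name not in baseline:
            kind = "NEW PRIVILEGED ACCOUNT" if acct.privileged else "NEW ACCOUNT"
            findings.append((kind, name, f"uid={acct.uid} groups={sorted(acct.groups)}"))
            continue
        old = baseline[name]
        gained = (acct.groups - old.groups) & ADMIN_GROUPS
        if gained or (acct.uid == 0 and old.uid != 0):
            findings.append(("PRIVILEGE ESCALATION", name,
                             f"gained {sorted(gained)}, uid {old.uid}->{acct.uid}"))
    # Human accounts with no current owner are the "former employee" case.
    for name, acct in sorted(current.items()):
        if acct.uid >= HUMAN_UID_MIN and name not in roster:
            findings.append(("NOT ON ROSTER", name, "no matching person in HR roster"))
    return findings


# Constructed snapshots: between baseline and now, bob was added to sudo,
# a uid-0 "service" account appeared, and carol exists but HR has no record.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""
BASELINE_GROUP = """\
root:x:0:
sudo:x:27:alice
alice:x:1000:
bob:x:1001:
"""
CURRENT_PASSWD = BASELINE_PASSWD + """\
svc_backup:x:0:0:backup:/var/backup:/bin/sh
carol:x:1002:1002:Carol:/home/carol:/bin/bash
"""
CURRENT_GROUP = """\
root:x:0:
sudo:x:27:alice,bob
alice:x:1000:
bob:x:1001:
carol:x:1002:
"""
ROSTER = {"alice", "bob"}


def run_audit() -> list[tuple[str, str, str]]:
    return audit(parse_accounts(BASELINE_PASSWD, BASELINE_GROUP),
                 parse_accounts(CURRENT_PASSWD, CURRENT_GROUP), ROSTER)


if __name__ == "__main__":
    for kind, name, detail in run_audit():
        print(f"{kind:24} {name:12} {detail}")
```

Two points worth noting. Checking uid 0 directly catches a privileged account that hides behind an innocent name and never joins an admin group, which a group-only check would miss. And the second form above, a legitimate account used by an attacker, leaves no trace in this state comparison at all; it has to be caught from behavior in the authentication logs, which is the job of the SIEM methods discussed later in this section.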
Challenges in Insider Threats Investigations
• High volume of network activity: Given the continuously increasing volume of network traffic, detecting malicious acts in real time or near real time is a challenge. IT's main goal is to keep all business services running without problems. Inspecting traffic in depth against many rules for possible security alerts can impose significant overhead on the network. The bottom line is that performance, security, and efficiency must always be balanced, because in terms of resources these goals often conflict.
• Lack of IT staff training. IT staff are not trained to be detectives or forensic investigators. The roles of security personnel in organizations are evolving and expanding, and IT staff may lack the skills, technical or communicative, to handle several types of attacks.
• Growing use of cloud services: Cloud services create different forms of security risk and concern. When data, services, and possibly infrastructure are provided by a cloud service provider, how can an organization properly conduct an insider attack investigation when the hosts, storage, and logs it would normally examine are held by a third party?
• Pressure to change IT configurations quickly rather than securely. IT staff are busy running normal operations and dealing with frequent software, system, network, and hardware updates. Such frequent changes make it hard to ensure that new changes do not introduce new vulnerabilities and that security policies stay up to date and capable of protecting the current software, system, network, and hardware environment.
• Use of mobile devices and the Bring-Your-Own-Device (BYOD) model: Mobile devices and BYOD are inevitable in any organization, regardless of how much classified data and how many sensitive systems it holds. Whether employees use their own smart devices or devices issued by the organization, risks exist from many perspectives. For insider threats in particular, powerful smart devices let users access and expose system resources. Because those devices are typically used for both company and personal purposes, isolating the two domains from each other is difficult. Smart devices cannot be joined to the organization's domain with the same level of control as desktops and laptops. This leaves a vague, loose relation between the organization's network and those devices, which complicates controlling, monitoring, or investigating them when necessary.
Methods to Counter and Mitigate Insider Threats
We mentioned earlier that the profiles of insider attackers vary. With no specific profile to look for, how do you prevent malicious insider attacks from happening?
The following methods have been proposed to mitigate or counter insider threats:
• Security awareness training: However important security controls and mechanisms are, the human factor should always be a focus of security investment. While we build and tune our firewalls with the best possible protection policies and rules, we should not ignore the “human firewall”: humans write those policies and rules, and users apply and enforce them. Policies should therefore be expressed simply for ordinary users and help them understand why enforcing such rules matters. It is easy to blame employees for being careless or ignorant when they are tricked by social engineering or phishing. Since the impact of such an incident goes beyond the employee, organizations should invest in any method that helps mitigate such attacks. We can implement safeguards such as firewalls and strong spam filtering, but in the end it comes down to users, training, and awareness programs. Awareness, training, and education are different but related elements in this scope (Table 4.1). Organizations and managers should support such efforts and allocate proper resources. Many US government organizations currently employ several security awareness methods for their employees (e.g., periodic exercises, training, gamification).
• Identity and access management: Proper policies should define how user accounts and access control entries are created, monitored, and maintained. Policies can also trigger alerts for behaviors (i.e., red flags) that may be part of an attack, including the follow-on of a successful phishing attempt (e.g., an unexpected new user account or a privilege escalation).
• Intrusion detection and prevention systems: an IDS/IPS is a security control that provides real-time monitoring and, in the IPS case, blocking actions. Compared with firewalls, which mostly filter on addresses and ports, an IDS/IPS inspects traffic content and behavior against signatures or anomaly models, which makes it the more comprehensive control.
Table 4.1 Different elements between awareness, training, and education (Whitman and Mattord 2008)

                    Awareness                    Training                       Education
Attribute:          "What"                       "How"                          "Why"
Level:              Information                  Knowledge                      Insight
Objective:          Recognition                  Skill                          Understanding
Teaching method:    Media                        Practical instruction          Theoretical instruction
                    (videos, newsletters,        (lecture, case study           (discussion seminar,
                    posters, etc.)               workshop, hands-on practice)   background reading)
Test measure:       True/False, multiple         Problem solving                Essay
                    choice (identify learning)   (apply learning)               (interpret learning)
Impact timeframe:   Short-term                   Intermediate                   Long-term
• SIEM or log management: Take advantage of data analytics to continuously screen logs and alert on possible red flags. The quality of such tools depends on the accuracy and efficiency of their built-in algorithms, which typically have to search a large volume of data in a very short time. Key success factors are low false-positive and false-negative rates and minimal overhead on overall system performance.
• Web application firewalls. These are also called Layer 7 or application-layer firewalls. In comparison with classical L3–L4 firewalls, which filter on addresses, ports, and protocols, web application firewalls inspect the HTTP requests and responses themselves (URLs, parameters, headers, cookies) and can therefore identify malicious applications, users, or traffic.
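The following is an added example of the log analytics the SIEM item above describes; it is illustration code written for this chapter, not the rule set of any product. Two rules run in a single pass over sshd authentication lines: one flags a successful login that follows a burst of failures for the same account, which is the guessing-then-login signature of the compromised-account form described under privilege tampering, and one flags a valid login outside business hours. The log lines, the year assumed for syslog timestamps (which carry none), the failure threshold, the time window and the business-hours range are constructed assumptions; in production the last three are exactly the knobs tuned against the false-positive rate the text warns about.

```python
"""SIEM-style detection rules over sshd authentication log lines.
Added example: the log, the year assumed for syslog timestamps, the failure
threshold, the time window and the business-hours range are constructed
assumptions and would be tuned against the false-positive rate in production."""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

LOG_YEAR = 2024                 # assumption: syslog lines carry no year
FAIL_THRESHOLD = 5              # failures before a later success is suspicious
WINDOW = timedelta(minutes=10)  # how long a failure stays relevant
BUSINESS_HOURS = range(7, 20)   # assumption: 07:00-19:59 local time is normal

# Constructed sample: a guessing burst against bob that succeeds at 02:14,
# a probe of a non-existent user, alice's ordinary morning key-based login,
# and two typos by carol followed by a normal success.
SAMPLE_LOG = """\
Mar 10 02:14:01 bastion sshd[4011]: Failed password for bob from 203.0.113.5 port 51000 ssh2
Mar 10 02:14:04 bastion sshd[4011]: Failed password for bob from 203.0.113.5 port 51001 ssh2
Mar 10 02:14:08 bastion sshd[4011]: Failed password for bob from 203.0.113.5 port 51002 ssh2
Mar 10 02:14:11 bastion sshd[4011]: Failed password for bob from 203.0.113.5 port 51003 ssh2
Mar 10 02:14:15 bastion sshd[4011]: Failed password for bob from 203.0.113.5 port 51004 ssh2
Mar 10 02:14:20 bastion sshd[4011]: Accepted password for bob from 203.0.113.5 port 51005 ssh2
Mar 10 03:30:00 bastion sshd[4100]: Failed password for invalid user admin from 198.51.100.9 port 40000 ssh2
Mar 10 09:03:12 bastion sshd[4200]: Accepted publickey for alice from 10.0.0.7 port 40010 ssh2
Mar 10 10:00:01 bastion sshd[4300]: Failed password for carol from 10.0.0.8 port 40020 ssh2
Mar 10 10:00:05 bastion sshd[4300]: Failed password for carol from 10.0.0.8 port 40021 ssh2
Mar 10 10:00:09 bastion sshd[4300]: Accepted password for carol from 10.0.0.8 port 40022 ssh2
"""


def parse(line: str) -> dict | None:
    """Turn one sshd line into an event dict, or None for lines the rules ignore."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["outcome"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def detect(lines) -> list[tuple[str, str, str, str]]:
    """Single pass over the lines; returns (rule, user, ip, detail) alerts.
    Failures are kept per user in a deque and expired once older than WINDOW,
    so memory is bounded by the burst size rather than the log size."""
    alerts: list[tuple[str, str, str, str]] = []
    failures: dict[str, deque] = defaultdict(deque)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["user"]]
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()
        if not ev["ok"]:
            q.append(ev["ts"])
            continue
        # Rule 1: success right after a burst of failures, the guessing-then-login
        # signature of a valid account about to be used by someone else.
        if len(q) >= FAIL_THRESHOLD:
            alerts.append(("BRUTE_FORCE_SUCCESS", ev["user"], ev["ip"],
                           f"{len(q)} failures within {WINDOW} before success"))
        q.clear()  # a success ends the burst either way
        # Rule 2: a valid login at an unusual hour is worth a look, not a block.
        if ev["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("OFF_HOURS_LOGIN", ev["user"], ev["ip"],
                           ev["ts"].strftime("%H:%M")))
    return alerts


if __name__ == "__main__":
    for rule, user, ip, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{rule:20} user={user:8} src={ip:15} {detail}")
```

On the constructed sample only bob's login raises alerts (both rules fire); carol's two typos fall below the threshold and alice's 09:03 key login is normal. The threshold and window are where the trade-off from the previous paragraph lives: lower them and the carol pattern becomes a false positive, raise them and a patient attacker who paces their guesses slips below detection.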
Insiders’ Investigations: Laws and Regulations
If a company wants to implement technological solutions designed to help detect and investigate insider threats, explicit rules and regulations should exist within the company to govern the monitoring, detection, investigation, and prosecution processes. These will depend on the organizational structure: who to report to, who takes part in the investigation, and so on.
Conducting private investigations within organizations is possible. However, organizations should make sure to hand the investigation over to the public authorities when they realize that, given the nature of the crime, they should step out of the case.
For company sanctions and violations, policies and regulations should be in place first that guide employees on the proper use of computing resources, the Internet, information privacy, etc. Employees should be trained and educated on how to avoid liability for improper actions. Auditing and logging mechanisms can be used to search for evidence. Investigation teams should have the technical skills and the knowledge of laws and regulations needed to search for, collect, properly handle, and use digital evidence. Because computing environments keep evolving, digital laws have evolved and continue to evolve rapidly. How valid and credible can digital evidence be? Can we trust a web log that traces a phishing attack to a particular user? These are examples of open legal issues and concerns in digital investigations in general.