Whac-A-Mole: Profiling and Stopping the Malicious Insider

Two-thirds of data breaches involve insiders giving information to outsiders, whether they are aware of what they are doing or not. According to a report by Kroll Advisory Solutions, “moles, opportunists, contractors, disgruntled employees, and ex-IT personnel—all currently pose a greater risk to corporate intellectual property than state-sponsored hacking and APTs, both in frequency and in damage caused.”

Nefarious insiders have a few basic motivations and, among these, the desire for financial gain tops the list. Some moles steal secrets for foreign governments or for businesses in the same industry that compete with the one they work for. Selling these secrets can make them substantial amounts of money. Some moles intentionally seek jobs at particular firms in order to obtain specific information for their real employers. At other times they are legitimate employees first, who are later contacted by a third party to do some spying. The third type of financial mole realizes that they have access to sensitive information that could make them a great deal of money, and then tries to find someone willing to pay for it. This type of insider is responsible for the greatest financial damage to a company.

In contrast to these financially motivated insiders, the disgruntled employee is motivated mostly by revenge; however, they will not pass up a chance to make money if one presents itself. Disgruntled employees know they will be leaving the company, either by their own choice or by being fired. They may feel that they have been badly treated or underappreciated. They have an axe to grind and may begin accumulating information that they can use against the company if they get the chance. In the worst-case scenario, the disgruntled employee works in IT and may even be an administrator, meaning that they have access to everything on the network. When they leave the job, they may take all of this information with them and will often try to sell it to interested parties.

The good news for most enterprises is that many of these moles are amateurs. They are not good at covering their tracks and so, if the company is vigilant, they can be caught, even before they commit the crime. Profiling can go a long way towards identifying individuals who may cause problems. According to CSO Magazine’s 2012 CyberSecurity Watch Survey, “51 percent of those insiders violated IT security policies and 19 percent were flagged by a manager for behavior/performance issues” within the 12 months before a breach was detected. The FBI gives employers a few more tips on what to look for when trying to uncover a mole. Here are some questions management can ask to identify potentially dangerous individuals.

1. Does an employee take home unauthorized documents or ask for access to such documents or information?

2. Does the employee remotely access the company network while on vacation or at unusual hours?

3. Does the employee frequently disregard company computer use policies?

4. Is the employee interested in working unusual hours or on weekends when fewer people are present?

5. Does the employee take unannounced foreign trips or have unusual contacts with foreigners, especially those who work for foreign governments?

6. Is the employee suddenly buying things that are normally considered out of their financial reach?

7. Does the employee have contacts with people from similar companies?

Good network logs should preserve records of who accessed what data and for how long. This, combined with the previous profile information, could go a long way towards detecting employees who may be up to no good.

Failing to take preemptive precautions can lead to disastrous results. Probably the worst insider attack in history, not including the Snowden leak, occurred in South Korea when 40% of the population had its credit card details stolen. The thief was a temporary employee of a credit rating firm contracted by various Korean banks. The motive was financial, and the perpetrator sold the information on to data mining and marketing firms. Security experts claim that the banks granted administrative rights too easily to people who should not have had them. They also point out that a good security system would have flagged the unusual activity as it took place. In other words, a good security system that grants administrative rights only to trusted individuals will go a long way towards undermining attempts at insider theft. But it will not stop the most dangerous insider of all: the IT-sophisticated insider who already has administrative rights.

The sophisticated, often trusted, insider is extremely difficult to detect. They can be motivated by either money or revenge. They often know the architecture of the security system and so know how to use it to their own ends without leaving traces. Because they are authorized to access sensitive information, doing so raises no suspicion, and because they are trusted, they may be able to carry on their disreputable activities for a long time before they are caught. They may even recognize attempts to detect them and turn those attempts to their own advantage. For example, honeypots can be used to detect external threats, but they cannot easily be used against a sophisticated insider: such an insider will realize that a honeypot exists and will interact with it in a way that hides their tracks. It is possible to use honeypots to trap these moles, but the honeypots must be designed to lead the insider to them without the insider realizing it, which is not an easy thing to do. They must be sophisticated enough not to raise the suspicions of a technologically capable insider. If all goes according to plan, the insider will interact with the honeypot and the organization can follow their actions, identify who the threat is, and discover the motives behind the attack. Again, all this is easier said than done.

A sophisticated, tech-savvy insider knows what he or she is looking for. They will often monitor network activity and arrange ways to capture the information they need as it passes through. They will be able to learn who is using what information and how it is being used. If the network is being monitored by such an insider, the company can design something called a honeytoken to pass through the network. This is something that a mole may find interesting and that they, therefore, will collect. The token may be something like login information. The insider may tag this as interesting and later try to use it. The honeytoken itself can point to a honeypot: the company can further lure the mole in by making the token a credential that logs in to something like a database, where the database is actually the honeypot. The insider will be interested in looking at this database and, when they do, they give themselves up for further investigation. Honeytokens can be used in connection with email accounts, documents, and search engines. (For a complete and detailed study of their use, see the paper, Honeypots: Catching the Insider Threat, by Lance Spitzner.)

Of course, all this depends on the insider not realizing they are being led to interact with a honeypot. If they do find out, they can learn to avoid it or, even worse, use it to feed false information to investigators and mislead them. Any such use of a honeypot must be done with the greatest discretion, using the fewest and most trusted investigators. Honeypots have been effective, and very tech-savvy moles have been caught in this manner.
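As an added illustration (not part of the original post), the following Python script turns two of the ideas above into log-review rules: any use of a planted honeytoken credential is an alert in its own right, and a successful login outside business hours is flagged in the spirit of the "unusual hours" profile question. The log format, the honeytoken account name svc_backup_ro, and the sample events are all constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample auth log (not from the original post), one event per line.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z auth user=alice src=10.0.5.21 resource=crm-db result=success
2024-03-04T23:47:10Z auth user=bob src=10.0.7.8 resource=finance-share result=success
2024-03-05T02:15:33Z auth user=svc_backup_ro src=10.0.7.8 resource=hr-db result=failure
2024-03-05T10:03:44Z auth user=carol src=10.0.5.30 resource=crm-db result=failure
2024-03-06T13:20:00Z auth user=svc_backup_ro src=10.0.7.8 resource=hr-db result=success
"""

# Hypothetical honeytoken account: a planted credential that no legitimate person
# or process ever uses, so any attempt with it (success or failure) is an alert.
HONEYTOKEN_USERS = {"svc_backup_ro"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>\S+)$"
)

def parse_events(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events

def detect(events, business_hours=(8, 18)):
    """Return (severity, rule, user, src, timestamp) tuples: honeytoken use is HIGH
    whatever the outcome; a successful login outside business hours is MEDIUM."""
    alerts = []
    start, end = business_hours
    for ev in events:
        stamp = ev["ts"].isoformat()
        if ev["user"] in HONEYTOKEN_USERS:
            alerts.append(("HIGH", "honeytoken-used", ev["user"], ev["src"], stamp))
        elif ev["result"] == "success" and not start <= ev["ts"].hour < end:
            alerts.append(("MEDIUM", "off-hours-access", ev["user"], ev["src"], stamp))
    return alerts

def attribute_source(events, src):
    """Real accounts seen from the source of a honeytoken alert: the starting point
    for working out who picked the token up off the network."""
    return sorted({ev["user"] for ev in events
                   if ev["src"] == src and ev["user"] not in HONEYTOKEN_USERS})
```

Running detect over the sample log yields one off-hours alert for bob and two honeytoken alerts from the same source address, and attribute_source ties that address back to bob's earlier legitimate session.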

Yes, insider attacks are real and much more common than most organizations want to believe. You will not usually read about them in the news because companies don’t want to make such failings public; it hurts both their image and their stock prices. However, companies need not be powerless. With proper vigilance and security architecture, such attacks can be minimized. Always keep and review network logs. Restrict access to sensitive information and watch for unusual employee behavior. Keep an eye on employees who plan to resign or may be terminated, as most insider attacks happen within 30 days before an employee leaves. Finally, if a sophisticated insider attack is suspected, get expert help to design a honeypot. Keeping big moles in the dark and poisoning them with honeytokens can keep them from damaging your intellectual property.
