'Insiders' in Cybersecurity: “Catch me if you can”

April 25, 2022

If any of us were asked about the hypothetical appearance and profile of those responsible for a serious cyber security incident in a large company, I think we would all automatically think of the archetype that movies constantly show us: teenagers in hoodies, working with laptops full of stickers in a communal house where the music is too loud and the atmosphere is of the most "criminal" kind.

The interesting thing is that there is a significant window of opportunity for security and cybersecurity incidents within organisations: employees, temporary staff, service companies, contractors, etc.

Insider typologies

Let's look at the different typologies of “insiders”, which is the common name used in this field to generically refer to all typologies that produce the same effect: security incidents whose perpetrator is within the "perimeter" of the organisation (as a concept, the walls of the medieval castle where the population to protect lived):

Disgruntled or resentful employees

Very often, there are employees in organisations who are underperforming or in difficult situations which often lead to tensions, sanctions, career stagnation, threat of dismissal, etc. These people assume or know that they will be fired or that their career in the company is over or on a dead end. Faced with this prospect, some people decide to damage the company, steal data, carry out acts of vandalism (even physical) or give third parties remote access for malicious purposes.

Addictions and personal problems

Another group that is often present in organisations are those people who, for different reasons, are in a complicated personal situation: financially, emotionally, suffering from an addiction, etc. This often makes it easier for them to carry out desperate acts to get money or to attract the attention of their superiors. It also facilitates, as we will see below, extortion-type scenarios.

Bribery and extortion

Especially related to the military ecosystem and patent-linked industries (pharmaceuticals, aerospace engineering, mobile device manufacturers, etc.), cases of bribery and extortion (especially through the use of deception, prostitution, etc.) are sadly frequent. By these means, external actors manage to influence internal staff to become their collaborators ("insiders").

Political, religious motivation - Activism

In some cases, especially in sectors where ethics and personal beliefs can play an important role, "opinion or belief" type motivations can be critical: sectors such as the arms industry, pharmaceuticals, etc. They can provoke extreme reactions among their staff (the case of employees who left Google in 2018 because of the company's relations with the US DoD on the JEDI or Marven projects is very significant).

Negligence and accidents

This group also has its place in the general statistics: internal staff who through negligence cause security incidents: either by a constant effect (Example: not having condivd a system properly and leaving it exposed to the Internet without proper protection), or by a specific act at a given time (Example: forgetting a pendrive or confidential documents in a cafeteria which causes a scandal in the media).

Human factor key in cyber security
Human factor key in cyber security
September 28, 2022

What can we do as a company?

All these circumstances often lead to an "insider" type of behaviour, where we must not forget that we also have other groups such as temporary staff, interns and trainees, temporary consultants and auditors or service companies (cleaning, catering, maintenance) who have access to our offices, sometimes at unusual times and with special access to systems or premises.

The key question now is what can we do as a company? It is a really complex problem as the casuistry is very broad (what company does not often have isolated people in remote locations?).

Early detection

The main point to comment on is the early detection of potential high-risk or high-profile individuals. Normally, corporate security has a regular link with the Human Resources area (people management) and these people are usually identified jointly for supervision, sanctioning, etc.

  1. As mentioned above, one possible case would be that of people who are really angry with the company by vandalising it or people with clear addictions who ask for financial advances on their salary every month. Complaints or comments usually first reach human resources: fights in the cafeteria, vandalism in certain areas, people with symptoms of alcoholism or working under the influence of substances, etc.
  2. In the same block, some organisations use platforms generically called “People Analytics” to detect inconsistent or suspicious patterns of behaviour that may be predictive of future problems: long after-hours connections, failed attempts to access corporate systems, sudden unjustified changes in working hours, radical changes in their social activity in the company (on internal social networks, Intranet-type portals, etc...)

Focus on the risk (not the motivation)

In the field of cybersecurity, we must have our protection, prevention and detection systems well condivd to be able to cover the case of the insider actor in the right way.

Obviously, the approach is to focus on the risk and not to analyse the motivation. Some commonly used platforms include:

  • CASB (Cloud Access Security Broker) type platforms often detect many anomalous situations which, if properly dealt with, can be related to “insider” incidents (e.g., massive out-of-hours file movements to personal storage services) or recurrent use of unauthorised software to connect to atypical locations on the Internet.
  • DLP (Data Loss Prevention) type functionalities which, being oriented to legal problems with data loss or data leaks, may be the first phase of a much bigger problem, if successful, as the insider will continue to escalate his attack in search of the greatest possible damage.
  • IAM (Identity & Access Management) type services that will alert us in case of inconsistent or exceptional situations in terms of connections (logins, failed attempts, etc.). A typical case could be the use of a non-privileged account on a personal computer of a person using classified information. This case could correspond to that of an insider spying on the computer of the person in charge or the finance department (perhaps the owner did not lock the system during his or her lunch break...).

Prepare a forensic report

If we finally have an incident involving “insiders”: In this case, the way of working is usually the conventional one (DFIR type services, Threat Hunting type analysis on SIEM or EDR/XDR type platforms) but with the important nuance that we may have to produce a forensic report that can be used in a judicial process.

In these cases, the extraction and custody of evidence must follow certain guidelines and the same with the legal aspects (especially if a report has been made to the police or corresponding security body).

Most of the investigations into this type of situation will undoubtedly have to go through two types of systems:

  • Authentication and access: As mentioned above, of the IAM type or similar, where we can carry out searches and checks on all types of accesses or access attempts to connect them with an account that will be completed on other platforms.
  • Activity on personal computers: Normally, actors of this type will use their own or personal computers or those of colleagues or managers to carry out their malicious activity. Therefore, investigations of this type often use EDR or XDR type platforms to obtain these suspicious patterns based on complex queries.

The rest of the systems to be used will almost always be the end systems affected (if applicable): financial or commercial platforms, document management systems, etc. And the aforementioned perimeter protection systems (SASE, CASB, DLP, etc.).

Two final conclusions

  1. Not assuming that we may have the “enemy at home” is a fundamental mistake that precedes many serious security incidents. The motivations vary but the risk is always the same. If we as an organisation do not pay the same attention to the outside as we do to the inside, we are creating a significant risk.
  2. Early detection is the best measure we can take to try to minimise the occurrence of such events. Many of these people are just out for revenge, to send a message or to compulsively solve a personal problem. If we can identify them, there is room for peaceful resolution.

Let us never forget the quote from “The Godfather (Part II)”,

“Keep your friends close, but your enemies closer”.

FF Coppola, 1974
Human Factors in Cybersecurity: Protect Yourself