Why insider threats keep succeeding
Outdated security models rarely address insider threats, argues John Sellers, and perimeter defense and background checks are not going to keep attackers out.
While insider threats are a major concern for everyone, government agencies stand the most to lose from these attacks. After all, the loss of classified or sensitive government information could be a matter of national security. The sensitive nature of information retained on government networks makes it a tempting target to fraudsters, activists and spies alike.
High-profile breaches such as those involving Bradley Manning and Edward Snowden further emphasize the damage these threats can cause. Over the past decade, more than 120 cases of malicious insider crime involving classified national security information were identified by the CERT Insider Threat Center.
Douglas Maughan, director of the Cyber Security Division of the Department of Homeland Security, says some of the most damaging attacks against the government have been launched by trusted insiders, and insider threats have the potential to compromise the nation's ability to fend off future attacks and safeguard critical infrastructure.
Why are the attackers winning?
Despite increased attention on insider threats, the public sector still struggles to adequately address the problem. A report released in April by the Government Accountability Office identified shortcomings in overseeing contractors providing IT services, security incident response and security programs in small government agencies.
In several of the agencies that were studied, key elements of their information security plans, policies and procedures were outdated, incomplete or nonexistent.
The uncomfortable truth is old security models have no room for insider threats. Perimeter defense and employee background checks are not going to keep attackers out.
Even if your network users have no ill intent, negligence and compromised credentials are just as dangerous as a spy. An outside attacker merely has to ask for credentials through a phishing campaign or some other form of social engineering. If they fail, they've only wasted the amount of time it takes to write an email or make a phone call, but if they succeed, they suddenly have all of the privileges of a legitimate user.
Once an attacker has the necessary access privileges, the potential for damage skyrockets. Because most organizations don't monitor their internal network traffic, an attacker can take their time conducting recon and collecting data. Once all of the target information is packaged in a central location on the network, the attacker can then move it out of the network all at once. By the time the alarm bells go off, the data is gone.
How do you catch an insider threat?
Since it is nearly impossible to stop an insider threat at the gate, early detection is key. Fortunately, an attack isn't over with the initial breach. Perpetrators still must execute a number of steps before their goal is complete, and they can be stopped at any point in the process.
The first thing an organization needs to catch an insider threat is network visibility. If firewalls are armed guards at the gate, visibility is the security camera monitoring inside the building. Internal network traffic, access logs, policy violations and more need to be watched continuously for suspicious activity.
Know what a regular day looks like on your network. Know how much traffic to expect, who is expected to access sensitive information and what applications are used in day-to-day operations. Anything that falls outside of those bounds should be investigated.
You want to be able to identify the following activities:
- Unauthorized access.
- Violation of organization policies.
- Internal reconnaissance.
- Data hoarding.
- Data loss.
Data analytics can make a huge difference here. Considering the massive scale of government networks, it is impossible to monitor network activity manually. Anything important is quickly overshadowed by the plethora of other information. Using NetFlow and other network metadata, a good security analytics tool can help the relevant information rise to the top.
Second, keep an audit trail of network transactions for as long as is feasible. If you are struck by an insider attack, the audit trail can be used to identify how the threat operated, what assets were compromised and assist in criminal investigations.
Finally, don't forget that insider threats exist outside of the digital realm. Often, a malicious insider is a disgruntled employee seeking to damage the organization or someone who just can't resist the temptation to commit fraud or steal classified information. These are people who interact in person with other employees, and the other employees may take notice if they are acting suspicious.
Research by the CERT Insider Threat Center indicates that insider threats typically conduct their attacks within 30 days of giving their resignation and often display certain behavior prior to their illicit activities, such as threatening the organization or bragging publicly about how much damage they could do.
As government networks continue to expand in scope and geographic area, it has become easier for insider threats to access sensitive data and inflict catastrophic damage. While the malicious insider comes with a different set of challenges than other security concerns, organizations can protect themselves with the right tools and mindset. Early detection of these attackers can keep a security event from becoming a threat to national security.
NEXT STORY: Senators question Thrift Savings Plan's security