A malicious insider threat to an organization is a current or former employee, contractor, or other business partners who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
To be clear, this particular threat refers to the conscious effort to compromise information or an information system.
While of course, this threat can affect individual organizations, within a cloud computing environment there are three types of cloud-related insider threats based upon the CERT Program,
An individual employed by the CSP undertakes an action to affect the confidentiality, integrity, or availability of the service.
Examples include theft of sensitive information or sabotage.
Of course, there exist multiple examples of rogue administrators undertaking actions that circumvent the policy of their employer.
In addition, such actions can exist even after the employee has left the organization, as was the case reported by Information Week.
The case refers to a former employee of Gucci who was accused of maintaining a Virtual Private Network (VPN) token, and using it to access the network of his former employer and “deleting virtual servers, taking a storage area network offline, and deleting mailboxes from the corporate email server.”
Within a cloud environment, CERT identifies four levels of administrators, each with differing levels of access, and subsequently the potential impact if they are malicious.
The levels of access are, however, hierarchical, where the top-level administrators (hosting company administrators) have the greatest level of access.
Hosting company administrator: Has the highest level of access and therefore could cause the greatest impact such as updating the drivers of the virtual machines to compromise the images. Moreover, can implement network taps to perform man-in-the-middle attacks on all hosted systems.
Virtual image administrator: Could create alternate images outside of the authorized baseline, and that report they align with such baseline.
Could also potentially copy virtual machines/disks, or modify individual instances of a virtual machine in a cloud so that only some of the cloud behaves the wrong way.
System administrators: Have the ability to conduct operating system attacks, and could update the virtual machine drivers to vulnerable instances.
Application administrators: Have the ability to copy application data, edit the configuration of applications, potentially can gain control of the hosting platform.
Exploit weaknesses introduced by the use of the cloud
The use of cloud computing introduces vulnerabilities that the malicious insider will look to exploit.
One particular example of these vulnerabilities includes a difference between the access control model between the local system and the cloud-based system.
Also, another threat proposed is the replication lag exploit.
In this example, the cloud environment potentially includes multiple systems that synchronize important information (such as pricing, for example).
However, due to network latency, or those servers are located in different geographic locations, the replication of these data may take some time.
Therefore, while the cloud environment removes the single point of failure issue compared with a single server located on-premise, by understanding the replication lag issue the insider may be able to purchase items for less than the corporate agreed price.
The example provided by CERT is as follows:
- The company has server A that is authoritative for all pricing.
- Server A replicates prices to servers B1 and B2 that have 1 and 2 s of latency, respectively.
- Server B1 replicates prices to servers C1 and C2, these have 2 s of latency each.
- Server B2 replicates prices to server C3 with 4 s of latency.
The attacker wishes to buy a $20 item for $10.
Therefore, when a price change is scheduled, they will apply a false notice so the price is $10 sent to C3.
Then by timing the purchase before the correct price is applied they could remove evidence of the incorrect price, and potentially evidence they circumvented the integrity of the system.
Using the cloud to conduct the nefarious activity
This example relates to a malicious insider who utilizes cloud services to conduct attacks against his or her employer. Indeed, research published by TechTarget suggests that the lack of appropriate fraud detection capability within CSPs allows criminals to undertake activities on commercial providers without such activity being detected.
The acquisition of services can be conducted using stolen credit cards, or as indicated earlier through account hijacking.
7 Common Indicators of Malicious Insiders
- Unusual logins: most user accounts have a repeating login pattern (for example, employees signing in at the start of the work day and signing out at its end). Logins occurring at strange hours, from unusual locations, logins from unknown devices, or failed login attempts, should all raise an alert.
- Use of unauthorized applications: each mission critical system should have clearly defined groups of authorized users, and each group should have clearly defined roles with controlled access. Any employee gaining access to unauthorized systems, or unauthorized features or data within a system, should be immediately investigated.
- Impossible travel: employees logging in from a location which would be impossible to travel to, given the location of their last login and time from that login.
- Escalated privileges: any individual receiving additional privileges they did not previously have should be a concern, especially if they granted permissions to themselves, and not with the approval of another administrator. In addition, there should be regular audits of employees who have privileges due to previous roles and no longer require them.
- Excessive data downloads or uploads: security teams must have a clear idea of typical bandwidth usage of current users. When a user downloads an unusually large volume of files or records, downloads assets at unusual times, or downloads data and subsequently uploads files to an external server or storage service, this is a cause for concern.
- Unusual behavior: if an employee who commonly voices disagreement with superiors, is involved in constant arguments with coworkers, suddenly begins performing unusual patterns of activity within their applications, security teams should be alerted and check for other suspicious indicators.
- Termination or resignation: any employee leaving the company is at heightened risk of being a malicious insider. When an employee is dismissed or gives notice, security teams should monitor for suspicious activity, and look into past history over the last few months.
How to Prevent Malicious Insider Threats
Insider threats are difficult to detect and prevent, because malicious insiders leverage their knowledge of your organization’s structure and business processes, and existing access to corporate systems. Here are security controls you can implement in different parts of your organization to effectively mitigate the threat.
- Eliminate removable storage—a common attack vector for malicious insider is exfiltrating data using removable storage. Eliminate or severely restrict its use.
- Control BYOD—personal devices such as smartphones should not be allowed to connect to the corporate network, or should be severely restricted. Personal devices are often a vector for offloading or sharing sensitive information.
- Control outbound emails and files—systems should be in place to monitor outgoing emails and block emails with sensitive keywords or unusual attachments. Any transfer of data to external cloud storage should be blocked.
- Backups—it is common for malicious insiders to sabotage corporate systems by deleting data. Maintaining regular backups on a remote site can help mitigate this.
- Multi-factor authentication—using multiple authentication methods, such as passwords, biometric verification and security tokens, make it more difficult for insiders to gain unauthorized access to systems.
- Restrict access—ensure staff only have the access they need for their current job. Critical transactions should be monitored and logged with a full audit trail.
- Use unique identities—every member of staff should use a unique identity to login to services, without sharing accounts between users.
- Revoke access when no longer needed—as soon as employees change role or leave the organization, access to systems should be revoked
- Change shared passwords—when employees leave, change any shared password in the environment, including wifi passwords, alarm codes, bank account codes, etc.
Auditing and Logging
- Investigate logging capabilities—ensure all critical or high-risk systems have adequate logging with a full audit trail.
- Assign responsibility for auditing—logs are useless if no-one is watching them. Ensure someone from security or IT is responsible for monitoring logs of all critical systems. Inform staff about audit process and frequency, to deter malicious activity.
- Unique identities—just like in access controls, having unique logins for each individual person is critical to effective logging.
- Due diligence for software—evaluate existing and new software and cloud services to see they have appropriate controls for important transactions.
Foster a Positive Work Environment
- Focus on staff happiness—strive to create a work environment that values employees, provides positive reinforcement, and rewards integrity. Happy employees are more likely to align with the values of your company and less likely to be an insider threat.
- Encourage collaboration—when employees work together in teams, there is less room for a “lone wolf” mode of operation which is typical for malicious insiders. Suspicious activity can also be detected earlier by other members of the malicious insider’s team.
- Staff welfare—be aware of issues affecting the welfare of staff, such as emotional, financial, or family-related distress. Helping employees in times of trouble can prevent desperate individuals from resorting to illicit activity.
Personnel Integrity Verification
- Personnel security—ensure that all employees go through background checks and pre-employment checks. Prepare a dispute process in case details are found to be incorrect. Background check processes can also be outsourced to a specialist firm.
- Verify identity—ensure new employees are who they say they are, by requiring official identity documents and ensuring they are authentic.
- Ongoing checks—at least once a year, perform a repeat check on employees to see their situation has not changed—for example, that their police record is still clean.
- IT staff—pay special attention to IT staff, because they have extensive access to corporate systems and can tamper with logs or audit trails.
Security Awareness Education
- Document and train staff on business processes—ensure staff have clearly documented processes, and train them on your risk mitigation processes, why they are important, and the consequences to the business if they are not followed.
- Make employees responsible—pass responsibility for cybersecurity to employees. Explain that without their cooperation and vigilance, it is not possible to mitigate cyber threats that can harm the organization.
- Continually educate about security best practices—don’t assume employees will remember best practices. Continually refresh practices like strong passwords, keeping passwords secure, locking rooms and devices, and protecting sensitive data.