January 22, 2019
There’s no shortage of information available about the insider threat types that public and private sector organizations are forced to contend with. In SC Magazine, our Insider Threat Analyst Team Manager Armaan Mahbod highlights the trouble with obfuscation and evasion, two trends we are observing with increased frequency.
In How to Stop the Insider Threat from Switching Off Your Security Lights, Armaan reminds SC Magazine readers that all of the security layers in the world will be of little use if users have the power to switch them off. According to Armaan:
The reality today is that even the most advanced security infrastructures are vulnerable. Cybercriminals are always getting better at exploiting vulnerable code, developing new malware strains, and taking advantage of misconfigurations. Threats from the outside are only part of the problem. As leader of the insider threat analyst team at Dtex Systems, I help to run assessments inside of organizations that are interested in addressing the insider threat. We frequently find instances where users are able to engage in high-risk behaviors without detection by simply turning off security controls.
However, switching the security lights off isn’t the only way insiders avoid detection:
Our most recent insider threat intelligence report gathered examples of insider risk taking place across a dozen industries and different regions. Sixty percent of the assessments we ran detected instances where employees were using anonymous and private browsing to circumvent security controls. In 72 percent of the assessments, we detected situations where insiders were using high-risk, unsanctioned applications to get around security controls. We also uncovered scenarios where users would log off corporate networks and WiFi and then engage in high-risk activities, which we believe they did in order to avoid detection. Some of the actors in the situations we identified had malicious intent. Others were simply looking for ways to work in a manner they believed to be more efficient. Several wanted to conduct personal business without being monitored. Regardless of the intent involved, all of them were increasing risk to unacceptable levels.
Fortunately, there is a solution. In the article, Armaan elaborates on four basic steps organizations can take to avoid falling victim to insider risk created by obfuscation and evasion techniques. Be sure to read the full story to learn more.
The Negligence Threat
Although malicious insider threats like Edward Snowden and Harold T. Martin III grab the lion’s share of headlines and attention, the negligent form is typically the most common. Last week, we saw several examples of how user negligence manifests as risk.
Publicly Accessible Data
Youth-run agency AIESEC exposed over 4 million intern applications, by Zack Whittaker, TechCrunch. According to Whittaker:
AIESEC, a non-profit that bills itself as the “world’s largest youth-run organization,” exposed more than four million intern applications with personal and sensitive information on a server without a password.
Online casino group leaks information on 108 million bets, including user details, by Catalin Cimpanu, ZDNet Zero Day. According to Catalin:
The data leaked from an ElasticSearch server that was left exposed online without a password, Justin Paine, the security researcher who discovered the server, told ZDNet.
In these classic negligent insider threat cases, the organizations in question seemingly forgot to secure Elasticsearch databases (which have since been secured or taken offline, according to the stories). Dtex insider threat analysts identified this emerging trend in the Dtex 2018 Insider Threat Intelligence Report, which highlights that we observed accidental cloud data exposures in 78 percent of assessments we conducted.
To avoid this type of risk, our experts advise: Educate users on what cloud sharing websites do and don’t do to protect data stored on them; make it clear that these websites do not always encrypt information; teach employees never to use public share links unless they’re dealing with information that is suitable for public consumption; and, have a mechanism in place for knowing how employees are using cloud applications and services.
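Both leaks above came down to the same misconfiguration: an Elasticsearch HTTP listener reachable from the network with no authentication in front of it. The following is an added example of a configuration check a defender could run over their own `elasticsearch.yml` files; it is not Dtex's tooling and not from either article. It assumes Elasticsearch 6.x/7.x semantics: `network.host` (overridden by `http.host`) sets the bind address and defaults to loopback (`_local_`), and the built-in authentication layer is governed by `xpack.security.enabled`, which defaults to false on those versions. The two sample configurations are constructed.

```python
"""Audit an elasticsearch.yml for a network-reachable listener with no
authentication. Added example; assumes Elasticsearch 6.x/7.x setting names
and defaults (network.host defaults to _local_, xpack.security.enabled
defaults to false)."""
from typing import Dict, List, Tuple

# Bind values that stay on the loopback interface.
LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}
TRUE_VALUES = {"true", "yes", "on", "1"}

# Constructed sample: the shape of the configurations behind the leaks above.
WEAK_CONFIG = """
cluster.name: casino-bets
network.host: 0.0.0.0        # reachable on every interface
http.port: 9200
# xpack.security.enabled not set, so it is false on 6.x/7.x: no password on the REST API
"""

# Constructed sample: same exposure, but with authentication switched on.
HARDENED_CONFIG = """
cluster.name: casino-bets
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat `dotted.key: value` lines elasticsearch.yml normally uses.
    Comments are stripped; nested YAML blocks are out of scope for this check."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def bind_addresses(settings: Dict[str, str]) -> List[str]:
    """http.host takes precedence over network.host; absent both, the default is loopback."""
    value = settings.get("http.host") or settings.get("network.host") or "_local_"
    return [v.strip().strip('"').strip("'") for v in value.strip("[]").split(",") if v.strip()]


def security_enabled(settings: Dict[str, str]) -> bool:
    return settings.get("xpack.security.enabled", "false").lower() in TRUE_VALUES


def audit(config_text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; CRITICAL means reachable and unauthenticated."""
    settings = parse_flat_yaml(config_text)
    findings: List[Tuple[str, str]] = []
    exposed = [addr for addr in bind_addresses(settings) if addr not in LOOPBACK]
    if exposed:
        findings.append(("INFO", f"HTTP listener bound beyond loopback: {', '.join(exposed)}"))
    if not security_enabled(settings):
        findings.append(("WARN", "xpack.security.enabled is not true: REST API has no authentication"))
    if exposed and not security_enabled(settings):
        findings.append(("CRITICAL", "cluster reachable from the network without a password"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for severity, message in audit(cfg):
            print(f"  [{severity}] {message}")
```

The check deliberately reports the two conditions separately as well as together: a listener on all interfaces is a normal production setting once authentication and TLS are on, and security disabled on a loopback-only development node is low risk, so only the combination is rated critical. A network-level filter in front of the node is an equally valid fix that this file-based check cannot see.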
Although not always thought of as an insider threat, phishing is frequently the main vector that cybercriminals and nation-state operators use to take advantage of vulnerable, trusted insiders. Although it is hard to forget how frequently this takes place, it is worth highlighting some recent cases.
Two Ukrainian Nationals Indicted in Computer Hacking and Securities Fraud Scheme Targeting U.S. Securities and Exchange Commission, via the United States Attorney’s Office, District of New Jersey. According to the press release:
NEWARK, N.J. — Two Ukrainian men have been charged for their roles in a large-scale, international conspiracy to hack into the Securities and Exchange Commission’s (SEC) computer systems and profit by trading on critical information they stole, U.S. Attorney Craig Carpenito announced today. In a 16-count indictment unsealed today Artem Radchenko, 27, and Oleksandr Ieremenko, 26, both of Kiev, Ukraine, are charged with securities fraud conspiracy, wire fraud conspiracy, computer fraud conspiracy, wire fraud, and computer fraud. The SEC also filed a civil complaint today charging Ieremenko along with several other individuals and entities.
How’d they do it?
To gain access to the SEC’s computer networks, the defendants used a series of targeted cyber-attacks, including directory traversal attacks, PHISHING attacks, and infecting computers with malware. Once the defendants had access to the test filings on the EDGAR system, they stole them by copying the test filings to servers they controlled. For example, between May 2016 and October 2016, the defendants extracted thousands of test filings from the EDGAR servers to a server they controlled in Lithuania.
DNC: Russian Hackers Targeted Staffers After Midterms, by Phil Muncaster, InfoSecurity Magazine. Muncaster writes:
The Democratic National Committee (DNC) has claimed that one of the same Russian hacking groups blamed for leaking sensitive information in 2016 targeted its employees again just days after the 2018 midterm elections.
In court documents filed at the weekend, the DNC said that the group known as Cozy Bear (aka APT29/The Dukes) posed as a State Department official in spear-phishing emails sent to dozens of its employees.
The emails were booby-trapped with a malware-laden PDF designed to provide access to the victim’s machine.
“In November 2018, dozens of DNC email addresses were targeted in a spear-phishing campaign, although there is no evidence that the attack was successful,” the filing noted.
Preparations undertaken following the 2016 DNC and Hillary Clinton campaign hacks likely played a key role in defending against the attacks. The incident demonstrates that criminals and spies continue to use this technique because they know it works remarkably well. In addition to deploying anti-phishing, anti-virus, threat intelligence and education layers, a quick way to know whether email accounts are exhibiting risky behaviors is user-activity intelligence that alerts when troubling activity is under way.
More on Privacy
Last week, we highlighted several privacy incidents that grabbed headlines. The momentum continues with further examples of how businesses and government agencies that fail to comply with laws and proper data handling techniques are going to feel the pinch of legislators, politicians and regulators.
French privacy regulator fines Google $57M for GDPR violation, by Teri Robinson, SC Magazine. According to Robinson:
French regulators hit Google with a $57 million fine for violating GDPR rules that took effect last May by being less than upfront about how user data is collected and used.
U.S. regulators have met to discuss imposing a record-setting fine against Facebook for privacy violations, by Tony Romm and Elizabeth Dwoskin, The Washington Post. The duo reports:
U.S. regulators have met to discuss imposing a record-setting fine against Facebook for violating a legally binding agreement with the government to protect the privacy of its users’ personal data, according to three people familiar with the deliberations but not authorized to speak on the record.
The penalty is expected to be much larger than the $22.5 million fine the agency imposed on Google in 2012. That fine set a record for the greatest penalty for violating an agreement with the FTC to improve its privacy practices.
Marco Rubio Proposes New Federal Data Privacy Bill, by Kevin Townsend, SecurityWeek. Kevin reports:
U.S. Senator Marco Rubio (R-Fla.) introduced a bill on Wednesday designed to provide privacy legislation for the entire nation — that is, federal law. It is based on the Privacy Act of 1974, which was introduced post-Watergate to protect people from government storage and retrieval of personal data. Rubio’s American Data Dissemination Act (ADD) is designed to do similar, but is aimed at private industry’s collection of personal data.
Although not specific to the insider threat, a number of stories from last week caught our eye, all showing the ever-increasing importance now placed on new innovations and on security.
VC funding of cybersecurity companies hits record $5.3B in 2018, by Zack Whittaker, TechCrunch. According to Whittaker:
According to new data out by Strategic Cyber Ventures, a cybersecurity-focused investment firm with a portfolio of four cybersecurity companies, more than $5.3 billion was funneled into companies focused on protecting networks, systems and data across the world, despite fewer deals done during the year.
That’s up from 20 percent — $4.4 billion — from 2017, and up from close to double on 2016.
U.S. CEOs Are More Worried About Cybersecurity Than a Possible Recession, by Erik Sherman, Fortune. Writes Erik:
With markets uncertain, many onlookers might think a recession is on the way, whether that’s most CFOs in the world or voters in the United States.
But domestic CEOs don’t find heavy economic headwinds their biggest external business worry, according to a new survey by the Conference Board. Instead, it’s cybersecurity followed by new competitors. Risk of a recession is third.
Gartner Survey Shows 37 Percent of Organizations Have Implemented AI in Some Form, by Gartner. Not just for dreamers anymore, it seems that artificial intelligence is now part of the mainstream. According to the analyst firm:
The number of enterprises implementing artificial intelligence (AI) grew 270 percent in the past four years and tripled in the past year, according to the Gartner, Inc. 2019 CIO Survey. Results showed that organizations across all industries use AI in a variety of applications, but struggle with acute talent shortages.
The deployment of AI has tripled in the past year — rising from 25 percent in 2018 to 37 percent today. The reason for this big jump is that AI capabilities have matured significantly and thus enterprises are more willing to implement the technology. “We still remain far from general AI that can wholly take over complex tasks, but we have now entered the realm of AI-augmented work and decision science — what we call ‘augmented intelligence,’” Mr. Howard added.