
DTEX i3 Team Q&A: The Super Malicious Insider

Earlier this year we published an in-depth report on the insider risk landscape for 2022, with research from the DTEX i3 Team and real-life investigations they’ve led. Last year we saw remote work become the norm, employees being targeted by hackers more than ever, and the rise of the Super Malicious Insider.

Our recent webinar, “A New Threat Emerges—The Rise of the Super Malicious Insider” detailed findings of the report and gave listeners a chance to ask questions about this ever-evolving threat, with DTEX insider threat experts Armaan Mahbod and Andy London. We’ve highlighted a few of the questions and answers from the webinar below:

Q. “Has the risk of insider threat increased due to remote work during the COVID pandemic?”
A. Of course. Employees are not in the office, are not being micromanaged. They have full control over their activities within the privacy of their homes or work areas. They’re comfortable. The fact that you can be on a call and have yourself muted and have your video off, this enables comfortability. Many organizations, though they may be innovative, haven’t shifted to a mentality of increased security, for fear of losing that employee privacy; so there are a lot of available opportunities for people to take advantage of and become insider threats.

Q. “Do you believe that IT insider threat teams should directly be involved in identity access management for discussions on tightening up access?”
A. From what we’ve seen, especially in mature organizations that are shifting, insider threat is becoming a separate entity from the SOC. Insider threat teams should act on their own volition, but again, should be in conversation with other parts of the organization. Internal threats are just as costly and detrimental to the business as internal threats. So insider risk programs should be right up there with your other cyber security efforts. And the data sets that generally come from our solution, that we’ve seen in larger organizations, are a part of every entity. Privilege escalation, identity management, the list goes on.

Q. “How does DTEX help protect the privacy of individuals, while carrying out this monitoring? The vast majority of employees are honest and shouldn’t be treated like criminals when they aren’t. That’s a reality too, is it not?”
A. There’s a couple of aspects here related to privacy that we should address. One, we’re not like the traditional data loss prevention tool that’s monitoring content. We’re not reading emails, we’re not reading chat sessions, we’re not cracking open documents and reading everyone’s intellectual property. We are simply collecting metadata of behavior and tracking it from a behavior-based perspective versus a content-based perspective, so we’re not collecting credit card numbers and social security numbers, etc. Secondly, built-in to DTEX InTERCEPT is our pseudonymization feature. We actually have a patent for this technology. What this does, is allow administrators and system users to hide users, user names, IP addresses, basically any fields that you want, so that only when an escalation occurs do you have access to the information. From a GDPR perspective, we’re able to provide that level of privacy until the risk level gets to the point where you need to decode that username, so that’s how we’re addressing privacy today. Also, for some organizations, they’re rarely concerned about risk bias, so this feature is helpful. At the same time, the more you mask the data, the more difficult it is for an analyst to discern risk, but at the end of the day, the data speaks for itself.
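As an added illustration of the escalation-gated pseudonymization this answer describes (example code written for this page, not DTEX InTERCEPT’s implementation): identifying fields are replaced with keyed, deterministic pseudonyms so an analyst can still baseline behavior per pseudonym, content fields are dropped at collection, and the real value is only released when the risk score crosses a threshold, with every reveal logged. The field names, the HMAC construction, the threshold and the sample events are all assumptions made here.

```python
import hashlib
import hmac

# Assumed field split: identifiers get pseudonymised, behaviour metadata is kept
# as-is, anything else (message bodies, document content) is never collected.
IDENTIFYING_FIELDS = ("user", "host", "src_ip")
METADATA_FIELDS = ("ts", "activity", "app", "dst", "bytes_out")


class Pseudonymizer:
    """Keyed, deterministic pseudonyms with an escalation-gated reveal."""

    def __init__(self, key: bytes, reveal_threshold: int = 80):
        self._key = key                      # held by a key custodian, not the analyst role
        self._threshold = reveal_threshold   # assumed risk score at which unmasking is allowed
        self._reveal_table = {}              # pseudonym -> real value
        self.reveal_log = []                 # (analyst, pseudonym, risk_score) audit trail

    def _pseudonym(self, field: str, value: str) -> str:
        # HMAC keyed by the custodian key: same input -> same pseudonym (so behaviour
        # can be correlated), but the name cannot be recovered without the key.
        digest = hmac.new(self._key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
        pseudonym = f"{field}_{digest[:16]}"
        self._reveal_table[pseudonym] = value
        return pseudonym

    def collect(self, raw_event: dict) -> dict:
        """Keep metadata, pseudonymise identifiers, silently drop content fields."""
        out = {k: raw_event[k] for k in METADATA_FIELDS if k in raw_event}
        for field in IDENTIFYING_FIELDS:
            if field in raw_event:
                out[field] = self._pseudonym(field, str(raw_event[field]))
        return out

    def can_reveal(self, risk_score: int) -> bool:
        return risk_score >= self._threshold

    def reveal(self, pseudonym: str, risk_score: int, analyst: str) -> str:
        """Unmask one pseudonym; refused (and not logged) below the escalation threshold."""
        if not self.can_reveal(risk_score):
            raise PermissionError(f"risk score {risk_score} below reveal threshold {self._threshold}")
        value = self._reveal_table[pseudonym]
        self.reveal_log.append((analyst, pseudonym, risk_score))
        return value


# Constructed sample telemetry (made up for this example); note the "body" field
# stands in for content that a content-based DLP tool would read and we do not.
RAW_EVENTS = [
    {"ts": "2022-03-01T08:12:00", "user": "jdoe", "host": "LT-0417", "src_ip": "10.20.4.17",
     "activity": "file_upload", "app": "chrome.exe", "dst": "personal-cloud.example",
     "bytes_out": 52_000_000, "body": "CONFIDENTIAL - Q4 forecast"},
    {"ts": "2022-03-01T08:15:00", "user": "jdoe", "host": "LT-0417", "src_ip": "10.20.4.17",
     "activity": "email_send", "app": "outlook.exe", "dst": "mail.example",
     "bytes_out": 1_200, "body": "see attached"},
]


def run_demo():
    """Collect the sample events and return (pseudonymised events, pseudonymizer)."""
    ps = Pseudonymizer(b"constructed-demo-key")
    return [ps.collect(e) for e in RAW_EVENTS], ps


if __name__ == "__main__":
    events, ps = run_demo()
    for e in events:
        print(e)
    print("reveal at risk 95:", ps.reveal(events[0]["user"], 95, "analyst-1"))
```

The pseudonyms are deterministic on purpose: two events from the same person carry the same pseudonym, which is what lets an analyst build a baseline and score risk without seeing who it is. Because the mapping is keyed, the raw table of pseudonyms is useless to anyone who obtains it without the custodian key.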

Q. “You mentioned a specific case where a couple were accused of viewing indecent images of children, but it wasn’t actually them, it was someone using their IP address without their knowledge. So how did you know it wasn’t them? Did you have additional information?”
A. We always have conversations about identifying risks, identifying threats, and mitigating those things. But what is funny is that, especially over the last few years with the increase in remote work, when somebody is at home, they’re on their home Wi-Fi, as well as their corporate Wi-Fi, in many cases. People aren’t as locked down at home as you’d like them to be in the corporate office, right? So we’ve gone through a few incidents where an organization was actually identified and one individual or device seemed to be brute forcing to a server. And actually, when looking at our data, it wasn’t the individual who was logged in. There was no window activity, there was nobody behind the actual physical asset. What we noticed was there was actually a bunch of network interface activity. And so the takeaway was, “Hey, this user wasn’t the actual problem. It was actually the fact that their Wi-Fi was compromised.”

Q. “You mention in the report that you are not publishing the threat indicators around Super Malicious Insiders, but can you share any tips around identifying the profile when they are orchestrating others?”
A. There’s a baseline factor, so there are some oddities in certain aspects. In terms of the exfiltration steps, sometimes the individual doesn’t have the opportunity to actually go out and convince others to perform actions, or others around them are more cyber aware. One thing in an organization that’s really important is to make people aware of these things, and the possibility of others within the organization involving them. Everyone’s on the same team here, but there are cases where they may actually not be. So be aware of situations where people are trying to ask you to do certain things for them. Maybe question it, ask your boss, have that double validation.

Q. “What about external actors soliciting information from insiders?”
A. MITRE recently put out a study, with regards to people being compromised through LinkedIn, by being offered new jobs. They were offered a great job opportunity, great pay, great title increase, etc. But then they were also asked if they would share certain data from the company, or give them access to internal tools. Things of this nature happen all the time.

Q. “Have you seen situations where your solution would have identified user behavior that resulted in exfiltration from databases?”
A. Yes, absolutely, especially in critical infrastructure. Access to servers, databases, using SQL to archive or aggregate data, and exfiltrate that via remote desktop or similar activities. Time and time again, that’s been a problem area and we suggest to our customers to cover the full audit trail. Not just endpoints, not people’s workstations, sometimes they’re just the start of the compromise, like a ransomware or a phishing attack or other forms of compromise. But then at the same time, making sure we know what their access is, and sometimes it’s not as locked down as you may believe. Being able to identify that is really important. We’ve seen use cases where administrators who have access to the system, but maybe not to certain folders, escalate their privileges to areas in the file system they’re not supposed to have access to and they were able to exfiltrate data that way. So monitoring what’s going on in the servers is very important and we recommend not only deploying to workstations, but servers as well for that complete coverage.
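The two investigation patterns described in the answers above (the “brute forcing with nobody behind the keyboard” case a few questions earlier, and the administrator reaching outside their folder scope and then moving data out over remote desktop) both come down to correlating behavior metadata across endpoint and server telemetry. The following is an added example written for this page, not DTEX’s detection logic: it runs two rules over constructed sample events. The event schema, the thresholds, the role scopes and every value in the sample data are assumptions made here.

```python
from datetime import datetime, timedelta

# Constructed behaviour-metadata events (no content), made up for this example.
def ev(ts, host, user, kind, **extra):
    return {"ts": ts, "host": host, "user": user, "kind": kind, **extra}

EVENTS = [
    # Six authentication failures from a laptop to a server at 2 a.m. ...
    *[ev(f"2022-03-01T02:1{m}:{s}", "LT-0417", "jdoe", "net_conn", dst="srv-db-01", result="auth_fail")
      for m, s in ((0, "00"), (0, "30"), (1, "00"), (1, "30"), (2, "00"), (2, "30"))],
    # ... but the first foreground window activity on that laptop is at 9 a.m.
    ev("2022-03-01T09:02:00", "LT-0417", "jdoe", "window_focus", app="outlook.exe"),
    # An admin reads inside their scope, then outside it, then pushes a large RDP transfer.
    ev("2022-03-01T14:00:00", "SRV-FS-02", "adm_rk", "file_access", path=r"\\SRV-FS-02\it\patch_notes.txt"),
    ev("2022-03-01T14:03:00", "SRV-FS-02", "adm_rk", "file_access", path=r"\\SRV-FS-02\finance\q4_forecast.xlsx"),
    ev("2022-03-01T14:09:00", "SRV-FS-02", "adm_rk", "rdp_session", bytes_out=850_000_000),
]

# Assumed per-account folder scope for privileged users (a baseline, not an ACL).
ROLE_SCOPES = {"adm_rk": [r"\\SRV-FS-02\it", r"\\SRV-FS-02\backup"]}

# Event kinds that prove a person was interacting with the device.
INTERACTIVE_KINDS = ("window_focus", "keyboard_input", "mouse_input")


def _t(event):
    return datetime.fromisoformat(event["ts"])


def unattended_auth_burst(events, host, min_failures=5, window=timedelta(minutes=10)):
    """Find a burst of auth failures from `host` and decide whether a person was present.

    Returns None when there is no burst; otherwise a finding whose verdict is
    'unattended_host' (device or network compromised, not the logged-in user) or
    'interactive_user' (someone was at the keyboard during the burst).
    """
    fails = sorted(_t(e) for e in events
                   if e["host"] == host and e["kind"] == "net_conn" and e.get("result") == "auth_fail")
    for i, start in enumerate(fails):
        end = start + window
        burst = [t for t in fails[i:] if t <= end]
        if len(burst) < min_failures:
            continue
        interactive = any(e["host"] == host and e["kind"] in INTERACTIVE_KINDS and start <= _t(e) <= end
                          for e in events)
        return {"host": host, "failures": len(burst), "window_start": start.isoformat(),
                "verdict": "interactive_user" if interactive else "unattended_host"}
    return None


def out_of_scope_access(events, role_scopes, window=timedelta(minutes=30), min_bytes=100_000_000):
    """Flag privileged file access outside the account's scope, with any large RDP transfer that follows."""
    findings = []
    for e in events:
        if e["kind"] != "file_access" or e["user"] not in role_scopes:
            continue
        if any(e["path"].startswith(scope + "\\") for scope in role_scopes[e["user"]]):
            continue  # inside the account's normal folders
        start = _t(e)
        transfers = [x for x in events
                     if x["user"] == e["user"] and x["kind"] == "rdp_session"
                     and 0 <= (_t(x) - start).total_seconds() <= window.total_seconds()
                     and x.get("bytes_out", 0) >= min_bytes]
        findings.append({"user": e["user"], "ts": e["ts"], "path": e["path"],
                         "bytes_out_after": sum(x["bytes_out"] for x in transfers)})
    return findings


if __name__ == "__main__":
    print(unattended_auth_burst(EVENTS, "LT-0417"))
    for f in out_of_scope_access(EVENTS, ROLE_SCOPES):
        print(f)
```

The first rule is the point of the Wi-Fi story: the same burst of failed logons is scored very differently depending on whether any foreground or input activity existed on the host in the same window, which is exactly the metadata an endpoint-only, content-free collector can supply. The second rule only fires from server-side telemetry, which is why the answer recommends deploying to servers and not just workstations.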

We do hold briefings for approved customers and for approved individuals. The DTEX i3 Team is always open to communications and if you need assistance or education, please feel free to reach out.

Listen to the full webinar on-demand here and download the DTEX 2022 Insider Risk Threat Report now.