In our previous post on the Insider Threat Kill Chain we discussed how indicators of Reconnaissance efforts are different for insider attacks.
The second step of the kill chain for outside threats is Weaponization: crafting the code needed to execute the attack, based on reconnaissance of the target. In contrast, the next step in the kill chain for insiders is Circumvention: determining how to avoid detection by internal defenses.
A malicious insider may know where the desired information is stored, but also knows that the organization is capable of monitoring or blocking actions. They may even know which insider threat detection or data loss prevention solution is being used.
Circumvention activities are those that an attacker might use to bypass existing security controls. These can include using VPNs or “Incognito Mode” to hide an IP address or search history, and using private browsers like Tor or personal hotspots to browse anonymously. An attacker may also use non-corporate private messaging tools instead of the official Slack or Teams applications. Additional Reconnaissance activities can also be part of circumvention, including searching for “how to” articles on using hacking tools or bypassing security controls.
It is important to remember that all these activities can also be benign. If an employee needs to conduct personal banking or access a healthcare provider while at work she may elect to use a VPN to protect her privacy. Employees may use free, open source messaging to avoid lengthy approval processes or simply to get work done faster. Research on cybersecurity tools may be a normal activity for a security team member or part of new vendor research for finance.
Context is a required element when determining whether an action is malicious or not. This can be determined by comparing the action to past actions of that individual and of individuals in similar roles. When an engineer or product manager is transferred to a new project, she will likely access information and file stores that she has never accessed before. Accessing that information is a job requirement, not an attack. To stop attacks at this stage of the kill chain while allowing legitimate activity to proceed unhindered, defenses against insider attacks need to be able to differentiate between the two.
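The comparison described above can be sketched as a two-stage baseline check: first against the individual's own history, then against peers in the same role or project. This is an added example, not code from the original post or from any product; the activity labels, the peer-group names, the 50% threshold and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample history: (user, peer_group, activity). Not real log data.
HISTORY = [
    ("alice", "security", "security_tool_research"),
    ("bob", "security", "security_tool_research"),
    ("bob", "security", "vpn_use"),
    ("carol", "finance", "vendor_research"),
    ("dave", "finance", "vendor_research"),
    ("erin", "project_x", "access:project_x_files"),
    ("frank", "project_x", "access:project_x_files"),
]

def build_baselines(history):
    """Index past activity per user and per peer group."""
    by_user = defaultdict(set)                        # user -> activities seen
    by_group = defaultdict(lambda: defaultdict(set))  # group -> activity -> users
    members = defaultdict(set)                        # group -> known users
    for user, group, activity in history:
        by_user[user].add(activity)
        by_group[group][activity].add(user)
        members[group].add(user)
    return by_user, by_group, members

def context_for(event, baselines, peer_threshold=0.5):
    """Label an event by the context that explains it, if any."""
    user, group, activity = event
    by_user, by_group, members = baselines
    # Stage 1: has this individual done this before?
    if activity in by_user.get(user, set()):
        return "matches_own_history"
    # Stage 2: is it normal for people in the same role or project?
    peers = members.get(group, set()) - {user}
    if peers:
        doing_it = by_group.get(group, {}).get(activity, set()) - {user}
        if len(doing_it) / len(peers) >= peer_threshold:
            return "matches_peer_group"
    # No context explains it: hand to an analyst, do not auto-block.
    return "needs_review"

BASELINES = build_baselines(HISTORY)
```

With this data, a newly transferred engineer's first access to `project_x` files is labelled `matches_peer_group`, which is the transfer case described above, while a finance user starting a Tor browser has neither kind of context and is labelled `needs_review`.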