Nickolas Sharp, a former employee of Ubiquiti, was arrested and charged earlier this month with data theft and attempting to extort his employer. CSO Online has a detailed writeup on the case, which is a clear example of Insider Threat, but there is an interesting twist: Sharp also posed as a whistleblower and an anonymous hacker to try to cover his tracks.
This twist made it undoubtedly more difficult for investigators than a typical Insider Threat case, so we at DTEX checked in with our I3 team to better understand the ins and outs of what made this case tough to crack, potential indicators that could’ve stopped Sharp in his tracks, and behaviors that typically signal that a company is dealing with a malicious insider. Following are some of the key takeaways and lessons learned the I3 team called out.
The Importance of a Dedicated Insider Threat Team
During the investigation, Sharp took part in the response efforts himself, which gave him access to the logs being used as evidence and the ability to manipulate them. In this situation, it would have been ideal for the company to have a dedicated “Insider Threat” team to own the inquiry end to end and ensure that no one within Ubiquiti outside that team had access to the information being collected. Ideally, the company would also have had an insider threat platform behind that team, which could have helped tremendously with early detection, response, and mitigation.
Common Flight Risk Indicators: A Security Team’s Best Friend
A classic flight risk indicator in the Ubiquiti incident is that Sharp searched for another job from his corporate device. That visible interest in a new job could have been grounds to treat him as a person of interest from an insider threat perspective, triggering an investigation to confirm he posed no threat to the business.
Following his job search, Sharp also carried out additional searches that, in context, could have raised a red flag. Malicious insiders commonly search the internet, internal repositories, and company databases to gather the information they need to carry out their scheme, and that is exactly what Sharp did. Logs of users’ searches and repository access within the business could therefore have been key to identifying Sharp in the early phases of his data theft. Taken together, and correlated correctly, the behaviors Sharp carried out could have produced an early warning that this individual warranted a closer look.
Covering Tracks: What to Look For
Beyond the flight risk indicators, the other notable point is that Sharp used a VPN to anonymize his activity, which is a slam dunk indicator of intent. The sequence of activities itself was not convoluted; it is the deliberate effort to cover his tracks that speaks volumes about Sharp’s underlying intention.
Based on our experience at DTEX, it’s incredibly important to look for these indicators to proactively detect and mitigate these types of threats. While not a silver bullet, knowing what types of activity to look for within the enterprise is the first and most crucial step to identifying malicious insiders and stopping them from carrying out attacks.
For example, with the data we collect through our platform, the forensic audit trail would likely have identified the culprit during the investigation, provided Ubiquiti required employees to be on the corporate network to access customer systems. Although it could be considered normal for the individual to access the systems they did, it would be extremely unusual for them to export and exfiltrate data, especially in such a large volume.
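The indicators called out above (job searching from a corporate device, a sweep of internal repositories, anonymizing VPN use, and an unusually large data export) are each weak on their own; the point of the post is that they become a strong signal once aggregated and correlated per user in time order. The script below is an added example, not DTEX code or anything from the DTEX platform, showing one way to do that correlation over a constructed, in-memory event list. The event schema, the job-search keyword list, the corporate VPN allowlist, the thresholds and the indicator weights are all illustrative assumptions; a real deployment would derive the thresholds from each user's own baseline.

```python
"""Correlate per-user insider-threat indicators from endpoint and access logs.

Added example, not DTEX code. Every threshold, keyword and weight below is
an illustrative assumption; the event records are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# ---- Constructed sample events (not real Ubiquiti logs) --------------------
# Each record: ISO timestamp, user, event type, detail.
# detail is the search text, repository name, VPN provider, or bytes exported.
SAMPLE_EVENTS = [
    ("2021-12-01T09:02:00", "alice", "web_search", "quarterly roadmap template"),
    ("2021-12-01T09:30:00", "alice", "repo_access", "infra-docs"),
    ("2021-12-01T10:00:00", "alice", "vpn_connect", "corp-vpn"),
    ("2021-12-01T10:05:00", "alice", "data_export", "20000000"),        # 20 MB
    ("2021-12-02T08:15:00", "bob", "web_search", "linkedin jobs senior devops"),
    ("2021-12-02T08:20:00", "bob", "web_search", "resume template 2021"),
    ("2021-12-03T21:40:00", "bob", "repo_access", "infra-docs"),
    ("2021-12-03T21:52:00", "bob", "repo_access", "customer-db-schemas"),
    ("2021-12-03T22:05:00", "bob", "repo_access", "cloud-account-inventory"),
    ("2021-12-04T01:10:00", "bob", "vpn_connect", "anon-vpn-example"),
    ("2021-12-04T01:30:00", "bob", "data_export", "2400000000"),        # 2.4 GB
]

# ---- Illustrative assumptions (tune against your own baselines) -------------
JOB_SEARCH_TERMS = ("jobs", "careers", "linkedin", "indeed", "resume", "recruiter")
CORPORATE_VPNS = {"corp-vpn"}         # any other provider is treated as an anonymizer
REPO_SWEEP_THRESHOLD = 3              # distinct repositories touched in the window
BULK_EXPORT_BYTES = 500_000_000       # 500 MB exported in the window
WEIGHTS = {"flight_risk": 2, "repo_sweep": 2, "anonymizer": 3, "bulk_export": 4}
INVESTIGATE_SCORE = 6                 # triage threshold for a person of interest


@dataclass
class UserProfile:
    indicators: dict = field(default_factory=dict)   # indicator -> first-seen time
    repos: set = field(default_factory=set)
    export_bytes: int = 0

    @property
    def score(self) -> int:
        return sum(WEIGHTS[name] for name in self.indicators)


def _mark(profile: UserProfile, name: str, when: datetime) -> None:
    # Keep only the first time an indicator fired so the chain order is stable.
    profile.indicators.setdefault(name, when)


def build_profiles(events):
    """Fold raw events, in time order, into per-user indicator sets."""
    profiles = defaultdict(UserProfile)
    for ts, user, kind, detail in sorted(events, key=lambda e: e[0]):
        p = profiles[user]
        when = datetime.fromisoformat(ts)
        if kind == "web_search":
            if any(term in detail.lower() for term in JOB_SEARCH_TERMS):
                _mark(p, "flight_risk", when)
        elif kind == "repo_access":
            p.repos.add(detail)
            if len(p.repos) >= REPO_SWEEP_THRESHOLD:
                _mark(p, "repo_sweep", when)
        elif kind == "vpn_connect":
            if detail not in CORPORATE_VPNS:
                _mark(p, "anonymizer", when)
        elif kind == "data_export":
            p.export_bytes += int(detail)
            if p.export_bytes > BULK_EXPORT_BYTES:
                _mark(p, "bulk_export", when)
    return dict(profiles)


def persons_of_interest(events):
    """Users whose correlated score reaches the triage threshold, highest first,
    each with its indicators listed in the order they first appeared."""
    hits = []
    for user, p in build_profiles(events).items():
        if p.score >= INVESTIGATE_SCORE:
            chain = sorted(p.indicators, key=p.indicators.get)
            hits.append((user, p.score, chain))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for user, score, chain in persons_of_interest(SAMPLE_EVENTS):
        print(f"{user}: score={score} chain={' -> '.join(chain)}")
```

Run as-is, only `bob` crosses the threshold, and the reported chain (`flight_risk -> repo_sweep -> anonymizer -> bulk_export`) reproduces the sequence the post describes: job search first, then an unusual spread of repository access, then anonymized connectivity, then a large export. `alice` touches one repository, uses the corporate VPN and exports 20 MB, so she scores zero; the same events that look routine for her are what make `bob`'s chain stand out once correlated.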