The insider threat has been a major risk to governments and organizations around the world for many years. High-profile examples are numerous: Nick Leeson and the collapse of Barings Bank, Jeffrey Skilling, the former Enron President, and, more recently, the intelligence leaks by Bradley Manning, Edward Snowden and Reality Winner that disclosed sensitive information damaging to the security and reputation of the United States.
These cases are a reminder of how much damage a trusted insider can do: they hold legitimate, often elevated, access and can therefore leak sensitive data without tripping controls that were designed to keep outsiders out. Such behavior has been controversial for years, and it will long be debated whether Snowden is a hero, a whistle-blower, a patriot or a traitor. The hacker community had always assumed that governments were conducting mass surveillance of citizens, but it was not confirmed until Snowden revealed the documents that proved its existence and started a huge debate about government surveillance, encryption, national security and privacy.
Another topic of recent debate has been the disclosure of NSA hacking tools that are now freely available online. This lets hackers and cyber-criminals reuse powerful tooling that was created for national security purposes, political advantage or intelligence gathering against other nation states. It was a contributing factor to the recent major cyber-attacks in which ransomware such as WannaCry and NotPetya used those tools (notably the EternalBlue SMB exploit, which Microsoft had already patched as MS17-010 before the outbreaks) to cause disruption and fear around the world.
Insiders are thought to play a part in a large share of all data breaches. Some of these are intentional abuse or misuse. Many, however, are unintentional misconfigurations or accidental data loss, or cases where the employee was the victim of a targeted phishing campaign and unknowingly handed their credentials to an external attacker. The attacker was then able to use that access to walk straight past expensive and complex security controls undetected.
In some cases, employees who have left the organization still have active credentials, often for months after walking out the door. For a disgruntled former employee it is then easy to return and cause significant financial damage. The definition of the term 'insider threat' is evolving, and the criminal underworld is quietly exploiting this weakness that many organizations have yet to discover. We are entering the era of the cyber security digital inside trader.
Era of the Cyber Security Digital Inside Trader
This new cyber security digital inside trader is in fact an external cyber-criminal who has stolen valid credentials and a trusted identity, giving them access to the most sensitive confidential information the company holds, including financial details and forecasts. For this cyber-criminal the goal is NOT to install malware or disruptive ransomware to force a pay-out; they do not even steal the data or threaten to disclose it. Just as nation-state cyber units keep their surveillance tools hidden and undisclosed, and quietly use them to gather intelligence or political advantage over adversaries and allies alike, these criminals do not want to be detected and employ the same tradecraft. Their goal, however, is financial gain, and to achieve it they must remain hidden from their unsuspecting victims.
Information gathering – Passive Assessment
Before the attack begins, these cyber-criminals build a detailed digital footprint of potential targets. Typically this is done by correlating large volumes of public data, with algorithms selecting companies that are stock-market listed, have patents pending, active lawsuits or regulatory approvals, an upcoming IPO, or are considered likely acquisition targets.
They then comb through this data for the targets expected to yield the highest return, and once a target is chosen the active targeting of the victim begins. Usually it starts with collecting a digital footprint of the target's employees and their family relations, organizational structure, public data, software versions, supply chain, third-party vendors and contractors. All of this can be obtained without touching the company's security perimeter, a technique known as passive assessment. Once the weakest link has been identified, typically an employee or a third-party vendor, and with enough knowledge of personal details, email formats, invoice templates and existing security controls, the cyber-criminals can begin the active phase of gaining access.
Human factors, Identities, and Vulnerabilities
If we look at why many of the breaches of the past year occurred, it comes down to three major factors: human factors, identities and credentials, and vulnerabilities. In the digital age most people share more information via social media, leaving them far more exposed to social engineering and targeted spear-phishing attacks. The ultimate goal is to compromise systems to commit financial fraud, or to steal identities in order to access the company the target was entrusted to protect. A stolen identity gives the attacker the means to bypass the traditional security perimeter undetected, and if that identity has access to privileged accounts they can easily go on to carry out insider trading.
Email and social media continue to be the weapons of choice. It takes only a secondary victim, an unsuspecting employee who receives an authentic-looking email from a third-party supplier, to click once on a hyperlink and it is game over for that endpoint. The employee has handed over their password and digital identity for the cyber-criminal to use to bypass security controls and pose as a trusted employee.
The cyber-criminal then spends time learning the behavior of the employee and the other predictable schedules and operations of the victim organization: when the victim logs on and off, which applications they run and what is installed, what privileges they hold, how and when software updates are deployed, and when security scans occur. All of this tells the cyber-criminal how the stolen, trusted identity can remain hidden, and for how long.
Many organizations schedule almost all operational tasks because resource and budget constraints push them to automate as much as possible. Automation has its benefits, but it also brings predictability, which lets cyber-criminals build a calendar of operations and choose the best timing for each step: elevating permissions, exploiting unpatched systems and moving laterally across the network to find the sensitive data that leads to the financial reward.
Once the normal operational routines have been mapped, the next step is to move closer to the goal, typically by exploiting well-known system vulnerabilities. Many companies struggle to patch frequently enough, and in some cases systems are left unpatched for months. Companies often focus on perimeter-facing systems and applications, yet these are typically not the ones exploited at this stage; the systems and applications at risk are those on the same network as the compromised employee's computer and digital identity.
Elevating privileges is one of the most important steps, and unfortunately some companies have made it very easy by granting most employees local administrator rights, which is only a short step from full access to the entire network infrastructure. Some organizations grant full admin rights in specific situations just to keep staff happy, even where they are not needed. The result is that if the digital identity is compromised, the privileged access transfers to the cyber-criminal along with it, and they can do whatever they need to carry out their activity.
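The predictability described above cuts both ways: a stolen identity used at 3 a.m. from a workstation its owner has never touched looks nothing like the owner's own routine. The following is an added example, not code from the original article, showing the simplest form of that check: build each user's baseline of logon hours and source hosts from past successful logons, then score new logons against it. The log format (timestamp, user, source host, result), the two-week constructed baseline and the one-hour tolerance are all assumptions for the example.

```python
"""Baseline each user's normal logon hours and hosts, then flag deviations.

Added example. Log lines are constructed; the format
"<ISO timestamp> LOGON user=<name> src=<host> result=<outcome>" is an
assumption, not any product's real schema.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r"^(\S+) LOGON user=(\S+) src=(\S+) result=SUCCESS$")


def parse(line):
    """Return (timestamp, user, src) for a successful logon line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, user, src = m.groups()
    return datetime.fromisoformat(ts), user, src


def _lines(user, src, hours, days):
    """Constructed history: one logon per listed hour on each listed June day."""
    return [f"2017-06-{d:02d}T{h:02d}:{(d * 7 + h) % 60:02d}:00 "
            f"LOGON user={user} src={src} result=SUCCESS"
            for d in days for h in hours]


# Constructed two-week baseline: a 9-to-5 finance user and a night-shift operator.
BASELINE = (_lines("ajones", "WS-114", [8, 9, 13, 17], range(5, 17))
            + _lines("nightops", "OPS-02", [22, 23, 0, 1, 5], range(5, 17)))

# Constructed new events to score.
NEW_EVENTS = [
    "2017-07-03T03:12:44 LOGON user=ajones src=WS-230 result=SUCCESS",   # wrong hour, new host
    "2017-07-03T10:05:00 LOGON user=ajones src=WS-114 result=SUCCESS",   # normal
    "2017-07-04T01:40:00 LOGON user=nightops src=OPS-02 result=SUCCESS", # normal for nights
    "2017-07-04T23:30:00 LOGON user=ajones src=WS-114 result=SUCCESS",   # own host, wrong hour
    "2017-07-04T09:00:00 LOGON user=svc-backup src=SRV-09 result=SUCCESS",  # never seen before
]


def build_baseline(lines):
    """Per user: the set of hours-of-day and source hosts seen in past logons."""
    hours, hosts = defaultdict(set), defaultdict(set)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, user, src = parsed
        hours[user].add(ts.hour)
        hosts[user].add(src)
    return {"hours": hours, "hosts": hosts}


def _near(hour, known, tolerance=1):
    """True if `hour` is within `tolerance` of any known hour, wrapping at midnight."""
    return any(min(abs(hour - k), 24 - abs(hour - k)) <= tolerance for k in known)


def score_event(line, baseline):
    """Return the event with a list of reasons it deviates from the baseline."""
    parsed = parse(line)
    if parsed is None:
        return None
    ts, user, src = parsed
    reasons = []
    if user not in baseline["hours"]:
        reasons.append("no_baseline")          # nothing to compare against yet
    else:
        if not _near(ts.hour, baseline["hours"][user]):
            reasons.append("unusual_hour")
        if src not in baseline["hosts"][user]:
            reasons.append("new_source")
    return {"user": user, "time": ts.isoformat(), "src": src, "reasons": reasons}


def triage(new_lines, baseline_lines):
    """Score every new logon against a baseline built from the history."""
    baseline = build_baseline(baseline_lines)
    return [score_event(line, baseline) for line in new_lines]


if __name__ == "__main__":
    for r in triage(NEW_EVENTS, BASELINE):
        flag = ", ".join(r["reasons"]) or "ok"
        print(f"{r['time']} {r['user']}@{r['src']}: {flag}")
```

Only the first, fourth and fifth events are flagged. An attacker who has done the homework the article describes will try to log on inside the victim's usual hours from the victim's usual machine, so a baseline on hours and hosts alone is a floor, not a ceiling; the same structure extends to the applications run, the privileges used and the data touched, which are harder to mimic.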
Take care of the Keys to the Kingdom
Privileged accounts are among the most sensitive accounts within an organization and are sometimes referred to as "the keys to the kingdom". They unlock the ability to move around a company's networks and systems and to reach confidential and sensitive data. Many high-profile data breaches result from stolen or weak passwords, which provide the initial access; the attackers then target privileged accounts to elevate permissions, allowing them to move around undetected, sometimes for months.
Unfortunately, many IT users lack a full understanding of how privileged accounts function, as well as the risks associated with their compromise and misuse. That makes them and their organizations much more vulnerable to potential monetary and reputational damage from increasing threats. Privileged accounts are everywhere in the IT environment. They give IT the building blocks for managing vast networks of hardware and software that power the information-driven world. Yet for most people, they’re invisible.
A privileged account can be human or non-human; they exist to allow IT professionals to manage applications, software and server hardware. Privileged accounts provide administrative or specialized access based on higher levels of permission, and in practice they are often shared between several people or systems. One type of non-human privileged account is the application or service account used to run services that require specific permissions. Like user accounts, privileged accounts are protected by passwords, and many tools exist to help attackers crack or steal those passwords. Once an attacker has access to a password-protected system, the damage can be catastrophic: hijacking a privileged account gives them the ability to access and view an organization's most sensitive data, create backdoors, bypass existing security controls and erase audit trails to hide their activity.
How the targeted attack is executed
Once privileges have been elevated and the network topology mapped, the cyber-criminal typically reuses the very tools the business relies on to operate and that IT uses to manage systems remotely. They can avoid the scheduled security scans and, in some cases, use the victim's own tooling for their reconnaissance: PowerShell, PsExec, WMIC and SNMP, for example. Because administrators use the same tools every day, this activity blends in with legitimate operations.
This is one reason why systems-management and security tools need strong security and strict access controls: to ensure they are not abused in this way. Having gained a foothold, the cyber-criminal looks both at where security is typically tighter and at the systems of employees known to hold more sensitive data; this is often the finance team or the company's legal representatives. All of this was prepared in the passive-assessment phase, when the digital footprint of the company was built, so they know exactly who the company's financial auditor, accountant or lawyer is and have already mapped out the best way to compromise their digital identity and systems.
The aim of the digital insider is to obtain sensitive information in order to carry out what is commonly known as insider trading: making large sums of money on the stock market using privileged, confidential knowledge of a company's performance and financial results. Having discovered the company's upcoming financial results before they are publicly released, or the outcome of a pending legal decision, the cyber-criminals can place seemingly legitimate trades just like any other investor, with the difference that they already know the outcome. Knowledge of confidential information is one of the most dangerous risks on the internet today.
For cyber-criminals, the model is to hack into organizations, remain hidden, learn the confidential financial details and profit without ever being detected. The insider-trading threat has evolved, and defences need to evolve with it to prevent and detect such attacks.
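The tool reuse described under "How the targeted attack is executed" does leave traces, because remote execution through PsExec, WMIC and PowerShell has recognisable shapes in process-creation and service-install telemetry. The following is an added example, not code from the original article, that runs a handful of such rules over constructed event records: a PsExec service install, a process spawned by the WMI provider host (what remote `wmic ... process call create` looks like on the target), a `wmic /node:` call on the source, and an encoded PowerShell command line. The normalised field names (event_id, image, parent, cmdline, service_name, image_path) are an assumption about an ingestion schema, not any product's real one.

```python
"""Detection rules for admin-tool reuse over constructed Windows event records.

Added example. The records below are constructed; event IDs 4688 (process
creation) and 7045 (service installed) are real Windows event IDs, but the
flattened field names are assumptions about a normalised schema.
"""
import re

# -e / -ec / -enc / -EncodedCommand followed by a long base64 blob.
ENCODED_PS = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
# wmic targeting another host and creating a process there.
WMIC_REMOTE = re.compile(r"(?i)/node:\S+.*process\s+call\s+create")
# The service PsExec installs on the target (name is configurable, so this is a floor).
PSEXEC_SVC = re.compile(r"(?i)psexesvc")

# Constructed telemetry: a finance workstation pivoting to a finance server.
EVENTS = [
    {"host": "FIN-WS07", "event_id": 4688,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'wmic /node:FIN-SRV01 /user:corp\jsmith process call create "cmd /c whoami > c:\t.txt"'},
    {"host": "FIN-SRV01", "event_id": 4688,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"cmd /c whoami > c:\t.txt"},
    {"host": "FIN-SRV01", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "FIN-SRV01", "event_id": 4688,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\PSEXESVC.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "FIN-WS07", "event_id": 4688,   # benign: a scheduled script, no encoding
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\nightly-report.ps1"},
]


def classify(event):
    """Return the technique labels one event matches (empty list if none)."""
    hits = []
    eid = event.get("event_id")
    if eid == 7045:
        if (PSEXEC_SVC.search(event.get("service_name", ""))
                or PSEXEC_SVC.search(event.get("image_path", ""))):
            hits.append("psexec_service_install")
    elif eid == 4688:
        image = event.get("image", "").lower()
        parent = event.get("parent", "").lower()
        cmd = event.get("cmdline", "")
        if image.endswith("wmic.exe") and WMIC_REMOTE.search(cmd):
            hits.append("wmic_remote_exec")          # seen on the source host
        if parent.endswith("wmiprvse.exe") and not image.endswith("wmiprvse.exe"):
            hits.append("wmi_spawned_process")       # seen on the target host
        if image.endswith("powershell.exe") and ENCODED_PS.search(cmd):
            hits.append("encoded_powershell")
        if parent.endswith("psexesvc.exe"):
            hits.append("psexec_child")              # whatever PsExec was told to run
    return hits


def scan(events):
    """Apply classify() to every record and keep only the ones with hits."""
    findings = []
    for e in events:
        hits = classify(e)
        if hits:
            findings.append({"host": e["host"], "event_id": e["event_id"], "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f['host']} [{f['event_id']}] {', '.join(f['hits'])}")
```

Four of the five records fire; the scheduled `-File` script does not. These tools are used by legitimate administrators every day, so each hit is a lead to be correlated with who ran it, from where and when (the baseline of hours and hosts is exactly what the attacker studied), not a verdict on its own. A renamed PsExec service or a non-encoded PowerShell download cradle will slip past these particular patterns, which is why the rules should be treated as a starting set rather than a complete one.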
Note: This article was first published in Elsevier Computer Fraud & Security, Volume 2017, Issue 8, August 2017, Pages 12-15.