We live in a world where breaches are now inevitable. Few would argue with this statement, yet many enterprises have not adapted their broader cyber security strategy to reflect our new shared reality—the need for cyber resilience. Last year, the Ponemon Institute found 56 percent of organizations have suffered a data breach of some sort that was caused by a trusted employee or a third-party supplier or contractor, but cyber security spend today remains inordinately focused on guarding the perimeter.
Despite understanding the risk of insider threats and increasing evidence of the damage that they can inflict, most organizations are not adequately prepared to detect or quickly respond to such attacks. Vulnerabilities will be found and exploited. Threats will evolve to infiltrate even the most sophisticated defenses. And when this happens, organizations must not be caught flat-footed, or they’ll find themselves scrambling to deal with repeated breaches, leaks, and compromises.
Attacked from Within
An insider threat is posed by an authorized but malicious user with permission to access sensitive servers or data. As a trusted user with network access, they are in a position to compromise, expose, steal, and exfiltrate confidential data, intentionally or unintentionally. There are many possible motives for a user to leak or compromise data. The following cases illustrate how widespread insider threats have become and why prevention techniques have repeatedly proven insufficient:
- Texas Lottery: An employee at the Texas Lottery Commission copied the personal information of more than 100,000 individuals onto computer disks—including names, addresses, Social Security numbers, and lottery prize amounts of the winners—claiming that he wanted to retain it for possible future reference as a programmer at other state agencies.
- New York State Electric & Gas: In 2012, an insider working for a software consulting firm doing work for New York State Electric & Gas and Rochester Gas & Electric accessed the Social Security numbers, birth dates, and some personal account information of nearly two million customers of the utilities.
- Apple’s Autonomous Vehicle Program: This year, federal prosecutors charged an ex-Apple employee with copying more than 40GB worth of Apple’s intellectual property to his wife’s laptop before departing the company and joining a Chinese EV company called Xpeng Motors. Xpeng quickly terminated the employee for cause, and the man was arrested before boarding a flight from San Jose to Hangzhou.
- Verizon: Verizon suffered a data breach that exposed six million customer records. The actual breach, however, was caused by a third-party customer service analytics vendor, Nice Systems. Nice Systems stored six months of customer service call logs—including account and personal information of the Verizon customers—on a poorly configured Amazon S3 storage server that was exposed to the public.
Detecting Malicious – or Suspicious – Insider Activity
How can an organization effectively detect and identify suspicious or malicious insider activity? Behavior monitoring is one approach—but it’s susceptible to delays in threat discovery, and often produces misleading results or false positives. Sifting through the noise and separating an actual threat from an employee who simply needed to get some work done over the weekend increases complexity and creates additional work for security teams. However, there are a few important signals to watch for:
- Attempts by authorized users to access unauthorized servers or sensitive data
- Authorized users accessing or requesting access to information that is unrelated to their roles or job duties
- Theft of authorized user credentials (harvesting)
Thwarting Insider Attacks with Deception Technology
With any detected intrusion, early visibility and accelerated response to the attack are equally critical. Deception technology has proven adept at both, as it is the quickest and easiest way to detect suspicious or malicious activity from insiders. The “3 D’s” of deception technology—deceive, detect, and defend—ensure that IT security personnel can effectively identify and thwart insider attacks without increasing complexity or adding unnecessary noise. Certain deception solutions, such as the Attivo Networks ThreatDefend™ platform, also provide the forensic evidence necessary to prove that the attack occurred, giving the organization the ability to drill down and analyze details to enable quick attribution.
The Last Line of In-Network Defense
With attack methods and the threat landscape constantly evolving, there is no way to prevent 100 percent of attacks—especially in situations where an adversary is an insider with authorized access to network resources and sensitive data. While there are other detection security controls, attempts to analyze log data or monitor for anomalous behavior create added complexity and are plagued by false positive alerts. But deception technology has proven to be an effective way to outmaneuver any adversary, no matter how privileged or knowledgeable they are about the network. It gives organizations the tools they need to quickly and accurately detect and identify suspicious or malicious insider activity, and finally provides the proof needed to take decisive and substantiated action.
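To make the three signals listed under “Detecting Malicious – or Suspicious – Insider Activity” and the decoy-based detection described under “Thwarting Insider Attacks with Deception Technology” concrete, here is an added example in Python. It is not code from the original post, from LP3, or from the Attivo ThreatDefend platform. It runs over a constructed access log (the hostnames, accounts, roles, and the decoy host and decoy credential are all made up for the example) and emits two kinds of alerts: role-based ones, which are the noisy “did this person just work over the weekend?” kind that need triage, and decoy hits, which are high-confidence because nothing legitimate should ever touch a decoy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real data). One event per line:
# ISO timestamp, account, source host, target host, data label, outcome.
SAMPLE_LOG = """\
2019-03-04T09:01:10 alice ws-12 fin-db-01 finance success
2019-03-04T09:02:41 alice ws-12 fin-db-02 finance success
2019-03-04T09:05:03 bob ws-07 hr-db-01 hr success
2019-03-04T09:06:30 bob ws-07 fin-db-01 finance success
2019-03-04T09:07:12 bob ws-07 eng-git-01 source failure
2019-03-04T09:10:00 carol ws-31 hr-db-01 hr success
2019-03-04T09:11:15 carol ws-18 hr-db-01 hr success
2019-03-04T09:12:40 carol ws-22 fin-db-02 finance failure
2019-03-04T09:14:05 dave ws-40 fin-db-backup finance success
2019-03-04T09:15:20 svc-backup ws-40 hr-db-01 hr success
"""

# Hypothetical role model: which hosts and data labels each role may touch.
ROLE_OF = {"alice": "finance", "bob": "hr", "carol": "hr", "dave": "engineering"}
ALLOWED_HOSTS = {"finance": {"fin-db-01", "fin-db-02"}, "hr": {"hr-db-01"},
                 "engineering": {"eng-git-01"}}
ALLOWED_LABELS = {"finance": {"finance"}, "hr": {"hr"}, "engineering": {"source"}}

# Constructed deception assets: a decoy server that no production path leads to,
# and a planted credential that no legitimate process uses.
DECOY_HOSTS = {"fin-db-backup"}
DECOY_ACCOUNTS = {"svc-backup"}

# Credential-harvesting heuristic: one account used from this many distinct
# source hosts inside the window is suspicious.
HARVEST_WINDOW = timedelta(minutes=10)
HARVEST_MIN_HOSTS = 3


def parse_log(text):
    """Parse the whitespace-separated log format above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, target, label, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "src": src, "target": target, "label": label,
                       "outcome": outcome})
    return events


def classify_event(ev):
    """Return the list of reasons this single event is suspicious (empty if none)."""
    reasons = []
    if ev["account"] in DECOY_ACCOUNTS:
        reasons.append("decoy_account_used")
    if ev["target"] in DECOY_HOSTS:
        reasons.append("decoy_host_touched")
    role = ROLE_OF.get(ev["account"])
    if role is None:
        # A decoy account has no role by design; any other unknown account is itself a signal.
        if ev["account"] not in DECOY_ACCOUNTS:
            reasons.append("unknown_account")
        return reasons
    if ev["target"] not in ALLOWED_HOSTS[role]:
        reasons.append("unauthorized_host")       # signal 1: server outside the role
    if ev["label"] not in ALLOWED_LABELS[role]:
        reasons.append("off_role_data")           # signal 2: data unrelated to the role
    return reasons


def credential_harvesting_alerts(events):
    """Signal 3: flag accounts seen from many distinct hosts within a short window."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev["account"]].append(ev)
    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            hosts = {e["src"] for e in evs[i:] if e["ts"] - first["ts"] <= HARVEST_WINDOW}
            if len(hosts) >= HARVEST_MIN_HOSTS:
                alerts.append({"ts": first["ts"].isoformat(), "account": account,
                               "src": None, "target": None, "severity": "medium",
                               "reasons": ["credential_harvesting_suspected"],
                               "hosts": sorted(hosts)})
                break  # one alert per account is enough for triage
    return alerts


def analyze(text):
    """Run every detector over the log; decoy hits are high severity, the rest medium."""
    events = parse_log(text)
    alerts = []
    for ev in events:
        reasons = classify_event(ev)
        if reasons:
            severity = "high" if any(r.startswith("decoy") for r in reasons) else "medium"
            alerts.append({"ts": ev["ts"].isoformat(), "account": ev["account"],
                           "src": ev["src"], "target": ev["target"],
                           "severity": severity, "reasons": reasons})
    alerts.extend(credential_harvesting_alerts(events))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["severity"], a["account"], a["target"], ", ".join(a["reasons"]))
```

The split in severity is the point: the role-based checks fire on bob’s and carol’s off-role lookups, which may or may not be legitimate, whereas dave touching the decoy server and the planted svc-backup credential being used cannot have an innocent explanation, and each of those alerts already carries the source host, account, and timestamp needed for attribution.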
Deception Implementation
As with any cyber security tool, effective implementation is key. It might make sense to closely compartmentalize who on your team even knows that deception is deployed in the enterprise—especially if you have a large number of individuals with administrative access. Properly configuring the deception hosts ensures they look real to an insider or external attacker looking to move laterally in your enterprise. Our team can quickly deploy on appliances or virtual machines with no agents required. With lessons learned from nationwide retailers and global financial organizations, LP3 and Attivo can help you implement a cost-effective and highly capable deception solution for your enterprise.
The ability to act immediately with zero false positives is highly beneficial for improving cyber security resilience, eliminating or significantly reducing the impact of breaches and compromises. What’s the ROI? One breach…typically less than a year. Deception technology is something any large enterprise needs to consider.