The man who had just stormed out on Justin Fier still hadn’t returned, but the room could see what he was up to.
Fier, director of cyber intelligence and analytics at Darktrace, had been explaining his company’s cyber AI product to the IT department of a new client. But the disgruntled staffer wasn’t having it. He was a legacy-minded sort — not a believer in the newfangled anomaly detection software Darktrace made.
Less than 10 minutes later, a security alert fired on the presentation screen. Within a minute, it was clear from how the person was moving through the network and obfuscating their ports to bypass firewalls that it was someone on the client’s own networking or security team.
The room chuckled. “That’s the guy you just got in an argument with,” someone told Fier.
Turns out, the man’s intentions weren’t as nefarious as they may have initially seemed. He was sending security logs — about 150 megabytes — back to his house for off-hours work.
“It was not malicious intent at all, [but] it was introducing risk to the environment,” Fier said.
“It’s important to know, when talking insider threats, the difference between malicious intent and the unintentional — two very different types of insider, two very deadly types of insider,” Fier added.
What Are Insider Threats?
The term “insider threat” might conjure images of hoodie-cloaked hackers, bribed by bad actors to install malware on their employer’s systems. That does happen. It nearly happened last year to Tesla — aside from the hoodie part. Or it might bring to mind an update on Stasi-style Cold War tricks, with someone installing clandestine devices into the network. That happened last year, too, with a tiny Raspberry Pi computer.
But “insider threat” refers to any kind of cybersecurity hazard caused by employee behavior, whether that’s someone taking the bait on a phishing attempt or inviting risk by recycling weak passwords. Or, as Fier’s example shows, it can mean negligence on the part of those who enjoy very privileged access.
How Do Insider Threats Manifest?
Security and cryptography expert Bruce Schneier has a quote that’s well known in cyber circles: “Amateurs hack systems, professionals hack people.” That remains the operating principle for most cybercriminals. Even though, say, the email masquerading as the company CEO, prodding for some urgent task, is so well known as to be a cliche, successful phishing attempts still outpace other forms of cybercrime.
According to the FBI, there were 241,342 reported phishing victims in 2020. (That figure includes vishing, or video or AI phishing attempts; smishing, or SMS phishing; and pharming, or commandeering a website’s traffic to a fake site.) The number is more than twice as high as the method with the second-highest victim count: non-payment/non-delivery, in which the victim doesn’t receive what they paid for or doesn’t receive payment for what they’ve shipped.
And the problem is growing. Phishing complaints jumped from just 26,379 in 2018 to 114,702 in 2019. That figure more than doubled in 2020, ballooning to 241,342 complaints, according to the FBI.
Types of Insider Threat:
- Insiders with malicious intent.
- Employees susceptible to phishing or ransomware scams.
- Business email compromise.
- Misconfigured systems.
- Lax password management.
- Missing or compromised firewalls, intrusion detection or antivirus/anti-spyware software.
Business Email Compromise
There’s also a subset of cybercrime known as business email compromise (BEC), which just means someone takes over a legitimate business email account to attack or extort the institution. BEC isn’t, by definition, phishing enabled by an insider’s mistake: hackers sometimes take over accounts through brute technical force rather than social engineering. But BEC perpetrators do often worm into email accounts via successful phishing.
And seemingly because they look perfectly legitimate to whoever’s on the receiving end, BEC attacks are incredibly costly. BECs resulted in more victim loss, a whopping $1.8 billion, than any other cybercrime method in 2020. It was far costlier, in fact, than headline-grabber scams like identity theft ($219 million) or personal data breaches ($194 million).
It’s easier to fall for an attack from a hijacked email because there’s nothing about the communication that raises red flags, aside from possibly the content itself.
“There’s no link, nothing that a firewall can pick up,” said Jack Koziol, founder of cybersecurity firm Infosec. “It’s just a normal communication. You’re hacking the person’s mind — you’re not hacking any of the systems.”
The popularity of BEC attacks owes to how hard they are to prevent, Koziol noted. “The only prevention is really education,” he said.
That’s a more difficult lesson to teach than those aimed at less sophisticated attempts. It’s far easier, for instance, to catch the weird string of numbers in the email address of the “CEO.” With BECs, you have to recognize the ask as suspicious. And the ask is not always as obviously suspicious as it was in the early days.
The go-to used to be wire payment requests to fraudulent locations, sent from an executive’s account, but tactics are now a bit more sophisticated.
“Over the years, the scam evolved to include compromise of personal emails, compromise of vendor emails, spoofed lawyer email accounts, requests for W-2 information, the targeting of the real-estate sector and fraudulent requests for large amounts of gift cards,” according to the FBI’s Internet Crime Report. Koziol has also seen people fall for fake correspondence from “human resources” about canceled benefits.
Now cybercriminals are also targeting people’s desire to get vaccinated against COVID-19. “Phishers use the current news,” Koziol said.
The most prevalent pandemic-related phishing schemes have come from government impersonators.
“As the response to COVID-19 turned to vaccinations, scams emerged asking people to pay out of pocket to receive the vaccine, put their names on a vaccine waiting list or obtain early access,” noted the FBI report. “Fraudulent advertisements for vaccines popped up on social media platforms or came via email, telephone calls, online or from unsolicited/unknown sources.”
But as Fier’s Angry Exfiltrator anecdote illustrates, insider threats run deeper than negligence or errors by non-technical staff. Mistakes on the architecture and engineering side can expose vulnerabilities.
Common sources of trouble include checking all of an organization’s passwords into a cloud-based repo or misconfiguring a cloud computing web server.
Perhaps the most notorious example is the Capital One breach, in which a cloud misconfiguration allowed the hacker to bypass the firewall. “The bits were flipped and you could just walk right through,” Koziol said. “It was configured to block things from the inside instead of from outside.”
Such mistakes can be catastrophic in terms of recouping loss too, Koziol noted, since many cyber-insurance policies exclude payouts for misconfigurations.
Ransomware attacks are also often chalked up to insider threats, since many leech into systems through phishing scams or network vulnerabilities left unpatched by security. Also, they’re on the rise, according to law enforcement.
“Sadly, ransomware is still so profitable that it’s not going anywhere,” Koziol said. How profitable? That’s not totally clear.
The FBI notes that its dollars-lost figure for ransomware is likely artificially low, since not all victims report loss amounts, and the tally ($29 million in 2020) only includes reports lodged with the Bureau’s Internet Crime Center, not those who reported complaints to field offices. Also, some targeted organizations opt to simply pay the ransom, fearing the reputational damage outweighs the monetary loss — despite the fact that law enforcement encourages non-cooperation.
Hospitals and dental offices have become chronic targets. Both house lots of personal data, yet sometimes employ less-advanced security measures due to tight operating budgets. Nonprofits, which often lack both cybersecurity technology and know-how, have similarly found themselves targeted with ransomware.
Can Gamification Make Training Effective?
Cybersecurity experts agree that the most important safeguard against insider threats is employee training. But what does effective training actually look like? Is it enough to throw a couple of learning modules or presentations from IT support at the issue?
Educators have to be mindful of so-called “security fatigue.” That’s when people feel bombarded with cybersecurity information and overwhelmed by a sense of high alert. At worst, that can curdle into fatalistic resignation. A 2016 study by the National Institute of Standards and Technology found that the majority of survey respondents had experienced security fatigue.
Research suggests that even simple gamification might be an option. A 2019 study had participants complete a training questionnaire about password strength and hygiene. The training incorporated a golden knight that lost health when the trainee answered incorrectly and a dark knight that lost health for correct answers. After the gamified run-through, participants reported feeling that their knowledge of password security had increased.
Companies of various sizes have run with the idea in recent years. PwC’s executive-focused “Game of Threats” puts users through high-stakes, quick-reaction cyberattack scenarios. Deloitte took its training to the escape room. Living Security has offered a similar service since 2018, when it introduced online, escape room-themed cybersecurity training. One client, Verizon Wireless, reported that users who trained with the system were 45 percent less likely to click on a phishing simulation compared to other training options, according to Living Security.
Koziol is a believer in gamification too. Infosec partnered last year with Choose Your Own Adventure to incorporate the gamebook’s use of self-determined routes — and its nostalgia factor.
Elements of a Successful Cybersecurity Gamification Strategy, According to the University of San Diego
- Visual aids.
- Short and to-the-point training.
- Infuse fun.
- Use rewards.
- Consider incorporating AI and machine learning.
- Know the audience.
- Make the training ongoing.
“You have to meet people where they’re at,” said Koziol, noting that users expect some degree of personalization in the Netflix era. “It’s not about boring, un-engaging training anymore. People just tune it out, and you won’t get the effect you want in the organization. People won’t learn anything.”
Tech teams have a responsibility to make sure complex information is as digestible as possible, and the more immersive and engaging education is, the better, according to Juta Gurinaviciute, chief technology officer at NordVPN.
She advised caution, however, when it comes to sending out fake phishing emails or staging imitation cyberattacks for educational purposes. “Although [that is] a good test of vigilance, employees may then struggle to recognize a real attack should it happen in the future,” she said.
Solving the Password Problem
Bad password hygiene remains one of the biggest insider threats. A recent survey by password manager NordPass found that 70 percent of people share passwords with coworkers over insecure and unencrypted channels.
Experts recommend companies use two- or multi-factor authentication and require employees to change their passwords often, at least every three to six months. Better still are password managers, in which a single master password unlocks an encrypted vault holding all of the user’s other passwords. Options include Dashlane, LastPass and Keeper.
“Passwords are a cornerstone of cybersecurity, but are often compromised by how employees handle them,” Gurinaviciute said.
Sharing various access credentials across an organization is common enough, “but often too few measures are in place to protect those credentials,” she added. “An encrypted solution, such as a password database with two-factor authentication or a B2B password manager, would restore and maintain access security.”
Fier has witnessed up close the potential for disaster in not cycling or not securely managing passwords. He recalled a case in which someone left an employer, a hotel in Las Vegas, after just weeks on the job, took a role across the street at a competitor and continued to access the previous employer’s SharePoint data. They were able to spot the activity with Darktrace.
Or ask the Houston Astros. Starting in 2016, the scouting director of the St. Louis Cardinals was able to rummage through the Astros’ player database — full of valuable trade discussions and scouting information — for over a year, all because a former Cardinals employee used only a slight variation on a recycled password when he went to work for Houston.
Securing the Back End
Education and password protection are crucial, but so are additional defense measures. “I would certainly never advise that trainings aren’t useful, or to cut back,” Fier said. “What I think we need to do is add additional layers on top of that.”
“In our chaotic lives right now — working from home, managing our lives — we’re not spending those extra few milliseconds that we normally would to ask, ‘Do I expect this email from this person? Is there something odd about this?’” he said. “And that’s where I think companies need to start re-approaching that layered defense.”
Additional Steps to Mitigate Insider Threats
- Implement a password manager with industry-grade encryption and best practices.
- Protect computer networks by using an endpoint security solution.
- Consider a network-behavior-anomaly detection system.
- Set up firewalls, intrusion detection and antivirus/anti-spyware software.
- Small and medium-sized businesses should consider outsourcing security to a managed service provider.
Network-behavior-anomaly detection (NBAD) systems offer a powerful way to spot unusual network behavior, including that stemming from users with high clearance. That helps solve one of the oldest conundrums in cybersecurity: Who watches the watchers? Commercial NBAD systems include Darktrace, Symantec, SentinelOne and CrowdStrike.
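As an added example (not Darktrace’s code or anything from the page), here is the kind of baseline check an NBAD system applies to the behavior in Fier’s anecdote: a host sending far more to one outside address than it normally sends to any internal destination, and hopping between destination ports while doing it. The flow records, host names and addresses are constructed; the thresholds are assumptions.

```python
"""Toy network-behavior baseline check over per-host flow summaries."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Flow:
    host: str        # source workstation
    dst_ip: str      # destination address
    dst_port: int    # destination port
    bytes_out: int   # bytes sent during the observation window

# Assumption: the corporate range is 10.0.0.0/8; everything else is "external".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_suspicious_pairs(flows, volume_ratio=10.0, min_ports=3):
    """Alert on (host, external destination) pairs that either moved more than
    `volume_ratio` times the host's average per-flow internal volume, or were
    contacted on at least `min_ports` distinct ports (the port shifting that
    tripped the alert in the anecdote). Returns [(host, dst, [reasons])]."""
    bytes_by_pair = defaultdict(int)
    ports_by_pair = defaultdict(set)
    internal_bytes = defaultdict(list)   # per-host baseline of internal flows
    for f in flows:
        bytes_by_pair[(f.host, f.dst_ip)] += f.bytes_out
        ports_by_pair[(f.host, f.dst_ip)].add(f.dst_port)
        if not is_external(f.dst_ip):
            internal_bytes[f.host].append(f.bytes_out)
    alerts = []
    for (host, dst), total in bytes_by_pair.items():
        if not is_external(dst):
            continue
        base = internal_bytes.get(host, [])
        typical = sum(base) / len(base) if base else 0
        reasons = []
        if typical and total > volume_ratio * typical:
            reasons.append(f"{total} B is {total / typical:.0f}x typical {typical:.0f} B")
        ports = sorted(ports_by_pair[(host, dst)])
        if len(ports) >= min_ports:
            reasons.append(f"{len(ports)} distinct dst ports {ports}")
        if reasons:
            alerts.append((host, dst, reasons))
    return alerts

# Constructed sample: ws-netops-07 pushes 150 MB to one outside address over
# three different ports; ws-hr-12 behaves normally.
FLOWS = [
    Flow("ws-netops-07", "10.0.5.20", 443, 2_100_000),
    Flow("ws-netops-07", "10.0.5.21", 22, 900_000),
    Flow("ws-netops-07", "10.0.5.22", 443, 1_800_000),
    Flow("ws-netops-07", "203.0.113.45", 443, 30_000_000),
    Flow("ws-netops-07", "203.0.113.45", 8080, 40_000_000),
    Flow("ws-netops-07", "203.0.113.45", 53, 80_000_000),
    Flow("ws-hr-12", "10.0.5.20", 443, 1_500_000),
    Flow("ws-hr-12", "198.51.100.9", 443, 2_000_000),
]

if __name__ == "__main__":
    for host, dst, reasons in find_suspicious_pairs(FLOWS):
        print(f"ALERT {host} -> {dst}: " + "; ".join(reasons))
```

A real NBAD product learns the baseline per host over days rather than from a handful of flows, but the comparison against the host’s own history, not a global rule, is what lets it catch a privileged user whose traffic is otherwise allowed.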
Some of the more advanced anomaly-detection options may not be cost-effective for small and medium-sized businesses. But smaller companies can nonetheless get the must-haves, like intrusion detection, from a managed service provider for only a moderate expense, Koziol said.
Still, according to experts like Kelvin Coleman, executive director of the National Cyber Security Alliance, the most important stopgap remains effective employee training. And, as Steve Durbin, managing director of the Information Security Forum, told Built In in 2019, companies that fall victim to phishing scams made possible by insider-threat mistakes need to make sure they’re not prioritizing speed over precision.
“Everybody’s cybersecurity knowledge and skills need to catch up,” Koziol said. “It’s not because you’re stupid or a weak link. It’s just human nature to trust people.”