Are the risks posed by a malicious insider threat often overlooked in preference to the threat posed by the external ‘hacker’?
In the current climate of Cyber Security, many companies underestimate the potential damage that could be caused by the insider threat. Often, the effects of an internal attack can be as great, or greater than those caused by an external attacker. In the recently published Verizon Data Breach Investigations Report for 2019, it is acknowledged that 20% of cybersecurity incidents within Verizon originated from people within the organisation. In the healthcare industry the figure is believed to be as high as 60%, and amongst the IT sector it is believed that 44% of breaches were caused by internal actors.
A large amount of companies, regardless of organisational size and structure, fail to protect themselves sufficiently against this threat. Frequently, it is put on the back burner because physical security barriers are believed to be sufficient to protect businesses. The reality is that disgruntled ex-employees, malicious insiders, or inside agents who are bribed or solicited by external parties, can have devastating effects on a business.
On many occasions this has been discussed with staff from multiple global organisations and there is often widespread acknowledgment that systems and processes which could protect against the insider threat are often ‘put on the back burner’.
During my time as a Detective on a Regional Cyber Crime Unit, I conducted several large high-profile investigations which resulted in prosecution and ultimately conviction. One these occurred in 2017 when a global company was victim to a cyber incident. On first view, it was not initially clear whether the incident was caused by a malicious actor or a failure of equipment. It quickly became apparent that the damage was increasing as time progressed. Suspicions were confirmed when direct communication was received by the IT director, from a party claiming responsibility for the attack.
Mark Bird – Cyber Security Consultant
The effects on the company were devastating. Approximately eighty percent of UK based operations were halted for several hours, causing significant disruption to the business. This would have been significantly longer if the organisation had not implemented robust backup procedures. Subsequent examination of the computer network identified that many of the servers had been subject to deletion of data. This included multiple DHCP servers, domain controllers and file and print servers, resulting in most UK staff being unable to access the organisation’s network to carry out day-to-day tasks.
A potential suspect was identified when a current member of staff was contacted and asked to delete data from computers on the network. The suspect was a disgruntled ex-employee of the company who had previously been jointly responsible for company network system administration and was embroiled in a bitter industrial employment tribunal process.
Forensic examination of the suspects computer identified that a remote administration tool had been used to RDP into the company network, therefore negating the need to physically enter the company premises. The existence of the RDP tool was identified within the company network and although this was not in itself against company policy, it was not an authorised tool for use on the company network.
Once inside the company network, the suspect was able to carry out unrestricted lateral movement through use of unattributable domain and system administration accounts. The passwords for these accounts had not been changed for a considerable period due to only a handful of members of staff being aware of their existence and due to the belief that physical access to the network would be required to utilise these accounts. However, the installation of RDP tools on the system provided the attacker with the means to access the network.
Once inside the network, and with access to a system admin account, the attacker’s options were virtually unlimited. Tools were utilised to facilitate remote commands to be executed on several servers whereby large amounts of data were deleted causing substantial disruption.
The use of backups meant that remedial action could be quickly carried out and resulted in relatively fast repair of the affected servers, nevertheless, from this single, preventable attack, damage was estimated in the hundreds of thousands of pounds range.
There were numerous learning points following the incident, but the most important were identified as:
- Creation of a cybersecurity incident response plan, which includes incidents originating from within the organisation. A service which, amongst other is provided by IntaForensics:
- Network security solutions to highlight any unusual out-of-hours activity, in addition to the use of remote connections.
- Conduct threat hunting activities to search, monitor, detect and investigate suspicious user account activity.
- Employ endpoint security solutions such as critical asset inventories, removable media policies, device encryption and file integrity monitoring.
- Strong password policies which require network users to regularly changed passwords and require passwords to be complex in nature, i.e. be of a minimal length, incorporate upper and lower-case letters, include numbers and special characters.
- Strong controls on the ability to limit downloadable tools on the network and regular audits of necessity of such tools e.g. remote access tools.
- Adoption of the principle of least privilege, thereby providing staff with the minimum permissions that they require to perform their work.
- Policy regarding system/domain admin passwords to ensure that actions by admins are auditable and overarching admin accounts kept in a secure location.
- Regular internal authenticated vulnerability scanning to identify potential vulnerabilities that may be exploited from within. Every employee has access to a wealth of information available to them on the Internet and just needs the required amount of motivation to seek that information.
- Physical security is important, but this is in addition to overall security.
- Consideration should be given to taking part in the Cyber Essentials Plus certification process which includes internal and external vulnerability scans. It also acknowledged that proper implementation of the Cyber Essentials scheme can protect against the majority of common internet threats. IntaForensics is an IASME accredited Cyber Essentials Certification Body; for more information please see the following links:
For more information on the Cyber Essentials scheme please visit the following link: