Insider threats continue to be pervasive and real. Last month’s indictment of a Russian national accused of conspiring to recruit a U.S. company’s employee to carry out a cyberattack is a sharp reminder of that. According to public reporting, Egor Kriuchkov attempted to coax an employee into introducing malware into the company’s internal network in exchange for a $1 million payout. The malware allegedly would have given Kriuchkov and his co-conspirators access to the network and the ability to exfiltrate data, which they are alleged to have planned to use to extort a ransom from the targeted company. Fortunately, the employee did not succumb to the plot; instead, the employee reported the approach, helping to prevent the attack and secure the arrest. Insider threats are not new, but in today’s geopolitical climate the stakes are arguably higher, and the transition to large-scale remote work driven by the COVID-19 pandemic compounds these risks.
The foiled attack highlights several important considerations in light of the remote workforce.
First, a poor security culture and low personnel morale create outsized security risks. While procedures and technical controls are critical to detect and prevent insider activity, the importance of employees’ mental health and attentiveness and of a positive work environment should not be overlooked—for numerous other reasons, of course, but also to mitigate security risk. This is even more important in the midst of the pandemic, where employees face economic uncertainty, financial strain and increased demands in their remote work environment. The “new normal” has produced wary employees who are fatigued from working from home and juggling personal responsibilities during the workday. The added challenges of the pandemic will not necessarily turn a strained employee into a cybercriminal, but these stressors may make some individuals more susceptible to bribery, more prone to negligence or inattention, or otherwise more likely to become an internal threat. Put simply, a disgruntled employee is more likely to take retaliatory or harmful action against their company, or simply to turn a blind eye when risk materializes, than is someone content with their job.
Second, visibility continues to be critical and challenging. Visibility across the corporate infrastructure is paramount to any cybersecurity program, and it is equally important in combating insider threats. However, companies often are better positioned to identify anomalous activity at the perimeter than within their own environments. This may be, in part, because organizations tend to allocate more resources to protecting against external threats. One recent report, authored by Code42, suggested that approximately two-thirds of security breaches involve internal actors, yet insider threat programs account for less than 10% of security budgets.
The “fence line approach” as a sole defense strategy presents challenges. In short, technical security programs historically have focused on what we have named the fence line approach: Construct your perimeter defenses (e.g., firewalls) to detect an invading army and prevent a breach of that fence line, then build interior fence lines (e.g., endpoint detection) within the network to detect movement should the perimeter be breached. With employees constantly connected from home IP addresses, wireless networks and virtual private networks, the perimeter sees the insider as a legitimate user; it is nearly impossible to rely solely on fence lines to defend systems when the invaders may already have network access.
Several factors in a remote work environment only amplify these challenges. For example, employees may now use personal devices for business purposes, or they may work during off-peak or atypical hours, both of which make it more difficult to maintain reliable visibility into employee activity. Moreover, user identification is harder when each employee connects through various, and often changing, IP addresses and devices, so a source address is no longer a dependable proxy for a person. Coupled with the added complexity of establishing a baseline for legitimate user activity—the remote workforce fosters inconsistent behavior—detecting anomalous activity is more difficult than ever. With diminished ability to employ physical oversight, measures such as event and behavioral monitoring are essential to help detect abnormal events, and they work best when they correlate several signals (unfamiliar device, unusual hours, unusual data volume) rather than alerting on any single change. (Those measures may introduce new complexities, however; for example, employers must balance concerns about employee privacy with the security benefits of emerging in-home monitoring technologies.) In addition to increased detection measures, companies should deploy appropriate preventive controls to thwart the insider threat, such as limiting bulk data download capabilities, prohibiting unauthorized devices from connecting to the network and blocking high-risk file share services.
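The following is an added, illustrative example of the kind of behavioral baselining the paragraph above describes; it is not code from the original article or from any product. It builds a per-user baseline from a training window of constructed VPN/file-access records (known devices, usual working hours, typical outbound data volume), then scores later events on several weak signals and flags an event only when at least two fire. Source IP is deliberately not a signal, because a remote workforce changes addresses constantly. The event fields, the `HIGH_RISK_DESTS` hostnames and the thresholds are assumptions chosen for the example.

```python
"""Per-user behavioral baseline for remote-worker activity (illustrative).

Assumptions (not from the original article): events carry a timestamp, user,
device identifier, source IP, outbound byte count and destination host; the
high-risk destination list and the scoring thresholds are arbitrary choices.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

MB = 1_000_000


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    device_id: str
    src_ip: str      # recorded for forensics, but NOT used for scoring
    bytes_out: int
    dest: str        # destination host (internal share, SaaS app, file-share site)


# Hypothetical consumer file-share hosts that policy blocks.
HIGH_RISK_DESTS = {"transfer.example", "anon-share.example"}


@dataclass
class Baseline:
    devices: set
    hours: set       # hours of day in which the user was observed working
    mean_bytes: float
    std_bytes: float


def build_baselines(events):
    """Summarize each user's normal devices, hours and data volume."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e.user].append(e)
    baselines = {}
    for user, evs in per_user.items():
        vols = [e.bytes_out for e in evs]
        baselines[user] = Baseline(
            devices={e.device_id for e in evs},
            hours={e.ts.hour for e in evs},
            mean_bytes=mean(vols),
            std_bytes=pstdev(vols) if len(vols) > 1 else 0.0,
        )
    return baselines


def score_event(e, baselines, min_signals=2):
    """Return (flagged, reasons). Flag only when several signals coincide,
    so a lone change (a new hotel IP, one late night) does not page anyone."""
    reasons = []
    b = baselines.get(e.user)
    if b is None:
        reasons.append("no baseline for user")
    else:
        if e.device_id not in b.devices:
            reasons.append("unregistered device")
        # Usual hours with a one-hour margin on each side.
        window = {(h + d) % 24 for h in b.hours for d in (-1, 0, 1)}
        if e.ts.hour not in window:
            reasons.append("outside usual hours")
        # Volume must exceed both a 3-sigma bound and twice the user's mean,
        # so very regular users do not trip on small fluctuations.
        limit = max(b.mean_bytes + 3 * b.std_bytes, 2 * b.mean_bytes)
        if e.bytes_out > limit:
            reasons.append("download volume far above baseline")
    if e.dest in HIGH_RISK_DESTS:
        reasons.append("high-risk file-share destination")
    return len(reasons) >= min_signals, reasons


# Constructed training window for one user (business hours, one laptop).
TRAINING = [
    Event(datetime(2020, 10, 5, 9), "alice", "lap-alice-01", "203.0.113.10", 40 * MB, "files.corp.example"),
    Event(datetime(2020, 10, 5, 10), "alice", "lap-alice-01", "203.0.113.10", 45 * MB, "files.corp.example"),
    Event(datetime(2020, 10, 6, 13), "alice", "lap-alice-01", "198.51.100.7", 50 * MB, "crm.corp.example"),
    Event(datetime(2020, 10, 7, 15), "alice", "lap-alice-01", "198.51.100.7", 55 * MB, "files.corp.example"),
    Event(datetime(2020, 10, 8, 17), "alice", "lap-alice-01", "203.0.113.44", 60 * MB, "files.corp.example"),
]

# Constructed candidate events to score.
CANDIDATES = [
    # new IP only: should NOT be flagged
    Event(datetime(2020, 10, 12, 10), "alice", "lap-alice-01", "192.0.2.99", 55 * MB, "files.corp.example"),
    # 3 a.m. bulk pull from the known laptop: flagged
    Event(datetime(2020, 10, 13, 3), "alice", "lap-alice-01", "192.0.2.99", 900 * MB, "files.corp.example"),
    # unknown device pushing to a blocked file-share site: flagged
    Event(datetime(2020, 10, 13, 11), "alice", "pc-home", "192.0.2.5", 20 * MB, "transfer.example"),
    # user with no baseline, nothing else unusual: not flagged on its own
    Event(datetime(2020, 10, 13, 12), "bob", "lap-bob-01", "192.0.2.77", 10 * MB, "crm.corp.example"),
]


def run():
    baselines = build_baselines(TRAINING)
    return [score_event(e, baselines) for e in CANDIDATES]


if __name__ == "__main__":
    for e, (flagged, reasons) in zip(CANDIDATES, run()):
        print(e.ts.isoformat(), e.user, "FLAG" if flagged else "ok", reasons)
```

In practice the baseline would be built from authentication, VPN and DLP telemetry over weeks rather than five records, and the minimum-signal threshold tuned against the false-positive rate the security operations team can absorb; the point of the structure is that a changing IP address, on its own, never generates an alert.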
Third, education remains vital to an insider threat program. People continue to be the “weak link” in companies’ cyber defense strategies. Employees need to be continually trained and educated on the types of threats they may face and the steps they should take when confronting those threats, including an approach by someone seeking to recruit them. The method of training matters more than ever, as well. Because employees are already fatigued by screen-only interaction, live, human-delivered training on programs and procedures tends to be better received in the virtual environment than yet another recorded module. Employees also need to be trained on how to report potential insider threats. The reporting mechanism should be clear, easy to find and streamlined. Further, as communication protocols may need to be updated for a virtual environment, organizations should issue periodic reminders about reporting procedures. These education and awareness initiatives also need to account for when and how the organization will engage with law enforcement in connection with cyberthreats and related criminal activity.
Fourth, recognize that an insider threat is not always financially driven. The reported scheme above aimed to make a ransom demand, but financial gain is not the only motive, particularly with nation-state sponsored attacks. Cyberespionage by foreign-based threat actors remains prevalent, including efforts to advance foreign economic interests and influence over the global marketplace. Information about individual behaviors and preferences also continues to be a prime target for foreign adversaries. On October 21, the U.S. government confirmed efforts by two prominent foreign governments to interfere in the upcoming presidential election, and earlier this summer, a prominent U.S. university professor was indicted in connection with an insider scheme allegedly designed to recruit scientific talent for a foreign government.
To be sure, not every insider threat will rise to the level of active recruitment by foreign nationals, but that does not make the national security threat any less real. The attempted malware attack and associated extortion illustrate that the data that may make an organization the target of an insider attack is not limited to the categories traditionally protected by breach notification laws. Organizations that employ proactive strategies in their cybersecurity programs and prioritize the protection of all data and infrastructure will be better positioned to mitigate the insider threat, in whatever form it presents itself.