The insider threat

Watching the news about the Twitter hack unfold with more and more information and background becoming available over time, it triggered some memories about previous cyber security news stories involving the massive social media giant.

Initially, I posted this comment on LinkedIn when I saw this article from the BBC which primarily focused on the targeted Twitter accounts (being so high profile), the outcome and the response – but the article was quite light on the ‘how’ or methods of attack employed, although it did suggest social engineering played a large role.

At the time, I suggested from that early high-level understanding that the following controls may need some improvement or implementation within Twitter:

• Security Awareness Training
• Email Security (Targeted Attack Protection)
• Privileged Access Management
• Segregation of Duties
• Multi-Factor Authentication

It was also rightly pointed out to me that the following additional controls could also play an important part:

• Microsegmentation
• Automated breach response
• UEBA (User & Entity Behavior Analysis)

Then I came across this article from DataBreachToday which uncovered more details about the methodologies employed and also revealed that (at least declared by Twitter) that they did have ‘two-factor protections’ and the attackers were able to get past these.  While circumventing MFA is technically possible, and our own Red Team has achieved this goal during Red Team Attack Simulations for our clients, it is non-trivial.  This led me to wonder if perhaps the ‘social engineering’ involved here was of a different and more sinister nature.  Namely, that Twitter staff had been bribed or blackmailed into helping the attackers to gain the foothold required.

The DataBreachToday article summarises this well: “So how do attackers successfully pierce a well-resourced, billion-dollar company such as Twitter? Absent exploiting a software vulnerability, the answer is that they either need to trick an insider or recruit one.”

This led me to the thought that perhaps here, the most important control to consider in this situation is actually an Insider Threat (sometimes referred to as UEBA).  There are three types of important scenarios that Insider Threat technology is designed to detect extremely well:

• Malicious Insider: This is typically a staff member who is either disgruntled or bribed/paid/blackmailed into conducting illegal hacking activities from within the company, leveraging the physical and digital access they already have.
• Accidental Insider: This is typically a staff member who is not trying to do the wrong thing, but maybe doing risky things to achieve their goal of doing their job or helping the company. An example of this would be someone uploading some sensitive work data to a cloud storage service (perhaps not company approved and perhaps with greater risk and less or no visibility and control), so they can continue their work from home or on leave.
• Unwitting Accomplice: This is typically a staff member who has clicked on a malicious link in an email or visited a malicious website and, through having their endpoint and user session breached to gain a foothold has become an unwitting accomplice to an external attacker leveraging their credentials and system to move laterally throughout the company.

Interestingly, this is not the first time that Twitter has allegedly had issues with their staff being ‘coerced’. Back in Nov 2019, we heard that Saudi Arabia reportedly paid Twitter employees to spy on users.  This incident had led to prosecution by the US Federal Government of two former Twitter staff.

According to Shlomi Shaki, the Director of Insider Threat Management at Proofpoint for Australia and New Zealand.

“Between July and Dec 2019, the Office of the Australian Information Commissioner) reported that 69% of breaches in Australia were attributed to the human element, i.e. our people, and in particular for insider risk they saw around 32% of breaches were attributed to accidental or negligent behaviour (from employees and third parties), around 29% due to compromised and stolen credentials (phishing or other) and around 8% due to rogue employees. The remaining 31% are due to hacking, malware, ransomware, equipment or paperwork theft and system faults.

These stats we are seeing in Australia right now are also in line with the latest benchmark study from the Ponemon Institute that reported the number of insider-caused cybersecurity incidents jumped 47% since 2018 worldwide, with the average annual cost up 31% to $11.45 million and the average time to contain insider breaches taking 77 days. 

The reason these threats are so prolific and take so long to deal with is that anyone with legitimate trusted access to an organisation’s systems and data – whether full-time employee, part-time contractor or strategic business partner – can be an Insider Threat.

Understanding what is driving this increase in frequency and cost of insider threats is important when organisations plan an appropriate risk management approach.”

The Missing Link has partnered with Proofpoint who acquired ObserveIT, the leading insider threat management platform, in November 2019, to help organisations in Australia identify and mitigate insider risk.

https://www.proofpoint.com/au/products/information-protection/insider-threat-management

So, what can be done to assess your risks and plan the path forward for Insider Threats?

Our Red Team can conduct a variety of assessments that can help you understand the possible attack paths from an insider (typical staff member with little to low privileges initially).

We can conduct an Insider Threat Assessment, and we can help you with a roadmap or plan to address the gaps, and if you are light on your own security staff, then our Security Operations Centre can manage the solution(s) for you.

Reach out if you would like our help or to simply have a chat about this or any other cyber security topic!