Insider Threat – Tackling the Adversary Within
Written by: Mike Parkin – Product Marketing Engineer – I recently caught a webinar presented by ObserveIT that addressed the challenges presented by an “insider threat.” They did a good job of defining the term, the threats, and they laid out some broad-stroke suggestions on how to address the problem. Something they didn’t talk about, was how deception technology is a powerful tool for dealing with this difficult problem.
Since deception technology is our world at Attivo Networks, I’ll focus on that to show why deception technology is such a powerful tool in this space. But first, we’ll sum up the insider threat problem itself so we can see just why it presents such a challenge in the first place.
Insiders consist of anyone with privileged access to the environment. The organization’s staff is first on the list, but it extends to contractors and vendors who work inside the environment. It can also extend down into the supply chain, where external organizations have access to the environment for a range of legitimate reasons. These external connections can be a serious issue, as the client only has limited visibility and control over the other company’s security. Case in point: in a high-profile breach a few years ago, the attacker gained access to the victim through one of their HVAC vendors because it was a much softer target. From there, they were able to spread and do quite a bit of damage.
The specific threat an insider brings can also vary wildly, ranging from simple accidental disclosures to criminal activities or even competitive sabotage. Something as benign as a misdirected email, or someone placing files on their personal off-site cloud storage so they can work on it from home, can lead to unintended consequences. The most extreme example of insider threats are, perhaps, “state-sponsored” actors who’s goals can include espionage or even altering product plans to some specific purpose. Accidental disclosure and simple fraud are probably the most common, but the range of possibilities is what can make a CISO’s life miserable.
In the session I watched, they went over several countermeasures an organization could put in place to combat the insider threat. They also presented solutions that started with processes and procedures that could mitigate risk, then moved on to discuss security measures that can be applied across the board for personnel, technical, and data defense. These are all important steps, but they didn’t go into much depth on what kind of security measures were best for each application, which is what leads us here.
Deception technology provides some unique advantages in dealing with insider threats. By changing the attack surface’s appearance, an attacker never knows quite what is real and what is not. Deception makes their job much more difficult, especially if they are leveraging vendor or supply chain access. Particularly during the reconnaissance phase, an attacker would have to weave through a virtual minefield to reach their target without being caught. Getting through deception is a daunting task even when you know it’s there.
When you combine deception with the rest of the security stack, including processes and procedures set in place to catch potential insider threats and the other technical measures, an insider threat becomes much more manageable. When the attacker makes a misstep and contacts any of the decoy assets or tries to use a deceptive credential, the deception platform immediately sends a high-fidelity alert – which can automatically trigger a series of defenses that effectively stop the attacker in their tracks. The beauty of deception is that any contact is unusual. This doesn’t just apply to an obvious, active, attacker. Even a relatively benign contact is a policy violation worth investigating. After all, these are insider threats we’re trying to stop, and a seemingly benign event may be the first indication that something suspicious is going on.
What makes deception such an effective solution is its versatility. Whether a threat comes from inside or outside, by obscuring the attack surface, you shift the balance in favor of the defense and make the attacker’s considerably more difficult.