Lead developer, Vytenis Darulis
April 08, 2017

Insider Threats

The increasing connectivity and openness of today’s information systems often lets cyber-attackers find their way into a system through many different paths. Data from the 2016/2017 Global Fraud and Risk Report by Kroll shows that more than 85% of executives experienced a cyber incident over the past year. It is important to note that an “incident” is not necessarily synonymous with a breach. The report summed up the types of incidents this way:

  • 38% experienced theft or loss of intellectual property
  • 33% reported virus attacks
  • 26% experienced phishing attacks in email

It is worth mentioning that many cyber incidents have the same origin: nearly half (44%) of respondents hold insiders responsible for cyber incidents and more than half (56%) say insiders were the main reason for the security problems. For a long time, the primary objective for security teams has been to protect the perimeter: the focus was on keeping outsiders from gaining access and doing harm. But many reports show that more risk exists within the organization.

In a 2016 report from the Ponemon Institute, researchers found that attacks from malicious insiders were among the most costly. On average, these cost companies $4,000,000 per year. With many companies still failing to realize the full scope of this threat, this is a number that is likely to increase in the future.

Threats from inside are much more difficult to detect and prevent because the users are already authenticated on the domain. External attackers, by contrast, must first get past a sophisticated security system. Insiders have access to sensitive information and may know how that information is protected. If they want to steal it or leak it, they can do so with far greater ease than outsiders.

Almost all big organizations have some employees who are unhappy at work. This means that there may be people who have access to sensitive data and who have a motive to sell it. Government agencies estimate that there is one insider threat for every 6,000 to 8,000 employees. Formerly, robbers walked straight in with a weapon to steal money from the bank, but now things work differently: the attacker hires employees for such tasks, so no one notices. Many insiders are actively recruited by criminals over the Dark Web. It is the most popular platform for recruiting employees of financial institutions, hospitals, government sectors and other organizations for offensive services. Some companies are even hiring cyber security specialists to monitor and track users on the Dark Web who are planning various harmful acts.

Companies have to use tools to monitor and detect such threats. Probably the best solution is continuous monitoring of employee activity. Arcadia’s SNOW EDR platform uses complex algorithms to find anomalous or dangerous behavior. It proactively searches through networks 24/7 to detect and respond to various advanced threats. At the same time, it continuously collects data for analysis and lays it out as a timeline, so it is easy to trace back what users have been doing. Investigators use the SNOWboard hunting platform, where all investigation leads are collected. This platform offers very detailed information about what happened on the host and network: execution of binaries, loading of modules, changes made to the file system and registry, as well as network connections.

You want to trust your employees, and you have probably done some verification to ensure that you can trust those who work with critical information. Unfortunately, this is not always enough. Advanced tools can help to find and stop insider threats before they do any meaningful damage.
