This month marks the 16th annual National Cybersecurity Awareness Month (NCSAM)—an initiative started by the National Cyber Security Alliance (NCSA) in collaboration with the U.S. Department of Homeland Security to help consumers and businesses stay safe online. Micro Focus is an NCSAM Champion this year (go team!), which is extremely appropriate given that there is a multitude of passionate cybersecurity and data science experts here working to help keep businesses safe in every way possible.
For those of us on the Interset team, an area of cybersecurity that is of particular interest is insider threats. In fact, we find it quite fitting that this year, NCSAM follows directly on the heels of the first-ever National Insider Threat Awareness Month (NITAM). Of course, we never need an excuse to talk about insider threats; we’ll do it year-round. But these occasions have given us a unique opportunity to raise awareness and hopefully educate businesses about how they can improve their breach defense with proactive insider threat detection.
In our recent NITAM blog, Interset’s CTO, Stephan Jou, shared a great overview of the types of insider threats a company might face and how security operations centers (SOCs) might best protect against those threats. The key to this type of defense is being able to observe behaviors and identify those that are out of the ordinary for a given user or entity (and potentially represent a security threat).
I’m reminded of an interview I read with Michael Gelles, a forensic psychologist and Naval Criminal Investigative Service veteran, who discussed insider threats in a historical context. Before “insider threat” took on the broad meaning it has today, the discussion was largely focused on espionage. Gelles directs us back to the 1980s, aka the Decade of the Spy, as a time when an “insider threat” was top-of-mind across the country. During this age of heightened awareness, he recalls “realizing that a lot of what we are losing here is coming from people who have access.”
In the late 80s, according to Gelles, the FBI and intelligence agencies joined forces on a project to understand the motivations and behaviors of those convicted of espionage. The results of the study showed that the profiles of these threat actors varied. Some were sophisticated, deeply connected and ideologically motivated. Some were just opportunists hoping to score a buck off the tense Cold War climate. In many cases (regardless of motivation and level of preparedness), “spies” were caught because they made mistakes and/or aroused suspicion. In some cases, Gelles says, people would operate for a long time, not dissimilar to a “low and slow” attack that we might see in a modern enterprise.
Today’s insider threats are just as diverse and, likewise, are typically found out when someone is alerted to something suspicious. Being able to detect that suspicious behavior relies, of course, upon continuous visibility into that person’s activity. In our recent webinar, Next-level SecOps with UEBA and MITRE ATT&CK, we discussed this exact concept. The MITRE ATT&CK framework gives us a common vocabulary for naming and conceptualizing threat tactics and techniques, many of which can be detected by looking at the behavior of a user or entity in your enterprise.
For example, at a large financial institution, an employee was caught printing over 350 pages over the course of two weekend days (at 3 a.m., no less). In this incident, the security team witnessed activity mapping to two MITRE ATT&CK tactics: Defense Evasion and Exfiltration. Interset was able to detect the threat immediately by noticing a combination of anomalies: unusual time-of-day activity, unusual day-of-week activity, and an unusual volume of printing. Because this employee did not normally come in at 3 a.m. on the weekend and print vast quantities of material, Interset was able to identify that something abnormal was happening and flag to the organization that they had a potential threat on their hands.
Recognizing what is “suspicious” means having a good understanding of what is normal for each user and entity. In this respect, insider threat detection has to be a proactive effort. Gelles made a point to say that insider threat detection has for a long time been very reactive, even during the Decade of the Spy. The reality of “see something, say something” seemed to be far less effective in execution than in theory.
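To make the two points above concrete (the three anomalies flagged in the printing incident, and the need for a per-user notion of “normal”), here is a small added example of behavioral baselining over print logs. It is illustrative code written for this post, not Interset’s product logic; the log format, user names, thresholds and the September 2019 history are all constructed. The baseline is built only from past events, and each new event is scored against its own user’s history, so a 3 a.m. print job is anomalous for an office-hours user but normal for a night-shift user.

```python
"""Toy UEBA-style scoring of print events against per-user baselines.
Added example for illustration; not Interset code. All data is constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def parse_log(text):
    """Parse constructed 'timestamp,user,pages' lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, pages = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "pages": int(pages)})
    return events


def build_baseline(events):
    """Per user: how often each hour and weekday occurs, and total pages per day."""
    base = defaultdict(lambda: {"hours": Counter(), "dows": Counter(), "daily": defaultdict(int)})
    for e in events:
        b = base[e["user"]]
        b["hours"][e["ts"].hour] += 1
        b["dows"][e["ts"].weekday()] += 1
        b["daily"][e["ts"].date()] += e["pages"]
    return base


def score_event(base, e, min_days=10, rare=0.05, z_max=3.0):
    """Return the reasons an event is abnormal for its user (empty list = normal).
    Thresholds are hypothetical: an hour/weekday seen in under 5% of the user's
    history is 'unusual'; a page count more than 3 standard deviations above the
    user's daily mean is an unusual volume."""
    b = base.get(e["user"])
    if b is None or len(b["daily"]) < min_days:
        return ["no usable baseline for user"]  # never judge against a thin history
    total = sum(b["hours"].values())
    reasons = []
    if b["hours"][e["ts"].hour] / total < rare:
        reasons.append("unusual hour of day")
    if b["dows"][e["ts"].weekday()] / total < rare:
        reasons.append("unusual day of week")
    daily = list(b["daily"].values())
    mu, sd = mean(daily), pstdev(daily)
    if sd == 0:
        z = float("inf") if e["pages"] > mu else 0.0
    else:
        z = (e["pages"] - mu) / sd
    if z > z_max:
        reasons.append(f"unusual volume ({e['pages']} pages, z={z:.1f})")
    return reasons


def detect(history, new_events):
    """Build baselines from history only, then return the new events that were flagged."""
    base = build_baseline(history)
    flagged = []
    for e in new_events:
        reasons = score_event(base, e)
        if reasons:
            flagged.append((e, reasons))
    return flagged


def constructed_history():
    """Constructed (not real) history for September 2019: jdoe prints small jobs on
    weekdays during office hours; asmith is a night-shift user printing around 03:15."""
    lines, day, i = [], datetime(2019, 9, 2), 0  # 2019-09-02 is a Monday
    while day < datetime(2019, 9, 28):
        if day.weekday() < 5:
            lines.append(f"{day.replace(hour=9 + i % 8).isoformat()},jdoe,{[8, 12, 15, 10, 20][i % 5]}")
            lines.append(f"{day.replace(hour=3, minute=15).isoformat()},asmith,{[9, 11, 10][i % 3]}")
            i += 1
        day += timedelta(days=1)
    return "\n".join(lines)


# Constructed new events: two weekend 3 a.m. bulk print jobs by jdoe, plus one
# routine job each for jdoe and asmith that should not be flagged.
NEW_EVENTS = """\
2019-09-28T03:05:00,jdoe,180
2019-09-29T03:20:00,jdoe,175
2019-09-30T10:00:00,jdoe,14
2019-09-30T03:00:00,asmith,12
"""

if __name__ == "__main__":
    for e, reasons in detect(parse_log(constructed_history()), parse_log(NEW_EVENTS)):
        print(e["ts"], e["user"], e["pages"], "->", "; ".join(reasons))
```

Only jdoe’s two weekend jobs come back, each with all three reasons; asmith’s 03:00 job is silent because 03:00 is her normal hour. In practice you would aggregate volume per user-day (many small jobs can add up to the 350 pages in the incident) and feed the combined score, rather than any single indicator, into the SOC’s triage queue.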
Inside the enterprise, we likewise can’t rely only on employees to raise their hands when something unusual is occurring. Our approach to insider threats should be very much aligned with the notion of zero trust. “Bad” employees are few and far between, thankfully. But, as Stephan discussed in his recent blog, it’s not only the “bad guy on the inside” that we should be protecting against. Mistakes happen, and malicious actors on the outside have proven able to weasel their way inside and gain privileged access, at which point they look like insiders too. The best security posture comes from proactively analyzing the behaviors within your organization, before it’s too late.