Using External Intelligence to Uncover Insider Threats

September 14, 2017 • John Wetzel

Key Takeaways

  • Malicious insiders evade security controls because of poorly enforced access controls or by exploiting human vulnerabilities.
  • Since controls fail to detect or prevent, indications of insider threats will likely first appear external to your organization, commonly in web exposure.
  • Threat intelligence can detect early indications of insider threats advertising sensitive data assets, criminal actors soliciting potential insiders, and leaked credentials or proprietary information.

Growing Concern

Businesses are increasingly concerned with insider threats as a business risk. Once the purview of government organizations and defense enterprises, concern around insider threats has spilled into commercial markets, most notably in multiple large financial breaches in 2016. Consequently, more companies are seeking insider threat detection and prevention processes and tools than ever before.

Timeline of Financial Breaches

Five-year timeline of chatter related to financial breaches reported
on the dark web and special-access forums.

Unfortunately, many security tools fail to detect and prevent insider theft. This makes sense when you think about identity and access management. Insider threats, by definition, are granted access to sensitive company resources, and regular monitoring is difficult and costly. Even with properly configured UEBA (user and entity behavior analytics), insiders may evade detection, as their actions may fall within the spectrum of expected behaviors. Worse, many of the insider threat detection efforts contribute a preponderance of false alerts to the noise already experienced by security teams.

Combatting insider threats requires fusion between security teams and technologies. Using threat intelligence for insider threats is beneficial to detection efforts. Insider theft typically seeks a customer for the product of their betrayal. Likewise, criminal actors and nation states continually hunt new avenues for profitization and deep access. Threat intelligence can surface various points along the insider maturation cycle both prior to and post data theft.

Using information surfaced from open and closed sources across the web, threat researchers can monitor for leaks of sensitive information, surface valuable context to forecast potential insider activity, surveil developing trends in criminal adoption of insider recruitment and utilizations, and provide warning on direct threats to an organization.

The State of the Insider Threat

Much news coverage of insider threats highlights the impact on espionage and large financial thefts, for good reason. In February 2016, the Bank of Bangladesh issued a statement that criminal hackers had stolen the equivalent of over $86 million from the bank. Likely using custom malware and insider information, the criminals sent forged SWIFT messages to withdraw funds from the Bank of Bangladesh’s account at the U.S. Federal Reserve Bank. In total, the criminals attempted to steal over $1.1 billion.

Criminal actors recognize insiders as a rich source of both sensitive access and valuable knowledge across industries. According to 2016 research by Kaspersky Labs and B2B International, criminals targeting the telecommunications industry used insiders to penetrate network perimeters and recruit other insiders. Criminals may use previously compromised data, such as the Ashley Madison breach, to blackmail telecommunication employees for credentials, information, to propagate spear phishing emails, or recruit other employees for further malfeasance. Kaspersky Labs cited reported 38 percent of targeted attacks now involve insiders.

Insider Threat Intelligence Monitoring

Monitoring for insider threats starts with the likely path of insiders’ maturation. Insider threat behaviors start with naivety and mature to criminal collaboration and theft. Naive actors may violate rules due to ignorance, while self-interested individuals may recognize the policies, but willfully violate as they deem necessary to accomplish or speed their job functions. This creates a gamut of external indications to monitor, as insiders use the internet as frequently as the rest of society to comment, transact, purchase, and research.

Unfortunately, organizations often focus on monitoring challenging or impossible-to-identify information, likely directly focused on their employees. Monitoring an employee’s external behaviors is both disturbing and unproductive as an insider threat mitigation strategy. While public discontent, computer malfeasance, and suspicious working hours are possible behaviors associated with insider activity, these are not reliable indicators of the intent to betray. Many employees portray these behaviors at one point or another during their employment lifecycle, and potential insiders may not exhibit any of these behaviors.

Threat intelligence surfaces relevant sources of information for analysts to rapidly identify potential insider activity. These indications alert the security analyst to research, and if necessary, escalate the incident for further investigation. Recorded Future can assist in monitoring for insider threat indications in four areas:

  1. Proprietary information on sensitive sources.
  2. Proprietary assets or information on public code repositories.
  3. Employee PII or databases for sale.
  4. Posted advertisements or solicitations on criminal forums and dark web.

Leaks of Betrayal

In late 2014, a 30-year old financial firm employee offered 6 million account records, including passwords and login data, for sale on Pastebin. Later, 1,200 accounts were actually spilled and offered as an enticement to purchase more accounts via Bitcoin. Overall, the financial firm determined the insider, Galen Marsh, accessed data on approximately 10 percent of the entire firm’s wealth management clients.

To avoid this fate, it is imperative to monitor for proprietary assets, including mentions of your information assets, brand names, and products in context. Assets may be mentioned for innocuous reasons, so it is important to identify the context where these mentions occur. Context may be an association with a particular event like a cyberattack, or may be the venue where the asset is mentioned, such as a paste site or criminal forum. While this may not always target insider threats in particular, it allows your organization to quickly identify posted information which would immediately require investigation.

Proprietary Code on Public Repositories

Proprietary code represents an immediate threat to a business’s core infrastructure and operating applications. Many network and information technology workers utilize public source code for maintaining and improving company networks and applications. Additionally, they may contribute back to this open source code. While the contributions themselves are not necessarily cause for concern, the addition of company proprietary or sensitive information to open source code repositories certainly is.

In many cases, the proprietary code posted may be accidental. However, this is still an insider posting sensitive information in a public forum where malicious actors can take advantage of the information. Monitoring for this information, and effective, timely remediation, improves the organization’s security posture.

Employee PII or Healthcare Database Leaks

Large-scale healthcare breaches present an avenue for insider blackmail and solicitation by criminal actors. Recorded Future has previously reported on significant breaches of healthcare databases across the United States and elsewhere around the world. To date, criminal actors have primarily monetized this data theft through ransoming the data back to the organizations, with mixed results. This leaves the criminals with a large quantity of data without a direct, reliable revenue source.

Criminal Advertisements and Solicitations

Criminal forums and marketplaces are well known for facilitating all types of illicit transactions. Insider threat advertisements are frequently used by actors promoting their illicit services on dark web sites — from retail cash-out services, to carding operations, to bank insiders facilitating theft. Many of these advertisements lie on closed source forum sites, requiring extensive vetting and personas to maintain persistent access. Additionally, many services cannot regularly automatically harvest from closed sources or forums, so be sure to vet vendors carefully.

Insider threat alerting on closed forums or the dark web takes three forms. Monitoring for direct mentions of your organization or assets are the first priority, as mentions likely indicate either targeting or potential breach. Industry mentions or tangential targeting are the next avenue of monitoring, as mentions of a “UK bank” or “#x of banking accounts” attempt to cover the source of information. Finally, presence on closed access forums allows direct interaction with threat actors, possibly retrieving samples of allegedly stolen information and materials as validation. These interactions are difficult and private, but may prove exceptionally valuable.

Conclusions

Insider threats are a complex problem requiring fusion of security teams, business operational teams, and technology to adequately address. Threat intelligence teams can provide valuable monitoring, as well as investigative and contextual reporting in real time, while requiring few resources to maintain. As security loopholes continue to close, criminal actors will continue to identify exploitable opportunities using available resources. Likewise, nation-state actors will utilize insiders for persistent access to hard targets.

To learn more about insider threats and how to protect your assets, information, and personnel, download our white paper titled “Insider Threats to Financial Services: Uncovering Evidence With External Intelligence.”