Understanding Insider Attacks - Part 1
March 19, 2020

Chetan Conikee

The majority of security solutions focus on externally triggered unauthorized and illegitimate access to systems and information. Unfortunately, the most damaging malicious activity is often the result of internal misuse within an organization, perhaps because far less attention has been focused inward.

Insider threats are one of today's most challenging cybersecurity issues and are not well addressed by commonly deployed security solutions. They are also one of the hardest attack models to deal with in practice.

In general, insiders are authorized users who have legitimate access to sensitive or confidential material, and they may know the vulnerabilities of the deployed applications and business processes. Attacks by malicious insiders are therefore often harder to detect than those of external attackers, whose footprints are harder to hide.

Twitter threads can make for irresistible reading. This particular one from respected cybersecurity veteran Phil Venables is an invitation to shake off Twitter's rapid-fire rhythm and focus on a critical yet under-discussed topic: insider threats.

These threads are little essays in miniature. I'd encourage you to read the entire thread that is linked here.

Let's kick off this article with Phil's definition. As Phil states in his Twitter thread, grossly simplifying, there are three types of threats:

Trusted insiders who go bad over time due to disgruntlement or other (Progressive Insider Risks).

Trusted insiders who go bad immediately from some cue like coercion from an external actor (Instantaneous Insider Risk).

Infiltrators, i.e. external attackers who infiltrate the organization. Infiltrators can often look like Instantaneous Insider Risks.

In all cases, the actor is a legitimate user within an organization who has been granted access to systems and information resources, but whose actions are counter to policy and whose goal is to negatively affect the confidentiality, integrity or availability of critical information assets.

In recent years, famous whistle-blowers have made their way into the media, such as the high profile data exfiltration cases involving Edward Snowden or Chelsea Manning. Although such cases may be viewed as security issues breaking the confidentiality of secret information, they may also be viewed as expressions of loyalty to a country or to society.

The state of the art still seems to be driven by forensic analysis after an attack, rather than by technologies that prevent, detect and deter insider attacks.

One would have to thread together many indicators, in context, to provide conclusive evidence of an insider attack. Some examples are:

Markers: Insiders sometimes leave deliberate markers to make a "statement." Markers can vary in magnitude and obviousness. Finding the smaller, less obvious markers earlier — before the "big attack" occurs — should be a major goal of those faced with the task of detecting such attacks.

Errors: Perpetrators, like anyone else, make mistakes while preparing for and carrying out attacks. Having made one, the perpetrator will typically try to erase the relevant log files and the command history, and that clean-up activity is itself a detectable indicator.

Behavior: The perpetrator may, for instance, attempt to gain as much awareness of the potential victim system as possible. The use of commands such as ping, nslookup, finger, whois, rwho, git log, git-dorking and others is only one of many types of preparatory behavior.
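The error and behavior indicators above can be turned into a first detection pass. The following Python script is an added example, not code from the original article or from ShiftLeft: it reads constructed command-audit lines (timestamp, user, command line), flags users who run a burst of the reconnaissance commands listed above within a short window, and separately flags commands that wipe shell history or touch log files. The audit-line format, the ten-minute window, the threshold of four commands and the regular expression for history tampering are all assumptions made for the example.

```python
"""Score command-audit lines for reconnaissance bursts and history wiping (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

# Reconnaissance commands named in the article; "git log" is matched separately.
RECON_COMMANDS = {"ping", "nslookup", "finger", "whois", "rwho"}
RECON_GIT_SUBCOMMANDS = {"log"}

# Assumed anti-forensic patterns: clearing shell history or touching log files.
HISTORY_WIPE = re.compile(
    r"history\s+-c|unset\s+HISTFILE|HISTFILE=/dev/null|\.bash_history|/var/log/"
)

# Constructed sample audit trail (not real data): "<ISO timestamp> <user> <command line>".
SAMPLE_LOG = """\
2020-03-19T09:00:00 alice git status
2020-03-19T09:01:10 bob ping 10.0.0.5
2020-03-19T09:01:40 bob nslookup db-prod.internal
2020-03-19T09:02:05 bob whois example.com
2020-03-19T09:02:30 bob rwho
2020-03-19T09:03:00 bob git log --author=admin -p
2020-03-19T09:15:00 alice nslookup build.internal
2020-03-19T09:20:00 bob rm -f ~/.bash_history
2020-03-19T09:20:05 bob unset HISTFILE
2020-03-19T10:00:00 carol ping gateway
"""


def is_recon(cmdline: str) -> bool:
    """True when the command line starts with a reconnaissance command or 'git log'."""
    parts = cmdline.split()
    if not parts:
        return False
    if parts[0] in RECON_COMMANDS:
        return True
    return parts[0] == "git" and len(parts) > 1 and parts[1] in RECON_GIT_SUBCOMMANDS


def is_history_wipe(cmdline: str) -> bool:
    """True when the command line matches an assumed history/log tampering pattern."""
    return HISTORY_WIPE.search(cmdline) is not None


def parse(log_text: str) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, user, command line); malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.strip().split(maxsplit=2)
        if len(parts) < 3:
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2]


def max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of sorted timestamps that fall inside any single window."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text: str, window: timedelta = timedelta(minutes=10),
            recon_threshold: int = 4) -> Dict[str, List[str]]:
    """Return per-user findings: recon bursts and history/log tampering."""
    recon_times: Dict[str, List[datetime]] = defaultdict(list)
    wipes: Dict[str, List[str]] = defaultdict(list)
    for ts, user, cmdline in parse(log_text):
        if is_recon(cmdline):
            recon_times[user].append(ts)
        if is_history_wipe(cmdline):
            wipes[user].append(cmdline)

    findings: Dict[str, List[str]] = defaultdict(list)
    for user, times in recon_times.items():
        peak = max_in_window(sorted(times), window)
        if peak >= recon_threshold:
            findings[user].append(
                f"recon burst: {peak} reconnaissance commands within {window}")
    for user, cmds in wipes.items():
        findings[user].append(
            f"history/log tampering: {len(cmds)} command(s), first {cmds[0]!r}")
    return dict(findings)


if __name__ == "__main__":
    for user, notes in analyze(SAMPLE_LOG).items():
        for note in notes:
            print(f"{user}: {note}")
```

On the sample trail only bob is flagged: five reconnaissance commands inside two minutes, followed by two history-wiping commands. Alice's single nslookup and Carol's ping stay below the threshold, which is the point of windowing rather than matching single commands. In practice the lines would come from auditd, an EDR agent or shell audit logging, administrators will legitimately trip the reconnaissance rule, and the output is one indicator to correlate with the others the article lists rather than conclusive evidence on its own.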

Scoping an assessment to detect insider attacks requires continuous assessment of the integrated business and technology software. To understand how to detect malicious insider actions, we have to understand the many forms of attack that have been reported:

■ Tampering with data (unauthorized changes of data or records)

■ Unauthorized extraction, duplication or exfiltration of data

■ Destruction and deletion of critical assets

■ Downloading from unauthorized sources or use of pirated software which might contain backdoors or malicious code

■ Eavesdropping, packet replication and sniffing

■ Purposefully installing malicious patches, modules, rootkits

■ Spoofing and impersonating other users

■ Misuse of resources for non-business related or unauthorized activities

■ Social engineering attacks

■ Software supply chain infiltration

■ Backdoors introduced for debugging purposes that are intentionally deployed into production to bypass compliance controls
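The last item, a debugging backdoor that ships to production, is easy to write and easy to miss in review. The following Python snippet is an added example, not code from the original article or from ShiftLeft: it shows the anti-pattern, an authentication bypass keyed on request data, beside a hardened version in which nothing in the request can disable authentication, any test credential comes only from server-side settings, its use is written to an audit trail, and the settings are refused at startup when a test credential is present in production. The header name, the settings fields and the token values are assumptions made for the example.

```python
"""Debug backdoor versus hardened authorization (added example with constructed data)."""
import hmac
from dataclasses import dataclass
from typing import List, Mapping, Optional

# Constructed credential store; a real service would consult an identity provider.
VALID_TOKENS = {"alice": "tok-alice-9f2c"}


def token_is_valid(user: str, token: str) -> bool:
    expected = VALID_TOKENS.get(user)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return expected is not None and hmac.compare_digest(expected, token)


def authorize_with_debug_backdoor(user: str, token: str,
                                  headers: Mapping[str, str]) -> bool:
    """Anti-pattern: a 'temporary' bypass keyed on request-controlled data.

    Anyone who learns the header name (an insider, or whoever reads the source or
    a proxy log) skips authentication, and nothing records that it happened.
    """
    if headers.get("X-Debug-Bypass") == "1":  # hypothetical header name
        return True
    return token_is_valid(user, token)


@dataclass(frozen=True)
class Settings:
    env: str                          # "production", "staging" or "dev" (assumed)
    test_token: Optional[str] = None  # fixture credential, non-production only


def validate_settings(settings: Settings) -> None:
    """Fail closed at startup: a test credential in production is a misconfiguration."""
    if settings.env == "production" and settings.test_token is not None:
        raise RuntimeError("test_token must not be set when env=production")


def authorize_hardened(user: str, token: str, headers: Mapping[str, str],
                       settings: Settings, audit: List[str]) -> bool:
    """Hardened form: the request cannot switch authentication off.

    `headers` is accepted only to show that the decision never consults it. A
    fixture credential exists only where settings allow it, and every use is
    appended to the audit trail so it leaves a visible marker.
    """
    validate_settings(settings)
    if settings.test_token is not None and hmac.compare_digest(settings.test_token, token):
        audit.append(f"test_token used by {user!r} in env={settings.env}")
        return True
    return token_is_valid(user, token)


if __name__ == "__main__":
    bypass = {"X-Debug-Bypass": "1"}
    trail: List[str] = []
    print(authorize_with_debug_backdoor("mallory", "wrong", bypass))        # True: backdoor
    print(authorize_hardened("mallory", "wrong", bypass,
                             Settings(env="production"), trail))             # False
    print(authorize_hardened("ci", "fixture-123", {},
                             Settings(env="dev", test_token="fixture-123"), trail), trail)
```

The hardened version is not a cleverer bypass check; it removes the bypass and moves the one legitimate need it served (a fixture login for non-production testing) into configuration that is validated before the service accepts traffic and audited whenever it is used. A deployment that sets the fixture credential in production fails at startup rather than silently shipping a backdoor.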

Go to Understanding Insider Attacks - Part 2

Chetan Conikee is Founder and CTO of ShiftLeft
