With the new year right around the corner, now’s the ideal time to reassess your cyber security strategies, especially in terms of how you defend against internal network threats. Many organizations dedicate the bulk of their network security strategies to mitigating the risk of external cyber threats without realizing that a comprehensive threat intelligence platform also accounts for the threat of internal cyber attacks. In fact, 60% of companies experienced an insider threat within the last year. That means many businesses are actually at a higher risk of falling prey to an internal threat than to an external one, and even more aren’t doing enough to stop insider attacks in the first place.
But what exactly is an internal cyber security threat, and how can you stay protected in 2020?
What Is an Insider Cyber Security Threat?
Most people think of cyber attacks as something that targets a network from the outside, but an insider threat circumvents barriers to entry altogether by attacking a system from within. As a result, insider threats most frequently originate from an employee, former employee, or a malicious actor. They may have been granted network access, or they may have found a way to gain entry into your network without being detected.
Some insider threats are intentional; others are due to negligence, but ultimately they involve using your system against you. Internal cyber security threats can be categorized into seven general types based on how they originate.
1. Account Misuse or Abuse
Account misuse occurs when an authorized network user performs unauthorized network functions. This misuse can happen intentionally or unintentionally. If users realize they have access to valuable parts of your network, they may use that as leverage to benefit themselves or threaten your organization. When this occurs, it becomes account abuse. On the other hand, users may have access to sensitive data on your network but not realize it. As a result, they may accidentally delete data, reconfigure network settings, or even leak confidential information.
Account misuse and abuse threats may arise for a multitude of reasons, including:
- Nonexistent, loose, or poorly configured user access controls
- Storing company documents, files, and folders on a single shared server that every user can reach
- Not updating user access as roles and responsibilities within the company change
- Scaling cloud services without reassessing user access
Because most instances of account misuse or abuse stem from access control, the best strategy for protecting your network is to start by establishing clearly defined user permissions. From there, it’s critical to review access controls periodically to ensure they align with your network security measures.
The best way to delineate user access is by following the “need-to-know” rule. If an employee doesn’t need to have access to specific data or parts of your network to complete their daily tasks, they likely shouldn’t have access to it. After all, it’s easier to grant access when required than it is to take access away after a data breach.
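The periodic review the last two paragraphs call for can be automated. The following is an added example, not code from the original post, that compares each user's current grants against a hypothetical per-role "need-to-know" baseline and reports grants to revoke (outside the role, or held by someone with no current role) and grants that are in the baseline but have gone unused long enough to deserve a second look. All role names, users, and dates are constructed.

```python
from datetime import date, timedelta

# Constructed sample data for illustration; not from any real directory.
# Baseline of what each role needs to know (the "need-to-know" rule).
ROLE_ENTITLEMENTS = {
    "accounting":  {"finance-share", "erp"},
    "engineering": {"source-repo", "build-server"},
    "helpdesk":    {"ticketing", "password-reset"},
}

# Current grants per user with the last day each grant was used.
# bob moved from accounting to helpdesk but kept finance-share;
# carol has left the company (no role) but her account is still active.
USERS = {
    "alice": {"role": "engineering",
              "grants": {"source-repo": date(2020, 1, 3), "build-server": date(2019, 8, 1)}},
    "bob":   {"role": "helpdesk",
              "grants": {"ticketing": date(2020, 1, 6), "password-reset": date(2020, 1, 5),
                         "finance-share": date(2019, 5, 2)}},
    "carol": {"role": None,
              "grants": {"erp": date(2019, 12, 20)}},
}

TODAY = date(2020, 1, 6)  # constructed review date


def review_access(users, role_entitlements, today, stale_after=timedelta(days=90)):
    """Periodic access review. Returns two dicts keyed by user name:
    'revoke' - grants outside the user's role baseline (every grant counts as
               excess when the user has no current role, e.g. a former employee);
    'stale'  - grants inside the baseline but unused for longer than stale_after,
               which the reviewer should confirm are still needed."""
    revoke, stale = {}, {}
    for name, info in users.items():
        baseline = role_entitlements.get(info["role"], set())
        for grant, last_used in info["grants"].items():
            if grant not in baseline:
                revoke.setdefault(name, []).append(grant)
            elif today - last_used > stale_after:
                stale.setdefault(name, []).append(grant)
    return {"revoke": {u: sorted(g) for u, g in revoke.items()},
            "stale": {u: sorted(g) for u, g in stale.items()}}


if __name__ == "__main__":
    for category, entries in review_access(USERS, ROLE_ENTITLEMENTS, TODAY).items():
        print(category, entries)
```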
2. Compromised Accounts
A compromised account refers to when an unauthorized individual gains access to an authorized account on your network. They can then use that account just as an authorized user would—but with malicious intent. An unauthorized individual on an authorized account can originate from within your organization or from outside of it. When undetected, a compromised account can wreak havoc on a network. As we’ve already mentioned, granting need-to-know access control can be one of the best defenses against a compromised account.
From inside your organization, compromised accounts can occur when:
- An employee finds another employee’s password written down
- An employee guesses another employee’s password (e.g., a pet or child’s name)
- Organizations use generic, standard passwords for shared accounts
To protect your organization from these risks, make it known that employees are never to write down passwords under any circumstances. They should also use complex passwords composed of a series of letters, numbers, and symbols that would be impossible for someone close to them to guess. Similarly, it’s also helpful to enact policies and safeguards that require employees to change their passwords periodically.
From the outside, compromised accounts are most often the result of an employee losing an unsecured device or a successful phishing attack on your network. Even with stringent user access controls, however, a malicious actor can use a compromised account to trick other users on your network into divulging sensitive data or granting unauthorized permissions. To combat the risk associated with compromised devices, ensure that all devices on your network are appropriately secured and encrypted so they can’t be used against you if they’re lost, misplaced, or stolen. To protect your network from phishing attacks, one of the most effective strategies is implementing an ongoing phishing awareness training program for employees.
3. An Infected Host
An infected host is an internal network resource that begins behaving abnormally, most frequently because of unauthorized access, third-party control, or malware. Although the infection itself usually originates from an external source, it becomes an internal threat as soon as your network perimeter is breached. That’s because an infected host can operate just like any other device on your network.
A compromised host can potentially:
- Send junk, spam, or phishing emails to other systems
- Distribute malicious software on your network
- Distribute network data to other networks
- Collect personal user data, including usernames, passwords, and account numbers
One of the best ways to mitigate the risk of an infected host compromising your network in the first place is with a managed cyber security service provider. However, because the scope of this post relates to internal network threats, we’ll focus on what to do after an infected host infiltrates your network.
With an infected host, your security incident response team will primarily be conducting damage control. That’s because some level of data has likely already been compromised; after that, it’s about minimizing the extent of the damage. Implementing a round-the-clock automated network monitoring system is a vital first step to detecting an infected host as quickly as possible. From there, integrating effective quarantine measures into your network can promptly contain a compromised host until your threat detection and response team can take back control of the device.
4. Internal Network Reconnaissance
Internal network reconnaissance occurs when an authorized user or a malicious actor—having gained undetected network access—researches your network environment from the inside. With a deeper understanding of how your network functions, they’re then able to plan and prepare for future objectives, such as stealing sensitive information or channeling network traffic to a third-party server.
A cyber criminal or malicious insider may perform reconnaissance to find out more about your network’s:
- File sharing systems
- User access controls
- Network diagrams
- Admin accounts
- Network applications
- Anti-virus systems
From there, a hostile user can begin to identify critical network information, download tools to collect additional information, elevate their own user access privileges, move laterally throughout your network, and create an ideal environment for funneling your critical data to a third-party network.
The solution for addressing this malicious insider threat is not quite as simple as with some of the other threats. The first step to counteracting insider network reconnaissance is detecting any abnormal activity. As with an infected host, automated network monitoring systems can work around the clock to identify any unusual network activity and alert administrators.
Depending on the competence of the attacker, however, they may be able to sidestep your monitoring systems. That’s why early detection is vital. Once you’ve detected a potential recon user, you can deploy a honeypot that serves as a decoy to lure cyber criminals away from critical network operations.
Some cyber security vendors, such as Rapid7, have even developed platforms for flagging and tracking suspicious users based on significant network events. If you want to stay a step ahead of the threat of network recon, a dedicated user-flagging and -tracking platform with honeypot capabilities is currently your best option.
5. Lateral Movement
Once a malicious actor has infiltrated your network, lateral movement techniques involve using low-level web servers, employee devices, email accounts, and other foundational system features to move within your network. That means most lateral movement threats occur after a network endpoint has been breached by a malicious actor or when an authorized user attempts to circumvent user access controls.
As with internal network reconnaissance, the goal of lateral movement is not merely to exploit these low-level targets but to use them to gain access to your network’s most sensitive data and operations. Successful lateral movements allow cyber criminals to steal additional user credentials, pinpoint weak network configurations, and even exploit software vulnerabilities that can open your network up to further exploitation. That’s why internal network reconnaissance and lateral network movement often go hand in hand.
To effectively defend against lateral movers on your network, you can proactively solidify your network’s endpoint security measures and user access controls. But once lateral movement has already been detected on your system, the best strategy is to track and contain movement by deploying a honeypot. After the threat is identified and contained, you’ll be better poised to eliminate any compromised accounts or devices on your network.
6. Insider Fraud
Insider fraud can be perpetrated by any number of malicious network insiders, including:
- A current employee
- A former employee
- A contractor
- A business partner
Insider fraud occurs when one of these individuals intentionally misuses network access to bypass security measures for their own personal gain or to damage the confidentiality or integrity of an organization’s information. Most frequently, this happens when network insiders manipulate data and documents for their own financial enrichment.
Because the individuals most likely to commit insider fraud are frequently the ones most closely tied to your day-to-day operations, it can be challenging to detect or prevent the threat in the first place. One of your best options for mitigating the risk of insider fraud is to reduce or eliminate the opportunities for insiders to commit fraud. Again, user access controls play a critical role in minimizing the exploitation of sensitive data, and following a “need-to-know” data access rule can keep your network protected.
You can also implement policies for performing periodic audits of data and processes that present a higher risk of insider fraud while heightening monitoring measures related to information access and use. That can include automatically freezing network access when an employee goes on vacation, travels out of the country, or takes a leave of absence. Because many insiders are driven to commit fraud due to financial struggles, initiating a program to help employees experiencing money problems can actually protect your organization in the long run.
7. Data Exfiltration
For many of the internal cyber security threats we’ve discussed above, the ultimate goal of a malicious insider is data exfiltration, also known as data extrusion. Data exfiltration occurs when someone on your network transfers data to another device or network without authorization.
Exfiltration can happen when someone has access to a physical device on your network and manually copies data off it, or it can be an automated process by which network data is directed to another system. The threat can be the result of a network insider funneling out data, or it can happen when a malicious actor posing as an authorized user reconfigures network settings to redistribute sensitive data. Data exfiltration is what happens when companies fall prey to a large-scale data breach, as happened to Yahoo, Equifax, Capital One, and Home Depot in the past decade.
With Home Depot’s breach, cyber criminals stole a vendor’s login credentials. From there, they were able to move laterally within Home Depot’s computer network to install custom-built malware that posed as antimalware software. The malware infected Home Depot’s point-of-sale (POS) systems, exfiltrating the data of 56 million customers between April and September of 2014, ultimately costing the company about $172 million.
Stopping data exfiltration begins with robust endpoint security. But once data exfiltration occurs, that data may be lost forever. As with Home Depot’s breach, malicious actors often use seemingly innocuous software programs to direct data exfiltration. That’s why it’s a smart idea to block end users from installing new applications on network devices without receiving administrative permission first.
To extrude data, malware operating on your network must be able to communicate with an external server and transmit data to it. If your incident response team can pinpoint where that unauthorized communication is occurring on your network, they can block the exfiltration of data and, from there, focus on damage control.
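Pinpointing that unauthorized outbound communication is a matter of looking at egress records for the two signs the post describes: a host pushing an unusual volume of data to an unapproved external address, and a host reaching the same address at a near-regular interval (beaconing). The following is an added example, not code from the original post, that runs that check over a constructed sample of outbound connection records; the internal ranges, the approved-destination allow-list, and the thresholds are assumptions to be tuned for a real network.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of outbound connection records (not real traffic):
# "timestamp,source_host,destination_ip,bytes_sent"
SAMPLE_LOG = """\
2020-01-06T09:00:00,pos-17,10.0.5.20,1200
2020-01-06T09:05:00,pos-17,203.0.113.44,480000
2020-01-06T09:10:00,pos-17,203.0.113.44,510000
2020-01-06T09:15:00,pos-17,203.0.113.44,495000
2020-01-06T09:20:00,pos-17,203.0.113.44,502000
2020-01-06T09:03:00,hr-laptop-3,10.0.5.20,3000
2020-01-06T09:40:00,hr-laptop-3,198.51.100.9,2500
"""

# Assumed internal address space and an assumed allow-list of approved
# external destinations (for example, an approved SaaS vendor).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
APPROVED_EXTERNAL = {ip_address("198.51.100.9")}


def parse_log(text):
    records = []
    for line in text.splitlines():
        ts, host, dst, nbytes = line.split(",")
        records.append((datetime.fromisoformat(ts), host, ip_address(dst), int(nbytes)))
    return records


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_suspect_egress(records, byte_threshold=1_000_000, min_beacons=3, jitter_s=30):
    """Return {(host, destination): {"bytes": total, "beaconing": bool}} for every
    host/destination pair that talks to an unapproved external address and either
    sends more than byte_threshold bytes in total or connects at least min_beacons
    times at intervals that vary by no more than jitter_s seconds."""
    flows = defaultdict(list)
    for ts, host, dst, nbytes in records:
        if is_internal(dst) or dst in APPROVED_EXTERNAL:
            continue  # ordinary internal traffic or an approved external service
        flows[(host, str(dst))].append((ts, nbytes))
    findings = {}
    for key, events in flows.items():
        events.sort()
        total = sum(n for _, n in events)
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        beaconing = bool(gaps) and len(events) >= min_beacons and max(gaps) - min(gaps) <= jitter_s
        if total > byte_threshold or beaconing:
            findings[key] = {"bytes": total, "beaconing": beaconing}
    return findings
```

A flagged pair gives the incident response team the internal host to quarantine and the external address to block at the perimeter.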
The Los Angeles IT Support and Cyber Security Experts
How well is your organization prepared to defend against and respond to the ever-present risk of insider threats? If you’re concerned that there’s more you could be doing, the experts at Be Structured can help. From detecting compromised hosts on your network to minimizing the risks of compromised network accounts, we specialize in developing a comprehensive network security platform that protects you inside and out.
Contact our team today to take the first step toward a more secure future.