Reimagining Cyber - real world perspectives on cybersecurity

The Enemy Within: Understanding Insider Threats to Cybersecurity - Ep. 94

April 24, 2024 Reimagining Cyber Season 1 Episode 94

What is an insider threat? How do you mitigate the impact of an insider threat? From malicious insiders driven by profit or spite to negligent insiders prone to carelessness, and compromised insiders unwittingly manipulated by external forces, Rob Aragao and Stan Wisseman try to unravel the layers of this critical cybersecurity concern.

Drawing on recent incidents such as the Sisense breach and the XZ exploit, they shed light on the evolving tactics employed by malicious actors and highlight the pressing need for robust detection and response mechanisms.

Links to points raised in this episode:

Blog by Stan - 



Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com


[00:00:00] Rob Aragao: Welcome everyone to another episode of Reimagining Cyber. Rob and Stan here, but before we start, we've had a series of updates on the patio, everything that's going on in the back. I mean, listen, what's the latest? We haven't discussed that. Is it still in process? What's happening? 

[00:00:15] Stan Wisseman: So Rob, the latest on the backyard is that the, uh, we're in a wait state.

[00:00:20] So I have everything done. I have the patio. I have the irrigation system in, but the landscaping is going to be at the end of May. So, so, you know, I have, I have a functional fire pit, you know, that's all good. And I use that and everything. But, you know, what I have out there looks sort of like a mutation of the Dune movie.

[00:00:44] Because I have all these irrigation pipes sticking a foot and a half out of the ground in my front yard and backyard. So my neighbors are saying 

[00:00:51] Rob Aragao: like, what's this guy? 

[00:00:52] Stan Wisseman: If you run out of money, you know, 

[00:00:56] Rob Aragao: yeah, then you're tapping the heads off. What are you doing? 

[00:01:00] Stan Wisseman: It's like, no, I need to wait until the landscaping is in, you know, and that's going to be a while.

[00:01:04] So it looks kind of silly. 

[00:01:07] Rob Aragao: You need to put a sign up for your neighbors. Cause they are, you are new to the neighborhood. So you don't want them thinking. 

[00:01:12] Stan Wisseman: They already think I'm weird. So, yeah, 

[00:01:14] Rob Aragao: oddities about Stan. Yeah. 

[00:01:17] Stan Wisseman: So, Rob, that's enough about my, my backyard and my patio and the yard. But anyway, let's, let's dive into our topic today.

[00:01:24] We're going to go into, um, insider threats, what it really means. Um, we're going to talk about the different types of insider threats in the cybersecurity context, as well as approaches to mitigate them. Are you ready? Let's do it. All right. So for our listeners, imagine you're part of a company and this could be anyone, right, an employee, a contractor, or even a business partner.

[00:01:48] Now, because of your role, you've got access to certain company assets, systems, and data. And if for any reason, you know, whether by mistake or on purpose, that inside info gets misused, that's what we call an insider threat. It's like having a security guard turn against the building they're supposed to be protecting, right?

[00:02:13] Rob Aragao: It's like the insider bank heist. 

[00:02:15] Stan Wisseman: Exactly. And then, and we generally have three different types, right? Of insiders that we're trying to keep an eye on. First, we have the malicious insider. Um, those are the individuals who deliberately are trying to harm the organization, perhaps out of spite, perhaps out of profit.

[00:02:33] Um, then we have the negligent insider. They aren't with malicious intent, they're just sloppy or, um, they cause harm due to carelessness or uninformed actions. I mean, and then finally, you have the compromised insider. And we're seeing more and more of those, right? But they're, they're not even aware necessarily that they are a threat.

[00:02:55] But they're typically being manipulated because their account has been, um, circumvented, like, through phishing attacks, right? 

[00:03:03] Rob Aragao: Mm hmm. 

[00:03:03] Stan Wisseman: Now, among all these different actors, or types of insider threats, um, the negligent insiders are probably the most prevalent. You know, it's a, you know, again, those that are not maliciously trying to mishandle data, but, um, they've got weak passwords, they fall for a phishing scam, you know.

[00:03:23] Um, some kind of example of, you know, not putting the right access control. I mean, an example of not putting great access controls on. You saw that, um, incident. It was a big one, um, that came out a couple of weeks ago. Sisense. Yes. Did you see that breach? Yeah. Brian Krebs, I think, was the one that broke it.

[00:03:43] Uh, he, he does a lot of that. I mean, he does a great job of getting early on. 

[00:03:48] Rob Aragao: We, I don't think we've ever mentioned his name before in an episode. Maybe we did, but you know, that's good for the listeners. Krebs on Security, check them out. Definitely a great journalist on cybersecurity. Been doing it for many years.

[00:03:58] So definitely someone to pay attention to. 

[00:04:00] Stan Wisseman: Formerly from the Washington Post. And he took his column that he did there and he's converted it into this whole, um, blog that he does now. Um, but he, he broke the news and, and he said that the, the breach originated from an unprotected token within Sisense's self-hosted GitLab environment.

[00:04:20] And, and this oversight allowed attackers to gain full access to the company's Amazon S3 buckets. And ultimately, their entire cloud environment. And as a result, the attackers were able to exfiltrate several terabytes of sensitive data. That includes like, you know, access tokens, passwords, SSL certificates.

[00:04:41] I mean, a really bad breach and, uh, you know, many, many times these insiders, whether it be, you know, again, negligent ones or malicious or, um, those that are, uh, you know, compromised, um, no matter what type, um, the, the, the way in which you identify them is observing certain behavioral indicators, right? You know, are there unusual things that they're doing, whether it be the information they're accessing, um, the network traffic associated with that user or their accounts?

[00:05:18] Um, it could be something that's an action that's not relevant to their role. Why is a finance person accessing, you know, the source code repo, right? So there are behaviors that serve as sort of that, you know, warning that something's not quite right. Um, and, you know, one of the things that's, I think, increased potential, I guess, opportunity here, is just sort of like the way we've, um, changed the way we worked.

[00:05:48] Right, Rob? I mean, the way in which we are interacting with our businesses today, sort of... 

[00:05:56] Rob Aragao: Well, it, um, it really expands the attack surface overall, where you think about these aspects of the digital transformation efforts that have been going on for the past several years. Um, the expansion into, obviously, as part of the transition, cloud environments, the example of Sisense and getting into that cloud repository is an example of that.

[00:06:17] Um, and just think about, you know, several years back and, you know, unfortunately, everybody went through with COVID. That change of now here's really this shift to complete remote workforces and everything that had to come along with it, you know, what you thought were normal behavior patterns for individuals just completely blew up and changed.

[00:06:35] And you had kind of a whole new baseline that you have to build upon as part of that, those, those challenges. All right. So that's, that's a key aspect of insider threat, um, kind of program evolution. If you think back, Stan, insider threat or insider risk management in and of itself, programmatically, has been around for over 10 years now, right.

[00:06:55] It was back in 2011 where it was an executive order actually that came out that was saying, Hey, listen, you know, you need to ensure that we're starting to pay attention to and building out a programmatic approach to how we deal with insiders from a cyber perspective, as we're talking about it today.

[00:07:10] And so, you know, those are all kinds of key aspects. We just discussed digital transformation, cloud security, um, and, uh, the remote workforce. The other thing though, is what we've been seeing a lot of these different attacks based off of back, you know, late summer last year with the casino breaches and Caesars, the social engineering aspect of it all.

[00:07:28] So that's part of it from an insider threat perspective, right? How you actually are getting back into these environments. Um, and some of the, the, you know, the paths you're taking through social engineering are part of that. You know, a lot, a lot of this, I kind of, I kind of, you know, package it up into there's intentional and then there's the unintentional consequences, right?

[00:07:47] So intentional is, as you were calling out before, right? It's the malicious attacker. And it's just, you know, an actor that's coming in very targeted. Uh, the unintentional is that user that obviously wasn't aware of, you know, their own, uh, uh, credentials being compromised as a way back into the environment.

[00:08:03] But that, you know, this, this whole change and shift, um, and evolution, in essence, of the attack surface for insider threat programs, it's made it much more complex. If we talked about that, you know, as an area of distinction, how do you actually start measuring the differences between that individual's normal activities, um, to, you know, what we're now seeing because of the change in what they do? It could be their role change.

[00:08:26] It could be again, where they're coming from, that they've moved and it's coming from a different IP address. Like all these different aspects have to be taken into account. So there's a lot of moving parts in it, but a lot of it has to do with, you know, just having good core foundational elements in place for, for a program.

[00:08:39] Stan Wisseman: Yeah. I think it was around, um, 12 years ago that I was involved with standing up an insider threat program at Fannie Mae. So when I was still, I was probably the deputy CISO at that time. Um, I guess, you know, the thing is somewhat of a mystery to me. You know, you're right. It's, it's, it's been typically a, a part of organizations' risk management program to recognize that insiders could be a threat.

[00:09:10] And yet, even though organizations have been taking action in this area, there's still been like a surge of this kind of, these kinds of incidents. I mean, 47 percent surge over the last few years and, um, not just minor incidents too, I mean, like we were talking about some major incidents. I mean, the Ponemon Institute, which, you know, obviously does a lot of reports each year that people like to cite.

[00:09:35] Um, they, they had one around this topic that, um, cited, um, 16.2 million dollars being the, the total average cost to resolve these kind of incidents, and that, that number includes not only the direct damages from the data theft or corruption, but also the indirect costs, you know, so investigating the breach, implementing corrective measures, navigating legal repercussions and, and ultimately repairing the damage of trust with your, your customers.

[00:10:08] Right? So a couple of examples. I talked about Sisense earlier. Um, you remember the one with Tesla? So that was a while back, but there were two former employees that leaked sensitive personal data to a foreign media outlet. That breach included information such as names, addresses, employee records, and social security numbers, like 75,000 individuals.

[00:10:30] And so that impacted Tesla's reputation at the time. They've recovered, right? Um, they have other issues, like they're getting impacted by climate activists right now, burning cars in Germany, right? But, you know, but, you know, that impacted their reputation at the time. Another example is Yahoo. Um, there was a departing employee who stole proprietary information, you know, minutes before accepting a job offer from another competitor and yeah, yeah, and that was, you know, information that really could have been, you know, giving a competitive edge to the competitor.

[00:11:07] Rob Aragao: And I think that's where you see, um, maybe not the greatest impact, but definitely significant impact is if, if it's, if you think back to Tesla as an example, what if what the, those two individuals actually were taking beyond, you know, um, you know, kind of user customer information was design concepts, right?

[00:11:26] What's next to come from Tesla? Mm-Hmm. and getting that out there. Right? So I think that especially in the area of manufacturing, we've seen it in some other areas. Around, um, you know, telco manufacturing and, um, you know, just, just access into the designs of what the future of the company basically is relying on and walking out the door with those things.

[00:11:43] So those are major examples around insider threats. 

[00:11:47] Stan Wisseman: I think a couple of sectors are also more, um, prone to these kind of attacks are finance and health care. I mean, finance, because you're dealing with money. Um, health care, because you're dealing with PHI, personal health care information. Um, an example of that was, uh, Yakima Memorial Hospital, um, a couple years back, um, they had an employee entrusted with access to patient data and misused that access and, you know, illegally obtained it and sold patient records.

[00:12:17] And so, in, in, in those highly regulated industries, it's again, not just the, the ramifications of the theft itself, but it's also regulatory penalties, right? for HIPAA violations in this case, right? So that, that's another ramification that, um, that these organizations have to keep in mind is, you know, just not just the cost of the breach, but also the, um, the other things that hit them.

[00:12:44] Rob Aragao: You talked about Stan, as you mentioned about the Ponemon Institute, um, you know, report and the cost associated to insider related breaches, if you will. Um, also in that report was the time to contain, right? So not the time to detect. You've detected. Now, how long does it take to contain? And then with an average of about three months after you've realized that there's an insider threat that's occurred or insider, uh, incident that's occurred, it still takes, you know, close to 90 days to be able to actually contain the situation.

[00:13:15] Stan Wisseman: Well, let's face it. I mean, these individuals, especially those that are, you know, malicious, right? Or compromised accounts, right? Um, they probably have, you know, you know, if, if there are insiders, as far as employees, they probably have some understanding of the security controls and the environment, right?

[00:13:31] If they're, if they're an external actor, the circumvented account, they are doing the discovery and they understand and learn quickly what the controls are, and that familiarity with the controls and the processes enables them to evade detection. And potentially for extended periods of time, right? To your point about how long it takes to contain even when they've been identified.

[00:13:52] Um, and so that, you know, being able to go under the radar, you know, complicates efforts. 

[00:13:59] Rob Aragao: It does. It does. So let's pivot this a little bit into, um, you know, what are some of the mitigation strategies, in essence, you can put in place to help, right? So, so some things, um, that, and even the Ponemon report actually calls this out as well.

[00:14:11] But I mean, these are common things you should be considering: your, your educational aspects, right? So your employee training awareness, you have to give examples to them as to, you know, these are the things you need to be, uh, um, aware of, um, this is the way, not just from a technology perspective, but also how you engage with people.

[00:14:27] Cause again, social engineering, as we talked about earlier, is the key, uh, attack vector, especially. So again, training, awareness, um, monitoring tools, right. So, you know, security incident, um, and event management tools, uh, XDR solutions. So, you know, how do you have visibility across what's happening in your environments that look, um, um, you know, as a way to detect unusual behaviors.

[00:14:50] Another one they called out was around privileged access management. So providing more strict controls, access controls, um, around privileged users. So that would be typically more your administrator type of, uh, functional roles. 

[00:15:01] Stan Wisseman: But let's, well, let's face it. One of the, one of the challenges is just the over entitlement 

[00:15:05] Rob Aragao: of 

[00:15:07] Stan Wisseman: users, right?

[00:15:07] I mean, the fact that many times that review process of, of ensuring that users only have the entitlements they need for their role is not necessarily as rigorous as it should be, and therefore you end up with users with, with privileges or entitlements to do things that can do harm. And it's not necessarily

[00:15:30] um, important for their role. Right. So you definitely have to be on top of that. 

[00:15:34] Rob Aragao: You do, and, and, you know, that, that actually is a great area of like identity governance, being able to provide, you know, visibility to who has what entitlements, you know, should they, shouldn't they make the decisions, uh, push the button to obviously change that, especially if their role has changed.

[00:15:47] I, I've seen examples, especially in the, um, the higher ed space where, you know, the researchers' side has to have, right, complete, well, at least they believe they have to have complete access, right? To everything and anything. You're not 

[00:16:01] Stan Wisseman: going to constrain me. Don't constrain me. 

[00:16:03] Rob Aragao: Uh, the other thing that's a growing area of interest is around, uh, ITDR, right?

[00:16:08] So identity threat detection response. And this was called out as well, because it's a great principle of how it's more of a framework based approach, but it's a great principle of how you have kind of the aspect of prevention, um, specifically focused on the identities. Right. And so what is it that we're doing to control the identities, access into the environment, to validate?

[00:16:28] They are where they say they are. The things we just talked about: has their role changed and should they have different types of entitlements into the organization and specific applications? So that's fine. That's more of the preventative kind of control mechanism of ITDR. The secondary aspect is now more that detect and response piece, right?

[00:16:45] So, so now you see that there's something that's going on. Um, it's an additional, you know, layer of defense or set of defenses, in essence, that come into play that give you ways to identify that there's something that seems to be a bit off. Again, it could be behavioral. Uh, it could be leveraging things where you map into, um, the MITRE ATT&CK framework as an example, which we've talked about in previous episodes.

[00:17:06] So the MITRE ATT&CK framework is a great way to be able to start looking and identifying your different, uh, TTPs that the attackers are taking. So tactics, techniques and procedures. Um, and so you have good visibility awareness of some of the different things that the adversary may be attempting to do, and therefore your detection and response capabilities

[00:17:28] would be able to help kind of flag those for you and pick up on, you know, again, where there might be something that could be an insider risk or insider threat type of, um, concern to deal with. So, so I think, you know, those are some of the different mitigation strategies that are called out that are important and key principles to consider.

[00:17:44] One of the things we can also, again, add into show notes is mapping it back to the MITRE ATT&CK framework link. So you have some principles to kind of go better educate yourself there and, uh, and help with some of these different mitigation strategies, if you will. 

[00:17:58] Stan Wisseman: MITRE has also, I think, created a knowledge base around insider threats.

[00:18:03] So I think, you know, again, that, um, leveraging of the, of the ATT&CK framework with the specific tactics of insiders is, is, is, is very valuable as you're looking at your program and what you need to detect. Um, hey, so I want to share one incident that, that has been top of mind for me. I was just at the Linux Foundation Open Source Summit North America last week in Seattle, and I had a chance to present some findings on a Forrester survey.

[00:18:33] The one we covered back in episode 88. So we, we, we, covered it back then, but had a chance to talk about it there. Um, and even though I was only there for a day at the conference due to other commitments, I had to travel out of Seattle. Um, I, I caught the keynote and, um, one of the things they talked about was this XZ exploit.

[00:18:55] Um, and for those that don't know, it's, it's a critical vulnerability within the XZ compression tool. And it was unearthed by Andres Freund, who is a Microsoft researcher, who's not typically involved with security at all. Um, and this attack certainly was creating some buzz because it, it certainly highlighted some of the complex and, and protracted tactics of infiltration employed by malicious actors within the open source community.

[00:19:29] It certainly is a software supply chain kind of attack. It reminds me of SolarWinds, but that was to a proprietary, you know, company, right. But in this context it's open source. Um, it's an example though, of a malicious insider threat. Um, cause this, you know, it was orchestrated by an attacker that is only known as Jia Tan, um, they don't really know who was behind that name.

[00:19:56] Um, but it involved, you know, the discrete insertion of malicious code into the XZ project's test scripts, um, which during the build process was incorporated into a library responsible for compression operations, and the RCE, or the remote code execution, um, would activate the download and execution of malicious payloads upon connecting to an SSH server.

[00:20:24] And obviously that would be, you know, a substantial threat to any connected system. And Freund, this Microsoft researcher, he stumbled upon this XZ exploit, you know, he was just conducting routine maintenance and he noticed unusual behavior. It was slow. Yeah. And, you know, as far as the SSH process and, and that led him to investigate.

[00:20:50] Fortunately he was a curious guy, thankfully. Right. I mean, thankfully initially he just like, he just dismissed it as, it just, you know, hey, I'm jet lagged, you know, blah, blah, blah. But he went back and, and looked into it and his keen observation and deep dive into the utility's code revealed the exploit.

[00:21:08] And he obviously swiftly raised the alarm about the vulnerability and potentially he averted a significant disaster. I mean, but this Jia Tan, and again, we don't know who to attribute it to ultimately, but the method of building trust and credibility over several years exemplifies the challenge in detecting and preventing these types of insider threats, you know, so that subtle and methodical approach is, is really tough.

[00:21:38] Rob Aragao: It is. It is. And I think, you know, so that that lends to it as we've been talking. This is not only a technology issue, right? There's that trust. There's that factor of the social engineering aspect that comes into play. So this is all part of, you know, true, you know, insider threat risks that, that are being seen out there have been going on for many, many years, just another avenue, obviously through the cyber realm.

[00:21:59] Um, but we covered it, right? We covered as you called out Stan, the different types of insiders, kind of how you categorize them, if you will, um, how things have become even that much more complex and things have evolved, um, the impacts from a financial perspective. The mitigation strategies, some different thoughts on that different use cases examples we discussed, you know, some, some things to consider.

[00:22:21] We've already called out. So, definitely the, the MITRE insider threat TTP knowledge base that you referred to that's available out there. Take advantage of it. Carnegie Mellon years ago actually came out with an insider risk program as well, kind of, you know, what the key attributes are you should consider as part of a program.

[00:22:39] Now, they've actually, in conjunction with CISA, come out with the insider risk mitigation program evaluation. Again, we'll link into the show notes so you can take a look at it. It's a pretty, pretty solid resource to take advantage of. And then from my perspective, you know, one thing that I've seen across the years, Stan, is where insider threat programs

[00:23:00] have not been successful has been more so where it's only been driven from the technology side. It's only been driven from like the cybersecurity organization and they kind of, they forgot to go get the buy-in from legal. HR, you know, now privacy. Exactly. Yeah. I mean, 

[00:23:21] Stan Wisseman: it really, it really is cross functional.

[00:23:22] It really 

[00:23:22] Rob Aragao: is. Because now you're dealing with, you know, insiders. So you could be like, hey, listen, no, that's really an actual employee that is not doing anything wrong, as you discussed, one of the three kind of aspects of an insider, um, but you're looking and understanding what they're doing. So there's an aspect there you have to take into consideration.

[00:23:39] And then when it's something that's real as an attack vector, and you need to actually go through and deal with the formal investigation, prosecution, and the lawful approach, right? So they all have to be connected and bought into it. So that's the, I think, a key aspect is making sure that the stakeholders are truly involved, bought in and all connected as to what you're trying to accomplish with the insider threat or insider risk program.

[00:24:02] Stan Wisseman: Well, I mean, again, the technology could be some kind of machine learning that helps you identify anomalies, right? That's all well and good, but you're, you're typically going to have to be reaching out to the other organizations to say, is this employee's behavior something that you're familiar with? And if you're, if you're reaching out and they're, there's like, you know, they're not really in the context of why are you doing this?

[00:24:29] Um, then you may get blowback because of that monitoring, even though that's something you as a, as an organization typically have the authorization to do. So you, you, you want to leverage the tools to help identify those anomalies, but you have to have the, the relationships and the understanding of why, um, as you follow up.

[00:24:49] Cause you inevitably have to follow up and confirm that this behavior is not part of their role and their function, and this is definitely a potential symptom of either them being circumvented or they are a malicious actor in your environment. So, yeah, I think there are a lot of tools that you can take advantage of, but to your point, the program has to be comprehensive and pulling in the right people to ensure it's 

[00:25:13] Rob Aragao: successful.

[00:25:14] Absolutely. Well, good. I, I think, you know, again, this is another topic that, uh, hopefully the listeners appreciate some sort of education that we're putting out there as part of our different conversations we're having. Something that's been going on for quite some time, but it continues to get even more complicated.

[00:25:27] And some of these examples you just referenced, um, I think just really shine a spotlight on it. So until next time, Stan, always good talking. Until next time.