DECOYnet™
What is an Insider Threat?
An insider threat is a person who facilitates malicious activity against the organization in which
he or she works. Many root causes of the phenomenon can be listed, but most fall into three
categories:
• The desire for financial gain and power
• An inherent disloyalty to the organization
• Irresponsibility and lack of knowledge
Whilst this paper is concerned primarily with how to prevent organizations from being compromised
by insiders, it is worth first taking a closer look at these insider types.
Insider Threats and Financial Gain
Money, as the song goes, makes the world go round and, human nature being what it is, there
are those who prefer to get their money by stealing. This is illustrated by the rising number of
‘sophisticated’ or ‘advanced’ cyber attacks exposed of late. Such attacks represent a growing
branch of the crime industry, in which the players look to profit from getting their hands on
others’ intellectual property, business plans, strategies, customer lists, personal information
and more. These resources can be worth money, sometimes big money, to competitors.
A similar attack pattern exists in the activities of national intelligence agencies, spy rings and
the like, where arguably, the motive is oriented more towards power than money, but in most
respects, the mode of operation is similar to the financial gain pattern.
Workers in all types of organization, large and small, strategic and commercial, may be
approached by people who offer them attractive rewards for assisting them. This assistance can
range from considerable complexity, involving covert, even subversive, activity such as seeking
out sensitive information in the organization’s information systems, down to a one-time action
like copying a file to the network. The ‘agents’ who recruit in this way are skilled enough to
know how to identify ‘suitable’ inside partners. They have a knack of finding out who is in debt,
has heavy financial obligations or a low work ethic, is unhappy with their current situation or
is simply unsuspecting.
contact@topspinsec.com | www.topspinsec.com
Copyright © 2015 TopSpin Security
Insider Threats and the Inherently Disloyal
The inherently disloyal include people who feel the need to get even after anger or
disappointment with their current employer, and also spies who joined the organization under
the pretense of being honest workers while having malicious intentions from the outset. People
in such positions may be entrusted with direct or indirect access to sensitive information or
computing resources that they, or the attackers they partner with, can later exploit.
Furthermore, an employee on the inside who is actively seeking a willing partner outside the
organization for their malicious activity, or who already has one, has completed the first stage
of an attack before it even starts.
The Irresponsible or Uneducated Insider Threat
Many information leaks and other kinds of damage to an organization’s information systems
stem not from malicious intent but from lack of thought or lack of understanding. This covers a
wide range of issues, including the organization’s policy on educating staff about information
security, unsafe backup mechanisms, workers not keeping their passwords safe, the use of
personal devices such as smartphones to store corporate information, and more.
These non-malicious actions, bad practices and carelessness can be exploited by others,
outsiders, with their own malicious intent.
Employees may be entrusted with access to sensitive information, or have access to computing
resources that an attacker can leverage to reach it, without the employee being aware of it.
Insider Threats – Why Now?
Spies, traitors, conspirators, collaborators, the disgruntled and the careless were around long
before the invention of the computer, so why is it such a hot topic today in the realm of cyber
security?
There are several answers to this question. The first is the ongoing and rising public
awareness in our society. Breaches that were kept quiet in the past can be and often are
exposed in minutes to large audiences. News of cyber attacks travels fast and wide.
The second answer is that our lives are becoming more digitized all the time and access to
sensitive data is part of the modern computerized working environment. Increased computing
power, more versatile software and a greater use of these technologies by the masses makes
it easier and more efficient than ever before to steal online.
Another reason insider threats are now emerging as a major security concern is that many
classic security measures, such as firewalls and antivirus products, have largely reached the
limits of their capabilities. They present a reasonably effective line of defense against
mass-produced viruses, trojans, spyware and the like, but they are built, by design, to match
signatures or other known patterns, such as the origin of requests reaching them. They fail to
identify sophisticated or targeted attacks such as APTs (advanced persistent threats) because
these are invariably custom-made and cannot be matched against information collected in
security databases.
Advanced Attack Patterns and the Human Factor
The resources invested per target in a targeted attack are much greater than in the broad
attack patterns mentioned above, and this is where the insider fits into the conspiracy. The
perpetrator of a mass-distributed spyware application will not invest money and time in
individuals; they rely on high numbers and a relatively low hit rate.
A targeted attack, however, is planned, financed and executed with one target organization, and
the specific information wanted from it, in mind, so buying a person on the inside can be a
cost-effective component of the operation.
The pattern of the inherently disloyal, described above, fits the big-money picture too: the
disgruntled worker may initiate the scheme, looking for a financial incentive.
Insider Threats, Firewalls and TopSpin Security
With sophisticated targeted attacks a growing menace to commercial and governmental
institutions, and with wide acceptance that preventing infection outright is no longer realistic,
TopSpin Security’s DECOYnet™ is a security solution that is independent of the means by which
attackers came to be present in the system. It is built to defeat attacks in progress, which
makes it equally effective against malicious individuals actively working inside the organization
and against outsiders who have got through, or around, the firewall.
DECOYnet™, as its name implies, employs decoys as the central vehicle for identifying and
eliminating attacks. These decoys are sophisticated honeypots that appear to the attacker to be
network resources containing ‘desired’ information. They draw attackers into investigating them
and contain fabricated jewels of information that induce the attacker to steal them.
Because the decoy looks like a genuine network resource, a malicious insider trying to steal
information directly and the command-and-control (C&C) software that the insider has helped get
into the system both encounter the same picture. Both find the decoy, investigate it and try to
exfiltrate what they find in it.
The decoy interacts with, observes and ultimately slows down the attacker’s activity. Once the
attacker is detected, a full forensic path is available and the elimination of the threat
becomes trivial.
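The mechanism described above, as an added example: a minimal decoy service with a forensic access log and a honeytoken check. This is illustrative code written for this page, not TopSpin's code and not how DECOYnet™ is implemented. The line protocol, file names, account name and sample auth-log lines are all assumptions constructed for the example. The two points it shows are that no legitimate workflow ever references a decoy, so any contact with it is a detection in itself, and that fabricated "jewels" become a second detector when the attacker tries to use them on a real system.

```python
"""Decoy network resource with a forensic access log and honeytoken check.

Added example (not TopSpin's code). All names, the wire protocol and the
sample log lines are constructed assumptions for this illustration.
"""
import re
import socketserver
import threading
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fabricated contents (constructed). svc_backup is a honeytoken: the account
# does not exist anywhere, so any login attempt with it means the file was stolen.
DECOY_FILES = {
    "Q3_customer_list.csv": b"Acme Corp,cfo@acme.example\n",
    "svc_backup_creds.txt": b"user=svc_backup pass=Hx7!notreal\n",
}
HONEYTOKEN_USERS = {"svc_backup"}


@dataclass
class AccessEvent:
    ts: str
    src: str      # client address
    op: str       # LIST, GET or UNKNOWN
    target: str   # file name for GET, otherwise ""
    size: int     # bytes handed to the client


@dataclass
class DecoyLog:
    events: list = field(default_factory=list)
    _lock: threading.Lock = field(default_factory=threading.Lock)

    def add(self, ev: AccessEvent) -> None:
        with self._lock:
            self.events.append(ev)

    def forensic_path(self, src: str) -> list:
        """Everything one client did to the decoy, in order."""
        return [e for e in self.events if e.src == src]


def handle_request(log: DecoyLog, src: str, line: str) -> bytes:
    """Answer one request in an assumed line protocol and record it.
    LIST -> file names; GET <name> -> fabricated contents; else ERR (still logged)."""
    parts = line.strip().split(maxsplit=1)
    op = parts[0].upper() if parts else ""
    target = parts[1] if len(parts) > 1 else ""
    if op == "LIST":
        body = ("\n".join(sorted(DECOY_FILES)) + "\n").encode()
    elif op == "GET" and target in DECOY_FILES:
        body = DECOY_FILES[target]
    else:
        op, body = "UNKNOWN", b"ERR\n"
    log.add(AccessEvent(datetime.now(timezone.utc).isoformat(), src, op, target, len(body)))
    return body


def alerts(log: DecoyLog) -> dict:
    """Severity per source. Any contact with the decoy is MEDIUM (nobody should be
    there); actually reading a file, i.e. taking the bait, is HIGH."""
    out = {}
    for e in log.events:
        if out.get(e.src) != "HIGH":
            out[e.src] = "HIGH" if e.op == "GET" else "MEDIUM"
    return out


_AUTH_RE = re.compile(r"user (\S+) from (\S+)")  # assumed sshd-like log format


def honeytoken_hits(auth_log_lines) -> list:
    """(source, user) pairs where a fabricated account was tried on a real host:
    the stolen jewel being cashed in."""
    hits = []
    for ln in auth_log_lines:
        m = _AUTH_RE.search(ln)
        if m and m.group(1) in HONEYTOKEN_USERS:
            hits.append((m.group(2), m.group(1)))
    return hits


class _Handler(socketserver.StreamRequestHandler):
    def handle(self):
        for raw in self.rfile:
            resp = handle_request(self.server.log, self.client_address[0], raw.decode(errors="replace"))
            self.wfile.write(resp)


def serve(log: DecoyLog, host: str = "127.0.0.1", port: int = 0):
    """Start the decoy on a background thread; returns the server (see .server_address)."""
    srv = socketserver.ThreadingTCPServer((host, port), _Handler)
    srv.log = log
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    decoy_log = DecoyLog()
    server = serve(decoy_log)
    print("decoy listening on", server.server_address, "- try: printf 'LIST\\n' | nc host port")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        server.shutdown()
```

Run it and connect with `nc` to see events accumulate in `decoy_log`; `alerts()` is what a real deployment would forward to the SOC, and `forensic_path()` is the per-attacker timeline the text refers to. Feeding the honeytoken username into whatever alerting watches the real authentication logs is what turns the fabricated file into a tripwire after it leaves the decoy.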