DECOYnet™

What is an Insider Threat?

An insider threat is a person who facilitates malicious activity against the organization in which he or she works. Many reasons can be listed as root causes of the phenomenon, but most can be categorized into the following three:

- The desire for financial gain and power
- An inherent disloyalty to the organization
- Irresponsibility and lack of knowledge

Whilst this paper is concerned primarily with how to prevent organizations being compromised by insiders, it is worth first taking a closer look at these insider types.

Insider Threats and Financial Gain

Money, as the song goes, makes the world go round, and with human nature being what it is, there are those who prefer to get their money by stealing. This is illustrated in the rising number of ‘sophisticated’ or ‘advanced’ cyber attacks being exposed of late. Such attacks represent a growing branch of the crime industry, in which the players are looking to reap the rewards of getting their hands on others’ intellectual property, business plans, strategies, customer lists, personal information and more. These resources can be worth money, sometimes big money, to competitors. A similar attack pattern exists in the activities of national intelligence agencies, spy rings and the like, where arguably the motive is oriented more towards power than money, but in most respects the mode of operation is similar to the financial gain pattern.

Workers in all types of organization, large and small, strategic and commercial, may be approached by people who offer them attractive rewards for assisting them. The complexity of this assistance can be considerable, ranging from covert malicious, even subversive, activity of seeking out sensitive information in the organization’s information systems, down to a one-time action like copying a file to the network. The ‘agents’ who recruit in this way are skilled enough to know how to identify ‘suitable’ inside partners. They have a knack of finding out who is in debt, has heavy financial obligations or a low work ethic, is unhappy with their current situation or is simply unsuspecting.

contact@topspinsec.com | www.topspinsec.com Copyright © 2015 TopSpin Security

Insider Threats and the Inherently Disloyal

The inherently disloyal includes people who feel the need to get even following anger or disappointment with their current employer, and also includes spies who joined the organization under the pretense of wishing to be an honest worker while having malicious intentions from the outset. People in such situations may be entrusted with direct or indirect access to sensitive information or computing resources that they or their partnered attackers can later exploit. Furthermore, an employee on the inside who is actively seeking a willing partner outside the organization for their malicious activity, or who already has one, has already achieved the first stage of a malicious attack before even starting.

The Irresponsible or Uneducated Insider Threat

Many sources of information leaks or other damage to an organization through its information systems stem not from malicious intent but from lack of thought or lack of understanding. This covers a wide range of issues, including organizational policy towards educating staff about the security of information, unsafe backup mechanisms, workers not keeping their passwords safe, usage of personal devices like smartphones to save corporate information, and more. These non-malicious actions, bad practices and carelessness can be exploited by others, outsiders, with their own malicious intent. Employees may be entrusted with access to sensitive information, or have access to computing resources that the attacker can leverage to reach it, even if the employee is not aware of it.

Insider Threats – Why Now?
Spies, traitors, conspirators, collaborators, the disgruntled and the careless were around long before the invention of the computer, so why is it such a hot topic today in the realm of cyber security? There are several answers to this question.

The first is the ongoing and rising public awareness in our society. Breaches that were kept quiet in the past can be, and often are, exposed in minutes to large audiences. News of cyber attacks travels fast and wide.

The second answer is that our lives are becoming more digitized all the time, and access to sensitive data is part of the modern computerized working environment. Increased computing power, more versatile software and greater use of these technologies by the masses make it easier and more efficient than ever before to steal online.

Another reason why insider threats are now emerging as a major security concern is that many of the classic security measures, such as firewalls and antivirus products, have to a large degree reached the limits of their capabilities. They present a reasonably effective line of defense against mass-produced viruses, trojans, spyware and the like, but they are, by design, built to identify signatures or other behavior patterns such as the location of origin of requests reaching them. They fail, however, to identify sophisticated or targeted attacks such as APTs (advanced persistent threats), because these are invariably custom-made and cannot be identified using information collected from security databases.

Advanced Attack Patterns and the Human Factor

The resources per target invested in a targeted attack are much greater than in the broader attack patterns mentioned above, and this is where the insider fits into the conspiracy. The perpetrator of a mass-distributed spyware application will not invest money and time in individuals; they go for the equation of high numbers and a relatively low hit rate. The targeted attack, however, is planned, financed and executed with one target organization in mind, from which the desired information is to be obtained, and so purchasing a person on the inside can be a cost-effective component of the operation. The pattern of the inherently disloyal, described above, fits the big-money picture nicely too. The disgruntled worker may initiate the scheme, looking for a financial incentive.

Insider Threats, Firewalls and TopSpin Security

With sophisticated targeted attacks becoming a growing menace to commercial and governmental institutions, and the widespread acceptance of the fact that prevention of infection has long since become unrealistic, TopSpin Security’s DECOYnet™ is a security solution that is independent of the means by which attackers came to be present in the system. It is a system built to defeat attacks in progress, and this makes it equally effective against malicious individuals actively working inside the organization and against outsiders who have got through, or around, the firewall.

DECOYnet™, as its name implies, employs decoys as a central vehicle for the identification and elimination of attacks. These decoys are sophisticated honeypots that appear to the attacker to be network resources containing ‘desired’ information. They draw attackers into investigating them and actually contain fabricated jewels of information that tempt the attacker into stealing them. Because the decoy looks like a genuine network resource, the malicious insider trying to steal information directly and the command-and-control (CnC) software that the insider has helped get into the system both encounter the same picture. Both find the decoy, investigate it and try to exfiltrate what they find in it. The decoy interacts with, observes and ultimately slows down the attacker’s activity. Once detected, a full forensic path is available and the elimination of the threat becomes trivial.
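The decoy principle described above, as an added example that is not TopSpin Security’s code and says nothing about how DECOYnet is built internally: a detector that reads a constructed file-share audit log, flags any account that touches a decoy path (legitimate users have no reason to open bait), grades the alert by whether the decoy content was copied off the share, and assembles every event for that account and host as the forensic path. The CSV log format, the decoy paths, the account names and the sweeper allowlist are all assumptions made for the example.

```python
"""
Decoy (honeyfile) access detector over a constructed file-share audit log.
Added example only; not TopSpin Security's code and not DECOYnet's internals.
Assumed audit feed: CSV with columns timestamp,user,host,action,path.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass, field

# Paths that exist only as bait; nobody has a business reason to open them. (assumed)
DECOY_PATHS = {
    "/shares/finance/acquisition_targets_2015.xlsx",
    "/shares/eng/prod_db_credentials.txt",
}
# Accounts that legitimately sweep every file (backup, AV, indexer); without this
# allowlist the decoys would fire on every backup run. (assumed account name)
EXPECTED_SWEEPERS = {"svc-backup"}
# Actions that move content off the share are treated as exfiltration attempts.
EXFIL_ACTIONS = {"copy", "upload"}

# Constructed sample log; not real traffic.
SAMPLE_AUDIT_LOG = """\
timestamp,user,host,action,path
2015-06-01T09:00:05,alice,WS-101,read,/shares/hr/handbook.pdf
2015-06-01T09:12:40,svc-backup,BK-01,read,/shares/finance/acquisition_targets_2015.xlsx
2015-06-01T10:02:11,bob,WS-207,list,/shares/finance/
2015-06-01T10:02:30,bob,WS-207,read,/shares/finance/q1_report.pdf
2015-06-01T10:03:02,bob,WS-207,read,/shares/finance/acquisition_targets_2015.xlsx
2015-06-01T10:03:15,bob,WS-207,copy,/shares/finance/acquisition_targets_2015.xlsx
2015-06-01T10:20:44,alice,WS-101,read,/shares/hr/benefits.pdf
2015-06-01T11:45:09,carol,WS-333,read,/shares/eng/prod_db_credentials.txt
"""


@dataclass(frozen=True)
class Event:
    timestamp: str
    user: str
    host: str
    action: str
    path: str


@dataclass
class Alert:
    user: str
    host: str
    severity: str  # "exfiltration" if a decoy was copied/uploaded, else "reconnaissance"
    decoys_touched: list = field(default_factory=list)
    forensic_path: list = field(default_factory=list)  # every Event by this user/host


def parse_log(text):
    """Parse the CSV audit feed into Event records."""
    return [Event(**row) for row in csv.DictReader(io.StringIO(text))]


def detect(events, decoys=DECOY_PATHS, sweepers=EXPECTED_SWEEPERS):
    """Return one Alert per (user, host) that touched a decoy, earliest activity first."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e.user, e.host)].append(e)
    alerts = []
    for (user, host), evs in by_actor.items():
        if user in sweepers:
            continue  # expected full-share readers are excluded before scoring
        evs.sort(key=lambda e: e.timestamp)
        touches = [e for e in evs if e.path in decoys]
        if not touches:
            continue
        exfil = any(e.action in EXFIL_ACTIONS for e in touches)
        severity = "exfiltration" if exfil else "reconnaissance"
        # The whole trail for this actor is kept: what was listed and read before
        # the decoy was opened is the context an investigator wants.
        alerts.append(Alert(user, host, severity, sorted({e.path for e in touches}), evs))
    alerts.sort(key=lambda a: a.forensic_path[0].timestamp)
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_AUDIT_LOG)):
        print(f"[{a.severity}] {a.user}@{a.host} touched {a.decoys_touched}")
        for e in a.forensic_path:
            print(f"    {e.timestamp} {e.action:5} {e.path}")
```

Two points the example makes that the prose leaves implicit: a decoy only produces a clean signal if the accounts that are supposed to read everything are accounted for, and the value of the alert lies in the trail around the decoy touch (here bob’s directory listing and reads of genuine files before the copy), not in the touch alone. Whether a read of a bait file is visible at all depends on object-access auditing being enabled on the share in the first place.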