As organizations increase spending on cyber security and hire more information security specialists, hackers continue to seek the most vulnerable targets for financial gain. One of the foundational precepts of contemporary security analysis is that as greater technical barriers are enacted to secure computer networks against external hacks, human users have become the weakest link in cybersecurity.
Surveys uniformly confirm that critical breaches by outsiders are achieved through the compromised insider credentials of an organization’s employees. In a Black Hat 2017 attendee survey, nearly one-third (32%) of respondents said accessing privileged accounts was the number one choice for the easiest and fastest way to get at sensitive data, followed closely by 27% indicating access to user email accounts was the easiest path to capturing critical data.
The goal of an attacker is to steal the victim’s valid credentials and look like a legitimate employee going about his normal business, for as long as possible. In achieving success this way, the outsider is immediately transformed into what we refer to as a shadow insider – an outsider who has become a malicious insider through the use of malware, compromised user credentials, and compromised devices. When you consider that average dwell times are currently in excess of 200 days, the undetected existence of a shadow insider threat can have devastating consequences for a business.
A recent insider threat study commissioned by Cybersecurity Insiders, an online community of information security professionals, shows that the main enabling risk factors include too many users with excessive access privileges (cited by 37 percent of respondents), an increasing number of devices with access to sensitive data (36 percent), and the increasing complexity of IT (35 percent). A large majority of organizations - some 90 percent - are vulnerable to insider security threats, and about half experienced an insider attack in the last 12 months.
Not all human threats to cybersecurity involve unwitting victims. The cases of massive data dumps involving Edward Snowden and others are reminders that malicious insiders also pose a significant security risk. Insider threats are often more damaging than attacks from malicious outsiders or malware because they are launched by ostensibly trusted insiders - malicious insiders and negligent insiders with privileged access to sensitive data and applications. The Black Hat survey also identified security professionals’ greatest concerns, with 50% of respondents citing phishing, social network exploits, or other forms of social engineering focused on the insider as their #1 concern (up from 46% in 2016), closely followed by 45% naming sophisticated, targeted attacks such as APTs as their #2 concern.
Figure: A survey of 580 top-level cybersecurity professionals who attended the 2017 Black Hat USA conference indicates that the most-feared cyber attacker is an insider.
Today, if an attacker with resources wants to access your network, it’s likely that he or she will be successful. Because of this, stopping attacks from external sources is not enough. CISOs also need to monitor their networks for anomalous behavior and advanced persistent threats (APTs) that may have already infiltrated the network. An APT is a perfect example of an outsider threat that was successfully converted into a shadow insider threat.
In advanced threats, the attacker will spend a large amount of time researching a list of potential targets, gathering information about the organization's structure, clients, etc. The social media activity of people in the target company will be monitored to extract information about the systems and forums favored by each user, and any technology vulnerabilities will be assessed. Once a weakness is found, the next step the attacker will take is to breach the cyber security perimeter or send emails containing malicious software like ransomware and attempt to gain access, which, for most attackers, is easily done. The former outsider is now a shadow insider.
However, most enterprise information security spending to date has focused on prevention in a misguided attempt to prevent all attacks. This is a futile effort. When it comes to dealing with advanced targeted attacks, prevention-centric strategies are obsolete. The Cybersecurity Insiders survey found that organizations are shifting their focus to detection of insider threats (64%), followed by deterrence methods (58%) and analysis and post-breach forensics (49%). The use of user behavior monitoring is accelerating: 94% of organizations deploy some method of monitoring users and 93% monitor access to sensitive data. Traditional approaches which focus on outsider threats to protect networks and user devices are ineffective, because they do nothing to protect against advanced targeted attacks that gain credentialed access. An attacker who has gained credentialed access is transformed into a shadow insider and now represents an insidious and invisible threat.
So, which represents the greater danger to the security of the enterprise… outsider or insider? Clearly, the edge now goes to the insider.
Securing enterprises today against insider threats requires a shift to data-centric security strategies that support rapid detection and response capabilities. Better detection requires detailed, pervasive and context-aware monitoring to identify these threats combined with security analytics driven by AI and machine learning. However, for context-awareness to be effective and provide meaningful and actionable information, it must be built on a model that can address multiple, inter-related elements within a dynamic, networked environment.
Whenever an incident occurs, IT security teams want to be able to instantly and accurately answer four critical questions: What data has been compromised, by whom, using what device, and from where? The most important context of all is the inter-relationship among four security vectors: users, devices, applications, and data.
Why is the inter-relationship among these vectors critical? Because it’s the only way a user’s behavior can be precisely profiled, and an anomaly can be detected with minimal false positives. By understanding what devices a user normally uses, what kinds of sensitive data the user accesses, and typically from which servers/applications, we draw a much more comprehensive and accurate profile of the user. This rich detail enables us to detect his/her deviation from the normal work pattern, regardless of whether this user is a shadow insider or not.
For example, a user who has typically downloaded customer contact info (PII) from server #1 in the past is suddenly observed downloading volumes of source code from server #2. By correlating this user with the types of data typically accessed (PII) and the services/applications typically accessed (in server #1), OnFire can immediately detect the shift in the behavioral pattern. Obviously, without this depth of inter-relationship visibility, such subtle changes in behavior won’t be easily detected by any non-relationship-based methods.
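The scenario above, as an added illustration that is not OnFire code or any HoloNet product logic: a per-user baseline linking the four vectors (user, device, server/application, data class) is built from a few constructed access records, and a new event is scored by which vectors it deviates on. The log format, field names and the volume threshold are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample access records (not real logs): user,device,server,data_class,bytes
BASELINE_LOG = [
    "alice,laptop-01,server-1,PII,120000",
    "alice,laptop-01,server-1,PII,98000",
    "alice,laptop-01,server-1,PII,150000",
    "bob,workstation-07,server-2,SOURCE_CODE,400000",
    "bob,workstation-07,server-2,SOURCE_CODE,380000",
]

def parse(line):
    """Split one access record into its user/device/server/data-class/size fields."""
    user, device, server, data_class, size = line.strip().split(",")
    return {"user": user, "device": device, "server": server,
            "data_class": data_class, "bytes": int(size)}

def build_profiles(lines):
    """Per-user profile: the devices, servers, data classes and volumes seen in the baseline."""
    profiles = defaultdict(lambda: {"devices": set(), "servers": set(),
                                    "data_classes": set(), "sizes": []})
    for rec in map(parse, lines):
        p = profiles[rec["user"]]
        p["devices"].add(rec["device"])
        p["servers"].add(rec["server"])
        p["data_classes"].add(rec["data_class"])
        p["sizes"].append(rec["bytes"])
    return profiles

def score_event(profiles, line, volume_factor=3.0):
    """Return the vectors on which this event deviates from the user's baseline profile."""
    rec = parse(line)
    p = profiles.get(rec["user"])
    if p is None:
        return ["unknown_user"]  # no baseline at all: treat as a deviation in itself
    deviations = []
    if rec["device"] not in p["devices"]:
        deviations.append("device")
    if rec["server"] not in p["servers"]:
        deviations.append("server")
    if rec["data_class"] not in p["data_classes"]:
        deviations.append("data_class")
    mean_size = sum(p["sizes"]) / len(p["sizes"])
    if rec["bytes"] > volume_factor * mean_size:  # assumed threshold: 3x the user's mean
        deviations.append("volume")
    return deviations

def is_anomalous(profiles, line):
    """True when the event deviates on at least one of the correlated vectors."""
    return len(score_event(profiles, line)) > 0
```

A single-vector check (for example, only "is this server permitted?") would miss alice's shift if server-2 were merely unusual rather than forbidden; correlating all four vectors is what makes the shift stand out.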
OnFire from HoloNet Security deploys a patent-pending Network Hologram technology to immediately link a user with his/her devices, applications, and data accessed to create comprehensive, precise, individual user behavioral profiles. OnFire functions like an intelligent digital video camera in cyberspace by monitoring and recording the movements of every piece of sensitive data, linking it to its actual user in real-time, and using AI to detect any anomalous user or device activities. In the inevitable event of a breach, like a traditional surveillance camera, the OnFire cybercamera can instantly identify suspects to jump-start the investigative response.
This blog reflects the contributions of the HoloNet team and guest bloggers who are data security experts. HoloNet Security is led by a team of seasoned security industry professionals with a proven record of success creating innovative security products and services.