Intentional or unintentional? The impact of insider threats


What is an insider threat?

Picture this: someone on your team is not who they say they are. It could be the person sitting next to you, if you’re lucky enough to be in an office, or someone on your next Zoom call. They’re using their privileged access to your network to steal your IP, the source of your business income. It’s straight out of a Hollywood movie, but insider threats are impacting Australian businesses right now, and you need to protect yourself with effective cyber security.

Broadly speaking, insider threats fall into three categories. The first is a person acting with malicious intent, who deliberately harms IT systems or provides access or information to a third party. The second is an employee who unknowingly makes an error that exposes the organisation to external attackers through an exploitable vulnerability. The third is a person who is coerced into doing something wrong, potentially the most harmful of them all.

“An insider threat is any threat that originates from inside your organisation or your supply chain,” said Dan Holman, CEO of WorldStack. “This includes contractors, permanent employees, third-party providers, managed service providers and even the people that take away your backups - particularly those people.”

How do you identify an insider threat?

“Look for changes in behaviour - WorldStack’s product CheckSocial can assist with this. It identifies absenteeism, unexplained wealth, new influences, associations and connections, particularly to groups that would typically be considered out of character for that person. Any activity of this nature should raise a red flag.

“You have opportunities, before that person hurts the organisation, to pick up on their change in behaviour. You won’t find them if you’re not looking. Cyber deception is a way of detecting insider threats and monitoring who accesses what. Another indicator of an insider threat is when someone suddenly starts looking at things they wouldn’t normally see - you’re forced to ask the question around why their behaviours have changed.”

Tracie Thompson, CEO of HackHunter, recently undertook a WiFi audit at an ASX 50 listed company, looking for hotspotting: the company had a no-hotspot policy as part of its PCI DSS compliance.

“We were looking on each floor to see how many APs there were, and how many of those were unauthorised. We found huge numbers of APs that weren’t actually meant to be there. The vast majority of them were from staff who weren’t meant to be hotspotting, but we did also find three suspicious devices. One was hidden in a bag and as we were looking into it, the unit was remotely switched off - they were watching us.”

What tools are cyber criminals using?

Tracie said, “There are a lot of tools and most of them are inexpensive and easy to buy off the internet. But if we look at some of the more sophisticated tools, they too only cost around $200 from select online stores and there’s a lot of information online about how to set them up and how to use them. In a nutshell, the tools spin up a fake access point that looks exactly like an existing one, to hijack those devices. In essence, this attaches to what’s called a WiFi pineapple, rather than the legitimate WiFi. Once they’ve got your device, they can use it, control it and mine it for credentials.

“Another tool to be aware of is OMG cables, which again you can buy for under $200. They are interception devices that are hidden within a USB cable, or a USB-connected device like a battery or battery charger. They emulate the keyboard and mouse and can be remote-controlled and used to send preset payloads to harvest credentials or upload malicious scripts.

“The other devices are those we already have - like your phone or a camera. Hotspots on your phone can be used to exfiltrate data, which can be extremely dangerous for a number of reasons. Other things as simple as WiFi cameras, which you can buy for $5 off the internet, can be set up in hotels and public restrooms whereby people are filmed without their knowledge and the content is uploaded to the internet or live streamed. These cameras can also be used within organisations to stream WiFi and if they’re placed the right way, they can log keystrokes that can be used to infiltrate an organisation and steal IP.”
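The floor-by-floor audit Tracie describes, and the look-alike access point her tools section warns about, both come down to the same defensive check: compare what the radios around you are advertising against what your wireless controller says should be there. The script below is an added illustration written for this article; it is not code from HackHunter, WorldStack or the author. The scan rows, the authorised BSSID inventory and the hotspot name hints are all constructed, and the verdict labels are the script's own.

```python
"""Classify observed WiFi access points against an authorised inventory.

Added example, not from the article or any vendor. The scan rows, the
inventory and the hotspot name hints are constructed for illustration.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ScanResult:
    ssid: str
    bssid: str      # radio MAC address as reported by the scanner
    floor: int
    signal_dbm: int


def normalise_mac(mac):
    """Canonical lower-case colon form, so '00-11-22-AA-BB-01' matches '00:11:22:aa:bb:01'."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Constructed: BSSID -> SSID, as exported from the corporate wireless controller
AUTHORISED = {normalise_mac(b): s for b, s in {
    "00:11:22:AA:BB:01": "CorpWiFi",
    "00:11:22:AA:BB:02": "CorpWiFi",
    "00:11:22:AA:BB:03": "CorpGuest",
}.items()}
CORPORATE_SSIDS = set(AUTHORISED.values())

# Constructed: substrings that commonly appear in default phone hotspot names
HOTSPOT_HINTS = ("iphone", "galaxy", "pixel", "android", "hotspot")


def classify(result):
    """Return (verdict, reason) for one observed access point."""
    bssid = normalise_mac(result.bssid)
    expected = AUTHORISED.get(bssid)
    if expected is not None:
        if expected == result.ssid:
            return "authorised", "BSSID in inventory with expected SSID"
        return "suspicious", f"inventory BSSID advertising unexpected SSID {result.ssid!r}"
    if result.ssid in CORPORATE_SSIDS:
        # A corporate network name from a radio we do not own: the look-alike AP case
        return "evil-twin", "corporate SSID from a BSSID not in inventory"
    if any(hint in result.ssid.lower() for hint in HOTSPOT_HINTS):
        return "hotspot", "SSID looks like a personal phone hotspot"
    return "unknown", "BSSID not in inventory; locate it physically"


def audit(results):
    """Classify every scan row and return the non-authorised ones, per floor, strongest signal first."""
    findings = []
    for r in results:
        verdict, reason = classify(r)
        if verdict != "authorised":
            findings.append((verdict, r.floor, r.ssid, normalise_mac(r.bssid), r.signal_dbm, reason))
    findings.sort(key=lambda f: (f[1], -f[4]))
    return findings


# Constructed scan of two floors
SCAN = [
    ScanResult("CorpWiFi", "00-11-22-AA-BB-01", 3, -48),
    ScanResult("CorpGuest", "00:11:22:aa:bb:03", 3, -55),
    ScanResult("CorpWiFi", "de:ad:be:ef:00:01", 3, -39),    # same name as the corporate network, unknown radio
    ScanResult("Sam's iPhone", "a4:83:e7:12:34:56", 3, -62),
    ScanResult("Galaxy S21_9f3c", "8c:f5:a3:aa:bb:cc", 4, -70),
    ScanResult("CorpWiFi", "00:11:22:aa:bb:02", 4, -50),
    ScanResult("", "02:00:00:00:00:01", 4, -58),             # hidden SSID, unknown radio
]

if __name__ == "__main__":
    for verdict, floor, ssid, bssid, signal, reason in audit(SCAN):
        print(f"floor {floor} {verdict:10} {signal:4} dBm {bssid} {ssid!r}: {reason}")
```

Sorting the findings by signal strength within each floor is deliberate: the strongest unknown radio is the one closest to where the survey was standing, which is where a physical search should start. The "suspicious" verdict covers the reverse case, a BSSID that is in the inventory but advertising the wrong name, which usually means the inventory export is stale rather than an attack, but is still worth a ticket.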


How can you onboard new staff safely?

When it comes to bringing people into the organisation from a hiring perspective, Dan believes it’s important to check people’s offline suitability when you first hire them.

“But also check in at points in time after you’ve hired them to assess how different life events such as financial hardships and traumatic events might be impacting them, and their desire to act out in a threatening way.

“Digital footprint checks and more rigorous security vetting are being introduced for critical infrastructure, and we’ll continue to see this expand into other industries, especially those that are integral to the economy,” said Dan.

“When it comes to insider threats, know what looks normal within the organisation, then look for things that are outside of the pattern of normality. Have everyone in the organisation on this journey with you, so they too notice these things and can bring them to your attention.”
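Dan's advice to "know what looks normal, then look for things outside the pattern", and his earlier point about someone suddenly looking at things they wouldn't normally see, is the kind of check that can be run over ordinary access logs. The script below is an added illustration for this article, not code from WorldStack or its CheckSocial product. The log lines are constructed, as is the split between a short baseline window and an observation window; in practice the baseline would be built from weeks of real logs and tuned per role.

```python
"""Flag users who start touching resources outside their normal pattern.

Added illustration, not from the article or from WorldStack. The access log
and the baseline/observation split are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: "<timestamp> <user> <action> <resource>"
LOG_LINES = """
2024-05-01T09:02:11Z alice read eng/repo
2024-05-01T09:40:52Z alice read eng/wiki
2024-05-01T10:15:03Z bob read hr/payroll
2024-05-02T09:05:44Z alice read eng/repo
2024-05-02T11:22:09Z bob read hr/contracts
2024-05-03T09:10:27Z alice read eng/wiki
2024-05-03T14:03:18Z bob read hr/payroll
2024-05-06T08:55:01Z alice read eng/repo
2024-05-06T09:01:12Z alice read hr/payroll
2024-05-06T09:01:40Z alice read hr/contracts
2024-05-06T09:02:05Z alice read finance/forecast
2024-05-06T09:02:30Z alice read finance/board-pack
2024-05-06T09:03:00Z alice read legal/ip-register
2024-05-06T09:03:20Z alice read legal/ip-register
2024-05-06T10:30:00Z bob read hr/payroll
2024-05-06T11:00:00Z carol read eng/repo
""".strip().splitlines()

# Everything before this instant is treated as "normal"; everything after is checked against it
BASELINE_CUTOFF = datetime(2024, 5, 4, tzinfo=timezone.utc)


def parse_line(line):
    ts, user, action, resource = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, action, resource


def build_baseline(events, cutoff):
    """Per user: the set of resources they touched and their busiest day, before the cutoff."""
    resources = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(int))
    for ts, user, _action, resource in events:
        if ts < cutoff:
            resources[user].add(resource)
            per_day[user][ts.date()] += 1
    peak = {user: max(days.values()) for user, days in per_day.items()}
    return resources, peak


def find_anomalies(events, resources, peak, cutoff, spike_factor=3):
    """Return (kind, user, detail) alerts for activity after the cutoff."""
    alerts = []
    seen_new = set()          # report each (user, resource) once, not per event
    no_baseline = set()
    per_day = defaultdict(lambda: defaultdict(int))
    for ts, user, _action, resource in events:
        if ts < cutoff:
            continue
        per_day[user][ts.date()] += 1
        if user not in resources:
            # New account with no history: cannot judge "normal", so surface it
            if user not in no_baseline:
                no_baseline.add(user)
                alerts.append(("no-baseline", user, "no activity before cutoff"))
            continue
        if resource not in resources[user] and (user, resource) not in seen_new:
            seen_new.add((user, resource))
            alerts.append(("new-resource", user, resource))
    # Volume check: far more accesses in a day than this user's busiest baseline day
    for user, days in per_day.items():
        if user not in peak:
            continue
        for day, count in days.items():
            if count > spike_factor * peak[user]:
                alerts.append(("volume-spike", user,
                               f"{count} accesses on {day}, baseline peak {peak[user]}"))
    return alerts


def run(lines=LOG_LINES, cutoff=BASELINE_CUTOFF):
    events = [parse_line(line) for line in lines]
    resources, peak = build_baseline(events, cutoff)
    return find_anomalies(events, resources, peak, cutoff)


if __name__ == "__main__":
    for kind, user, detail in run():
        print(f"{kind:14} {user:6} {detail}")
```

On the constructed log, bob stays quiet because he keeps reading what he always reads, while alice trips both checks in one morning: five resource groups she has never touched, and more reads in a day than three times her busiest baseline day. Neither alert proves anything on its own, which is the point of the article's advice: they are the prompt to go and ask why the behaviour changed.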

Learn more about insider threats in AustCyber’s podcast ‘OzCyber Unlocked’: https://bit.ly/3Gr8xFJ