#ISC2Congress: How to Mitigate Evolving Insider Threats
The changing nature of insider threats was described by Lisa Forte, founder, Red Goat Cyber Security, during a keynote presentation at this week’s virtual ISC2 Security Congress 2021.
Forte began by noting that traditionally, insider threat actors are seen as ‘bad apples’ within a business, but we have now “moved quite far away from that.” Indeed, many perpetrators do so without malicious intent. She also pointed out that it has become far easier for employees to carry out these acts of espionage on their employers’ thanks to new technologies. For example, mobile phones can be used to take photos of important data, and thousands of documents can be transferred to an SD card. These acts are far easier to conceal than previously when insider threat actors would “have to physically copy large quantities of files.”
Additionally, the rise of social media means that the “biggest threat comes from insider people who get socially manipulated online to hand over information,” according to Forte. She then described a recent case that highlights this tactic. This involved a scientist (John) who was in charge of a team working on sensitive research for a major UK company. He had recently been divorced and was looking to meet a new partner who shared his passion for science, and signed up to dating websites.
John made a professional post on LinkedIn and received a question in the comments from a lady called Sveti. He responded to her via the private message function, and they engaged in scientific discussion before exchanging numbers and continuing the conversation on WhatsApp. Sveti was from Bulgaria and an aspiring environmental scientist. She continued to ask John questions about science and his research and began requesting diagrams and documents to help explain certain concepts. John obliged, flattered by the interest Sveti was showing in him and his work, and they became closer, with the messages taking a romantic turn. Sveti was also an aspiring dancer and would often ask John to critique her performances.
One day, while working at his organization’s lab during the COVID-19 lockdown, John received a message from Sveti asking him to watch a video of her dancing that she was planning to publish online. However, he couldn’t open it on his phone or a PC in his company’s office. She then begged him to try to play the video on an older device, of which there were several in the lab. He attempted this, but the video still failed to play. Yet suddenly, everything started crashing on the lab computer, alerting the company’s security team, who discovered the file was actually malware. After that, John never heard from ‘Sveti’ again – he had been duped by a highly tailored social engineering campaign to steal information and sabotage his organization.
Forte explained: “Likely, John was carefully and meticulously targeted the data and the systems that he had access to.”
She added that the method of attacking organizations by manipulating their employees is a growing problem. It is also highly effective as high-profile insiders will have access to sensitive systems and data. For example, UK intelligence agency MI5 believes at least 10,000 UK nationals have been approached by fake profiles linked to hostile states on LinkedIn in the past five years.
Other insider threats are conducted intentionally. These fall across three categories: theft, sabotage and fraud. Forte pointed out that even these actors are not always motivated by malice; for example, it may be to pay for a health bill.
Alongside strategies like monitoring, training and collaboration between internal departments, Forte emphasized the importance of culture and well-being in reducing the risk of intentional insider threats. She highlighted ‘City 40,’ a secret city created in 1946 by the Soviet Union for the workers for its nuclear program to illustrate this point. While the residents were not allowed to leave the city or communicate with anyone outside, they developed a strong sense of community and loyalty to the area, which remains to this day. This is because it had the best facilities, services and quality of life of anywhere in the Soviet Union, ensuring the residents were content despite the restrictions they lived under. The purpose was to make the people “personally invested in keeping our secrets,” and it proved to be highly effective.
Forte believes organizations should apply a similar principle to their staff, focusing on their happiness and well-being. While it is impossible to eliminate the risk of insider threats, employees are very unlikely to engage in such activities “as long as they feel valued and that they’ve got a good deal.”