Ruslan Rakhmetov, Security Vision
The first few decades of the cybersecurity industry's development were characterised by a focus of protective measures on external attackers: hackers of varying skill, competitors and intelligence services, to which hacktivists, APT groups and organised cyber armies have since been added. The digitalisation of business and the spread of IT into the everyday duties of non-IT staff gradually put a work PC on every office desk. Employees are no longer ‘afraid’ of computers: they actively use new technologies at work and in their private lives and understand the value of the digital information they handle. Employees and managers have been joined by staff of contractor and partner organisations, outsourcers and freelancers, who gain legitimate access to corporate data under the relevant contractual relationships. In this article we explain who insiders are, what types of insider intruder exist, what threats they can realise and how to manage these cyber risks.
So, insiders are employees and managers of a company, as well as individuals and employees of legal entities that have existing legal (contractual) relations with the company and authorised access to its IT infrastructure: for example, contractors and subcontractors, suppliers, partners, outsourcers and outstaffers, freelancers. These people know the company's operations and its valuable digital assets well, have or can obtain authorised access to infrastructure and to information of varying confidentiality levels, and can obstruct protective measures or investigations (internal audits) directed at intruders. Compared to external intruders, insiders have fewer defences to overcome: they do not need to breach the perimeter, network access segmentation inside corporate networks (especially in small and medium-sized companies) is usually not strict enough, and an insider's level of logical access to data and applications can be raised relatively easily by legitimate or roundabout means (e.g. by gradually requesting more access, ostensibly for work purposes).
The main cyber threats that insiders can realise involve unauthorised access to and use of information, as well as malicious impact on infrastructure. Typical cyber threats originating from insiders include:
1. ‘Probiv’ (unauthorised lookup) of company customer data: gaining access to confidential information about the company's customers and selling it to interested parties, including so-called ‘mobile probiv’ (access to data on a mobile operator's subscribers) and ‘bank probiv’ (access to information about a bank's customers).
2. Selling stolen (copied) information to interested parties: attackers may contact a company employee via a messenger or social network and offer a fee for passing on certain information, copying data or photographing application windows.
3. Launching malware or performing certain actions for a financial reward: attackers may contact a company employee via a messenger or social network and offer a fee for launching a certain program, which will be sent to them by email disguised as a phishing message; most likely it will be ransomware, a remote access trojan or spyware.
4. A company employee who has come under the influence of certain entities or individuals may deliberately and purposefully launch destructive malware (e.g. a wiper) on their work PC or make confidential corporate information publicly available.
5. Purposeful infiltration into a company: an attacker may purposefully infiltrate a particular company in order to gain access to internal infrastructure, to participate in certain projects, or to make decisions for the benefit of certain individuals. Gradually increasing the level of influence in the victim company, an advanced attacker will eventually appoint ‘his’ people to key positions, which may later lead to the closure of the business or a change in the ownership structure of the company.
The danger of insiders should be assessed in terms of their level of motivation and the competencies, methods and capabilities available to them to carry out cyber threats, also taking into account the vulnerability and attractiveness of a particular company to attackers. Such an assessment should be done as part of the intruder modelling process, which is an integral part of the more general process of modelling (assessing) the actual cyber threats to the company.
In terms of motivation, insider intruders can be categorised into the following notional groups:
1. Negligent insiders may realise information security (IS) threats unintentionally, violating data-handling rules through ignorance, inattention or carelessness. Examples: sending confidential information to a personal email account or cloud storage in order to work with it from home (the personal account or cloud can be compromised and the home PC infected with malware); copying work information to a personal flash drive that is later lost or stolen. As a rule, the category of negligent insiders also covers individuals and legal entities cooperating with the company, since incidents involving them most often stem from their low IS competence and insufficient protective measures.
2. Sabotaging insiders can disrupt the company's business processes out of disloyalty, in retaliation or because of psychological traits. Examples: an employee dissatisfied with not receiving a bonus deletes the results of their work from the corporate file server; after a quarrel with management, an employee publishes sensitive details about the company's work on a social network; an employee dissatisfied with the assessment of their competences plants a ‘logic bomb’ in the source code of the software under development, which after a certain time erases all information on the server.
3. Quitting insiders can copy corporate information for use at their new place of work. Example: on their last day, an account manager copies the contact details of all the company's clients to a personal thumb drive before leaving for a competing firm.
4. Targeted insiders can be planted deliberately by external attackers for espionage, business intelligence, cyber sabotage, other sabotage or business takeover. Examples: competitors send a ‘scout’ to a rival company tasked with collecting as much confidential inside information as possible; a person cooperates confidentially with a representative of a hostile state's intelligence service, who assigns them to take a job at a particular state company or government body in order to collect information and influence decisions.
The competence levels of insiders can be divided into the following conventional groups:
1. Low competences: sufficient for unauthorised access to protected information only with standard OS and software tools. Persons with these competences have no skills for bypassing security solutions and can only use ready-made software that is already available or rented. Examples: an employee copies a file with confidential information from their work PC to a USB stick or sends it to their personal email without any attempt to conceal the action (for example, without even placing the file in a password-protected archive); on instructions from a ‘curator’, an employee runs a malicious file sent by attackers on their work PC.
2. Medium competences: sufficient for unauthorised access to protected information using little-known standard OS and software functions and technical features of the company's IT infrastructure. Persons with these competences understand the functionality of security solutions, can apply bypass recommendations available on the Internet and use scripts they have developed or customised themselves. Example: an employee who knows that the company runs a data leakage protection (DLP) system can, before the theft, place a confidential document in a password-protected archive, photograph the PC screen, deliberately change file extensions and use built-in OS utilities to bypass restrictions.
3. High competences: sufficient for unauthorised access to protected information using a variety of advanced techniques, including researching how security solutions work and how to circumvent them, developing and applying exploits for privilege escalation and lateral movement, and developing and applying stealthy malware for cyber espionage and sabotage. Targeted insiders who infiltrate a company in key and executive positions to carry out malicious activities (sabotage, espionage, business takeover) should also be assumed to have high competences.
Examples of built-in OS functionality and typical IT infrastructure features that insiders with medium to high competences can use for information theft:
1. Using the Windows copy utility:
copy 1.png /B + 2.txt /A 3.png
where 1.png is an innocuous image (for example, a personal photo), 2.txt is a text file with confidential information and 3.png is the result of copy ‘gluing’ the two files together. The 3.png file still opens as an image, but when it is opened in a text editor (for example, Notepad++), the contents of 2.txt appear at the end of the file.
2. Using Alternate Data Streams (ADS) in Windows:
notepad 1.txt:2.txt
where 1.txt is a text file visible with standard OS tools, which an insider can fill with insignificant content, and 2.txt is a hidden ADS stream (attached to 1.txt and invisible in the standard Explorer) into which the insider can write the confidential information.
3. Changing the structure of docx/xlsx/pptx files: if these files are opened in an archiver, the internal structure of the document is visible as a set of XML files combined into a ZIP archive. If a hidden file is added to the archive, the original office document still opens (with a warning about a corrupted structure) but now carries hidden data.
4. Using macro functionality to create hidden data structures in Microsoft Office documents.
5. Using the Linux ‘dd’ utility to copy data to drives in raw form.
6. Writing disc ISO images, creating huge files of junk data to exceed the maximum file size the DLP system will analyse, and creating archives with multiple levels of nesting to bypass DLP inspection.
7. Creating a virtual machine, copying confidential information into it, writing the saved machine image to a personal drive.
8. Using encoding for textual information (e.g. base64) and encryption tools (including password-protecting archives).
9. Using uncontrolled transmission channels (e.g. sending files via Bluetooth to a personal device, using an additional Wi-Fi module), connecting a personal smartphone to a work PC in non-standard modes (e.g. media device mode or USB debugging mode) and then copying confidential information.
10. Removing a hard drive from a work PC and connecting it to a personal device.
11. Using portable devices (Flipper Zero, Raspberry Pi, USB Rubber Ducky, etc.) for unauthorised physical, network, logical access.
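Items 3 (an extra file hidden in an OOXML package) and 6 (deeply nested archives) can both be checked by the same content filter, because a docx/xlsx/pptx is itself a ZIP. The following is an added example (not the article's or Security Vision's code): an OOXML package must list every part in [Content_Types].xml, either by extension (Default) or by part name (Override), so an entry matched by neither rule was added outside the office application; the second check descends into zip-inside-zip and reports the nesting depth. The package content, the hidden part name and the MAX_NESTING policy value are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
MAX_NESTING = 3   # assumed policy limit for archive-in-archive depth

# Constructed [Content_Types].xml of a minimal .docx-like package (not a real Word file)
CONTENT_TYPES = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""


def build_sample_docx(with_hidden_part: bool) -> bytes:
    """Constructed minimal OOXML package; optionally smuggle an extra file in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("_rels/.rels", "<Relationships/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_hidden_part:
            zf.writestr("word/media/notes.bin", b"constructed hidden payload")
    return buf.getvalue()


def unlisted_ooxml_parts(package: bytes) -> list[str]:
    """Zip entries covered by neither a Default (extension) nor an Override
    (part name) rule in [Content_Types].xml. Office applications list every
    part they write, so an unlisted entry was added by other means."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        if "[Content_Types].xml" not in names:
            return []          # not an OOXML package; nothing to compare against
        root = ET.fromstring(zf.read("[Content_Types].xml"))
    defaults = {e.get("Extension", "").lower() for e in root.iter(CT_NS + "Default")}
    overrides = {e.get("PartName") for e in root.iter(CT_NS + "Override")}
    unlisted = []
    for name in names:
        if name == "[Content_Types].xml":
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if "/" + name not in overrides and ext not in defaults:
            unlisted.append(name)
    return unlisted


def archive_depth(blob: bytes, depth: int = 0) -> int:
    """Deepest zip-inside-zip level found in blob (0 = not an archive).
    Descent stops one level past MAX_NESTING so a hostile archive cannot
    make the scanner recurse without bound."""
    if depth > MAX_NESTING or not zipfile.is_zipfile(io.BytesIO(blob)):
        return depth
    deepest = depth + 1
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                deepest = max(deepest, archive_depth(zf.read(info), depth + 1))
    return deepest


def build_nested_zip(levels: int, payload: bytes = b"constructed secret") -> bytes:
    """Wrap payload in `levels` zip archives, one inside the other."""
    blob = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("inner.bin" if i == 0 else "inner.zip", blob)
        blob = buf.getvalue()
    return blob


def inspect_archive(blob: bytes) -> dict:
    """Combined verdict as a DLP-style content filter would record it."""
    is_zip = zipfile.is_zipfile(io.BytesIO(blob))
    parts = unlisted_ooxml_parts(blob) if is_zip else []
    depth = archive_depth(blob)
    return {"unlisted_parts": parts, "nesting": depth,
            "suspicious": bool(parts) or depth > MAX_NESTING}


if __name__ == "__main__":
    print(inspect_archive(build_sample_docx(with_hidden_part=False)))
    print(inspect_archive(build_sample_docx(with_hidden_part=True)))
    print(inspect_archive(build_nested_zip(5)))
```

The content-type check only flags parts whose extension or name is unlisted; a payload renamed to an extension the package already declares (e.g. a .png inside word/media) passes it, so a production filter pairs this check with magic-byte validation of each part and with the PNG-style trailing-data check.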
The levels of insider capabilities and the corresponding methods available to them for realising cyber threats can be divided into the following conventional groups:
1. Low capabilities: insiders have few resources and cannot acquire commercial tools for unauthorised access or research security systems. Low-capability insiders use built-in OS and software tools and free publicly available tools, apply them sporadically and without additional concealment, which increases the probability that the malicious activity is detected.
2. Medium capabilities: insiders have moderate resources with which they can acquire commercial tools and malware, adapt off-the-shelf exploits and research the defences in use. Attempts to realise cyber threats are systematic, measures to conceal unauthorised actions are applied, and the context and an appropriate time for the attack are chosen.
3. High capabilities: insiders have substantial material and resource backing, which allows them to hire teams of developers, malware authors and security researchers, bribe other insiders, create legal entities as cover and invest in image and reputation building. Attempts to realise cyber threats are extremely deliberate, may take several years to prepare, and rely on conspiratorial methods and careful concealment of cyber operations.
In addition, it should be recognised that some types of intruder may collude with others. To analyse the possibility of collusion, the data in Appendix No. 6 to the methodological document ‘Methodology for Assessing Threats to Information Security’ (approved by the FSTEC of Russia on 05.02.2021) can be used.
In conclusion, let us list a number of possible organisational and technical measures to combat internal intruders:
1. Legally sound support of cybersecurity processes: introduction and maintenance of a commercial secret regime in the company in accordance with the requirements of 98-FZ ‘On Commercial Secrets’, and drafting of internal regulatory documents in accordance with the requirements and norms of current legislation, including the Labour Code of the Russian Federation (Articles 21, 22, 56), the Civil Code of the Russian Federation (Articles 1465-1472), the Criminal Code of the Russian Federation (Article 183) and federal legislation (149-FZ, 152-FZ, 98-FZ).
Local normative acts (employment contract, internal labour regulations), with which personnel are familiarised against signature, should state that the employer uses technical means for information protection and for control (monitoring) of work devices, and that employees may not use work devices for personal purposes. Where video recording is used to monitor the office environment and for cybersecurity purposes (e.g. to detect photographing of PC screens with smartphones), signs should be posted informing employees that photo and video recording is in progress.
It is also important to screen candidates before employment, including through psychophysiological testing (voluntary polygraph testing), monitor the psycho-emotional state of employees and moods in teams, proactively identify destructive intentions of employees, and conduct regular in-house cybersecurity training.
2. Use of video surveillance systems with automatic recording, long-term archival storage, motion recording, face recognition, detection of non-standard situations (e.g. appearance of strangers or employees of non-core departments in the server room).
3. Application of physical access control systems (ACS) with clear delimitation of access levels to premises and zones, no practice of issuing ‘all-access’ cards, and control over the issuance of guest passes (including deactivating a pass immediately after the guest leaves the building, so that a copy of the ACS card made with a Flipper Zero, for example, cannot be used). It is also advisable to set up correlation rules in the SIEM system to detect certain anomalies, for example a local authentication of a user on their work PC without a previously recorded entry of that employee into the office with their ACS card.
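The SIEM correlation rule just described, as an added example that is not part of the article: a console (Windows logon type 2) logon for which no badge-in by the same user was recorded within a look-back window raises an alert. The event lines are constructed in a simplified, already-normalised format (ts|source|action|user|key=value), not real ACS export or Windows event text, and the user names, hosts and the 14-hour LOOKBACK value are this example's assumptions.

```python
from datetime import datetime, timedelta

# Constructed, SIEM-normalised events (not real ACS or Windows log formats)
SAMPLE_EVENTS = """\
2024-03-04T08:02:11|acs|badge_in|ivanov|door=main
2024-03-04T08:05:40|win|logon|ivanov|type=2 host=PC-117
2024-03-04T08:10:02|win|logon|petrov|type=2 host=PC-042
2024-03-04T09:15:00|acs|badge_in|petrov|door=main
2024-03-04T21:40:13|win|logon|sidorov|type=10 host=PC-009
2024-03-04T22:05:55|win|logon|svc_backup|type=2 host=PC-042
"""

LOOKBACK = timedelta(hours=14)   # assumed: a badge-in older than this does not cover the logon


def parse_event(line: str) -> dict:
    """Split one normalised line into a dict; trailing key=value pairs become fields."""
    ts, source, action, user, rest = line.split("|", 4)
    attrs = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "action": action, "user": user, **attrs}


def load_events(text: str = SAMPLE_EVENTS) -> list[dict]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def logons_without_badge(events: list[dict], lookback: timedelta = LOOKBACK) -> list[dict]:
    """Windows logon type 2 (interactive, at the console) with no ACS badge-in
    by the same user inside the preceding `lookback` window.

    Type 10 (RemoteInteractive) and other logon types are skipped: a remote
    session does not require physical presence, so the rule would only add noise.
    """
    badge_in: dict[str, list[datetime]] = {}
    for e in events:
        if e["source"] == "acs" and e["action"] == "badge_in":
            badge_in.setdefault(e["user"], []).append(e["ts"])
    alerts = []
    for e in events:
        if e["source"] != "win" or e["action"] != "logon" or e.get("type") != "2":
            continue
        covered = any(e["ts"] - lookback <= t <= e["ts"]
                      for t in badge_in.get(e["user"], []))
        if not covered:
            alerts.append({"user": e["user"], "host": e["host"], "ts": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in logons_without_badge(load_events()):
        print("ALERT console logon without badge-in:", alert)
```

On the constructed sample the rule fires twice: for petrov, who logged on before badging in (a badge-in after the logon does not explain it), and for svc_backup, a console logon at night with no badge record at all. The rule presupposes a reliable mapping between ACS card holder and directory account; tailgating through an open door is not visible to it, which is why the article pairs ACS with video surveillance.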
4. Application of classical cyber security principles: minimising and separating user privileges, granting granular access rights to information, requiring a justification for an employee's access (need to use, need to know), and obtaining the approval of the employee's direct supervisor when access is requested, including multi-step approval procedures where access to data requires the data owner's approval and access to critical information additionally requires the supervisor's approval. It is also important to revoke granted access rights in a timely manner, for example when project work is completed, when an employee moves to another department, or when an employee resigns or goes on maternity leave.
5. Application of systems that automate the management of employee accounts and credentials (IAM, Identity and Access Management, and IGA, Identity Governance and Administration), used to authenticate and authorise user accounts and entities with control, analysis and revocation of access rights.
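The timely-revocation requirement of item 4 is what an IGA recertification job in item 5 automates: reconcile the entitlement export against the HR roster and list every grant that has lost its justification. The following is an added example (not the article's or any IGA product's code) with a constructed roster and grant list; the status values, the department/project ‘basis’ of a grant and the names are this example's own conventions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Person:
    user: str
    status: str        # constructed values: "active", "terminated", "leave"
    department: str


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    basis: str         # "department" or "project": what justified the grant
    scope: str         # the department name or project id named in the request
    valid_until: Optional[date] = None   # project grants carry the project end date


# Constructed HR roster and entitlement export (not real data)
PEOPLE = [
    Person("ivanov", "active", "sales"),
    Person("petrova", "active", "support"),     # moved from sales last month
    Person("sidorov", "active", "rnd"),
    Person("kuznetsova", "leave", "finance"),   # on maternity leave
    Person("smirnov", "terminated", "sales"),
]
GRANTS = [
    Grant("ivanov", "crm-sales", "department", "sales"),
    Grant("petrova", "crm-sales", "department", "sales"),
    Grant("sidorov", "repo-project-x", "project", "project-x", date(2024, 2, 29)),
    Grant("sidorov", "repo-rnd", "department", "rnd"),
    Grant("kuznetsova", "erp-finance", "department", "finance"),
    Grant("smirnov", "crm-sales", "department", "sales"),
    Grant("ghost", "vpn", "department", "it"),   # account with no HR record at all
]


def grants_to_revoke(people: list[Person], grants: list[Grant], today: date) -> list[tuple[Grant, str]]:
    """Return (grant, reason) for every entitlement whose justification no longer holds."""
    by_user = {p.user: p for p in people}
    findings = []
    for g in grants:
        p = by_user.get(g.user)
        if p is None:
            findings.append((g, "no HR record for account"))
        elif p.status != "active":
            findings.append((g, f"holder status is {p.status}"))
        elif g.basis == "department" and g.scope != p.department:
            findings.append((g, f"holder moved from {g.scope} to {p.department}"))
        elif g.basis == "project" and g.valid_until and g.valid_until < today:
            findings.append((g, f"project {g.scope} ended {g.valid_until}"))
    return findings


if __name__ == "__main__":
    for grant, reason in grants_to_revoke(PEOPLE, GRANTS, date(2024, 3, 4)):
        print(f"REVOKE {grant.user:<11} {grant.resource:<15} {reason}")
```

Run daily against the real HR feed, the output is the revocation ticket list; the ‘no HR record’ branch is the one that catches orphaned and service accounts that were never tied to a person, which an approval workflow alone never revisits.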
6. Application of automated tools for detecting anomalies and deviations in user behaviour (UEBA, User and Entity Behavior Analytics), which identify anomalous behaviour of user accounts and entities (devices, applications, services, etc.) in order to detect cyber incidents.
7. Use of Data Loss Prevention (DLP) systems to control the processing of sensitive information in information systems, including its use and transmission via various channels, with policies that block or allow processing depending on the information's confidentiality level.
8. Using Employee Productivity Monitoring systems to monitor, record, analyse actions performed by employees on corporate devices in order to assess the efficiency of working time use and protect against data leaks.
9. Application of Privileged Access Management (PAM) systems to control and analyse the actions of privileged users (e.g. administrators): recording the privileges granted, authenticating with additional checks, and recording the actions performed on information resources.
10. Use of Zero Trust Network Access (ZTNA) technologies to provide granular and controlled network access (including access within corporate network segments) based on continuous verification of subject (user) access rights to an object (information resource) with verification of subject and object cyber security status, with complex conditions and rules of network access.