Mitch Silber is the Senior Managing Director at FTI Consulting, a global business advisory firm. He spoke with the Cipher Brief about the threat posed by malicious insiders – people within an organization who abuse their network access to harm their employers.
The Cipher Brief: How would you characterize the threat posed by malicious insiders? How has it changed over time?
Mitch Silber: Much of the focus in the media when it comes to cybersecurity has been on external national states or sub-state actors hacking into or attacking an enterprise. What gets less attention, due to the sensitive nature of the events and the desire for organizations to keep these attacks out of the news, is the threat or actions of malicious insiders. Nevertheless, there has been a significant increase in the appreciation of this threat among corporate entities and governmental organizations in the last few years. In the wake of Edward Snowden, organizations are asking themselves – how am I vulnerable to the inside threat and what can I do to detect it before I am impacted by it?
What has changed over time is the rise of the robust black markets that now exist in the deep web and dark net (private forums and networks that one must be invited into). Malicious insiders now know that if they are able to steal valuable information, they have a chance to sell it in these closed and password-protected forums that are impossible for law enforcement and intelligence to monitor comprehensively and difficult for them to penetrate. As a result, the rise of anonymous black markets has made theft of electronic data more appealing to insiders given the multiple domains in which it can be sold with a heightened likelihood of success.
TCB: How much damage could a malicious insider do to an organization? What types of activities do they usually engage in (data theft, system damage, etc.)?
MS: Malicious insiders can often be the most dangerous threats to organizations. The combination of their levels of access as well as their unique familiarity with the weaknesses and critical functions of an organization make them one of the highest-priority threats. Not only can they divulge sensitive information, but they can also delete and destroy important files as well as throw a wrench into the day-to-day functioning of an enterprise.
Insiders, depending on their levels of access, often have the ability to traverse networks and get into a wide variety of sensitive data areas. These insiders often, by default, have access levels that exceed what is actually necessary for their job (again, think Edward Snowden) and, if they are crafty, can exfiltrate data in many creative ways. Recent examples in the health care and insurance sectors have seen insiders take screenshots of sensitive data as well as print out documents and just walk out of the office with them. Data that includes Social Security numbers, addresses, phone numbers, and names is some of the most sought-after data among cyber criminals.
Consequently, one of the hottest areas in cybersecurity is designing ways to compartmentalize data and access for insiders with privilege. Many new start-ups are jumping into this space.
TCB: How can an organization detect these insiders before they act? How can the threat they represent be mitigated?
MS: Technology is now coming to the aid of organizations seeking to better monitor the electronic footprints of their employees. I have worked with some very impressive technology companies who provide “anomaly detection” capabilities, allowing enterprises to establish baseline patterns among their employees and then provide detection capabilities when new or concerning patterns begin to occur. This field of behavioral analytics, which analyzes email, telephonic chat as well as card-swipe data, enables the early identification of high-risk activity, which could include such actions as insider trading, intellectual property theft, sharing of sensitive data outside the organization as well as collusion.
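The baseline-then-deviation approach Silber describes, as an added illustration that is not from the interview or from any vendor's product: per-user baselines are built from constructed daily record-access counts and badge-in hours, and a review day is scored against them. The sample data, the 3-standard-deviation threshold and the two-hour badge slack are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not real logs): (user, day, records_accessed, badge_in_hour).
# Five days per user form the baseline; day 6 is the day under review.
BASELINE_EVENTS = [
    ("alice", 1, 40, 8), ("alice", 2, 45, 9), ("alice", 3, 38, 8),
    ("alice", 4, 50, 9), ("alice", 5, 42, 8),
    ("bob", 1, 30, 8), ("bob", 2, 35, 9), ("bob", 3, 32, 8),
    ("bob", 4, 28, 8), ("bob", 5, 33, 9),
]
# bob pulls 900 records after badging in at 23:00; carol has no history at all.
TODAY_EVENTS = [("alice", 6, 44, 9), ("bob", 6, 900, 23), ("carol", 6, 20, 9)]

def build_baseline(events):
    """Per-user mean/stddev of daily record volume plus the observed badge-hour range."""
    per_user = defaultdict(list)
    for user, _day, records, hour in events:
        per_user[user].append((records, hour))
    baseline = {}
    for user, rows in per_user.items():
        volumes, hours = [r for r, _ in rows], [h for _, h in rows]
        # stddev is floored at 1 so a perfectly steady user cannot cause a divide-by-zero
        baseline[user] = {"vol_mean": mean(volumes), "vol_sd": max(pstdev(volumes), 1.0),
                          "hour_min": min(hours), "hour_max": max(hours)}
    return baseline

def score_event(baseline, user, records, hour, z_threshold=3.0, hour_slack=2):
    """Reasons this event deviates from the user's own baseline (empty list = normal)."""
    if user not in baseline:
        return ["no baseline for this user"]  # new or unknown account: review manually
    b = baseline[user]
    reasons = []
    z = (records - b["vol_mean"]) / b["vol_sd"]
    if z > z_threshold:
        reasons.append(f"record volume {records} is {z:.1f} sd above mean {b['vol_mean']:.1f}")
    if hour < b["hour_min"] - hour_slack or hour > b["hour_max"] + hour_slack:
        reasons.append(f"badge-in at {hour:02d}:00 outside usual {b['hour_min']:02d}-{b['hour_max']:02d}")
    return reasons

def flag_anomalies(baseline_events, review_events):
    """Map each flagged user to its reasons; users inside their baseline are omitted."""
    baseline = build_baseline(baseline_events)
    flagged = {}
    for user, _day, records, hour in review_events:
        reasons = score_event(baseline, user, records, hour)
        if reasons:
            flagged[user] = reasons
    return flagged
```

Running `flag_anomalies(BASELINE_EVENTS, TODAY_EVENTS)` leaves alice unflagged and returns two reasons for bob (volume and hour) and one for carol (no baseline), which is the triage list an analyst would review.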
TCB: In the event that an organization falls victim to a malicious insider, how can they respond and recover effectively?
MS: If a malicious insider has already victimized an enterprise, the first priority will be to conduct an investigation to determine who the most likely suspects are and how they accessed sensitive information. In parallel and simultaneously, the organization needs to lock down its most sensitive information so that damage to the organization can be minimized. In addition, the organization should conduct an investigation in the deep web and dark net to determine what, if any, of their information has leaked to the external world. An event like this almost always triggers a re-evaluation of the current security regime and the conducting of a new assessment to determine what improvements need to be made. Lastly, senior management needs to prepare for the likelihood that the event itself may become public and be ready for its response to the media.