The Cyber Insider Threat

Sarah Morrison
September 26, 2023

Early in September 2023, I had the privilege of speaking at the Corruption Prevention Network’s Annual Forum. This year’s theme was Recognising and Responding to Corruption Risks. When I think of corruption, I automatically think of the insider threat. Being in cyber, this then turns into the Cyber Insider Threat, which was the topic of my talk. For those of you who happened to miss my presentation, never fear, I have turned it into an article for your reading pleasure!

What do we mean by the cyber insider threat?

Often, when we speak about cyber, everyone automatically assumes this includes all areas of information security, but cyber is only one component. Think of information security as a giant ball; inside that ball, we have all the different ways information is used and stored in an organisation. Cyber is one of those headings. It is a relevant and increasingly dominating heading, granted. Still, it competes with other methods, such as the information stored in people’s minds, conversations, paper documentation, and data stored on external hard drives or USB keys.

Merriam-Webster, therefore, defines cyber as relating to or involving computers or computer networks (such as the Internet).

With this knowledge behind us, we can now expand our topic to say that a cyber insider threat is anyone within an organisation with access to computers or computer networks that poses a security risk.

In contrast, the insider threat (minus the cyber) is defined by CISA as anyone who has

“the potential to use their authorised access or understanding of an organisation to harm that organisation.”

Simple, right?

In our ultimate wisdom, cyber professionals classify the insider threat as either intentional or non-intentional, which would be the same regardless of whether the insider threat was cyber or not. However, there is also a third category between intentional and non-intentional insider threats, making things a little messy. Do not get me wrong. Cyber professionals did not create these categories; they have been around for a long time. Take the somewhere in-between category. If you look at history, particularly in the time of Lenin and the Cold War, the somewhere in-between category was often referred to as the ‘useful idiot’.

The useful idiot

Although this term is primarily used to describe a person susceptible to communist propaganda and psychological manipulation, the definition is still very relevant today, just remove the ‘communist’ part of the sentence.

I would liken the useful idiot to someone being groomed, as defined by the Australian Commission for Law Enforcement Integrity:

“the deliberate targeting of public officials, and intentional manipulation by people within or outside of an agency, to gain an illegitimate or illegal advantage.”

One of the most controversial and well-known cases of a useful idiot is the case of Edward Snowden, a National Security Agency employee who leaked top-secret American intelligence documents and now resides in Moscow under the protection of the Russian government.

Regarding headlines, the somewhere in-between person, whom we have described as being groomed or who has taken on the heading of useful idiot, is very hard to come by. I wasted part of an hour trying to find an example other than Snowden, which is a positive. This leaves us with the other, more prominent headings of Intentional and Non-Intentional Insider Threats.

The cyber non-intentional insider threat

This term is self-explanatory: the employee or user unintentionally creates a threat. Keeping in mind the focus of this research is cyber, the threat occurs either via a computer or computer network, which leaves many ways for the threat to occur. I would need to write a book to cover this topic in depth. However, let’s start with the most obvious: phishing.

Phishing

In 2022, 41% of successful data breaches in Australia happened because of a phishing email. You would think that continued user awareness, spam filters, enabling firewalls, blocking pop-ups, enabling MFA, patching, web filtering, etc., would have reduced phishing emails to a smouldering pit of ash. But it has not and most likely will not anytime soon.

One of the reasons for this is the business model ransomware and malware-as-a-service organisations have adopted. Take the example of Conti, a Russian ransomware-as-a-service criminal gang that collapsed in 2021 after 60,000+ of its internal chat logs were released online. From these chat logs, researchers learnt how the structure of ransomware gangs has changed over the last twenty years. No longer is it a single threat actor working alone to rob us of our money. Instead, over time, ransomware and malware-as-a-service have turned into full-blown business ventures.

For full details on this business model, look out for my upcoming article in The Practitioner Playbook, Why we need to discuss cybersecurity: the sophistication of social engineering tactics.

In some nation states, ransomware development may be seen as an arm of the government, with an estimated 6,000 employees working in the cyber arm of the North Korean government. This equated to 1.7 billion in cyber-related activity in 2022. Cybercrime is big business for private enterprises and governments alike, making it harder and harder for individuals to identify phishing emails and for organisations to fight against unintentional cyber insider threats.

The non-intentional cyber insider threat is not reserved solely for phishing emails, however, and extends to other mistakes and mishaps that can occur in everyday life.

Exploitation of public-facing applications

The exploitation of public-facing applications accounted for 26% of successful breaches in Australia in 2022 and refers to the successful exploitation of systems exposed to the Internet. This could be because of unpatched systems, application coding errors, misconfigurations and the biggest and scariest of them all, zero-day exploits (exploits that have not yet been publicly disclosed, so no patches are available and your technology controls will not recognise or defend against them).

In terms of case examples of insider threats occurring due to lack of patching, coding errors and misconfigurations, there are many to choose from. It is ridiculous. One of the more publicised and well-known cases is the Federal Court of Australia (FCA) Commonwealth Courts Portal. What can only be described as a coding error left the names of more than 400 asylum seekers exposed in a column next to the pseudonyms assigned by the court.

The issue with mistakes such as this is that no one can be sure whether or not the names of 400 asylum seekers were accessed by anyone who should not have been accessing them. This is because no one was monitoring this data. Why would an organisation be monitoring something that should not have existed in the first place? Hence, these “mishaps” are often called data leaks, not data breaches. Hmmmm.

Data breaches due to human error

In the second half of 2022, 25% of data breaches occurred due to human error, 81% of which occurred via a computer or computer network. Examples include sending personal information to the wrong person or unintended data publication. Apart from ongoing user awareness training, you cannot do much to stop staff from sending information to the wrong people or over-sharing. Some technical controls allow you to add a pause after sending an email in case you have that panic moment. However, the best way to share sensitive data is via secure cloud solutions, such as OneDrive, where you rely on the organisation’s security configuration and access controls, so all you need to do is invite a person to the external cloud environment. This type of solution, however, does not necessarily scale and will not help organisations with heavy customer bases like insurance, banks and super funds.

The intentional cyber insider threat

This leaves us with the final category, the intentional cyber insider threat. There are many case studies on the intentional cyber insider threat. In terms of motivation, financial gain and competitive advantage seem to be the most predominant. Other examples include nation-state-backed operations and angry and disgruntled employees.

Financial motivation

In 2017, an employee of Bupa stole over 500,000 customer records and sold them on the dark web. Over five years, the employee downloaded information to his desktop and emailed it to his own account. Bupa was accused of not monitoring logs and of giving extended access to employees who did not need it.

Competitive advantage

In 2016, Anthony Levandowski, a lead engineer at Google’s Waymo, which designs automated cars, left to start his own company, Otto. Several months after the launch of Otto, the company was acquired by Uber, who soon discovered that they had purchased trade secrets stolen from Waymo.

Levandowski had connected his laptop to the central server holding IP and downloaded 14,000 files to an external drive.

Nation-state-backed operations

In 2009, Dongfan Greg Chung was found guilty of six counts of economic espionage and one count of acting as a foreign agent. Chung, whose espionage activities spanned over thirty years, was hired by Rockwell International (an aerospace company) in 1979, which Boeing would take over in 1996. The investigation revealed that Chung had been stealing information and sending it back to China.

Disgruntled employees

In a strange case in 2021, it was discovered that the day after quitting their job, a former employee logged into the South Georgia Medical Center system and downloaded patient data. The breach was detected and terminated, but not before the employee could download data on over 41,000 individuals. The offender was motivated to download the data because they were angry at their employer.

Scary stats time!

I would not be doing my job if I did not, at this time, liven the conversation with some scary statistics, and that is precisely what this section is going to do – turn your hair white.

In a recent survey of Brits regarding the increased cost of living, 11% said they were tempted to engage in illegal or illicit online behaviour. Focusing only on young people aged 25-35, that statistic jumps to 25%!

Looking again towards the UK, 47% of small businesses believed that their greatest threat was cyber, with 38% stating this threat would come from an intentional internal threat, whilst 35% thought the threat would come from an unintentional insider threat. The current global cost of living crisis is the primary reason for this belief. Of particular concern to businesses who relied heavily on their customer bases was the fear of employees stealing and selling their customer data or stealing and taking the customer data to their next employer. Plain tiredness from working multiple jobs was also a concern, with employers blaming fatigue for the increase in mistake-making, such as clicking on phishing emails.

Moving closer to home, in a recent study of 325 cybersecurity professionals in Australia, more than half of the organisations had experienced an insider threat in the past year, with only 3% of respondents not concerned over the insider threat.

Regarding the unintentional insider threat, it is estimated that one in ten employees globally leaks sensitive company data every six months.

What does this mean?

Put simply, with declining economic conditions globally, employees become more susceptible than ever to recruitment offers from threat actors. Difficult economic times also lure more actors into cybercrime. Whether the employee acts on their own initiative, as in the case of Bupa, or is recruited after being targeted via open-source intelligence, it is a threat that businesses must be aware of and be able to respond to.

Cybercrime is set to reach $10.5 trillion by 2025. At the same time, it is estimated that 70% of insider threats will never be made public. So, how can organisations learn about the cyber insider threat if we do not open it up for discussion?

How to fight the insider threat

A key to fighting the insider threat is first to acknowledge how the threat may occur. Australians still prefer the good old USB key, so if you are not blocking these already, please do so.

Other means of exfiltration are personal cloud storage, personal webmail and, for the lazy insider threat, using their corporate email to send emails to themselves or another third party.
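The Bupa case above (an insider emailing records to his own account for years while nobody watched the logs) and the self-addressed corporate email described here are both visible in outbound mail-gateway logs if someone looks. The following is an added example, not code from the original article: it parses constructed gateway log lines, flags mail to personal webmail domains and mail whose recipient looks like the sender's own name at an external domain, and raises a volume alert per sender. The log format, domain list and byte threshold are assumptions.

```python
import re
from collections import defaultdict

CORPORATE_DOMAIN = "example.org"            # placeholder for the organisation's own domain
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}  # assumed list
VOLUME_THRESHOLD = 5_000_000                # bytes per sender to personal webmail (assumed)

# Constructed sample outbound mail-gateway log lines, not real data.
SAMPLE_LOG = """\
2023-09-20T08:01:12Z from=j.smith@example.org to=vendor@supplier.com bytes=18200
2023-09-20T17:32:01Z from=j.smith@example.org to=jsmith88@gmail.com bytes=5120000
2023-09-20T17:40:44Z from=j.smith@example.org to=jsmith88@gmail.com bytes=4900000
2023-09-21T09:10:05Z from=a.lee@example.org to=b.jones@example.org bytes=2000
2023-09-21T22:15:30Z from=a.lee@example.org to=alee.private@outlook.com bytes=120000
2023-09-21T10:00:00Z from=m.chan@example.org to=m.chan@partner-corp.com bytes=800000
"""
LINE_RE = re.compile(r"^(\S+) from=(\S+)@(\S+) to=(\S+)@(\S+) bytes=(\d+)$")

def _normalise(local_part):
    """Reduce 'j.smith' or 'JSmith88' to 'jsmith' so self-addressed mail is comparable."""
    return re.sub(r"[^a-z]", "", local_part.lower())

def classify(sender_local, rcpt_local, rcpt_domain):
    """Return the exfiltration signals that apply to one outbound message."""
    signals = []
    if rcpt_domain == CORPORATE_DOMAIN:
        return signals                      # internal mail is out of scope here
    if rcpt_domain in PERSONAL_WEBMAIL:
        signals.append("personal_webmail")
    s, r = _normalise(sender_local), _normalise(rcpt_local)
    if s and r and (s in r or r in s):      # recipient looks like the sender's own name
        signals.append("self_addressed_external")
    return signals

def scan(log_text):
    """Parse gateway lines; return per-message findings and per-sender volume alerts."""
    findings, volume = [], defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # skip malformed lines rather than crash
        ts, s_local, s_dom, r_local, r_dom, nbytes = m.groups()
        signals = classify(s_local, r_local, r_dom.lower())
        if signals:
            findings.append({"time": ts, "sender": f"{s_local}@{s_dom}",
                             "recipient": f"{r_local}@{r_dom}", "signals": signals})
        if "personal_webmail" in signals:
            volume[f"{s_local}@{s_dom}"] += int(nbytes)
    alerts = {snd: total for snd, total in volume.items() if total > VOLUME_THRESHOLD}
    return findings, alerts

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG)[0]:
        print(finding)
```

The volume alert is what would have surfaced the Bupa pattern: a single sender pushing megabytes to a personal webmail address over time, which no per-message rule catches on its own.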

Also, knowing who is most likely to leak data is essential. Numerous studies have identified departing employees as most likely to leak data. In my own experience, I have worked with salespeople who have been offered more pay and better conditions from competitors in exchange for them bringing a customer list with them.

Staff who are on performance reviews, who are on their way out, who are about to be fired or who have been fired are also high-risk threats to organisations. And do not forget the employee who has silently resigned: the one who does the minimum their role requires, does not engage in office activities and turns off their mobile and email as soon as it hits 5 p.m.

There is an abundance of controls you can implement to fight the cyber insider threat, too many to list in this small article. But if you would like to chat about how to start defending against the cyber insider threat, please feel free to reach out.

Sarah Morrison

Sarah is the Co-CEO of Morrisec. With over 20 years in cybersecurity and a PhD in Russian information operations, Sarah has a deep understanding of threat actors and their tactics and motivations, making her highly equipped to assist organisations in their defence against them.