NZ Incident Response Bulletin - August 2020

The August edition of the NZ Incident Response Bulletin was published today. The bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Each Bulletin also includes a section of our own content based on a trending theme, this month's being “The Insider Threat”.

Each article contains a brief summary and where appropriate, a linked reference on the web for detailed information.

We'll give you a brief summary of each article, and a link to more information. Why do we publish this bulletin? Because we want to keep you up to date with the latest Forensic and Cyber Security news, so that you aren't caught by surprise - and you'll know about risks and changes before they become problems.

In this LinkedIn article, we've included an extract from this month's Bulletin.

The Insider Threat

It is a reality that many crimes are perpetrated by someone known to the victim. Homicide detectives have stated that “Familiarity breeds contempt.” Looking at recent studies, it appears that when talking about cybercrime and data theft in 2020, the same may apply.

The 2020 Cost of Insider Threats Global Report released by the Ponemon Institute reveals that the number of insider threats has increased by 47% in two years. The cost of these incidents has also soared, from US$8.76 million in 2018 to US$11.45 million in 2020. The report also finds that 68% of organisations feel vulnerable to insider attacks. This comes as no surprise considering recent news such as the Twitter leak, where it appears that employees were manipulated into helping an attacker gain access to accounts; the case of the Yahoo veteran who narrowly escaped jail time after hacking into private accounts; and the misconfiguration of AWS S3 buckets that led to the exposure of victim information.

The events outlined above highlight how serious, and how varied, the threat posed by insiders is. The name “insider threat” is also a misnomer, as it covers many different crimes, issues, situations, tactics, targets, industries and motivations that cannot all be handled under a one-size-fits-all policy or solution.

What is the Insider Threat?

Generally, the insider threat can be categorised into three main types:

1. Malicious insiders

Malicious insiders are often employees, contractors or trusted partners who have legitimate access to the network but abuse this access for profit, revenge, or fun. Frequently they steal data and trade secrets either for profit or to leak to a competitor, another country or the media.

Recent predictions suggest the tough economic environment being experienced globally as a result of COVID-19 will drive an increase in this type of threat as employees suffer pay cuts and employment uncertainty. A report into the impact of an economic recession on New Zealand policing in the next 6 to 12 months states that middle-class workers and small to medium-size business owners are now vulnerable. There are concerns that many who are unaccustomed to financial hardship may turn to crime or be exploited by criminal gangs. Large redundancies, such as those seen at a number of New Zealand companies, could provide an opportunity for organised crime groups to exploit vulnerable employees who have inside knowledge of an industry. The report predicts that online fraud may increase by as much as 30-100% and highlights businesses that “reprioritise their resource” and cut back on cybersecurity as being of concern.

2. Unwilling participants

Unwilling participants are pawns who fall for a phishing scheme or execute a malicious macro or script. They may make a mistake such as losing a laptop or mistakenly sending an email to the wrong recipient that results in data loss, theft or financial and reputational harm to the business.

Recent research from one security firm revealed that 43% of employees admitted making mistakes that led to cybersecurity incidents and 52% of employees said stress was the leading cause of these mistakes. Around 58% of employees have sent a work email to the wrong person. Distraction was cited as the primary reason for falling for a phishing scam.

3. System misconfigurations

System misconfigurations or negligence are IT mistakes that lead to incidents such as leaving a web server unpatched. The COVID-19 pandemic has led to the rapid adoption of cloud collaboration tools for many businesses and increased the risk of configuration mistakes such as not setting appropriate access control on cloud storage or environments such as Slack. In 2018 researchers found that up to 80% of all AWS S3 buckets they inspected contained readable files.

Detection and Prevention

Defending against insider threats can be challenging, as insiders often require an elevated level of trust and access to do their jobs, and may have the capabilities, privileges, knowledge and motivation required for a successful attack. Detecting an insider attack is also challenging, with many insider attacks remaining undetected for an average of 207 days in 2019. One security analyst recently reported that forum references to “Twitter plugs” or “Twitter reps” – the terms used for cooperative Twitter employees – had been appearing for several years before the recent hack. This highlights that the insider threat risk to Twitter was evident, but undetected, some time ago.

Several techniques, however, can help including:

Conducting Threat Assessments

A threat assessment can help you determine which type of insider threat is most applicable to your business environment and therefore where to target your efforts. For example, combatting malicious insider threats requires the implementation of strict security controls, whereas the threats posed by unwilling participants may be mitigated with awareness campaigns and wellbeing programmes. This stage may also include establishing clear visibility of privileged users and accounts for easier monitoring.

Instituting Cyber Security Governance

Ensuring cybersecurity is governed from a clear vision and consistently managed throughout all levels of an organisation reduces the cyber risk in a business and helps build a strong cybersecurity culture.

Monitoring Data, Activity and Network Traffic

Monitoring email, files and user activity, including using data protection systems to detect the exfiltration of sensitive data, may assist in identifying and mitigating data loss.

Common signs of possible insider threat activity may include:

  • The downloading or obtaining of large amounts of business or sensitive data
  • Accessing data outside of job function or searching for sensitive data
  • Requests or attempts to access resources outside of normal job function
  • Using unauthorised devices such as unapproved laptops or USB storage
  • Copying sensitive files
  • Emailing sensitive data outside of the business
  • Increased file activity in privileged folders
  • Attempts to alter logs or delete large amounts of data

Security analytics can also alert on unusual behaviours such as those listed above.
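As an added illustration, not part of the bulletin, the Python below turns several of the signs listed above into simple rules and runs them over a constructed audit trail. The event format, team roles, folder ownership, internal mail domain and thresholds are all assumptions; a real deployment would tune each threshold to its own baseline.

```python
from collections import Counter

# Constructed sample data (not from a real environment): team membership,
# which top-level folders belong to which team, and a short audit trail.
ROLES = {"alice": "finance", "bob": "sales", "carol": "eng", "dave": "sales",
         "erin": "eng", "frank": "it", "grace": "finance"}
FOLDER_OWNER = {"/finance": "finance", "/hr": "hr"}
EVENTS = [
    {"user": "alice", "action": "download", "path": "/finance/q3.xlsx", "bytes": 900_000_000},
    {"user": "alice", "action": "download", "path": "/finance/ledger.db", "bytes": 1_500_000_000},
    {"user": "bob", "action": "email", "to": "bob.home@example.net", "label": "confidential"},
    {"user": "bob", "action": "email", "to": "cfo@example.com", "label": "confidential"},
    {"user": "carol", "action": "usb_mount", "device_id": "usb-unknown-01"},
    {"user": "dave", "action": "read", "path": "/hr/salaries.csv"},
    {"user": "grace", "action": "read", "path": "/finance/budget.xlsx"},
    {"user": "frank", "action": "log_clear", "path": "/var/log/audit"},
] + [{"user": "erin", "action": "delete", "path": f"/shared/doc{i}.docx"} for i in range(25)]


def detect_insider_signals(events, roles, folder_owner, bulk_bytes=1_000_000_000,
                           internal_domain="example.com", approved_usb=frozenset(),
                           mass_delete=20):
    """Return sorted (user, signal) pairs for the indicators listed in the bulletin."""
    flags = set()
    downloaded, deleted = Counter(), Counter()
    for e in events:
        user, action = e["user"], e["action"]
        if action in ("read", "download", "delete"):
            # Access outside job function: the folder belongs to a team the user is not in.
            top = "/" + e["path"].split("/")[1]
            owner = folder_owner.get(top)
            if owner and owner != roles.get(user):
                flags.add((user, "access_outside_role:" + top))
        if action == "download":
            downloaded[user] += e["bytes"]          # accumulate for the bulk-download rule
        elif action == "delete":
            deleted[user] += 1                      # accumulate for the mass-delete rule
        elif action == "email" and e.get("label") == "confidential" \
                and not e["to"].lower().endswith("@" + internal_domain):
            flags.add((user, "sensitive_email_external"))   # sensitive data leaving the business
        elif action == "usb_mount" and e["device_id"] not in approved_usb:
            flags.add((user, "unapproved_usb"))             # unauthorised storage device
        elif action == "log_clear":
            flags.add((user, "log_tampering"))              # attempt to alter or clear logs
    flags.update((u, "bulk_download") for u, total in downloaded.items() if total >= bulk_bytes)
    flags.update((u, "mass_delete") for u, n in deleted.items() if n >= mass_delete)
    return sorted(flags)


if __name__ == "__main__":
    for user, signal in detect_insider_signals(EVENTS, ROLES, FOLDER_OWNER):
        print(f"{user}: {signal}")
```

Each flag is a lead for an analyst, not a verdict: alice's downloads are within her own team's folder, so the bulk-download rule is the only thing that distinguishes her from grace, and that threshold should come from observed baselines rather than a fixed number.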

Creating Least Privilege Policies

Limit access to sensitive resources and information, such as Personally Identifiable Information, trade secrets, financial data or intellectual property, and allow people access only to what they need. Local administration rights can be locked down, and application whitelisting and blacklisting policies can help to block malicious software.

Implementing User Training, Awareness and Support

Ensuring all users (including IT) have appropriate training to undertake their roles and recognise security threats is key to avoiding unwilling participants and misconfiguration threats. Additionally, wellness programs and employee mental health support may help prevent workplace stress rising to levels where risk is increased.

Response and Recovery

Following an Incident Response Plan

Following a tailored Incident Response Plan that covers playbooks for specific insider threat scenarios will assist in a faster and more efficient response. Ensuring you have a communications plan in place to handle an event such as a data breach where you may be required to update customers, organisations such as the privacy commission and the media, is also vital.

Conducting an Investigation

If a breach is suspected, conducting a formal forensic investigation can determine the possible cause, breadth and impact of the incident. The use of advanced forensic tools can identify potential evidence relating to any incident for legal or employment proceedings. The potential recovery of sensitive data and evidence such as deleted social media posts can also be achieved with careful investigation. Contact us for further information about investigating insider incidents where protecting the assets, reputation and brand of your business is vital.

Insider threats are an increasing risk for businesses in 2020. They are difficult to prevent and detect and often cause significant financial and reputational harm. Responding to these threats in a timely and efficient manner is therefore critical to protecting your business. Planning for the insider threat, by ensuring your business understands its risk profile and has good cyber governance and incident response policies and procedures defined and tested, is the most effective way to increase resilience to insider threats.

The Bulletin:

To obtain a full copy of the Bulletin, please visit https://incidentresponse.co.nz/bulletin

Glen Roper

Account Manager at CSE Genesis

4 years

Great insights Campbell McKenzie, it's concerning that a lot of SMBs are still putting security down the priority list...
