Understanding the Insider Threat


Fri, 11/18/2016 - 07:46
Jul 30th, 2011

A good friend of mine asked me today for some information and metrics about insider network security attacks. It is a question I am often asked, so I decided to post a few notes about the topic, including some good references.

Bruce Schneier made a good comment about this back in 2008:

The whole insiders vs. outsiders debate has always been one of semantics more than anything else. If you count by attacks, there are a lot more outsider attacks, simply because there are orders of magnitude more outsider attackers. If you count incidents, the numbers tend to get closer: 75% vs. 18% in this case. And if you count damages, insiders generally come out on top — mostly because they have a lot more detailed information and can target their attacks better.

Both insiders and outsiders are security risks, and you have to defend against them both. Trying to rank them isn’t all that useful.

If you count damages, insider attacks are often far worse: they are more extensive and go undetected longer. It all comes down to the attack surface and how well you understand your level of exposure, internally and externally. The problem is often not technical but organizational. Organizations tend to focus on building a fort that protects them from outsider threats, deploying the best security technologies and processes at the Internet edge, but then fail to implement the same level of protection internally, or to develop the processes and procedures needed to audit and assess the internal network.

One reason mitigating the insider threat has been difficult is that several definitions are in use, and the definition tends to depend on the perspective of whoever is defining the problem. So who is an insider? A contractor who has been with the company for three months and can still connect to most internal resources? A guest in a conference room who is already behind your Internet edge firewalls? A disgruntled employee with ten years at the company? All of them can be a threat.

As we can see, insider can mean many different things to different people. In fact, some use the term insider when they are really referring to insiders with malicious intent. In my opinion, an insider is anyone with any level of authorized access to an organization's infrastructure, where access means the ability to connect to and interact with that infrastructure. What about a naïve "trusted user" whose machine is compromised and is now used by an outsider as a stepping stone? Attacks nowadays are borderless (just like the Cisco marketing buzzword ;-)), and the number of organizations hit by advanced persistent threats (APTs) grows daily.

The following are several real-life examples of insider attacks/threats from the media:

A 63-year-old former system administrator employed by UBS PaineWebber, a financial services firm, allegedly infected the company's network with malicious code. The malicious code he used is said to have cost UBS $3 million in recovery expenses and thousands of lost man-hours. He was apparently irate about a poor salary bonus he received. In retaliation, he wrote a program that would delete files and cause disruptions on the UBS network. After installing the malicious code, he quit his job. He then bought "puts" against UBS: if the stock price for UBS went down, because of the malicious code for example, he would profit from that purchase. His malicious code was executed through a logic bomb, which is a program on a timer set to execute at a predetermined date and time. The attack impaired trading while impacting over 1,000 servers and 17,000 individual workstations.

A Chinese national, a programmer at Ellery Systems, a Boulder, Colorado software firm working on advanced distributed computing software, transferred via the Internet the firm's entire proprietary source code to another Chinese national working in the Denver area. The software was then transferred to a Chinese company, Beijing Machinery. Subsequently, foreign competition directly attributed to the loss of the source code drove Ellery Systems into bankruptcy.

In Detroit a former security guard at General Motors was accused of taking employee social security numbers and using them to hack into the company’s employee vehicle database. He was arraigned on eight counts of obtaining, possessing, or transferring personal identity information, and on one count of using a computer to commit a crime.

In Pune, India, police unearthed a major siphoning racket that involved former and present call center employees. One of the employees—who had worked in the call center for six months before quitting—had the secret PIN codes and customer e-mail IDs used to transfer money. In league with friends, the former employee allegedly transferred the equivalent of three hundred and fifty thousand dollars from four accounts of New York-based customers into their own accounts opened under fictitious names. They then used the money to buy cars and electronics.

Zhangyi Liu, a Chinese computer programmer working as a subcontractor for Litton/PRC Inc., illegally accessed sensitive Air Force information on combat readiness. He also copied passwords that allow users to create, change, or delete any file on the network, and then posted the passwords on the Internet.

A disgruntled employee is suspected of hacking a global networking consultancy’s computer systems and then e-mailing staff confidential information about forthcoming restructuring plans. New York-based networking consultancy ThruPoint, which partners with Cisco and KPMG spin-off BearingPoint, confirmed that it is conducting an investigation into the embarrassing incident.

A Management Information Systems (MIS) professional at a military facility learns she is going to be let go due to downsizing. She decides to encrypt large parts of the organization’s database and hold it hostage. She contacts the systems administrator responsible for the database and offers to decode the data for ten thousand dollars in “severance pay” and a promise of no prosecution. The organization agrees to her terms before consulting with proper authorities. Prosecutors reviewing the case determine that the administrator’s deal precludes them from pursuing charges.

An engineer at an energy processing plant becomes upset with his new supervisor. The engineer’s wife is terminally ill and the related stress leads to a series of angry and disruptive episodes at work that result in probation. After the engineer’s being sent home, the engineering staff discovers that the engineer has made serious modifications to plant controls and safety systems. When confronted, the engineer decides to withhold the password, threatening the productivity and safety of the plant.

– Source: “Enemy at the Water Cooler: Real-Life Stories of Insider Threats and Enterprise Security Management Countermeasures”

So, how do you protect your "crown jewels", the information that makes your company or organization what it really is? Data centers are often the keepers of these crown jewels: they house the data and applications that are critical to the success of many businesses. Consequently, the data center must be secure and resilient in order to keep your enterprise running at maximum productivity and to protect your profitability and reputation.

There are many white papers already on data center security, network auditing, and so on. They provide guidelines on how to implement the biggest, fastest, and shiniest security products and technologies out there. However, even before you explore which technology or product to implement, you must have a good understanding of the traffic flows in your environment and of how to achieve visibility and control across your entire network.

This is why I always suggest creating topology maps and other diagrams to visualize your network resources and to drive security architecture decisions. You can create circular diagrams like the one illustrated below (which is very simplistic, but it gives you the basic idea so that you can then customize the diagrams to fit your organizational needs). Typically, these types of diagrams include the resources that surround a critical system or area of the network you want to protect. In the following figure, a very simplistic "cluster of servers" is illustrated in the center of the diagram. Several layers describe the devices in the topology in relation to different sections of the network.


The onion diagram above helps you visualize and understand the different layers of protection you can apply within your network to protect the mission-critical systems. The diagram has four major sections that portray the path to and from the protected system and the following sections of the network:

  • Finance department users
  • Internet
  • Call Center
  • Branch Office in Los Angeles, California (LA)

You can also visualize packet flows and understand how security policies can be applied to each network device to protect critical systems and the infrastructure as a whole. You can identify where to apply the technologies that let you gain and maintain visibility into what is happening in your network, where to apply security policies, and where the "choke points" are. The following are two examples:

Visibility Techniques Applied


Policy Enforcement Techniques Applied
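The two figures above are the visual version of the exercise; the same zone model can be turned into a small audit that gives you the visibility and the enforcement view at once. The script below is an added example, not code from the original post or from the book it mentions. It assumes a prefix for each of the four sections of the onion diagram plus the protected server cluster, a per-zone choke point (the firewall sitting between that zone and the cluster), and a policy of which (source zone, protocol, destination port) combinations are allowed to reach the cluster; all addresses, device names, ports and flow records are constructed for illustration. It then walks a set of NetFlow-style records, reports every flow toward the cluster that the policy does not permit together with the choke point that should have blocked it, and sums the bytes each zone sends toward the crown jewels.

```python
"""Zone-based flow audit for an "onion" topology (added example, not from the original post).

Assumptions (illustrative only): the prefixes in ZONES, the device names in
CHOKE_POINTS, the ports in ALLOWED and the records in SAMPLE_FLOWS.
"""
import ipaddress
from dataclasses import dataclass

# Assumed addressing: each section of the onion diagram gets one prefix.
ZONES = {
    "server_cluster": ipaddress.ip_network("10.10.0.0/24"),
    "finance": ipaddress.ip_network("10.20.0.0/24"),
    "call_center": ipaddress.ip_network("10.30.0.0/24"),
    "branch_la": ipaddress.ip_network("172.16.5.0/24"),
}

# Assumed enforcement device between each zone and the protected cluster.
CHOKE_POINTS = {
    "finance": "dc-fw-inside",
    "call_center": "dc-fw-inside",
    "branch_la": "wan-edge-fw",
    "internet": "internet-edge-fw",
}

# Assumed policy: (src_zone, proto, dst_port) permitted toward the cluster.
# Finance reaches the ERP front end, the call center reaches the CRM over
# HTTPS, the LA branch reaches file services, the Internet gets HTTPS only.
ALLOWED = {
    ("finance", "tcp", 8443),
    ("call_center", "tcp", 443),
    ("branch_la", "tcp", 445),
    ("internet", "tcp", 443),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int
    bytes: int


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the known prefixes is 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def audit(flows):
    """Return (flow, src_zone, choke_point) for every flow that reaches the
    server cluster without a matching ALLOWED entry."""
    findings = []
    for f in flows:
        if zone_of(f.dst) != "server_cluster":
            continue  # only traffic toward the crown jewels is checked here
        src_zone = zone_of(f.src)
        if (src_zone, f.proto, f.dst_port) not in ALLOWED:
            findings.append((f, src_zone, CHOKE_POINTS.get(src_zone, "unknown")))
    return findings


def bytes_by_zone(flows):
    """Visibility view: bytes each zone sends toward the cluster, allowed or not."""
    totals = {}
    for f in flows:
        if zone_of(f.dst) == "server_cluster":
            z = zone_of(f.src)
            totals[z] = totals.get(z, 0) + f.bytes
    return totals


# Constructed flow records standing in for a NetFlow export; not real data.
SAMPLE_FLOWS = [
    Flow("10.20.0.15", "10.10.0.5", "tcp", 8443, 120_000),    # finance -> ERP: allowed
    Flow("10.30.0.44", "10.10.0.7", "tcp", 443, 40_000),      # call center -> CRM: allowed
    Flow("10.30.0.44", "10.10.0.5", "tcp", 22, 9_000),        # call center -> SSH: violation
    Flow("172.16.5.9", "10.10.0.9", "tcp", 445, 2_000_000),   # LA branch -> file share: allowed
    Flow("172.16.5.9", "10.10.0.9", "tcp", 3389, 15_000),     # LA branch -> RDP: violation
    Flow("203.0.113.7", "10.10.0.7", "tcp", 443, 30_000),     # internet -> HTTPS: allowed
    Flow("203.0.113.7", "10.10.0.5", "tcp", 1433, 5_000),     # internet -> MSSQL: violation
    Flow("10.20.0.15", "10.20.0.99", "tcp", 445, 70_000),     # finance -> finance: not toward cluster
]

if __name__ == "__main__":
    for f, zone, device in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {zone:12s} {f.src} -> {f.dst}:{f.dst_port}  enforce at {device}")
    print("bytes toward cluster by zone:", bytes_by_zone(SAMPLE_FLOWS))
```

Run against the constructed records, the audit flags three flows (SSH from the call center, RDP from the LA branch, MSSQL from the Internet) and names a different choke point for each, which is exactly the mapping you want from the diagram: the violation tells you where the policy is missing, and the byte totals tell you which ring of the onion carries the most traffic toward the protected system and therefore deserves the most monitoring.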

I have a lot more examples and details of these diagrams and security frameworks in one of my books (“End-to-End Network Security: Defense-in-Depth“). However, I would also like to share a few other good references about insider attack protection:

Many network security frameworks are in the marketplace, and most of them share the goal of providing a methodical and efficient approach to network security. No framework is perfect; you should choose an approach that helps reduce the time, cost, and resources needed to plan and deploy your security strategy.
