Hi, welcome to the next instalment of our "Knowing Your Enemy" blog series.
This week we are going to focus on “The Insider”: what type of vulnerabilities this type of actor is looking to exploit, and how.
The Privileged Employee, or the Insider Threat
The name speaks for itself. The insider, often an employee with privileged access to sensitive data, may willingly or unwillingly be part of a cybercrime operation.
The insider may compromise the company they work for on purpose, through sloppiness, or through external influence. Alternatively, they may have been the victim of a scam or blackmail.
This ambiguity of their nature often makes insiders the hardest to foresee and counter. In other words, cyber-defences should start with the insider.
Ok, so this threat actor could be extremely dangerous, as they are already inside the outer security perimeter and able to perform an advanced persistent threat (APT) against an organisation.
They are usually concerned with data theft, possibly for monetary gain, but more often they are disgruntled employees out to cause damage to a system.
How do traditional IT Health Checks and penetration testing activity cope with this type of threat? Very poorly: too much emphasis is placed on defining specific systems within the scope of testing, rather than allowing the testing team the ability to diversify throughout the environment.
Internal red-teaming would be one way to allow a more effective type of assessment, although this would be difficult to scope and manage in practice. Allowing an external company the freedom to choose targets in a live, production environment can be extremely daunting for any business, as the potential for disruption is high.
A solution that can safely automate the typical attack vectors that would emanate from malware payloads or malicious insider actions would be a fair, cost-effective solution to the problem.
So what does this mean in practice?
Well, in order to evaluate the threat posed by a malicious insider, you need to look at the entire environmental ecosystem as a whole. This includes the user settings on the end-user devices, whether a Windows workstation that receives group policy updates, a mobile device managed through a mobile device management (MDM) system, or an environment where users can bring their own devices, over whose configuration the organisation has little control.
Then what about the network layer? What ingress and egress points are there in and out of the network? Can a user post sensitive data to website forums, or connect to malicious, malware-infested websites?
Removable media is always a prime vector for spreading malware, along with emails and malicious websites, so anti-virus, anti-malware, anti-spam and IDS all need to be tested under the guise of a malicious insider.
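To make the network-layer and removable-media questions above concrete from the defender's side, here is an added example (not code from the original post, and not a Red Wolf Security or Lucy product) that runs simple insider-egress detection logic over constructed log lines. The proxy log format, the endpoint event format, the sanctioned-domain allowlist and the byte thresholds are all assumptions made for the example; the sample lines are constructed and represent no real traffic. It flags large POST/PUT uploads to non-corporate hosts (per request and aggregated per source), and correlates a USB mass-storage attach event with a subsequent large file copy by the same host and user.

```python
"""Detect insider-style data egress in constructed proxy and endpoint logs."""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real traffic).
# Assumed format: timestamp src_ip method url bytes_sent status
PROXY_LOG = """\
2024-03-01T09:12:03Z 10.0.0.15 GET https://intranet.corp.example/home 512 200
2024-03-01T09:14:21Z 10.0.0.15 POST https://files.corp.example/upload 5242880 200
2024-03-01T09:20:45Z 10.0.0.15 POST https://paste.example.net/api/new 3145728 200
2024-03-01T09:21:10Z 10.0.0.15 POST https://paste.example.net/api/new 2097152 200
2024-03-01T09:30:00Z 10.0.0.22 GET https://news.example.org/ 2048 200
2024-03-01T09:31:00Z 10.0.0.22 PUT https://share.example.io/f/abc 204800 201
"""

# Constructed sample endpoint event lines (not real telemetry).
# Assumed format: timestamp host user event key=value[,key=value...]
ENDPOINT_LOG = """\
2024-03-01T09:05:00Z WS-042 jdoe usb_mass_storage_attached vid=0781,pid=5583
2024-03-01T09:06:30Z WS-042 jdoe file_copy dest=E:\\export\\customers.csv,bytes=104857600
2024-03-01T09:40:00Z WS-017 asmith usb_mass_storage_attached vid=046d,pid=c52b
"""

CORPORATE_DOMAINS = {"corp.example"}      # assumed allowlist of sanctioned upload destinations
EGRESS_BYTES_THRESHOLD = 1_000_000        # assumed per-request alert threshold (bytes)
EGRESS_AGGREGATE_THRESHOLD = 4_000_000    # assumed per-source aggregate threshold (bytes)


@dataclass
class ProxyEvent:
    ts: str
    src: str
    method: str
    host: str
    bytes_sent: int
    status: int


def parse_proxy(text):
    """Parse the assumed space-separated proxy format into ProxyEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url, nbytes, status = line.split()
        host = urlparse(url).hostname or ""
        events.append(ProxyEvent(ts, src, method, host, int(nbytes), int(status)))
    return events


def is_sanctioned(host):
    """True if the host is a corporate domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in CORPORATE_DOMAINS)


def flag_egress(text):
    """Return (per_request_alerts, per_source_totals_over_threshold).

    Only upload-style methods (POST/PUT) to non-sanctioned hosts count as
    egress; GETs and uploads to corporate services are ignored.
    """
    per_request = []
    totals = defaultdict(int)
    for ev in parse_proxy(text):
        if ev.method not in ("POST", "PUT") or is_sanctioned(ev.host):
            continue
        totals[ev.src] += ev.bytes_sent
        if ev.bytes_sent >= EGRESS_BYTES_THRESHOLD:
            per_request.append((ev.ts, ev.src, ev.host, ev.bytes_sent))
    per_source = {src: t for src, t in totals.items() if t >= EGRESS_AGGREGATE_THRESHOLD}
    return per_request, per_source


def flag_removable_media(text):
    """Correlate a USB mass-storage attach with a later large file copy by the same host/user."""
    attached = {}   # (host, user) -> timestamp of most recent attach
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, event, detail = line.split(maxsplit=4)
        key = (host, user)
        if event == "usb_mass_storage_attached":
            attached[key] = ts
        elif event == "file_copy" and key in attached:
            fields = dict(kv.split("=", 1) for kv in detail.split(","))
            nbytes = int(fields.get("bytes", 0))
            if nbytes >= EGRESS_BYTES_THRESHOLD:
                alerts.append((ts, host, user, fields["dest"], nbytes))
    return alerts


if __name__ == "__main__":
    requests, sources = flag_egress(PROXY_LOG)
    for alert in requests:
        print("large upload to non-corporate host:", alert)
    for src, total in sources.items():
        print(f"aggregate egress from {src}: {total} bytes")
    for alert in flag_removable_media(ENDPOINT_LOG):
        print("large copy after USB attach:", alert)
```

The two thresholds and the allowlist are the knobs an assessment would tune per environment; the point of the exercise is that an insider-threat test should confirm these signals actually fire (or that the egress path is blocked) rather than assuming the proxy and endpoint controls are working.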
Fortunately, the industry is catching up and providing solutions for this type of assessment. Whether through a customised virtual machine (as provided by Red Wolf Security) or through a malware simulation test kit (as provided by the Lucy Phishing server), there are options out there that should be adopted and incorporated into the risk management process.
Links
Insider Threat Testing - Red Wolf Security
Conclusion
Insider threat testing is an essential part of modern security testing. Performing server build reviews, internal network security assessments, firewall rule base reviews, etc. is all well and good and still has a major part to play in the IT Health Check process.
However, if you are not performing internal red team assessments using customised malware on a regular basis (which would be ideal, but is extremely expensive and could be problematic in a production environment), then adopting an automated tool kit such as those mentioned in this post, alongside the more traditional assessment methodologies, covers the bases.
Progressive and forward-thinking security testing consultancies are adopting this type of testing within their service offerings and methodologies, which allows them to take a more pragmatic approach to risk analysis.