Image: Andrea Danti/Shutterstock

Most organizations don’t want to consider the possibility of insider threats, but they are a serious issue that should always be in mind. Disgruntled or fired employees seeking revenge, employees moving to a competitor with intellectual property they stole before leaving or untrustworthy contractors can wreak havoc on your business. What if an external threat actor would offer your employees easy money to just do a quick action on one of the company’s computers? How would the company detect it?

SEE: Google Chrome: Security and UI tips you need to know (TechRepublic Premium)

What is the origin of the insider cybersecurity threat?

Fighting and defending against external threats is the daily routine of every computer security professional. It takes most of the staff’s time, energy and budget. Yet security personnel should not disregard the insider threat, which is unfortunately too often underestimated.

Insider threats can have different origins, the most common being:

  • Disgruntled or angry employees.
  • Fired or ex-employees still having access to the corporate network.
  • Employees leaving the company.

Some of those employees or ex-employees will try to use their knowledge of the company and the data to which they have access to cause harm and affect confidentiality, integrity or availability of the organization’s critical information or networks.

Some will also want to steal information to use it in a competitor company or even sell it to interested third parties.

Cybercriminals looking for employees to recruit

As an example, the LOCKBIT ransomware, once it encrypted contents on the hard drive of victims, showed a very unusual message on the screen in its version 2 (Figure A).

Figure A


Ransom message from LOCKBIT 2.0 ransomware

Part of the message delivered by this ransomware showed a curious attempt to actually recruit insiders:

“Would you like to earn millions of dollars?
Our company acquire (sic) access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.
You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company.”

Now it does not really make sense to send this message to a company that is already under successful attack, right?

Well, considering that a lot of companies do employ third parties for IT or security/incident response handling, it suddenly makes more sense. A person might be tempted by that offer and sell credentials for any company he or she provides services to. Seeing the amounts of money ransomware gangs do seem to get, one might expect an important financial offer for providing corporate access.

In another striking example, a ransomware group started sending emails to employees of several companies (Figure B).

Figure B

Initial email sent by cybercriminals.
Image: Abnormal Security

The cybercriminals offer $1 million for installing Demonware ransomware on any computer or windows server from the company. Since the attacker offers 40% to the employee, it means the global ransom to be asked would be $2.5 million. The offer decreased significantly after Abnormal Security chatted with the criminal, pretending to be interested in launching ransomware on a fake company’s windows server.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

The investigations run by Abnormal Security revealed that the ransomware group was probably just a single individual based in Nigeria. The company added that western African scammers, primarily located in Nigeria, have perfected for decades the art of social engineering in cybercrime activities.

The request for insider assistance to compromise a corporate network and install ransomware on it clearly shows a lack of technical skills from the attacker. Yet even an unskilled attacker might be able to launch several different emails, and it only takes one person to believe in it and install the ransomware to bring the targeted company to the severe situation of having all its important files encrypted.

Insider threats are a growing risk

Cybercriminals with the ability to compromise networks to launch ransomware attacks have shown through recent years that it was a working business model for them. In addition to hackers compromising companies for their own fraudulent actions, initial access brokers have appeared. Those people are selling corporate access to anyone who pays for it, making it an important asset for people who do not have the skills to initially compromise systems. Insiders might sell credentials to these kinds of criminals for easy money, and contractors working for many different corporations might even sell several of these credentials to third parties.

As for cybercriminals with less skill, they see the ransomware business as highly profitable but cannot compromise companies themselves. They might go for more elaborate emails and social engineering lures to get credentials from insiders.

How can you protect your company against insider threats?

Here are four ways to prevent insider threats at your organization.

1. Enforce strong security policies for remote access

Employees generally need to access different parts of the corporate network, in addition to using a corporate VPN access. They also might use resources in the cloud. Security policies should restrict employees to access only the resources they need for their work, with different privileges: read, write, edit.

2. Use multi-factor authentication

Use multi-factor authentication for users working remotely and for users with extended privileges to critical assets or parts of the network.

3. Monitor usage

Deploy User and Entity Behavior Analytics tools, which will help gain visibility over employee actions and help detect suspicious activities.

4. Build a comprehensive employee termination procedure

Such procedures should be clear and contain actions that should be engaged when the employee quits his or her job. In particular, removing accounts and credentials to access the corporate networks must be done as soon as possible.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.