By: Colin Murray, ITMG Insider Threat Analyst
Insider threat analysts are always looking at their company’s employees. All day they see the activity of those workers and are attempting to understand whether things are a risk or not. It is so easy to fall into the illusion that employees are the only potential insider threat. Having that mindset can potentially lead to us not being able to fully understand when external threat actors become the insider threat.
Insider threats are anyone with credentialled access to everything inside a network. This does not necessarily mean that those credentials are being wielded by someone who is supposed to have them. There are ways in which malicious threat actors can acquire the credentials of legitimate employees.
Phishing attacks are the most common method for external agents to become insider threats. They will often send emails that pretend to be from a trusted source, and they will have the user enter their login and password info into a prompt. Once this has been done the threat actor has full access to the network. To the eyes of analysts, the user will look the same as they always have. The best method for preventing phishing attacks is by having regular training with employees. This will help them to better understand when such an email is a phishing attempt.
Password cracking is a method that just requires the threat actor to correctly guess the password. They are many tools that allow them to do this but what is important is that it requires no interaction from the user whose credentials are being stolen. The best method for preventing this is to require lengthy and complicated passwords. The longer and more complicated the password, the less likely it is to be cracked. If a password is long enough it can be nearly impossible to crack.
The last method is a pass the hash attack. With this technique the threat actor catches the password hash when it is being sent by legitimate users to the system to log on. When they have the hash, they can pass it to the system and gain entry for themselves. This can be a scary method because there is not much that can be done to prevent it depending on the systems being used. Instead, it is more about mitigating the risk by requiring passwords to be changed regularly. Once a password is changed the stolen hash will no longer be effective.
All these methods allow bad actors into the system and become insider threats. Analysts need to be wary that the activity they are looking at in any alert could be activity conducted by someone other than the employee. Analysts should be on the lookout for behavior that runs counter to a person’s role or prior behavior. When this happens there is always a risk that someone has gained access to a user’s credentials and is passing them off as their own.
Contact ITMG to Develop Strategies and Protocols Designed to Help Your Company Mitigate Your Insider Risk
ITMG is an industry leader in helping organizations throughout the United States strengthen their insider risk management programs and secure sensitive data and intellectual property. Our team of bona fide experts has the real-world experience necessary to plan out and create holistic security solutions tailored to the needs and risks in your industry. Contact ITMG today to learn more about how we can help! You can also visit our Facebook, Twitter, and LinkedIn pages for more updates and insights into the world of insider risk management.