Sunday, September 20, 2020

The "Insider Plus" threat: what the Tesla and Twitter attacks say about the resurgence of an enduring risk

Image of logos suggesting threats are insider or outsider or bothThe "Insider Threat" to information system security is as old as computers, but in recent decades it has received less attention than external threats; yet there is reason to believe that the risk posed by insiders acting on instructions from outsiders may be on the rise; we can usefully refer to this as the "Insider Plus" threat. In my assessment, the number of organizations that are fully aware of, and well-prepared to defend against, this insider plus threat is problematically small. 

That's the short version of this article, which explores the implications of recent security incidents at Twitter and Tesla, finding them indicative of several different-but-related phenomena that suggest the insider plus risk will increase over time. I have also provided some hopefully useful background on insider threats.

Twitter, Tesla, and Three Things True in 2020

Reporting in July on the attack that resulted in the hijacking of Twitter accounts belonging to high-profile individuals and brands, CSO Online described it as: "the perfect example of the impact a malicious or duped insider and poor privileged access monitoring could have on businesses." (Twitter VIP account hack highlights the danger of insider threats).

The next month, Government Tech reported on "an alleged million-dollar payment offered [to an insider] to help trigger a ransomware extortion attack" on the Tesla electric car company. This appeared in Dan Lohrmann's extensive piece on ransomware during Covid 19 where he quotes Katie Nickels, the director of intelligence at security firm Red Canary: 

"It really changes the game for the defenders. Before today I would not have suggested companies include an insider attacker installing ransomware in their threat model. Now everyone has to shift their thinking. If we know about this one case that’s been documented, there might be more."

I'm willing to bet there have been more, if only because this type of attack is a natural outcome of three currently observable phenomena:

  1. Some organizations have become adept at defending against external attackers.
  2. Very hard times, such as a global pandemic, make some employees very susceptible to unethical conduct.
  3. The ethical status of abusing access to information systems remains vague and/or malleable in the minds of many humans.

Consider This Scenario 

You want to extort a company with deep pockets that relies on computer systems that you know you can disable with code in your possession, but the company is doing a good job of preventing external access to those systems; so you decide to get an insider to help you. There are numerous ways of doing this, including but probably not limited to: 

  • A monetary bribe: which might be particularly effective right now, given the current levels of economic hardship and uncertainty.
  • A chance at fame: which may appeal to some individuals for whom abuse of digital technologies is a sport or side gig or a form of protest (all of which can be said to be enabled by ambiguities in the ethics of technology). 
  • A promise not to reveal embarrassing or damaging information: also known as blackmail, potentially facilitated by unauthorized access to devices and accounts belonging to the targeted insider. 
Given the plausibility of this scenario, every company needs to check its approach to data privacy and cybersecurity to make sure it addresses the risk that an external attacker may "partner" with an insider. Clearly, privileged access monitoring needs to be in place and in use, but so does management's awareness that insiders may be more susceptible to breaches of IT security policy and criminal statutes during this pandemic.

Consider This Bibliography

Anyone seeking a deeper understanding of insider threats will benefit from reading insider case studies, such as those aggregated by the CERT Insider Threat Center (Cappelli, Moore and Trzeciak, 2012). The Center has documented hundreds of internal computer crimes that impacted companies in sectors like banking (Randazzo, Keeney, Kowalski, Cappelli, and Moore, 2004), information technology and telecommunications (Kowalski, Cappelli, Moore, 2008), critical infrastructure (Keeney, Kowalski, Cappelli, Moore, Shimeall and Rogers, 2005), and financial services (Cummings, Lewellen, McIntire, Moore, and Trzeciak, 2012). 

While the primary goal of the Center was to discover and disseminate practical methods of mitigating insider threats, the case studies are analysed according to academic standards; for example, methodological limitations, like the inability to generalize findings to all organizations, are duly noted (Cappelli et al, 2012). These studies reveal how a wide range of insiders exploit opportunity to commit crimes, often through a simple betrayal of the trust placed in them as employees or contractors. 

Some insiders may, like Edward Snowden (Poitras, 2014), have far-reaching “super-user” access to the organization’s assets, be they physical or digital; yet CERT has recorded many cases where the crime was committed by an insider with few technical skills and only limited access. These studies document how even limited trust can, if betrayed, enable criminal activity. It may be theorized that such betrayal, by colleagues and co-workers, chosen by management to work at the company, and of whom there is at least a minimal expectation of trustworthiness and shared interests, may have a greater negative psychological impact than the criminal act of an outsider, a person of whom there are no pre-existing positive expectations. 

As I noted in my master's degree essay—from which the preceding three paragraphs were taken—the threat of betrayal by trusted insiders is real, for there can be no doubt that the following is true: "never before have so many insiders had so much access to so much computerized information of such great value." 

Furthermore, never have there been so many ways to monetize—often at relatively low risk— unauthorized access to information systems and the information they process and store. What strikes me as particularly worrying right now is the potential for malefactors to adopt increasingly aggressive meatspace crime tactics in their quest for access to protected systems.

I will be discussing this further and providing links here.


No comments: