Chapter 2: The Human Side of Cybersecurity

It is important to understand the human side of cybersecurity. Too often, people get caught up in the technology related to cybersecurity and lose sight of an important fact – all attacks involve people attacking people. Both attackers and defenders use technology to do their work, but the underpinnings of most successful attacks seek to exploit a human before they exploit a system.

In this chapter, we will cover social engineering techniques, types of malicious software that are used to compromise an environment, and the types of insider threats an organization will face. While tactics and technologies change for both attackers and defenders, the motivations of human beings are more predictable. Understanding the people behind the breaches creates a more solid information security foundation as opposed to chasing the latest technology.

By the end of this chapter, you will be able to identify social engineering attacks, types of malicious software and their purpose, and types of insider threats and know what to do about them. We will start off with a discussion about the people on the attacker's side.

In this chapter, we will cover the following topics:

  • People exploiting people
  • The three types of insider threats

People exploiting people

It is a sad fact that cybercriminals are in the business of exploiting people. They exploit their victims' hopes, fears, and willingness to help in order to install malicious software on their machines or capture their credentials. Then they exploit that access to steal identities or financial information or to hold their victims' data for ransom. While technology is involved at every step, the story of cybersecurity is a human story. Cybercriminals are no different from other criminals; they use shady tactics to exploit people for their own gain. Cybersecurity, then, is the art and science of protecting people from harm.

The first element of this human story is understanding the tactics from the attacker's perspective. When people set out to exploit others in cyberspace, the following categories of techniques are most popular:

  • Social engineering techniques
  • Stealing credentials
  • Malicious software

When describing social engineering, most people will intuitively understand what it is, even if they are not familiar with the term.

Social engineering techniques

Social engineering is the collective name for tactics designed to persuade someone to do something they wouldn't normally do so the attacker can gain something of value. Sometimes the attacker seeks to gain access to sensitive information they can profit from. Other times, the attacker may want to gain access to a system to install malicious software. Regardless of the end goal, social engineering is often an important step in the attack chain. The following are common social engineering techniques attackers use to advance their cause.

The first and most common form of social engineering is known as phishing.

Phishing

Phishing is the most common social engineering technique because it is easy to launch at scale. Phishing specifically refers to email attacks designed to trick an end user into clicking on a link or opening an attachment. Link-based phishing is often designed to harvest a password. For example, if an attacker sends you a lure that looks like a Chase banking alert and you click on it, the link will likely take you to a page that imitates the Chase login page. If you enter your credentials, the attacker now knows you bank at Chase and has your username and password, which is all they need to log in unless a second factor stands in the way. If you don't bank at Chase, you either wouldn't click the link or wouldn't enter a password. Attackers are smart, and they try to find ways to increase their likelihood of success. For example, when targeting XYZ company, they may register the XYZSecurity.com domain name so that the sender address and the link appear to belong to XYZ, which makes a user more likely to click the link and enter their credentials.

Attachment-based phishing messages are designed to get you to click on a malicious attachment, which will then install malicious software on your machine. This is a common vector for ransomware attacks. Often, these attachments are designed to pique your curiosity. For example, sometimes a PDF file will be attached to a message that looks like someone in finance sent it to the whole company by mistake. The attachment may be named something such as Next Year's Salaries and Bonuses. There is a good chance that someone will want to see what is in that attachment.

These examples are not comprehensive. Some phishing links lead to pages that deliver malicious software rather than a fake login form, and some malicious attachments do not install software at all, for example a document whose only job is to carry a link or a payment instruction. Business Email Compromise (BEC) attacks contain no payload whatsoever; the message itself is the attack, and its purpose is to convince someone to do something such as wiring money to a fraudulent bank account.

Regardless of the payload and the tactics, phishing attacks share some common elements. First, attackers know that a target who takes time to examine a message will usually find something that gives them pause: hovering over a link may expose the real URL, and a close look at the sender address may show the sender isn't who they appear to be. As a result, attackers try to create urgency. They want the victim to feel that they must act quickly, and that if they don't, something bad will happen or they will miss out on an opportunity.

The second element is the lure. Criminals know that if people are in a hurry and the message looks close to legitimate, people will likely click. A typical lure is a coupon for a popular service that expires soon, so the user feels they will miss out on something of value if they don't act now. Because legitimate companies use the same tactics to create urgency in buying behavior, urgency by itself raises fewer red flags than it should. In general, if someone is trying to motivate you to act quickly, whether an attacker or a legitimate business, it should give you pause.

There are several ways to support users and stop them from falling victim to phishing attacks. We will cover methods for teaching end users how to identify phishing attacks in Chapter 5, Protecting against Common Attacks by Partnering with End Users. Sometimes people will ask about smishing. Smishing is simply phishing over text message. The name is different, but the technique is the same, delivered over a different medium, and it is harder to defend against because link targets are difficult to inspect on a phone.
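The checks just described (hover to see the real URL, look closely at the sender) can also be run automatically at a mail gateway. The following is an added example, not code from the book: a triage pass over a raw message that flags a sender whose display name invokes a brand its domain does not belong to, a link whose visible text shows one host while the href goes elsewhere, look-alike domains that embed a trusted brand name, and urgency wording. The sample message and every domain in it are constructed; the registered-domain helper is a deliberate simplification that ignores multi-label suffixes such as co.uk.

```python
"""Heuristic phishing triage for a raw RFC 5322 message.

Added example, not the book's code. SAMPLE and TRUSTED are constructed;
the domains in them are not real. registered_domain() uses no public-suffix
list, so multi-label TLDs (co.uk) are not handled. It is a triage aid, not
a verdict engine.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

URGENCY = ("immediately", "within 24 hours", "suspended", "urgent", "act now")


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._buf = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def registered_domain(host):
    """'a.b.example.com' -> 'example.com' (crude: last two labels only)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(value):
    """Host part of a URL, or of bare text that looks like a domain."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return urlsplit(value).hostname or ""


def inspect_message(raw, trusted):
    """Return a list of findings. `trusted` maps brand keyword -> real registered domain."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = registered_domain(addr.partition("@")[2])
    for brand, real in trusted.items():
        if brand in name.lower() and sender_domain != real:
            findings.append(f"display name '{name}' but sender domain {sender_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    parser = _Anchors()
    parser.feed(text)
    for href, visible in parser.links:
        href_host = host_of(href)
        # Visible text that itself looks like a URL/domain must agree with the href.
        if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", visible.lower()):
            shown = host_of(visible)
            if registered_domain(shown) != registered_domain(href_host):
                findings.append(f"link text shows {shown} but goes to {href_host}")
        for brand, real in trusted.items():
            if brand in href_host and registered_domain(href_host) != real:
                findings.append(f"look-alike domain {href_host} for brand {brand}")
    hits = [w for w in URGENCY if w in text.lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample lure; not a real message, not real domains.
SAMPLE = b"""From: Chase Alerts <alerts@chase-secure-verify.example>
To: victim@example.org
Subject: Action required
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended within 24 hours.</p>
<p>Sign in at <a href="https://login.chase-secure-verify.example/">https://www.chase.com/</a></p>
"""
TRUSTED = {"chase": "chase.com"}


def triage_sample():
    return inspect_message(SAMPLE, TRUSTED)


if __name__ == "__main__":
    for finding in triage_sample():
        print("-", finding)
```

Run against the constructed lure it reports all four tells; a message from the brand's real domain with matching link text produces none. In production this sits behind SPF/DKIM/DMARC evaluation, which this example does not perform.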

According to a Security Boulevard article, "85% of all organizations have been hit by phishing attacks" in 2020 (Meharchandani, 2020). Security awareness training helps against generic phishing, but even a successful program will not yield a 0% click rate; in fact, most companies would be satisfied with a click rate below 10%. A 10% click rate means roughly one in ten recipients clicks, so any campaign sent to more than a handful of users will almost certainly get at least one click, and without compensating controls designed to support users, that one click is all an attacker needs. Those statistics make it easy to understand why there are so many breaches and ransomware infections. The numbers are not on the security practitioner's side.

While phishing is generally designed to be broadly distributed, and therefore easier to defend against, there is a targeted form of phishing, known as spear phishing, which is tailored to its victim and much more difficult to defend against.

Spear phishing

While phishing campaigns are generic and aimed at broad groups of intended victims, spear-phishing campaigns are targeted attacks aimed at one specific person or a small group. Unlike phishing campaigns, spear-phishing campaigns do not need a high click rate to be successful; a single click from the right person is the goal. Popular corporate targets include CEOs and CFOs. Spear-phishing campaigns are therefore much better researched and designed to fool a specific person. For example, a spear-phishing campaign may be targeted at the CEO of a company. The attacker likely knows the names and interests of the CEO's family members from social media, may have purchased additional information about them on the dark web, and may even have gained access to a family member's email account. Now they can send a message to the CEO pretending to be that family member, convincingly, because the attacker knows how that person writes on social media and maybe even over email. This highlights one of the many ways social media helps attackers conduct reconnaissance. Spear phishing is much more difficult to detect and prevent because the attack is uniquely designed to exploit a specific person. People who are likely to be attacked in sophisticated ways should be supported by additional technology and process to help them avoid falling victim to such attacks.

According to the same Security Boulevard article, "97% of users are unable to recognize a sophisticated phishing email" and "95% of all successful attacks targeting enterprise networks are caused by successful spear phishing" (Meharchandani, 2020). While generic phishing attacks are more common and less successful, spear-phishing attacks are the more dangerous threat. Generic phishing attacks only need a small fraction of users to click to be considered successful, and the attacker may not know precisely what they are targeting. Spear-phishing attacks are often launched by more sophisticated attackers against a small group of users in a specific organization, usually for a specific purpose. These attacks are more likely to succeed, less likely to be detected because they affect a smaller group of people, and more likely to be catastrophic when they do succeed.

The good news is that most companies can predict which people would be targeted by a spear-phishing attack. Putting additional protections around those people helps defend against it. Because of the prevalence of LinkedIn, it is not difficult to find the names of people in leadership and of people whose roles imply elevated privileges, for example IT administrators. Most companies have a public domain name as well, and only a handful of conventions (first.last, first initial plus last name, and so on) are used to build email addresses from names. Put all of that together and an attacker can address targeted emails to specific people in specific roles without ever touching the target's network. As a result, protecting against spear phishing requires some thought, or technology that can identify who is attacked most frequently, so that additional safeguards can be placed around those accounts.

Next, we will discuss a tactic that is generally deployed in the physical world, known as baiting.

Baiting

Baiting is a technique designed to exploit people's natural curiosity. The idea is to leave something, normally a physical device such as a USB storage device, in plain view. Sometimes it is generic and other times it is labeled in a way designed to make someone curious. Either way, the attacker's intention is for someone to plug the device into a machine to see what is on it. The payload may be a file that runs when opened, or the device may itself emulate a keyboard and type commands the moment it is connected. Once the machine is infected, the malicious software may spread to other machines on the network. In other cases, the payload is a backdoor, a specific type of malicious software that allows an attacker to access the target system remotely. Baiting can also occur online, with fake ads or giveaways that redirect users to a website that installs malicious software. Disabling automatic execution for removable media and restricting which USB devices a workstation will accept blunts both variants.

The next section covers a tactic that is social engineering masquerading as malicious software, known as scareware.

Scareware

Scareware is another tactic that was popular for some time. Scareware pops up ads and banners designed to scare a user into thinking their machine has been infected. An antidote is then offered to remove the infection. In some cases, the antidote is the real malicious software, which the user then installs with their own administrator privileges. In other cases, the antidote is offered in exchange for money. What makes scareware a social engineering technique rather than ordinary malicious software is that scareware by itself does not have the access it needs to perform its intended function. Its purpose is to trick the end user into taking an action that leads to further compromise.

Scareware is designed to play upon fear. The next tactic we will discuss, tailgating, is designed to appeal to a person's helpful nature.

Tailgating

Tailgating is a method of gaining unauthorized physical access to a secure facility by following an authorized person through a controlled door. The classic example is someone approaching a secure facility carrying a stack of pizza or doughnut boxes and asking someone to hold the door. Seeking to be helpful, the unsuspecting victim holds the door for the attacker, not wanting to be rude and make them put everything down to get their badge. This exploit plays on a person's desire to be polite and helpful. Once the attacker has physical access, there are several techniques available to them that would not have been possible from outside the facility.

Gaining physical access often opens the door for subsequent attacks. One attack is known as shoulder surfing.

Shoulder surfing

Shoulder surfing is popular in places where large numbers of people work on their computers, such as coffee shops or the gate area of an airport. The idea is for the attacker to look over someone's shoulder at their screen to obtain information they shouldn't have. For example, if a person is working on a spreadsheet containing personal or financial information, the attacker can simply read it. There are even examples of shoulder surfing where attackers rent space in a building across from a specific office building and use cameras to photograph screens.

Not all social engineering techniques are designed to exploit systems directly. In some cases, such as pretexting, the technique is designed to gather information that will increase the likelihood of success of subsequent attacks. It is important to understand that most attacks are chains of events, not single techniques. Most attacks will use multiple techniques. Most begin with one or more forms of social engineering.

Pretexting

Pretexting is a reconnaissance technique designed to gather information about a target under a believable cover story. The simplest example is the surveys you will see people answering on social media. If someone posts something such as Your rock star name is the street you grew up on and your mother's maiden name! and someone replies, the attacker now knows the answers to two common identity verification questions. You will see variations of this scheme all over social media. Some of these surveys may be innocuous, but many of them allow the person posting them to build a database of identity verification answers that could be used to compromise accounts belonging to the people who responded.

Now that we understand social engineering techniques, we can examine their intended outcomes. In most cases, the intended result is either the theft of credentials or the installation of malicious software. We will begin with stolen credentials.

Stealing credentials

When credentials are stolen, bad actors can use them to gain unauthorized access to systems and data. Later in the chapter, we will explore what attackers do with stolen credentials and review an example case that shows the damage that can be caused.

In addition to social engineering, credentials are stolen through data breaches. If attackers can access databases containing usernames and passwords, they can steal that information and not only use it to access that service but also, in many cases, use the same combination to access several other services. An attack where sets of stolen credentials are tried against many services in an automated fashion is called a credential-stuffing attack. Once the original attacker is finished exploiting the information, they will often sell it on dark web marketplaces for others to exploit. Many people hear that they should not reuse passwords and that they should change their passwords frequently. The first rule is the more important one: if one account is compromised and you reuse the same credentials on several sites, the damage can be catastrophic. Current guidance (NIST SP 800-63B) favors changing a password when there is evidence it has been exposed, for example because it appears in a breach corpus, over changing it on a fixed schedule. Many people will ask, "If I can't reuse my passwords, how will I remember them all?" This is a fair question.

Password managers are part of the answer. They store all your passwords, encrypt them, and allow you to unlock them with a master password. A master password should be long, complex, memorable, and not used for any other account. Your master password should never be written down or shared with anyone. Multifactor authentication is also helpful in ensuring a stolen credential alone will not give attackers access to the account. We will discuss password managers and multifactor authentication in more detail in Chapter 9, Cybersecurity at Home.

In 2021, a single compilation was leaked by a user of a popular hacker forum. Depending on which reports you believe, the list contains either 82 billion or 8.4 billion passwords (Whitney, 2021). Either number indicates multiple passwords per active internet user. It is important to remember this is a single source on a single forum, and it likely contains at least one password you have used, obtained from a breach of a service you have an account with. As a result, if you reuse passwords, or have an old password that may have been caught in a breach you never heard about, it is likely someone has that password, and it is a matter of time before the account is compromised. Passwords are disposable and should be treated that way. As technology improves, the demand for complexity increases and the shelf life of passwords decreases.
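Checking whether a password sits in a corpus like that one is possible without handing the password to anyone. The following is an added example, not the book's code, modeling the k-anonymity range lookup the Pwned Passwords service popularized: the client sends the first five hex characters of the SHA-1 hash, receives every suffix stored under that prefix, and matches locally. RangeServer stands in for the corpus; LEAKED_SAMPLE and SAMPLE_VAULT are constructed, and audit_vault also flags the reuse the text warns about.

```python
"""Offline model of a k-anonymity breached-password lookup plus a reuse check.

Added example, not the book's code. Neither the password nor its full hash
leaves the client; the server only ever sees a 5-character prefix.
LEAKED_SAMPLE (the corpus) and SAMPLE_VAULT (a password-manager export) are
constructed for this example.
"""
import hashlib
from collections import defaultdict

LEAKED_SAMPLE = ["password", "password", "123456", "qwerty", "letmein", "iloveyou"]
SAMPLE_VAULT = [  # (site, password); the strong-looking one is reused on two sites
    ("bank.example", "password"),
    ("shop.example", "tR9$vW2#kLm8pQ-reused"),
    ("mail.example", "tR9$vW2#kLm8pQ-reused"),
]


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Breach corpus indexed by 5-hex-char prefix. Records what it was sent."""

    def __init__(self, passwords):
        self.index = defaultdict(dict)  # prefix -> {suffix: count}
        for pw in passwords:
            h = sha1_hex(pw)
            bucket = self.index[h[:5]]
            bucket[h[5:]] = bucket.get(h[5:], 0) + 1
        self.queries = []

    def range(self, prefix):
        if len(prefix) != 5:
            raise ValueError("client must send exactly 5 hex characters")
        self.queries.append(prefix)
        # Real services pad this list so the response size does not identify the bucket.
        return [f"{suffix}:{count}" for suffix, count in self.index[prefix].items()]


def times_seen(password, server):
    """Client side: query by prefix, finish the match locally, return the corpus count."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in server.range(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def audit_vault(vault, server):
    """Flag passwords present in the corpus and passwords reused across sites."""
    findings = []
    sites_by_hash = defaultdict(list)
    for site, pw in vault:
        sites_by_hash[sha1_hex(pw)].append(site)
        n = times_seen(pw, server)
        if n:
            findings.append(f"{site}: password seen {n} time(s) in breach corpus")
    for sites in sites_by_hash.values():
        if len(sites) > 1:
            findings.append("reused across: " + ", ".join(sorted(sites)))
    return findings


if __name__ == "__main__":
    server = RangeServer(LEAKED_SAMPLE)
    for finding in audit_vault(SAMPLE_VAULT, server):
        print("-", finding)
    print("server only ever saw prefixes:", server.queries)
```

A reused password that is not (yet) in any corpus still gets flagged, which is the point: reuse turns a future breach of one site into a breach of every site sharing the password.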

Example Case: Yahoo Data Breach(es)

Most people know Yahoo as the successful personal email provider and search engine. Security professionals know Yahoo as the company that leaked billions of usernames and passwords over the course of multiple data breaches over several years. Because Yahoo houses email addresses and passwords for many people, it was an attractive target for attackers. They also developed a reputation for poor security practices, so they were frequently attacked.

In 2019, Yahoo agreed to pay $117.5 million to settle claims arising from several data breaches between 2012 and 2016. In 2012, there were multiple intrusions in which attackers gained unauthorized access to systems but did not steal information. In 2013, attackers breached Yahoo again and gained access to information about all 3 billion Yahoo accounts. It is not known whether the 2013 attack was launched by the same actors that compromised Yahoo in 2012. The 2013 breach was among the largest in history and included enough information, including weakly (MD5) hashed passwords and in some cases security questions and answers, for attackers to access users' email accounts and calendars. With that access, attackers could launch attacks against other users while pretending to be a friend or family member. Yahoo's response to the breach and commitment to users was underwhelming, and many Yahoo users, including me, began to question their commitment to cybersecurity.

In 2014, attackers breached Yahoo again. This time they targeted the user database, and 500 million accounts were affected. Attackers stole Personally Identifiable Information (PII) such as names, addresses, phone numbers, and birthdays along with usernames and hashed passwords. Attackers were now building the kinds of profiles that can be used to steal identities or to craft targeted attacks against victims. To make matters worse, Yahoo failed to disclose some of its incidents promptly, so it is difficult to know with certainty that there weren't more. Even if Yahoo did not intentionally withhold information, its poor security practices at the time call into question whether it would have known if it had been attacked by a sophisticated actor.

The Yahoo breaches eventually drew the attention of regulators. The size and scale of the breaches make estimating the total economic damage impossible. If you have a Yahoo account from that era, your information is likely for sale on the dark web; whatever passwords you have used for Yahoo should be assumed to be compromised, and you should not use them again. The Securities and Exchange Commission (SEC), which regulates financial markets, acted against Yahoo, claiming that its failure to disclose the breaches misled investors, and the company paid a $35 million penalty in 2018. The $117.5 million settlement was separate from the SEC action and went to help victims with out-of-pocket costs and credit monitoring, though it is difficult for an individual to know whether the damage they suffered was connected to the Yahoo breach. Verizon agreed to acquire Yahoo's operating business in 2016, closed the deal in 2017 at a price reduced because of the breaches, and pledged to spend five times more on security for the Yahoo business unit than Yahoo had spent as an independent company. The question is, will people trust the Yahoo brand again? (Stempel, 2019) (McAndrew, 2018) (Matthews, 2019)

The Yahoo case shows how attackers target a known repository of email addresses and passwords. Since many websites use email addresses as the default username and many users reuse passwords across sites, these attacks are often successful. Furthermore, if an attacker controls a person's email account, they can often reset passwords to other services and pass basic multifactor authentication challenges. Many multifactor methods offered on consumer accounts send codes to the email address or phone number tied to the account. If an attacker controls the email account, they receive the code and defeat the challenge. Such systems are not performing true multifactor authentication. The three factors of authentication are something you know, such as a password; something you have, such as a physical device; and something you are, usually a fingerprint or another biometric. Multifactor authentication requires more than one of those factors. A code texted to a phone is, loosely, something you have, although SIM-swap fraud means the phone number can be taken over without touching the device, which is why NIST SP 800-63B treats SMS delivery as a restricted authenticator. A code emailed to the account is protected only by the email password, which is another something you know. So a code sent to email is stronger than a single password, but it is two steps of the same factor, not true multifactor authentication. An authenticator app or hardware key, which derives its code from a secret that never leaves the device, is the consumer-grade form of a genuine possession factor.
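To make the factor distinction concrete, here is an added example (not the book's code) of how an authenticator app derives its code: HOTP and TOTP per RFC 4226 and RFC 6238, computed from a secret provisioned once onto the device, so an attacker who controls the victim's email still does not see the code. The test vectors are the RFCs' own (the ASCII secret 12345678901234567890); the verify helper and its drift window are this example's assumptions.

```python
"""HOTP/TOTP as an authenticator app computes them (RFC 4226 / RFC 6238).

Added example, not the book's code. The code is derived from a secret that
stays on the device, which is what makes it a possession factor; a code
emailed to the account is protected only by the email password.
RFC_TEST_SECRET is the RFCs' published test secret.
"""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current `step`-second window."""
    now = time.time() if at is None else at
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret, candidate, at=None, step=30, digits=6, window=1):
    """Accept the current window and `window` steps either side to absorb clock drift.

    Constant-time comparison so timing does not reveal how many digits matched.
    A production verifier must also remember the last accepted counter and
    refuse a code that has already been used (replay).
    """
    now = int(time.time() if at is None else at)
    for k in range(-window, window + 1):
        expected = totp(secret, now + k * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Enrollment shares `secret` once (usually as a QR code); afterwards only 6-digit codes travel.
    print("current code:", totp(RFC_TEST_SECRET))
```

The secret is the possession factor; the six digits are just proof of it for one 30-second window. Note that a phishing page can still relay a live code in real time, which is why phishing-resistant authenticators (FIDO2/WebAuthn keys bound to the site origin) are the next step up.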

Next, let's discuss malicious software, which is another common tool attackers use to exploit people.

Malicious software

In many cases, the purpose of social engineering is to install malicious software, also known as malware, on a device to provide an advantage to an adversary. Sometimes the purpose is to cause damage to a target system or to spy on the end user. Ransomware is increasing in popularity because it is generating direct revenue for attackers, unlike stealing credentials where the theft itself is only part of the chain necessary for an attacker to monetize their exploits. There are many types of malicious software. Some of the major categories are as follows:

  • Viruses
  • Worms
  • Trojans
  • Ransomware
  • Spyware

Many people get confused by the differences between similar malicious software types. Let's start with viruses.

Viruses

Computer viruses get their name from the way they spread: a virus attaches itself to a legitimate program or file, and when that host is run or shared, the virus copies itself into other programs or files. Like biological viruses, the most dangerous among them lie dormant and replicate before causing noticeable damage. Computer viruses are designed to either cause damage or steal information. Many years ago, viruses were often written to cause damage for no apparent purpose. Modern viruses are designed to steal data or destroy systems. Different threat actor groups are likely to use different types of malicious software to accomplish their goals. Hacktivists and governments may use viruses to destroy systems. Criminal groups are more likely to use viruses that steal data so they can sell it for a profit, or ransomware so they can extort victims directly. A key characteristic of a virus is that it needs a host, and a person, to activate it: someone has to run the infected program or open the infected file. As a result, a virus must be paired with a social engineering technique to be effective. While often conflated, worms are different from viruses.

Worms

Worms are like viruses in their aims but propagate on their own. A worm replicates itself and infects other systems over the network without a user doing anything, typically by exploiting a vulnerability in a network-facing service. A worm only needs to breach one system on a network and can then attempt to compromise every reachable system with the same weakness. Worms can be extremely powerful and are often used by nation-state actors. One of the most famous worms, Stuxnet, was used to disrupt Iran's nuclear program. You can read more about Stuxnet in an example case in Chapter 3, Anatomy of an Attack, detailing the operation. While worms are often more sophisticated and damaging than viruses, successful worms are available for sale on the dark web, so an unsophisticated attacker with resources can launch this advanced capability against unsuspecting victims. While worms and viruses often seek to exploit systems as soon as they can, trojans are designed to remain undetected.

Trojans

Trojans get their name from the story of the trojan horse. A trojan is a piece of malicious software masquerading as a legitimate piece of software. To work properly, a trojan must have two sides. One side is the legitimate software that must function properly for someone to keep it installed. The other side is the malicious side, which allows the attacker some level of access to the machine. An example would be a game that a user could download and install. They would be able to play the game and it would work, but the software would also be providing remote access to an attacker. This type of trojan is commonly called a Remote Access Trojan (RAT).

Other types of trojans lie dormant until activated by an attacker. An example is a Distributed Denial of Service (DDoS) attack. A DDoS attack occurs when an attacker coordinates many machines to flood a target system with illegitimate requests so that it no longer has the capacity to service legitimate ones. To launch such an attack, a bad actor must be able to direct a large number of machines on command. Trojans give attackers a way to build these networks, referred to as botnets. Some attackers use trojans to build a botnet and then sell or lease it to other bad actors to monetize their work. Botnets can be used for many types of attacks, such as credential-stuffing attacks, in addition to DDoS attacks.

Next, let's talk about a malicious software type that often makes headlines, ransomware.

Ransomware

Ransomware can be delivered as a virus, a worm, or a trojan, but it has become prevalent enough to warrant its own section. Ransomware holds files or systems for ransom to extract payment from a victim. Often, it works by encrypting as many files as possible and demanding payment in exchange for the decryption key. If the ransom is not paid within a specific period, the attackers threaten to destroy the key, leaving the files permanently unreadable, and increasingly also threaten to publish data they copied before encrypting it.

Ransomware has become popular largely because it is profitable and people are paying the ransom. Ransomware groups have even dedicated resources to providing technical support and ensuring that when victims pay the ransom, their files are restored. If the victim believes they are doomed regardless, they are less likely to pay. As a result, ransomware groups guard their reputation carefully. Unlike ransomware, spyware is installed to collect information rather than to extort the victim.

Spyware

Spyware is designed to monitor activity and quietly collect information rather than damage the system or announce itself. An example is a keylogger. A keylogger records everything you type on a keyboard so the attacker can pick out valuable items such as a password or credit card number.

Spyware can also be used for industrial and state-sponsored espionage. Spyware is often covert and designed to use as few resources as possible to remain undetected for as long as possible. Think of spyware as the computer equivalent of a bug or listening devices from decades past.

Now that we understand malicious software types, we will discuss the types of insider threats. We will start with the largest population, well-meaning insiders.

The three types of insider threats

Inside an organization, there are three basic human profiles. First, well-meaning insiders are people trusted by the organization to perform a function and are attempting to do so. Either for the sake of expediency or by error, those people can often expose the organization to unnecessary risk. Second, trusted insiders can become compromised through social engineering tactics, such as phishing, and someone outside the organization may be masquerading as them. These compromised accounts can lead to major data breaches and damage. Third, there are malicious insiders. These people are trusted and likely started as well-meaning insiders, but at some point became malicious. In some cases, the employees are bribed by outside actors. In other cases, they are frustrated by real or perceived slights by the organization. Regardless, their knowledge of the environment and privileges makes them very dangerous.

First, we will discuss well-meaning insiders.

Well-meaning insiders

Most users in an organization are simply trying to do their jobs within the confines of acceptable behavior. Supporting well-meaning insiders is an important function of any effective information security program. The first way that well-meaning insiders expose data or systems is by making simple mistakes.

Mistakes leading to exposure

The first category of risk attributable to well-meaning insiders is a simple mistake. One common mistake is sending the right information to the wrong person. For example, your address book may contain two contacts with the same name, one at ABC company and one at XYZ company, so that the two addresses are identical until you reach the company domain, and autocomplete makes it easy to attach ABC company's information to XYZ company's email. Doing so is a data breach, even though it was purely accidental. Another common mistake is sending an Excel spreadsheet where sensitive data is hidden but not removed, so that if the recipient, or someone who intercepted the message, unhides the rows or tabs, they can read information they were never meant to see. Tools such as Data Loss Prevention (DLP) and secure email gateways offer capabilities that help prevent these mistakes from harming the organization.

Beyond simple mistakes, many large-scale data breaches happen because of misconfigurations. In many cases, the person configuring the system has not been properly trained.

Challenges with new technologies

Another common mistake people make is misconfiguration due to gaps in knowledge about the solutions they manage. In many cases, new technologies are adopted faster than an organization can retrain its staff on them. Cloud configurations in particular feel familiar to network administrators but have significant differences, as the following example case related to Alteryx shows. The shared responsibility model, under which the provider secures the underlying platform and the customer remains responsible for how their own data and access controls are configured, is essential for cloud administrators to understand. With the skills gap in security, it is important to offer training opportunities for existing team members as technologies change. Unfortunately, many professionals are put into situations where they are asked to perform high-risk functions without the proper training and support.

Example Case: Alteryx

Alteryx is a technology company that builds software to power data science and analytics. Because of the nature of their business, Alteryx has information belonging to most American households. Collection of personal information for the purpose of analytics is one of the practices that the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) seek to regulate. The massive Alteryx data breach is one of the major reasons why regulations such as GDPR and CCPA exist.

Alteryx accidentally exposed information that belonged to 123 million of the estimated 126 million households in America. If you live in America, there is a 97.6% chance that Alteryx made your sensitive information publicly available, but most Americans do not know who Alteryx is or did not provide the information directly to Alteryx. How did Alteryx gather the information before the breach? They purchased it from Experian so they could analyze the information. Most people also did not voluntarily give their information to Experian. Credit monitoring agencies have historically had the ability to collect information about individuals without their consent and then sell it to third parties without notification. When organizations collected and curated information about people in the past, it was common practice for them to resell that information to other parties who may wish to use it, often without the knowledge of the data subject. Cases such as Alteryx have made it popular to allow consumers to make their own choices with respect to who has their information.

The information involved in the Alteryx breach was stored in a popular cloud platform, Amazon Web Services (AWS). AWS is an Infrastructure as a Service (IaaS) platform where companies can rent storage and processing power. For analytics companies such as Alteryx, renting high-powered computers or server farms on demand is simpler and more cost-effective than building large data centers filled with powerful servers that sit idle most of the time. The problem is that security controls for AWS are different from those for on-premises systems, and the people who work with AWS must be trained to secure the environment properly. The good thing about the cloud is that the data is accessible from anywhere. The bad thing about the cloud is that the data is accessible from anywhere. As a result, if it is not secured properly with techniques such as access control, it can be accessible to anyone. That is exactly what happened in the case of Alteryx.

Fortunately, Alteryx's mistake was discovered by a security researcher, not a criminal (that we know of), and quickly corrected. In fact, "Chris Vickery, the director of cyber risk research at cybersecurity start-up UpGuard, discovered the data Oct. 6 on Amazon Web Services, or AWS" (Lien, 2017). Mr. Vickery and UpGuard should be applauded for finding this vulnerability and making Alteryx aware of it. However, it is difficult to know for sure if anyone else accessed the information before the vulnerability was reported to Alteryx. Technology is changing quickly. It is critical to ensure employees are trained properly when working with new technologies and safeguards are put in place to ensure an individual mistake cannot cause a large-scale data breach.

If we know that well-meaning insiders can make mistakes that can cause damage to the organization and many people are asked to perform tasks for which they have not been properly trained, we must then establish how we can support these well-meaning insiders.

Supporting your teams

Most employees are trying to do the best job they can. It is the responsibility of leaders and organizations to give them the support they need to be successful. Training and mentorship are important parts of the equation. Employees should be trained thoroughly to perform their functions, expectations should be clearly set, and performance should be objectively measured. Additionally, technology should be deployed to support employees and make sure a single mistake cannot cause harm to the organization. I tell my teams, "If a single person can cause a failure, it is the leadership and the process that failed, not the person."

Too often after breaches, companies will publicly claim the breach was the result of the failure of a single person. Equifax made this claim after their 2017 breach. If a mistake by a single well-meaning person can cause the breach of sensitive information belonging to 148 million people, it is clear to me that the blame for the incident does not belong to the individual who made the mistake. While one person may have neglected to patch a system, there should have been a process in place to catch that mistake before a data breach occurred.

When people make mistakes, it is not because of a lack of intelligence or care in most cases. It is important to ensure that systems are designed to identify security failures and mitigate damage. Often, security programs are focused on stopping external attackers. While that is important, it is also important to ensure information and systems are not put at risk by honest mistakes made by well-intentioned people.

It is important that we do not conflate the term well-meaning with the term harmless. Well-meaning insiders can cause major problems for an organization.

Well-meaning, but dangerous

Well-meaning insiders, by definition, do not intend to do harm. However, they can cause damage if they are not supported correctly. To compare the cost of data breaches and the frequency of data breaches associated with the categories of insider threats appropriately, we will use the same source for each, the 2021 Ponemon Cost of a Data Breach study. This study, released annually by Ponemon and one of their sponsors, along with the Verizon Data Breach Investigations Report (DBIR), is among the best sources of information related to data breaches. While no study can capture all data breaches, especially since some are completely unknown, these two studies include wide participation from a variety of industries and companies.

According to the 2021 Ponemon Cost of a Data Breach report, well-meaning insiders accounted for the lowest frequency of insider threat-related data breaches and the lowest average cost. However, the cost was still an average of $4.11 million per breach and accounted for 6% of all data breaches (Ponemon Institute, 2021). Since there is no adversary in data breaches involving a well-meaning insider and the person who could potentially cause the breach often wants to be part of the solution, helping to support well-meaning insiders can be a low-cost, high-return cybersecurity investment opportunity. We will discuss how to help support well-meaning insiders in Chapter 5, Protecting against Common Attacks by Partnering with End Users.

Next, we will discuss the second category of insider threats, which is compromised accounts.

Compromised accounts

The actions taken by compromised accounts are not taken by insiders at all; they are controlled by someone else masquerading as a trusted insider. However, if you are not monitoring trusted insiders, you will not be able to identify and stop an attack using a compromised account. Systems use accounts to identify people. As a result, when an account is compromised through phishing or other means, the actions taken are often undetected. Often, when talking about insider threat programs, people will say, "We trust our team members and don't need to monitor them." However, only one of the three categories of insider threats involves a trusted person causing the organization harm.

Compromised accounts were the most common cause of a data breach in the 2021 Ponemon Cost of a Data Breach report, accounting for 1 in 5 of all data breaches in 2020. The average cost of a data breach involving stolen credentials was $4.37 million, and, when combined with phishing-originated data breaches, accounted for 37% of all data breaches (Ponemon Institute, 2021). Simply put, taking measures to protect against phishing and having an effective method to identify and remediate a compromised account are among the most important cybersecurity initiatives that could be undertaken.

Stealing credentials is only the first step in compromising an account. Once an attacker has stolen credentials, what do they do with those credentials? Understanding the pattern helps to identify compromised accounts before irreparable harm is done.

What attackers do with stolen credentials

When an attacker steals credentials, receives stolen credentials from a fellow attacker, or purchases them on the dark web, they will often try to use them across multiple services, not just the service they were stolen from. This is one of the reasons that email addresses and passwords in combination with each other are especially valuable to attackers. Many services use a person's email address as their username, and many people reuse passwords across multiple accounts. Do not reuse credentials across multiple accounts. Also, do not use the same password for any personal service that you use for any corporate account. One of the many reasons you should never reuse credentials is the risk of a credential-stuffing attack. A credential-stuffing attack is where an attacker using a bot network loads email address and password combinations into software and tries those combinations across many popular services. Reused passwords will yield access to multiple services per credential for the attacker. Due to the number of username and password combinations available for sale, attackers can easily compromise many services using this technique, and they can do so very quickly.
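The detection side of the credential-stuffing pattern described above, as an added example that is not from the book: because each stolen combination is usually tried only once or twice, the signature in authentication logs is one source IP failing against many distinct accounts in a short window, which is quite different from a brute force against a single account. The log lines, the field layout, and the thresholds are constructed for illustration.

```python
"""Detect credential-stuffing bursts in authentication logs.

Added illustration, not from the book: the log lines below are constructed.
Credential stuffing tries many different username/password pairs, usually
once each, so the signature is one source IP failing against many distinct
accounts in a short window. A brute force against a single account looks
different: many failures for one username.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <username> <source_ip> <result>"
SAMPLE_LOG = """\
2024-03-01T10:00:01 alice 203.0.113.7 FAIL
2024-03-01T10:00:02 bob 203.0.113.7 FAIL
2024-03-01T10:00:02 carol 203.0.113.7 FAIL
2024-03-01T10:00:03 dave 203.0.113.7 FAIL
2024-03-01T10:00:03 erin 203.0.113.7 SUCCESS
2024-03-01T10:00:04 frank 203.0.113.7 FAIL
2024-03-01T10:05:00 alice 198.51.100.4 FAIL
2024-03-01T10:05:30 alice 198.51.100.4 FAIL
2024-03-01T10:06:00 alice 198.51.100.4 SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, ip, ok) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result == "SUCCESS"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=2), min_users=5):
    """Flag source IPs that attempt at least `min_users` distinct accounts
    within `window`. Returns {ip: {"distinct_users": n, "succeeded": [...]}}
    where "succeeded" lists accounts that authenticated during the burst;
    those are the accounts to treat as compromised (step-up MFA, reset).
    """
    by_ip = defaultdict(list)
    for ts, user, ip, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        max_distinct = 0
        succeeded = set()
        for i, (start, _, _) in enumerate(attempts):
            # Every attempt from this IP inside the window that opens at `start`.
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            distinct = {user for _, user, _ in in_window}
            if len(distinct) >= min_users:
                max_distinct = max(max_distinct, len(distinct))
                succeeded.update(user for _, user, ok in in_window if ok)
        if max_distinct:
            findings[ip] = {"distinct_users": max_distinct,
                            "succeeded": sorted(succeeded)}
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts tried; "
              f"logged in as {info['succeeded'] or 'none'}")
```

In the sample, the first IP is flagged (six accounts in three seconds, one of which succeeded), while the second IP, which only fails twice against one account before succeeding, is not; that second pattern is what a user mistyping a password looks like and belongs to a separate, per-account lockout rule.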

Once an attacker is inside a system, the next step is often to try to escalate privileges or move throughout the environment to gain more access to systems and data.

Lateral movement and privilege escalation

Lateral movement refers to an attacker using access gained to one system to move to other systems on a network. Unsegmented or flat networks are most susceptible to lateral movement. When security teams talk about segmentation or micro-segmentation, they are often designing countermeasures for lateral movement, among other things. The goal of lateral movement is for the attacker to discover what is accessible on the network in terms of systems and information.

One of the purposes of lateral movement is to increase the opportunity for privilege escalation. In some cases, attackers have all the privileges they need based on the account they compromised. Often, they do not. However, if they can access enough systems, they may find one with a security flaw that allows them to gain elevated access. With that access, they can run commands to exfiltrate data or make changes to systems that they could not make without escalated privileges.

Example Case: Marriott and the Starwood Acquisition

Marriott acquired Starwood Hotels and Resorts Worldwide in 2016 for $13 billion to become the largest hotel chain in the world. This acquisition allowed Marriott to provide unparalleled options and benefits to their rewards program members and brought new members to them from Starwood's rewards program. From a business perspective, it allowed Marriott to consolidate a significant market share of the hotel space and put them in a better position to compete with newer alternatives, such as Vacation Rentals by Owner (VRBO) and Airbnb. However, Marriott also acquired a hidden problem that would cost them dearly.

In 2018, Marriott announced that one of its reservation systems had been accessed by an unauthorized party. The reservation system in question was the guest reservation system for Starwood brands. It was discovered that the attackers had stolen hundreds of millions of customers' personal information along with credit card numbers and passport information. On September 8, 2018, a Marriott tool discovered anomalous activity that led to the discovery of the breach. Upon further investigation, it was discovered that the attackers had originally breached Starwood in 2014, 2 years before Marriott acquired the company (Fruhlinger, 2020). Two things are immediately apparent when reading this story. First, Marriott did not immediately integrate IT systems, which meant that any problems with the Starwood systems were unlikely to be resolved. Second, Marriott put monitoring tools in place that identified activity that Starwood did not have the capability to identify. Both are lessons learned. It could be argued that Marriott could have prevented some of the damage by integrating their acquisition more quickly. However, they did at least apply their security controls to both environments, which led to the discovery of a breach that had been undetected for 4 years.

As more information became available, it was apparent that multiple elements discussed in this chapter were used to create this breach. It should be noted that most successful data breaches involve multiple techniques used together. At some point, the attackers successfully installed a RAT, which gave them persistent access to the network. Since the systems remained post-acquisition, they had access to the network after Starwood was acquired, which gave them access to additional information belonging to Marriott members who were now booking Starwood properties. The attackers then installed a tool designed to harvest usernames and passwords from the memory of other systems (O'Flaherty, 2019). To do so, they had to escalate their privileges after they gained access. There is evidence that attackers moved laterally throughout the network during their 4-year dwell time. While no one knows the exact cause of the initial infection, RATs are often installed by a successful phishing attempt.

This case is a great example of how the lessons of this chapter are interrelated and will help you understand newsworthy attacks in greater detail. Beyond the common claim that breaches were the result of a sophisticated attack, few people understand how these incidents occur and what can be done to prevent them.

We will discuss the phases of an attack and how lateral movement and privilege escalation relate to the broader attack chain in Chapter 3, Anatomy of an Attack. For the purposes of this discussion, it is most important to understand that when an attacker gains access to a system or network with a compromised account, they will use that account to move laterally and escalate permissions. Overly permissive accounts greatly reduce the level of effort necessary for attackers to accomplish their objectives. We will talk about best practices that help limit the damage associated with compromised accounts in Chapter 4, Protecting People, Information, and Systems with Timeless Best Practices.

Now that we understand how attackers use credentials and how they move throughout an environment, we will discuss how you can identify those movements and reduce dwell time, or the amount of time an attacker is in your environment before they are detected and removed. The longer the dwell time, the more damage can be done.

Identifying compromised users

Of the three categories of insider threats, compromised accounts are the most difficult to detect and mitigate. Effective detection of compromised accounts requires behavior analysis. Behavior analysis is a technique, normally using machine learning or artificial intelligence, that observes patterns of behavior among employees to establish a baseline of normal behavior. Then, the system detects deviations from that standard pattern. Behavior models range from very simple to very complex.

A simple example is the popular impossible travel model. If the same account logs in from San Francisco, California, and Râmnicu Vâlcea, Romania, within 15 minutes of each other, it is obvious that at least one of the logins is illegitimate, because it is impossible for a person to travel between those locations in 15 minutes. Because it is likely that the legitimate user still needs access, the common mitigation technique is to send a two-factor authentication notification to the legitimate user's device and prompt them to change the password when they pass two-factor authentication. While this technique is simple and effective, it requires several security controls to be in place prior to the event. First, multifactor authentication must be deployed to all employees. Second, a system with basic behavior analytics capabilities must be deployed to broker traffic. Third, that solution must have the ability to force step-up authentication when certain conditions are met.
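The impossible-travel model described above, written out as an added example that is not code from the book. It pairs each account's consecutive logins, computes the great-circle distance between the two geolocations, and alerts when the implied speed exceeds what an airliner can manage. The login records, coordinates, speed threshold, and the "ignore short hops" distance floor are all constructed assumptions; a real deployment would take events from the identity provider's sign-in log and an IP geolocation source.

```python
"""Impossible-travel detection over login events.

Added example, not code from the book. Login records and coordinates are
constructed; a production system would take them from the identity
provider's sign-in log and an IP geolocation source.
"""
import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Login:
    user: str
    ts: datetime
    city: str
    lat: float
    lon: float


@dataclass
class Alert:
    user: str
    from_city: str
    to_city: str
    distance_km: float
    speed_kmh: float
    action: str


EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def impossible_travel(logins, max_speed_kmh=900.0, min_distance_km=100.0):
    """Compare each user's consecutive logins. If the implied speed exceeds
    what an airliner can do (default 900 km/h), at least one login is
    illegitimate. Short hops are ignored because IP geolocation is noisy
    within a metro area.
    """
    by_user = defaultdict(list)
    for login in logins:
        by_user[login.user].append(login)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)
        for prev, cur in zip(events, events[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < min_distance_km:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Two distant logins in the same second are treated as infinite speed.
            speed = dist / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                alerts.append(Alert(user, prev.city, cur.city, dist, speed,
                                    "require MFA step-up, then force password reset"))
    return alerts


# Constructed sample logins.
SAMPLE_LOGINS = [
    Login("alice", datetime(2024, 3, 1, 9, 0), "San Francisco", 37.7749, -122.4194),
    Login("alice", datetime(2024, 3, 1, 9, 15), "Râmnicu Vâlcea", 45.1000, 24.3667),
    Login("bob", datetime(2024, 3, 1, 8, 0), "San Francisco", 37.7749, -122.4194),
    Login("bob", datetime(2024, 3, 1, 8, 5), "Oakland", 37.8044, -122.2712),
    Login("bob", datetime(2024, 3, 1, 14, 0), "Los Angeles", 34.0522, -118.2437),
]

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_LOGINS):
        print(f"{a.user}: {a.from_city} -> {a.to_city}, {a.distance_km:.0f} km "
              f"at {a.speed_kmh:.0f} km/h; {a.action}")
```

Only the San Francisco to Râmnicu Vâlcea pair is flagged; bob's hop to Oakland falls under the distance floor and his drive to Los Angeles over six hours is well within the speed limit. The alert carries the mitigation the text describes (step-up authentication, then a password change) so that the response can be automated by whatever system brokers the login.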

A more complex behavior model is the effort to model what the average employee in a specific role or function does during their day. Then, the system will look for major deviations from that baseline. This technique requires advanced technology capabilities, but it is effective against both compromised accounts and malicious insiders. In either case, trying to anticipate how the bad actor will steal information is nearly impossible, but in every case, the behavior associated with that account will change. If an attacker gains access to a system for the first time, they are likely to explore the access that has been gained. A real user would behave differently because they know the location of the necessary resources. A malicious insider will likely manipulate and move larger quantities of information than a normal user. These deviations from patterns along with known exploitation techniques make human behavior analysis a critical information security function.
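The role-based baseline model described above, as an added example that is not from the book. Every user's daily access count is scored against the distribution of counts for peers in the same role (a z-score), and, to capture the "exploring" behavior the text attributes to an attacker or a data-gathering insider, a second signal measures how much of today's activity touches resources the user has never touched before. The users, roles, resource names, access counts, and thresholds are all constructed for illustration.

```python
"""Peer-group baseline with deviation scoring for file-access activity.

Added example, not from the book. The access events are constructed so
the numbers are easy to follow. Two signals are scored per user per day:
volume (z-score of the user's access count against the peer group's
baseline for the same role) and novelty (share of today's resources the
user has never touched before), which captures the "exploring" behavior
of an attacker or a data-gathering insider.
"""
import statistics
from collections import defaultdict

# Constructed: every sample user is an analyst, so they form one peer group.
ROLE = {"alice": "analyst", "bob": "analyst", "carol": "analyst", "dave": "analyst"}


def build_sample():
    """Days 1-5 are normal for everyone; on day 6 carol bulk-reads 300
    finance files she has never opened before."""
    events = []
    for day in range(1, 6):
        for i, user in enumerate(ROLE):
            for k in range(40 + 2 * i + day):  # 41..51 accesses per user-day
                events.append((day, user, f"share/analyst/report_{k}"))
    for user in ROLE:
        if user != "carol":
            for k in range(45):
                events.append((6, user, f"share/analyst/report_{k}"))
    for k in range(300):
        events.append((6, "carol", f"share/finance/ledger_{k}"))
    return events


def score_day(events, day, z_threshold=3.0, novelty_threshold=0.5):
    """Score every user's activity on `day` against history from earlier days."""
    counts = defaultdict(int)            # (day, user) -> access count
    seen_before = defaultdict(set)       # user -> resources touched before `day`
    today = defaultdict(set)             # user -> resources touched on `day`
    for d, user, resource in events:
        counts[(d, user)] += 1
        if d < day:
            seen_before[user].add(resource)
        elif d == day:
            today[user].add(resource)

    # Peer baseline: daily counts of everyone in the same role before `day`.
    baseline = defaultdict(list)
    for (d, user), n in counts.items():
        if d < day and user in ROLE:
            baseline[ROLE[user]].append(n)

    scores = {}
    for user, role in ROLE.items():
        peers = baseline[role]
        mean = statistics.mean(peers)
        sd = statistics.stdev(peers) if len(peers) > 1 else 0.0
        n = counts.get((day, user), 0)
        # A zero-variance baseline makes any deviation infinitely unusual.
        z = (n - mean) / sd if sd else (0.0 if n == mean else float("inf"))
        new = today[user] - seen_before[user]
        novelty = len(new) / len(today[user]) if today[user] else 0.0
        scores[user] = {
            "count": n,
            "z": round(z, 2),
            "novelty": round(novelty, 2),
            "flagged": z > z_threshold or novelty > novelty_threshold,
        }
    return scores


if __name__ == "__main__":
    for user, s in score_day(build_sample(), day=6).items():
        print(f"{user}: {s['count']} accesses, z={s['z']}, "
              f"novelty={s['novelty']}, flagged={s['flagged']}")
```

With this data the peer baseline has a mean of 46 accesses per day, so carol's 300 accesses on day 6 land far above the z-score threshold, and every file she opened is new to her, so the novelty signal fires as well. The other analysts stay near the mean on familiar files and are not flagged. Scoring against the role rather than against the individual alone matters because a malicious insider's own history is exactly what has just changed.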

Now let's talk about the third category of insider threat, which is the least common but often the most damaging, the malicious insider.

Malicious insiders

Malicious insiders are the third group of insider threats, and the group most often associated with the insider threat category. Malicious insiders are easy to discuss theoretically, but an uncomfortable topic when discussing people who are your friends and co-workers. The reality is that malicious insiders do exist. Malicious insiders turn malicious for different reasons, mostly centering on themes of revenge or personal gain.

According to the 2021 Ponemon Cost of a Data Breach report, malicious insiders account for 8% of data breaches, with an average cost of $4.61 million. Also, if a company were to have a catastrophic data breach, it would likely originate with a malicious insider. The fact that malicious insiders exist is an inconvenient truth for most companies. Few people want to consider the fact their friends and co-workers may be actively plotting to damage their livelihood. However, if 8% of all data breaches are caused by malicious insiders, it is important to acknowledge their existence and put programs in place to identify them and mitigate the damage they can cause.

While the number of people in an organization who are malicious at any given time is statistically a very small minority, a single trusted insider with malicious intent can cause massive damage to an organization in a very short period. If you compare a malicious insider with a traditional attacker, the malicious insider has several key advantages. First, they do not have to breach perimeter defenses because they can simply log in and bypass the defenses most organizations focus most of their time and resources putting in place. Second, the malicious insider does not need to spend time or risk getting caught performing reconnaissance because they already know the exact location of the target systems and/or information. Third, malicious insiders are trusted and know they are trusted, and therefore know most of their activity will not be closely monitored.

Using these advantages, malicious insiders can bypass most of the cyber-attack kill chain detailed in Chapter 3, Anatomy of an Attack, that most attackers must work through, and the insider can take actions against their objectives more quickly. As a result, malicious insiders are more difficult to detect and stop than external attackers.

When trying to build a program to identify malicious insiders, it is important to understand the factors that lead a person to become malicious.

Becoming malicious

In most cases, trusted insiders do not join a company with the intent to steal information or compromise systems. The Becton Dickinson case, detailed in Chapter 3, Anatomy of an Attack, is a notable contrary example. In most cases, the insider becomes disaffected at some point, as was the case with the story of Lennon Ray Brown in Chapter 1, Protecting People, Information, and Systems – a Growing Problem, or they become motivated by potential financial gain, as was the case in the Uber versus Waymo case also detailed in Chapter 1, Protecting People, Information, and Systems – a Growing Problem.

In either case, it is difficult to predict how or when an insider will become malicious. In every case, however, after the motivating event occurs, the insider's behavior will change. Therefore, the best way to detect an insider threat is to monitor the behavior of every employee with access to sensitive information and systems and detect changes in their behavior or known suspicious behavior patterns. You cannot predict who will become malicious and targeting specific individuals for additional monitoring without cause is a dangerous endeavor both legally and morally. It is better to monitor everyone the same way and follow where the evidence leads. In some cases, it may not be necessary to monitor everyone due to their level of access. For example, if an employee has limited access to systems or data repositories, there may be limited harm they could cause. However, those with significant privileges also present a risk to the organization if they become malicious.

Example Case: American Semiconductor

American Semiconductor is a company based in the United States that makes technology designed to power wind turbines. In 2007, they partnered with Sinnovel, a Chinese manufacturer of wind turbines, to supply the technology necessary for Sinnovel to implement their turbines in China. American Semiconductor became a very successful business. In 2011, things began to go wrong. A CNN business article was able to secure an interview with American Semiconductor CEO Daniel McGahn, who explained what happened next.

CEO Daniel McGahn stated that Sinnovel's strategy was to kill American Semiconductor as a business so they could use the technology without paying for it. Sinnovel owed American Semiconductor $70 million for a shipment it had already received and refused to pay for it. In addition, American Semiconductor had prepared their next shipment of goods, which Sinnovel refused to receive. These events were devastating to American Semiconductor's business, and they began to ask questions about why Sinnovel had suddenly stopped doing business with them and how they would be able to do so without harming their own operations.

Eventually, it was discovered that an employee at an American Semiconductor subsidiary in Austria, Dejan Karabsevic, had stolen critical engineering information and provided it to Sinnovel representatives. Karabsevic later confessed that he had stolen the information from American Semiconductor on behalf of Sinnovel. In July 2011, representatives from Sinnovel met Mr. Karabsevic at a coffee shop and offered him $2 million, among other benefits, in exchange for stealing proprietary source code for American Semiconductor's wind turbine control software (Sebastian, 2018).

American Semiconductor did survive the attack, but it suffered irreparable harm from the events of 2011. Mr. Karabsevic was sentenced to prison and ordered to pay restitution, but hundreds of people lost their jobs because of his actions.

Aside from the case reading like a spy novel, it is an interesting thought experiment in human psychology. Most people wouldn't steal from their employer, but most people have also not been offered $2 million to download files to removable media and hand them over. If they were, how many would do it? Even if it isn't the majority, it only takes one person being tempted by such an offer to create a sudden insider threat. This case highlights the effects of insider threats and stolen trade secrets well, but it also highlights the need to implement timeless best practices such as the concept of least privilege. The operative question is not whether an employee can be bribed to steal information but whether any employee should have access to enough information to single-handedly compromise all the company's intellectual property. Whether the cause is a stolen account or an employee who was compromised by bribery, many breaches are more damaging than they should be because people are granted more access than they need. Stopping all insider threats may be an impossible task, but limiting the damage a malicious insider can do is within the control of most organizations.

Now that we understand how insiders become malicious, we will discuss what can be done to stop them.

Stopping malicious insiders

Detecting malicious insiders is difficult, but stopping them is more difficult. Even when effective detection capabilities are in place, it is critical to act quickly when an insider becomes malicious. Often, the insider is discovered too late, and the information is gone or the damage has been done before the incident response team can act. Such delays cause companies to incur legal expenses to defend themselves or their property. In some cases, such as American Semiconductor, it is impossible to undo the harm that was done to the organization. Stopping malicious insiders means building an effective monitoring program that has the proper resources to identify malicious insiders quickly and has the necessary processes built to respond quickly to any incident.

It is important to remember that controls must be built before the insider threat event occurs. This means developing a monitoring program when no one believes there is an insider threat at all. This can be politically unpopular and proves difficult for many organizations. Reviewing example cases and the fallout from the events can be a powerful way to discuss this topic with business leaders. This can happen to you, and you may never know until after it is too late unless you deploy the proper controls now. The CEO in the example case talked about the fact they had deployed security measures that exceeded security best practices. It is clear they did not deploy an insider threat management solution. They are not alone. Companies with an effective insider threat management program are in the minority. Companies that ignore insider threats do so at their own peril and are gambling with their company's future.

Summary

In this chapter, we have defined several common social engineering types, several types of malicious software, and the three major categories of insider threats. You have learned how to identify different tactics and technologies so you can build better defenses. You have gained an understanding of different insider threat types so you can support well-meaning insiders, identify and eradicate compromised accounts, and stop malicious insiders before they cause irreparable harm to your organization. We have begun to establish a solid foundation for information security.

In our next chapter, we will detail the anatomy of an attack. We will introduce the stages of an attack and provide example cases where detail is available so we can see exactly how attackers performed reconnaissance, gained access, escalated privileges, and acted on their objectives.

Check your understanding

  1. Define well-meaning insiders and describe how security technology can support them.
  2. Describe some common social engineering techniques in your own words. Which is the most common?
  3. Describe some types of malicious software in your own words.
  4. What does lateral movement mean?
  5. What are some of the reasons a trusted insider may become malicious?

Further reading
