Mitigating Risk from Insider Threats in 2022

By Isaac Kohen, Teramind

Back in August 2020, a story of an insider threat caught headlines when an employee turned down a $1M bribe to put ransomware on Tesla’s servers at the Gigafactory outside of Reno.

That story was exceptional both for the amount of the payoff and for the fact that it really is the exception to the rule.

The far more common case is that a malicious actor will find someone inside who can help them carry out their attacks, thus getting around whatever protections the organization has put in place to defend itself from external threats.

One area where we have seen this story repeat time and again is in the cellular service industry.

Mobile Mischief is Afoot

The mobile industry has found itself the target of malicious actors who have used insiders to worm their way in and effectively steal from the service providers. In September, a man named Muhammad Fahd was sentenced to 12 years for paying AT&T employees $1M to help him unlock phones and, later, to implant malware on the company’s systems that allowed him to do the dirty work himself.

While you can buy an unlocked phone, AT&T and other companies offer lower prices for customers to sign on with their service as an incentive. They also have a revenue stream that is generated by unlocking phones for customers.

According to reports, Fahd and his co-conspirators succeeded in unlocking some 1.9 million phones. This fraud was shown to cost AT&T $201M out of pocket. So, a good ROI for Fahd’s bribes and a bad time for AT&T.

The court documents note how the malware used by Fahd could be used for stealing credentials, helping him impersonate legitimate AT&T employees for use in his fraud. This allowed him to continue his operations even after the company made changes that would have blocked his illicit activities.

From the looks of it, AT&T had done a pretty good job of protecting itself, limiting who was authorized to unlock devices to specific users and only under certain conditions. However, despite the protections, the criminals were able to exploit the human element and had the insiders knowingly compromise their employer.

Defining the Insider Threat

Insider threats are where someone inside your organization is the one doing the harm.

The 2020 Verizon report indicates that insider threats are on the rise. Their statistics show that these types of threats are nearing 40%, up nearly 20% in just five years. To be clear, external threats still outnumber internal incidents by a wide margin. There is also the additional point that insiders are oftentimes not malicious but simply careless. However, regardless of the intent, the results are the same.

Insider threats are a double risk in that anything that an insider can access, an attacker who has compromised a privileged user’s account can access too. In a world where user credentials are constantly being compromised in data leaks, hacks, and other sorts of mischief, the chances are more than reasonable that a legitimate user will have their credentials used by attackers. If they have a highly privileged account or there are paths for escalation, then the organization may be in for a bad day ahead.

And it can always be worse as the details of the story unfold.

Why Insider Attacks Can Be More Damaging to Victim Organizations

All cases of a breach are bad news for an organization. The level of bad can vary depending on whether they were negligent or the victim of elite state-actor hackers.

What nobody wants to hear is that your customer’s data was knowingly compromised by an employee. Such incidents can kill user trust and be hard to bounce back from.

Partners, investors, and of course customers all want to know that they are working with trustworthy folks. Winning over customers in the first place is hard enough; just ask your marketing and sales teams. Especially in markets where customers are asked to share access to their data and the core of their products, they need to feel that your organization is trustworthy and their data protected. Having your system breached by a hacker can be a hard knock to customer trust.

Regaining their trust after the damage came from the inside is an even bigger uphill battle, so this really might be a case where an ounce of prevention can be worth a pound of cure.

3 Tips for Mitigating Insider Threat Risks

Risks from inside and out are always present, but there are steps that we can take to lower our potential for threats and mitigate damage when they do occur.

  1. Train Your Team to Identify Risky Situations

Whenever attackers approach a prospective insider to get them to expose their organization, they offer serious rewards while downplaying the severity of what they are doing. In some cases, an insider may know that they are doing something wrong but will not understand the repercussions of their actions. If the person approaching them is a friend or family member, then they may be even more likely to go through with it.

Talk to your employees to explain the risks that can emerge from them taking steps that can compromise the organization. Give them tools to spot red flags before they may unwittingly take part in something destructive.

Finally, clarify what your policy is and let them know that you have protections in place.

  2. Use Solutions to Monitor User Actions

Having the right tools in place to identify when a user is performing actions that fall outside of their normal duties, or some other kind of anomaly, can help to stop them sooner.

User and Entity Behavior Analytics can help to detect these threats, understanding what the baseline of normal behavior is and alerting when a user strays from their expected routine.
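The baseline-and-deviation idea behind UEBA can be shown in a few dozen lines. The following is an added example written for this article; it is not code from the article, from Teramind or from any UEBA product, and the log format (`timestamp user action`), the user names, the action names and the alert thresholds are all constructed assumptions. It learns, per user, which actions and hours of day are normal and how many events a day is typical, then flags an unseen action, off-hours activity, or a day whose volume is far above the learned level, which is the pattern the unlocking fraud described above would produce.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample audit log ("timestamp user action"); not from any real system.
# Three quiet days serve as the learning window.
BASELINE_LOG = """\
2022-02-01T09:05:00 alice device.unlock
2022-02-01T09:40:00 alice device.unlock
2022-02-01T10:15:00 alice account.lookup
2022-02-02T09:10:00 alice device.unlock
2022-02-02T11:30:00 alice device.unlock
2022-02-02T14:00:00 alice account.lookup
2022-02-03T09:00:00 alice device.unlock
2022-02-03T10:00:00 alice device.unlock
2022-02-03T15:20:00 alice account.lookup
2022-02-01T08:30:00 bob account.lookup
2022-02-02T08:45:00 bob account.lookup
2022-02-03T09:15:00 bob account.lookup
"""

# Constructed events for the day under review: alice unlocks devices at 2am in
# bulk, and bob starts doing things that are not part of his routine.
REVIEW_LOG = """\
2022-02-04T02:05:00 alice device.unlock
2022-02-04T02:06:00 alice device.unlock
2022-02-04T02:07:00 alice device.unlock
2022-02-04T02:08:00 alice device.unlock
2022-02-04T02:09:00 alice device.unlock
2022-02-04T02:10:00 alice device.unlock
2022-02-04T02:11:00 alice device.unlock
2022-02-04T09:30:00 bob device.unlock
2022-02-04T09:31:00 bob config.export
"""


def parse_log(text):
    """Parse 'timestamp user action' lines into (datetime, user, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), user, action))
    return events


def build_baseline(events):
    """Per user: the actions seen, the hours of day active, and a daily-volume threshold."""
    per_user = defaultdict(lambda: {"actions": set(), "hours": set(), "daily": defaultdict(int)})
    for ts, user, action in events:
        b = per_user[user]
        b["actions"].add(action)
        b["hours"].add(ts.hour)
        b["daily"][ts.date()] += 1
    baseline = {}
    for user, b in per_user.items():
        counts = list(b["daily"].values())
        mu, sigma = mean(counts), pstdev(counts)
        baseline[user] = {
            "actions": b["actions"],
            "hours": b["hours"],
            # Flag a day whose volume is well above the learning window; the 2*mean
            # floor keeps the threshold meaningful when the window has zero variance.
            "volume_threshold": max(mu + 3 * sigma, 2 * mu),
        }
    return baseline


def score_events(baseline, events):
    """Return alerts as (user, reason, detail) for deviations from the baseline."""
    alerts = []
    daily = defaultdict(int)
    for ts, user, action in events:
        b = baseline.get(user)
        if b is None:
            alerts.append((user, "unknown_user", f"{ts.isoformat()} {action}"))
            continue
        if action not in b["actions"]:
            alerts.append((user, "unseen_action", f"{ts.isoformat()} {action}"))
        if ts.hour not in b["hours"]:
            alerts.append((user, "off_hours", f"{ts.isoformat()} {action}"))
        daily[(user, ts.date())] += 1
    for (user, day), count in daily.items():
        threshold = baseline[user]["volume_threshold"]
        if count > threshold:
            alerts.append((user, "volume_spike", f"{day}: {count} events > {threshold:.1f}"))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_log(BASELINE_LOG))
    for user, reason, detail in score_events(base, parse_log(REVIEW_LOG)):
        print(f"{user:6} {reason:14} {detail}")
```

On the constructed data this raises seven `off_hours` alerts and one `volume_spike` for alice, and two `unseen_action` alerts for bob; a real deployment would learn the baseline over weeks rather than days and weight the reasons rather than treating every alert equally.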

  3. Use MFA Whenever Possible

As we have noted, credentials will be compromised. In those instances, multi-factor authentication can play a serious role in keeping attackers out, because having the credentials alone is no longer enough.

Many organizations use SMS as their MFA solution, but this goes against best practices, which call for using an app to generate the one-time codes. For extra points, get a YubiKey for your most privileged users, adding that extra layer of security.

Verify But Trust

Managing insider threats is a balancing act.

We hire our people because we believe that they will be good workers who will look out for the organization’s best interests. Putting protections in place to help keep folks honest or to catch an external threat actor is common sense and can help avoid some uncomfortable situations.

But at the end of the day we have to trust that we have the right people working with us, and it is up to us to make them feel that they are part of our team. Work with your team to have transparent conversations about the protections that you have in place so that everyone will be on the same page. In this case, honesty really is the best policy.

Balancing the right mix of surveillance with trust is important for the long-term success of the organization, if only because employees who feel that they are guilty until proven innocent simply will not stick around for long.

About the Author

Isaac Kohen is VP of R&D at Teramind, a leading global provider of employee monitoring, data loss prevention (“DLP”) and workplace productivity solutions. Follow on Twitter: @teramindco and LinkedIn.

February 12, 2022
