Insider threat events are ubiquitous—and usually go undetected by in-place security measures.
That’s the word from the Imperva Defense Center’s March Hacker Intelligence Initiative Report: Insiders: The Threat is Already Within. The research was conducted using a combination of machine learning-based behavioral analysis and deception technology to live production data and networks. Machine learning was used to analyze detailed activity logs of the data accessed by insiders. Deception technology added context to the analysis by identifying anomalies indicative of compromised end-points and user credentials. This deeper level of insight proved critical for finding true insider threats within a sea of anomalies.
Based on the studied environments and follow-on analysis, the researchers found that insider threat events were present in 100% of the studied environments, confirming suspicions that insider abuse of data is routinely undetected, be they malicious, compromised or just careless insiders.
The research also found that, in most cases, insiders took advantage of granted, trusted access to data, rather than trying to directly hack into databases and file shares.
“Once inside a network, hackers can easily pretend to be something they are not,” Imperva said in the report. “Many applications are constantly seeking other assets on the network, and are susceptible to spoofing and Man in the Middle (MITM) attacks. Once an attacker spoofs a response, he controls the connection, where he can try to steal the victims’ credentials, or leverage existing credentials to access another server.
Further, internal applications used by companies are a hacker’s favorite target. Because of their proprietary nature, internal applications tend to be much less secure, and usually run on an outdated OS.
“One such application inside a customer’s network managed their entire confidential list of customers along with their personal information—an obvious target for hackers,” the company noted. “Within the customer’s network, we planted fake session information to this internal application in such a way that normal usage of the app remained unaffected. After a few months, we caught an alert because one of the endpoints tried to use our fake session data against the internal application. We were not surprised once the response team detected a Trojan performing reconnaissance, the starting phase of a possible devastating attack. The Trojan got through to the endpoint using simple phishing email and social engineering techniques, but was not caught by the customer’s other security measures.”
The report noted that data breaches usually take place over a relatively long period of time spanning weeks to months and even years. An insider may acquire small amounts of sensitive information over a long period of time. In some cases, breaches are noticed only after damaging events have taken place. In these cases, a company’s customers, partners, or other external groups may initially detect the breach. So, one of the goals of any security program should be to have early detection capabilities for breaches.
“Just finding anomalies in user behavior will not solve the insider threat problem,” said Amichai Shulman, co-founder and CTO of Imperva. “Enterprises need to have granular visibility into which users are accessing data, and more importantly, the actual queries and data accessed by each user. This deep level of insight proved critical to separating actual incidents from anomalies.”
Photo © dragon fang