The Insider Threat: Just Say ‘No’ To Employees

Equifax cyber analyst Daniel Stiegman shares best practices

David Braue

Melbourne, Australia – Aug. 6, 2021

Years providing intelligence services for Army officers taught Daniel Stiegman many things, but one of the most important was how to politely decline requests for far-reaching systems access.

While working in an S2 intelligence service during his tenure in the Army, he recently told Cybercrime Magazine, “I had a lot of commanders and other people coming to say that they needed top-secret clearance because they’re in a leadership position. [And I would say] ‘no you don’t. Let’s limit that, and your need to know.’”

Refusing to grant access requests can be difficult when senior employees are pressuring security staff for something they perceive they need — but often, when questioned, it becomes clear that they merely want the access rather than need it.

In today’s climate of rampant credential compromise, this kind of caution can be crucial to limiting a company’s exposure to malware attacks — which increasingly take advantage of vestigial access privileges that employees and security staff may well have forgotten about.

Sometimes it doesn’t even take that much effort. Credit management firm Equifax, where Stiegman has worked as a senior insider threat intelligence analyst for the past year, suffered a high-profile data breach involving 143 million customers’ records — after which, among other things, it was discovered that key systems were protected with the username and password set to “admin.”

Now working as a full-time threat-intelligence analyst, Stiegman said the lessons of the past have shown just how important it is to be able to say “no.”

“Controlling those things is very important, and [people] trying to get around those controls is a real problem — especially for international companies, because you’ve got to understand the mentality and what’s the norm there on how they practice IT security.”

Yet aspirational employees aren’t the only source of insider threats. Many times, otherwise well-meaning employees are pushed into a situation where they can inadvertently compromise security.

Managed detection and response firm eSentire has encountered this situation first-hand, with principal evangelist and vice president of industry security strategies Mark Sangster recalling an engineering client where the owner refused to buy powerful enough laptops for employees to use while running computationally intensive applications at home. Naturally, they reverted to using their home computers — with predictable consequences.

“This was a self-inflicted risk,” Sangster said, “based on an economic refusal to support what was a core business.”

“These employees work hard, and they’re trying to do the right thing — and they think they’re not going to get hacked or get used in these schemes, and that they’re going to make sure they protect whatever customer shadow IT access they’ve created.”

Investigating the insider threat

Whatever the methods by which it happens, investigating an insider threat requires a different mindset than chasing down outside hackers across the Internet.

Companies have already done half the work for attackers, Stiegman said, by giving employees access to their systems and trusting them with the tools to use them.

Attackers “don’t need to do recon,” he said, “because we’re giving it to them as soon as they get hired.”

The key to identifying insider threats, then, lies in watching and waiting for anomalies — a process that Stiegman likened to a hunter tracking deer through the forest.

Rather than just running around looking for deer, he said, that hunter will consider how deer behave — following certain tracks to certain water holes at certain times of the day, for example.

Similarly, inside an organization employees have regular work routines, network access habits, and behaviors — and the key to detecting the threat is to spot the changes that often herald a bigger problem.

“It’s the difference between technically smart or granular thought processes, or street smarts,” he said. “You understand the patterns of life that are true — and now we’re just waiting on what changes in life that they have at their company, and their day-to-day business, or something that has happened to them personally that has made that change.”

Many times, added Sangster, those changes come at the behest of another person — an employee demanding access, for example, or asking for a favor that may not sound alarm bells at first.

“That’s when someone comes along and says ‘I don’t have access to this file but my boss is saying I have to do something by the end of the night, so would you mind making a copy or printing this off for me?’” Sangster explained.

“Even if it’s suspicious, a lot of people aren’t quite ready to be paranoid and pull the trigger, because they don’t want to get their fellow employee in trouble.”

That natural protectionism can be hard to unravel during incident response and investigation, because many companies and employees go out of their way to hide evidence of insider threat activity — concerned about exposing company secrets or damaging reputations by creating a public record documenting their shortcomings.

The key to avoiding a coverup, said Stiegman, is being proactive — for example, by monitoring the web activity of an employee who is about to leave the company.

And while many companies monitor access to the obvious offenders — Dropbox or OneDrive, for example — the wealth of options available these days means employees could just as easily be dumping confidential company files to normally unmonitored sites like LinkedIn.

Strange behavior needs to be flagged and acted upon immediately, to ensure that potentially malicious insiders aren’t testing defenses in preparation for a much bigger security breach.

“This is why we do cyber insider threat intelligence,” Stiegman explained. “We’re going to think of all the different scenarios, and play them out. Red-team that a little bit; test it out with little changes and you’ll be able to see if there is a big [security] opening. You’ve just got to look for these things.”
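The “pattern of life” approach Stiegman describes (learn where, when and how much each employee normally uploads, flag the deviations, and escalate when the person is about to leave) can be sketched as a small detection routine over proxy logs. The following is an added example and is not code from Equifax, eSentire or the article; the log format, host names, user names, the ten-day baseline and the 3x volume threshold are all constructed assumptions.

```python
"""Per-user upload baseline and deviation flagging over constructed proxy-log lines."""
from collections import Counter, defaultdict
from datetime import datetime

# Assumed (constructed) proxy-log format: ISO timestamp, user, HTTP method,
# destination host, bytes sent upstream. Not any real product's log format.
UPLOAD_METHODS = ("POST", "PUT")


def parse_line(line):
    ts, user, method, host, bytes_out = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "method": method, "host": host, "bytes_out": int(bytes_out)}


def build_baseline(events):
    """Build each user's pattern of life: upload hosts, active hours, peak daily volume."""
    hosts = defaultdict(Counter)
    hours = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))  # user -> date -> bytes uploaded
    for e in events:
        if e["method"] not in UPLOAD_METHODS:
            continue
        hosts[e["user"]][e["host"]] += 1
        hours[e["user"]].add(e["ts"].hour)
        daily[e["user"]][e["ts"].date()] += e["bytes_out"]
    return {
        user: {"hosts": set(hosts[user]), "hours": hours[user],
               "max_daily_bytes": max(daily[user].values())}
        for user in hosts
    }


def flag_event(e, baseline, departing, daily_so_far):
    """Return the reasons an upload deviates from the user's baseline (empty if none)."""
    if e["method"] not in UPLOAD_METHODS:
        return []
    profile = baseline.get(e["user"])
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if e["host"] not in profile["hosts"]:
        reasons.append(f"upload to never-before-seen host {e['host']}")
    if e["ts"].hour not in profile["hours"]:
        reasons.append(f"upload at unusual hour {e['ts'].hour:02d}:00")
    key = (e["user"], e["ts"].date())
    daily_so_far[key] += e["bytes_out"]
    if daily_so_far[key] > 3 * profile["max_daily_bytes"]:  # 3x is an assumed threshold
        reasons.append("daily upload volume exceeds 3x baseline maximum")
    if e["user"] in departing and reasons:
        reasons.append("user in notice period: escalate to insider-threat review")
    return reasons


def detect(lines, baseline, departing=frozenset()):
    """Run every log line against the baseline; return (line, reasons) for flagged uploads."""
    daily_so_far = defaultdict(int)
    findings = []
    for line in lines:
        reasons = flag_event(parse_line(line), baseline, departing, daily_so_far)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


def constructed_baseline_lines():
    """Constructed sample: two users, ten days of routine uploads to sanctioned hosts."""
    lines = []
    for day in range(1, 11):
        for hour in (9, 11, 14, 16):
            lines.append(f"2021-07-{day:02d}T{hour:02d}:15:00,alice,POST,onedrive.example.com,200000")
            lines.append(f"2021-07-{day:02d}T{hour:02d}:40:00,bob,PUT,git.example.com,50000")
    return lines


# Constructed "new day" traffic: one routine upload, one late-night bulk upload to an
# unmonitored site by a departing user, one download (ignored), one routine push.
NEW_LINES = [
    "2021-07-12T09:05:00,alice,POST,onedrive.example.com,150000",
    "2021-07-12T22:30:00,alice,POST,www.linkedin.com,3000000",
    "2021-07-12T14:10:00,bob,GET,www.linkedin.com,0",
    "2021-07-12T14:20:00,bob,PUT,git.example.com,60000",
]

BASELINE = build_baseline(parse_line(l) for l in constructed_baseline_lines())
FINDINGS = detect(NEW_LINES, BASELINE, departing={"alice"})

if __name__ == "__main__":
    for line, reasons in FINDINGS:
        print(line)
        for r in reasons:
            print("  -", r)
```

The three checks map directly onto the article’s points: an upload to a host the user has never sent data to (the LinkedIn case), activity outside the user’s usual hours, and a day’s volume far above anything in the baseline. The departing-user list turns an ordinary anomaly into an escalation rather than a separate rule. In practice a ten-day baseline and a fixed 3x multiplier are too crude; longer baselines, peer-group comparison and a sanctioned-destination allowlist are the obvious refinements.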

David Braue is an award-winning technology writer based in Melbourne, Australia.