by John Worrall
Headlines about advanced threats, targeted attacks, cyber-espionage, and cyber-terrorism have dominated the news for the past year or two. But every so often, a big story breaks to remind us that malicious insiders can be as — or more — dangerous. Edward Snowden, currently on the run, and Chelsea Manning, currently on trial, are excellent recent examples of insider threats. Their exploits have grabbed our attention and shifted our focus back to the employees and contractors we need to trust. Case in point, this past weekend the New York Times had an article on the front page of the business section entitled, “N.S.A. Leak Puts Focus on Systems Administrators.”
Malicious insiders or advanced attackers from the outside. Which ones are more dangerous? For the Infosec community, the question may not matter. You will use the same strategies and tactics to defend against either one.
Why is that?
In order to achieve their objective, an outside attacker must steal the credentials of an insider. They must be able to impersonate an authorized user to gain the necessary access.
As we hear from multiple studies, including Mandiant’s M-Trends reports, the Verizon Data Breach Investigations Report and CyberSheath’s research report, “APT Privileged Account Exploitation”, virtually every outside attack targets and exploits insider accounts. In fact, according to the CyberSheath report, privileged accounts, such as shared admin accounts or business users with access to high-value information, have been exploited in 100 percent of all advanced attacks.
Put another way, if you are controlling and monitoring privileged accounts in real time, you can proactively defend against both malicious insiders and advanced outside attackers. You can detect malicious activity, and you can quickly respond to mitigate the potential damage.
In this case, motivation doesn’t matter.
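To make the "control and monitor privileged accounts" idea concrete, here is an added example that is not part of the original post and not CyberArk's product code. It is a small monitor that reads privileged-session records, compares each one against a per-account policy (approved source hosts and approved hours), and raises an alert on any deviation, which is the same check regardless of whether the person behind the session is a malicious insider or an outsider who stole the credential. The log format, the account names (`shared-admin`, `svc-backup`, `dba-oracle`), the host names and the policy values are all constructed for this example.

```python
"""Hypothetical privileged-account activity monitor (added example).

Each log line records one privileged session. The monitor flags any
session that uses an account from a host or at an hour the policy
does not allow, and any account the policy does not know about.
Log format, account names, hosts and hours are constructed here.
"""
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed log format: "<iso-timestamp> account=<a> src=<host> target=<t> action=<act>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) src=(?P<src>\S+) "
    r"target=(?P<target>\S+) action=(?P<action>\S+)$"
)

# Constructed policy: where and when each privileged account may be used.
POLICY = {
    "svc-backup":   {"hosts": {"backup01"},         "hours": range(0, 24)},
    "shared-admin": {"hosts": {"jump01", "jump02"}, "hours": range(8, 19)},
    "dba-oracle":   {"hosts": {"dbadmin-ws"},       "hours": range(7, 20)},
}


@dataclass
class Alert:
    line_no: int
    account: str
    reason: str


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def check_record(rec):
    """Return the list of policy violations for one parsed record (empty if clean)."""
    policy = POLICY.get(rec["account"])
    if policy is None:
        return ["privileged account not covered by policy"]
    reasons = []
    if rec["src"] not in policy["hosts"]:
        reasons.append(f"source host {rec['src']} not approved for this account")
    if rec["ts"].hour not in policy["hours"]:
        reasons.append(f"use at {rec['ts'].hour:02d}:00 is outside approved hours")
    return reasons


def monitor(lines):
    """Run every line through the policy check and collect alerts."""
    alerts = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            alerts.append(Alert(n, "?", "unparseable log line"))
            continue
        for reason in check_record(rec):
            alerts.append(Alert(n, rec["account"], reason))
    return alerts


# Constructed sample log: lines 1 and 4 comply, the rest deviate from policy.
SAMPLE_LOG = [
    "2013-06-17T09:15:02 account=shared-admin src=jump01 target=fileserver01 action=session_open",
    "2013-06-17T02:41:10 account=shared-admin src=jump01 target=fileserver01 action=session_open",
    "2013-06-17T10:03:55 account=svc-backup src=laptop-77 target=backup-target action=session_open",
    "2013-06-17T11:20:00 account=dba-oracle src=dbadmin-ws target=oracle01 action=session_open",
    "2013-06-17T23:58:30 account=dba-oracle src=laptop-77 target=oracle01 action=bulk_export",
    "2013-06-17T12:00:00 account=root-legacy src=host9 target=fileserver01 action=session_open",
]

if __name__ == "__main__":
    for a in monitor(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.account}: {a.reason}")
```

Running the block prints five alerts: an out-of-hours use of the shared admin account, a service account used from a laptop, two violations for the same database-admin session (wrong host and late hour), and one account the policy has never heard of. In practice the policy would come from the vault or access-management system rather than a dict, and the alerts would feed a SIEM, but the decision logic is the same.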