Stopping malicious insiders with deception technology
It’s a blow to be attacked by an anonymous hacker; an insider attack adds insult to injury. The harsh reality is that insiders are involved in 62% of all security incidents, according to a recent Ponemon Institute report. These incidents come with a high cost, too: insider threats cost financial services organisations an industry average of $14.5 million annually, higher than almost any other industry, the same report found.
During stressful events like the pandemic, insider attacks tend to increase. The explosion of remote work has weakened many cybersecurity frameworks, and insiders have become outsiders. Employees are working from the privacy of home and often on their own devices, separated physically and emotionally from company and colleagues. The strain of anticipated or actual layoffs, furloughs, pay cuts and branch closings raises stress levels and reduces loyalty. Those facing increased temptation due to financial hardship, greed, anger or disenfranchisement may be more emboldened to act.
It’s important to understand the different types of malicious insiders in order to defend against attacks of this kind. Let’s look at the types of malicious insiders and how organisations can find the balance between employee privacy and security using threat deception.
Anatomy of a malicious insider
Insiders become malicious for a variety of reasons. Some want to sell information for financial gain. Some want to cause damage for damage’s sake, and others want to export data that could help them at their next job.
You don’t want your employees feeling like they’re being scrutinised and continually tracked; you need to find ways to protect your organisation while also protecting your employees. Walking the line between privacy and security can be tricky, because as an employer you have to build trust with your employees. But employees in the financial services industry are more likely to understand the necessity for strict security, and for trustworthiness on their part.
Because they already have some level of trusted access and insight into a financial institution’s valuable assets, insiders can operate more silently and inflict more damage than outsiders. But in many cases, malicious insiders must also snoop around file systems and acquire credentials and connections to systems and applications they don’t have authorised access to. In other words, they must conduct lateral movement just as an external attacker would.
The advantage of deception technology
One aspect of insider attacks that makes them so dangerous is that insiders are familiar with at least parts of the network and core applications. And advanced insiders often have privileged access to high-risk systems. Because they have an insider’s understanding of company culture and business processes, they can skilfully execute their activities without attracting attention. That’s why it’s critical to detect them early in the lateral movement phase of an attack.
There is a definite and particular advantage to adding deception to your network environment. Not only can deceptions detect lateral movement of an advanced insider, but they can also help root them out.
It’s harder to trick an insider, so you start by reverse-engineering the insider’s thought process. Where would they go to find information about new merger and acquisition activity? How could they manipulate (and cover up) account activity in clearing or settlement processes? Then, design deceptions based on the insider’s perspective.
As an example, you might create deceptive file shares in a wealth management environment that mimic real shares that house quarterly portfolio reports. These deceptive shares must match the organisation’s naming conventions, but to fool an insider, they must also be structured to include the same types of data, such as aggregate account overviews, portfolio holdings, time-weighted performance data, asset allocation percentages and account activity—authentic-looking, but fake.
Beacon files are a variation on this theme of deception. Both real and deceptive Word and Excel documents can be “beaconised” so that they alert the organisation to the presence of a malicious insider as soon as that person opens the document or tries to use the deceptive data it contains to gain access. Because legitimate users have no reason to touch these files, this enables early detection and identification of insider threats with high fidelity.
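One way to turn a deceptive share and its beacon documents into a high-fidelity alert is to register the decoy paths and match every file-access audit record against them. This is an added example, not code from the original article or any product it describes; the share paths, the audit-log line format and the sample log lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Audit-log line format assumed for this example: "<timestamp> <user> <ACTION> <path>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>[A-Z]+) (?P<path>\S+)$")

# Constructed sample log: alice and carol touch real shares; bob opens a beacon
# document and then lists the decoy share that holds it.
SAMPLE_LOG = """\
2023-10-02T09:14:05Z alice READ /srv/shares/wealth/reports/2023Q3/summary.xlsx
2023-10-02T09:17:41Z bob READ /srv/shares/wealth/reports/2023Q3-review/portfolio_holdings.xlsx
2023-10-02T09:18:02Z bob LIST /srv/shares/wealth/reports/2023Q3-review/
2023-10-02T10:01:33Z carol READ /srv/shares/hr/policies.docx
"""

@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    action: str
    path: str
    decoy: str  # which decoy was touched

def register_decoys(share_root, documents):
    """Map decoy path -> label: the deceptive share (matched as a prefix)
    plus each beacon document placed under it."""
    root = share_root.rstrip("/") + "/"
    inventory = {root: "decoy share"}
    for name in documents:
        inventory[root + name] = f"beacon document {name}"
    return inventory

def detect_decoy_access(log_text, inventory):
    """One Alert per log line that touches a decoy. Legitimate users have no
    reason to open these, so every hit is a high-fidelity signal."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the detector
        path = m["path"]
        label = inventory.get(path)  # exact hit on a beacon document or the share root
        if label is None:  # otherwise anything nested inside the decoy share
            label = next((lbl for p, lbl in inventory.items()
                          if p.endswith("/") and path.startswith(p)), None)
        if label:
            alerts.append(Alert(m["ts"], m["user"], m["action"], path, label))
    return alerts
```

Running `detect_decoy_access(SAMPLE_LOG, register_decoys("/srv/shares/wealth/reports/2023Q3-review", ["portfolio_holdings.xlsx", "account_overview.docx"]))` yields two alerts, both for bob, while the accesses to the real shares produce none.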
As a financial institution assesses its security posture, it’s vital to focus not just on keeping bad actors out but also on reducing the damage a bad actor could cause if they do get in. So, the first step to successful deployment of deception technology involves making sure the organisation is “clean” – that is, ensuring there are no leftover credentials or artifacts from previous users or systems. This will go a long way towards bringing your organisation to a level of risk you can live with.
Once that’s accomplished, you can start building the deceptions on top of it. However, before you get into the nitty-gritty of technical deployment, it’s essential to bring the various stakeholders together and inform them of the plan and what it entails. A lack of education is often the biggest source of friction when it comes to deception deployment. Chief information security officers (CISOs) and other senior security leaders should challenge their staff to think critically about which business and IT assets a potential attacker would be looking for if they got in.
Turning the tables on insiders
Even in well-run financial institutions with the best intentions, malicious insiders will arise from time to time. Cybersecurity is usually thought of in terms of keeping the bad guys out, but provisions must be made for those who are already in the network. Distributed deception technology works against both types of attack because both kinds of attacker must make similar lateral movements. Unlike many other cybersecurity tools that merely alert security teams to a suspicious event, deception technology also helps track down the bad actor. In conjunction with other security solutions, a deception-based platform helps financial firms feel confident that they are prepared for attacks from within.