Internal Cyber Threats – How to Protect Against the Enemy Within

In general, organizations devote most of their prevention-focused email security controls on inbound security threats, as opposed to internal-to-internal or outbound threats. In their minds, they are primarily focusing on threats that are initiated by external threat actors as opposed to those executed by employees.

Verizon, in their 2018 Data Breach Investigation Report, seems to provide support for this investment strategy by consistently reporting that more than 60% of breaches involve external actors, while internal actors are “only” the source of approximately 30% of breaches.  

Does it thus make sense to focus primarily on defending against the external threat actor? Yes. But what if these external actors get in, or are already on the inside? Meaning, the initial layer of prevention didn’t stop their entry?

In the recently published report from Mimecast, The State of Email Security, it was discovered that 61% of organizations were hit by an attack where malicious activity was spread from one infected user to other employees via email.

How can both the Verizon and Mimecast reports both be true? The reality, due to the nature of the internet and cloud-deployed applications, is that the concepts of “external” and “internal” users should be considered nearly meaningless.  

The Truth About Insider Threats

The reality is that one of the key goals of most external attackers is to turn themselves from outsiders to “insiders” as quickly as possible and to spread internally before you know they are in. And the dominant way to do this is via spear-phishing and the stealing of the login credentials of an unsuspecting user or to drop Remote Access Trojans (RATs), keyloggers, or similar malware onto their target’s computer. Once they have accomplished this, their next step most often is to spread internally.

They do this to get closer to their ultimate data, victim, or system target and to acquire many independent ways into your organization. This provides them with backups if any of the other access points are eventually found and removed.

The Mimecast report also found that nearly 50% of organizations had experienced the internal spread of malicious activity via infected email attachments, while more than a quarter of respondents reported that the spread was due to malicious URLs that were embedded in internal emails.

Thus, while putting heavy emphasis on protecting against inbound attacks from external actors does make sense, it is important to recognize that having more layers of defense against these types of targeted attacks is also critically important.

An effective security program will place preventive and detective security controls on both the doors and windows of the organization as well as on internal rooms and hallways. Don’t assume that every user that is on this inside is not malicious. Organizations need to recognize that threat actors will get in and thus they need to deploy layered security controls with the view that they are already breached.

To learn more about how to combat email-borne threats like this and others, connect with us at Black Hat USA 2018 in Las Vegas next week. Here’s how.