Line blurs between insider, outsider attacks

The insiders strike again. This time, though, the problem is not the malicious insider but insiders' access to corporate networks and data, which is now for sale in the cybercrime underground.

Security experts have been saying for years that while technology is a key element in protecting enterprises from online attacks, human carelessness, vulnerability or hostility on the inside can always trump it.

One of the most destructive examples of that in recent months was the August cyberattack on the state-owned oil company Saudi Aramco, which used malware named Shamoon to erase the data on about 30,000 of the company's corporate PCs, roughly three quarters of them, and replace it with an image of a burning American flag.

U.S. Defense Secretary Leon Panetta, in a recent speech warning of a possible "cyber Pearl Harbor," called the attack "probably the most destructive attack that the private sector has seen to date."

Nicole Perlroth at The New York Times wrote this week that the attack was made possible through the privileged access of insiders.

"After analyzing the software code from the Aramco attack, security experts say that the event involved a company insider, or insiders, with privileged access to Aramco's network. The virus could have been carried on a USB memory stick that was inserted into a PC," she wrote.

Insider access, whether the insider grants it willingly or not, is now becoming commoditized: a service offered in the marketplace of the cybercrime underground. CSO Online reported this week on security blogger Brian Krebs' findings that "for just a few dollars, these services offer the ability to buy your way inside of Fortune 500 company networks."


Krebs wrote that he had analyzed one service that was "renting access to nearly 17,000 computers worldwide, although almost 300,000 compromised systems have passed through this service since its inception in early 2010."

Some studies, including one released this past June by Cyber-Ark Software, have said the malicious insider threat is large and growing, but others pointed out at the time that this ran counter to the results of Verizon's 2012 Data Breach Investigations Report, which found that only 4% of data breaches in 2011 involved insiders.

Krebs and others say that low number depends on how "insider" is defined. The Verizon figure counts people who were on the inside to start with, while the attackers he was writing about hacked their way in. He told CSO Online that he was writing about services that "allow outsiders to become insiders by gaining instant access to behind-the-firewall and perimeter security defenses."

"If the victim organization has architected its network in such a way that lets that insecure system communicate with other portions of the targeted network, then I suppose you could say a service like this could increase the insider threat," he said.
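Krebs' condition above, that a compromised machine only becomes an effective insider if the network lets it reach other segments, is something a defender can check for in flow data. The script below is an added example written for this page, not code from Krebs, CSO or any vendor named in the article. The segment ranges, the allow-list of ports and the flow records are all constructed assumptions; on a real network they would come from the organization's own segmentation policy and its firewall or NetFlow logs.

```python
"""Flag a workstation that a flat network lets reach the server segment.

Constructed example: the flow records, the two segments and the allow-list
below are hypothetical and exist only to show the check.
"""
import ipaddress
from collections import defaultdict

# Hypothetical network segments (assumption for the example).
WORKSTATIONS = ipaddress.ip_network("10.10.0.0/16")
SERVERS = ipaddress.ip_network("10.20.0.0/16")

# Hypothetical allow-list: the only ports a workstation should need
# on the server segment (web proxy, file shares, DNS).
ALLOWED_WS_TO_SERVER_PORTS = {443, 445, 53}

# Constructed flow log, one record per line: src,dst,dport,proto.
# 10.10.4.21 plays the compromised workstation that is being "rented out".
SAMPLE_FLOWS = """\
10.10.4.21,10.20.1.5,443,tcp
10.10.4.21,10.20.1.7,445,tcp
10.10.4.21,10.20.1.9,3389,tcp
10.10.4.21,10.20.1.10,1433,tcp
10.10.4.21,10.10.4.30,445,tcp
10.10.7.2,10.20.1.5,443,tcp
10.20.1.5,10.20.1.9,3389,tcp
"""


def parse_flows(text):
    """Parse src,dst,dport,proto lines into (ip, ip, int, str) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split(",")
        flows.append((ipaddress.ip_address(src),
                      ipaddress.ip_address(dst),
                      int(dport), proto))
    return flows


def is_violation(src, dst, dport):
    """True when a workstation reaches the server segment on a port the
    segmentation policy does not allow. Workstation-to-workstation and
    server-to-server traffic is out of scope for this rule."""
    return (src in WORKSTATIONS and dst in SERVERS
            and dport not in ALLOWED_WS_TO_SERVER_PORTS)


def find_violations(flows):
    """Return (src, dst, dport) for every flow that breaks the policy."""
    return [(str(s), str(d), p) for s, d, p, _ in flows if is_violation(s, d, p)]


def hosts_with_lateral_reach(flows, min_distinct_servers=2):
    """Workstations that reached at least N distinct servers on blocked
    ports: the pattern a rented, compromised endpoint would produce if the
    network were flat enough to let it."""
    reach = defaultdict(set)
    for s, d, p, _ in flows:
        if is_violation(s, d, p):
            reach[str(s)].add(str(d))
    return sorted(h for h, servers in reach.items()
                  if len(servers) >= min_distinct_servers)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst, port in find_violations(flows):
        print(f"policy violation: {src} -> {dst}:{port}")
    for host in hosts_with_lateral_reach(flows):
        print(f"lateral reach from compromised workstation candidate: {host}")
```

Run against the constructed log, the RDP (3389) and SQL Server (1433) connections from 10.10.4.21 are reported while its allowed 443/445 traffic is not; the same workstation is then flagged for having reached two distinct servers it had no business reaching. If the policy were enforced at the segment boundary rather than only audited after the fact, those two flows would have been dropped and the rented machine would have had nowhere to go.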

Mark Baldwin, CISSP and principal researcher and consultant for InfosecStuff, agrees. "This is not a case of insider threat," he said. "These systems have been compromised by external actors."

Matt Johansen, manager of threat research at WhiteHat, said traditional insider threats are not the issue here. "A computer is much more likely to be compromised via the Web, phishing attacks, and malware before an insider," he said. But he added: "Techniques needed to exploit a computer and become an insider to a network yourself are becoming more freely available, easier to master, and therefore lowering the bar to be a black hat hacker."

Adam Bosnian, an executive vice president at Cyber-Ark, said he believes the difference is becoming irrelevant. "We're starting to grapple with the fact that it is a blurry line. The traditional sense of insider attack is somebody who is already an employee who is disgruntled and goes rogue for some reason," he said.

"But it really doesn't matter whether an attack starts on the inside or the outside. It doesn't matter if an insider is malicious or inadvertently compromised [by an outside attack], because the result is the same," he said.

"I think the concept of inside vs. outside will dissolve on its own," Bosnian said, adding that the more relevant key for enterprises is not where the attack originates, but the protection of user credentials.

Stories by Taylor Armerding