Gartner: ‘Insider threat is alive and well on the dark Web’

Gartner says that to spot low-level insiders who have gone bad, security pros should look for the keywords they search for and the IP addresses and URLs they seek out on the Dark Web

National Harbor, Md. -- Corporate employees who help carry out cyberattacks are increasingly being sought and are seeking criminals to hire them, a Gartner analyst told a group at the consulting firm’s Security and Risk Management Summit.

A group of 60 CIOs and CISOs she has worked with say this recruitment is more active and a growing concern because insiders are using the Dark Web to sell their services, says Gartner analyst Avivah Litan.


She showed a screenshot of a Dark Web chat room in which a bank employee was seeking help to acquire and distribute a banking Trojan. An established criminal was trying to recruit the employee into a larger scheme.

“There’s lots of disgruntled employees out there,” she says. “They log onto TOR and make their service available.”

She introduced Rich Malewicz, the CIO of Livingston County, Mich., who uncovered a ring of county employees pirating movies and stealing county data that included his own IT manager. The manager, who was actually leading the investigation into the piracy, and three others were caught and fired.


He caught on to the criminal activity because an employee told him that when she came in in the morning her computer was on, although she had turned it off when she left. It had also been moved.

He discovered via logs that an IT tech, who had been coming in late, leaving early and playing video games on county time, had come in at 3:30 to use the machine.

He used a tool from ObserveIT to track and record the activity of the criminals, leading to their firing and criminal charges.

But catching insiders requires a range of tools and methods starting with scrutinizing personal interactions. Litan says she knows of a nuclear power entity that does quarterly three-hour interviews with key employees to monitor their personal situations. Have they been arrested for drunk driving? Are they getting divorced? Has the quality of their work slipped? These can indicate someone ripe for insider abuse.

Beyond that, businesses have to use detection and analysis tools to track these threat actors, she says. The work is data driven, monitoring structured and unstructured data, email, and chats on the Dark Web.

Analysis falls into four categories: descriptive, diagnostic, predictive and prescriptive. The first two try to answer what is happening and why. The third tries to project what will be stolen or tampered with and how that will happen. The final analysis tells what to do about the problem to prevent actual attacks.

About 80% of these insiders can be caught using rules and monitoring employees’ behaviors and the pressures they face in their personal lives, she says. The other 20% can be uncovered using anomaly detection tools that reveal how they stray from their routine, authorized use of the network.

Litan says insiders who compromise security fall into three categories: pawns, collaborators and lone wolves. The first are often unaware they are involved, having fallen prey to spear phishing that compromised their machines. Collaborators work knowingly with outside parties to compromise networks and data, and lone wolves act independently, sometimes with only low-level privileges but sometimes with broad privileges, such as NSA leaker Edward Snowden.

To spot low-level insiders who have gone bad, security pros should look for the keywords they search for and the IP addresses and URLs they seek out on the Dark Web. For more advanced rogue insiders, using HR resources and outside information such as bankruptcy filings, and monitoring underground chats, may be called for.
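A small detection pass over constructed web-proxy log lines, added here as an example and not code from the article or from Gartner: the rule layer covers the "80%" case (watch-listed search terms and Tor hidden-service destinations), and the anomaly layer covers the rest (activity outside each user's own usual hours, like the 3:30 logon in the Livingston County case). The log format, the watch list, the user names and the baseline hours are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample web-proxy log lines (not from the article): "<ISO time> <user> <destination>"
SAMPLE_LOG = """\
2016-06-14T09:12:03 alice intranet.example.local/home
2016-06-14T11:05:44 carol search.example.local/?q=buy+banking+trojan+source
2016-06-14T03:30:07 dave fileserver.example.local/share
2016-06-14T14:22:19 erin placeholderhiddenservice.onion/market
"""

# Rule layer: search terms and Tor hidden-service hosts worth a look (placeholder list, not a vetted feed).
WATCH_TERMS = {"banking-trojan": re.compile(r"\bbanking\s+trojan\b"),
               "tor-browser": re.compile(r"\btor\s+browser\b")}
ONION_HOST = re.compile(r"(^|\.)[a-z2-7]{16,56}\.onion(/|$)")

# Constructed per-user baseline of usual working hours: (first hour, hour after last).
BASELINE_HOURS = {"alice": (8, 18), "carol": (9, 17), "dave": (8, 17), "erin": (9, 18)}


def parse_line(line):
    """Split one log line into (timestamp, user, destination)."""
    stamp, user, dest = line.split(maxsplit=2)
    return datetime.fromisoformat(stamp), user, dest


def rule_alerts(dest):
    """Rule layer: keyword and hidden-service checks on the requested destination."""
    text = dest.replace("+", " ").lower()
    reasons = [f"keyword:{name}" for name, pat in WATCH_TERMS.items() if pat.search(text)]
    if ONION_HOST.search(text):
        reasons.append("onion-destination")
    return reasons


def anomaly_alerts(stamp, user, baseline):
    """Anomaly layer: activity outside this user's own usual hours."""
    start, end = baseline.get(user, (0, 24))
    return [] if start <= stamp.hour < end else [f"off-hours:{stamp:%H:%M}"]


def scan(log_text, baseline=BASELINE_HOURS):
    """Return one (user, reason) tuple per triggered rule or anomaly, in log order."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            stamp, user, dest = parse_line(line)
            findings += [(user, r) for r in rule_alerts(dest) + anomaly_alerts(stamp, user, baseline)]
    return findings
```

Each finding is a lead for a human reviewer, not a verdict; as the article notes, a trusted insider doing normal things produces no rule hit and no anomaly.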

Catching the most serious threat actors may require machine learning applied to this data in order to make connections between individuals and recruitment attempts, for example, that might not be apparent to less sophisticated tools.

Even as these analysis technologies improve, though, there are some cases in which human monitoring and investigation of individuals is the only way to catch them, she says. “Technology will never detect a trusted insider doing normal things,” Litan says. “You need people involved.”
