Jonathan Care’s Halloween-themed article showed us a simple technical trick to hide data. It is very difficult to detect when you only focus on the data. Let’s look at common methods insider threats (negligent, compromised or malicious) hide information and cover their tracks. The central thread is the need to focus on the user as they work on data, systems and applications. Data doesn’t lose itself.
Jonathan mentioned three types of actors – the determined spy (who lure insiders to compromise those insiders’ identities and endpoints), the disgruntled associate (or malicious user), and the disaffected (aka “unaware and just don’t care”).
The disaffected actor – focus on the user and uncover the “Shadow IT”
Let’s start with the most common insider threat actor – the disaffected. They don’t try covering their tracks, but they definitely circumvent rules. Jonathan Care mentions they may not know about ADS but doesn’t mean they aren’t getting around rules. Unfortunately, this group includes all of us, who cut corners to get our job done just a bit quicker or with less effort.
For example, in this work from anywhere world, many of our customers have seen their development teams experiment with a wide variety of technologies to collaborate, design and build applications. Not all of them were sanctioned and tested by IT security beforehand. If our customers were only focused on monitoring data movement, they’d miss the sensitive data being stored or created in these apps. Luckily, with an endpoint-based Insider Threat Management, our customers can see the developer activity as they collaborate on these cloud-based applications.
Compromised actor – focus on the user and uncover the anomalous activity
Compromised actors are unfortunately the target of the “determined spy” or the external hacker. While the compromised user may not necessarily be an IT administrator or a privileged user, the external attacker is often technically proficient. Once they infiltrate an endpoint, they will look to hide the data they collect and cover their tracks to avoid being discovered. Apart from using the ADS feature in NTFS on Windows, our customers have seen steganography tools being used to hide docs behind innocuous extensions.
We’ve seen compromised endpoints of “Very Attacked Persons” be used to hide script kiddies hidden within commonly run code or files. When a hacker hits “jackpot” – in other words, compromises a privileged user’s endpoint or identity – they can use the elevated access to modify the privileged group accounts or add superuser accounts, and then run malicious PowerShell commands on Windows.
Similarly, we have seen fast-moving software organizations experience problems with risky commands run with elevated privileges (using sudo or the root user) on Linux/UNIX machines. Running as root provides instant cover. It is harder to attribute actions to the user. The ease of privilege escalation makes these developer accounts prime targets for external hackers. In many cases, it is not about the data but about user access and activity. The developer account is not the goal, it is simply a means to the end goal. Luckily, our customers monitor VAPs and privileged users to detect risky activity after successfully accessing a system or codebase.
Disgruntled or malicious users – focus on the user and identify early risky behavior
These types of users will know the blind spots to exfiltrate data but definitely don’t want to be caught red-handed for fear of legal repercussions. Often, they know how to get around their traditional DLP tool and which channels are not protected by the organization. The data exfiltration starts with exploiting channels left unprotected by the traditional DLP tools in the organization. Removable media is often derided as old-school.
However, the field sales and marketing groups within organizations often still need to use USB devices. Unfortunately, malicious and departing users could potentially use USB devices to stage and exfiltrate data. With an Insider Threat Management solution, you can provide those users freedom while security has the visibility into user activity with those devices on their endpoints.
We’ve seen malicious employees cover up their exfiltration tracks, using free to download steganography tools between 2014 and 2018. More commonly is the use of clearing cookies or browser cache or wiping the endpoint clean. When users cover their tracks, it’s useful to detect the download of such suspicious or malicious tools onto the endpoint in the first place. Luckily, our customers use their Insider Threat Management solution to detect the original data movement and suspicious endpoint activity and proactively protect their organization from data loss.
Easy to lose track of data, harder to lose track of users
In all three insider threat types, organizations find visibility into data movement and user activity is key to protecting from users, who cover their tracks and hide their data movement. A malicious or compromised user will show signs of risky behavior well before they touch the data. While the most important concern may be data exfiltration, Insider Threat Management solutions can help you detect risky behaviors in the initial stages of an attack or threat. Sometimes you lose track of the data with traditional tools, it’s much harder to lose track of your users and sensitive data with people-centric solutions including Enterprise DLP and ITM (Insider Threat Management).