Chinese-born Greg Chung seemed to Rockwell and Boeing like any other loyal, reliable, hardworking engineer. Little did his employers know, Chung was collecting secret information that would help his home country develop its own space program.
From 1979-2006, he stole hundreds of thousands of sensitive documents about the space shuttle, Delta IV rocket, and C-1 military cargo jet from his employers and handed them over to the Chinese government. For years, he traveled to China under the guise of giving lectures, while covertly meeting with Chinese agents. He claimed his motive was to “help the motherland.” In 2010, he was sentenced to more than 15 years in prison.
While the scenario of state-sponsored insider threats in your organization may seem as if it’s out of a movie, insider spies like Chung are more active than ever. Based on data from more than 1,700 customers, we discovered an increase in rogue activities perpetrated by foreign nations, businesses or competitors in which a spy or insider is recruited to gain access to critical or non-public information at a business or government institution.
These insiders are trusted third-party contractors or regular employees, but, for either malicious or nonmalicious reasons, they decide to collude with an outside nation to exfiltrate data.
What Motivates and Insider to Spy?
With insider spies on the rise, it is more important than ever to quickly detect them. There are many different motives for people to spy on behalf of a foreign government. A few to look out for include:
- Financial greed: Sometimes people are motivated by the simple belief that exfiltrating data is an easy or quick way to make more money—in this case, being paid by a nation state to spy. People under financial stress are more likely targets for recruitment.
- Anger or revenge: If disgruntled employees reach a stage in which they’re looking to retaliate against the business, they may look to cause harm by exposing IP, trade secrets, or sensitive information to a foreign nation.
- Ideology: An employee or contractor could have a fundamental disagreement with the purpose of the organization for which he or she is working.
- Patriotism: Like Chung, an insider could be motivated by strong ties to his or her home country.
- Personal or family problems: Much like financial distress, stress in someone’s personal life (such as a death or divorce) could be a powerful factor in deciding to take a risk like colluding with a nation state to steal data.
- Organizational conflicts: If someone is having conflicts in their day-to-day work environment, he or she could be more easily convinced to expose sensitive data.
Given the number of factors at play, it’s nearly impossible to plan for every “behavior indicator” and detect every suspicious activity before it becomes a real threat. Legacy security tools such as data loss prevention (DLPs) are often unable to prevent data exfiltration due to arduous classification requirements that may not be maintained by the organization. DLPs are also unable to suss out the context of an insider threat because they are solely focused on data, not on user behavior. Similarly, user and entity behavioral analytics (UEBA) players are unable to effectively detect risky behaviors. These tools have struggled to support the infrastructure needed to gather data, normalize data sets across many applications (IT and Security), and leverage machine learning technologies to piece together what happened before, during and after an insider threat incident.
Organizations need a user behavior-centric approach to detect state-sponsored insider threats, streamline the investigation process, and prevent data exfiltration.
How ObserveIT Protects Against State-Sponsored Insider Threats
The lack of visibility many security teams have into insiders’ actions poses the biggest security challenge to organizations. ObserveIT rises to this challenge by alerting IT and security practitioners, in real-time, to statesponsored insider threat indicators. By focusing on users’ actions, ObserveIT helps CISOs detect vulnerabilities and prevent the exfiltration of valuable data.
Below are just a few of the prepackaged state-sponsored insider threat indicators that help ObserveIT users detect issues before they become large-scale incidents.
Logins, Passwords, and File Activity
ObserveIT can detect logins to unauthorized servers or from unauthorized clients, as well as risk indicators around file, folder, and password activity. For example, suspicious users may be sending sensitive documents to a printer or copying files during irregular hours. Other risky behaviors that could indicate an insider threat include:
- Using unauthorized cloud storage or large file-sending sites
- Connecting a USB storage device or mobile phone to copy sensitive information
- Storing passwords in files easily detected by password harvesting tools
Suspicious Internet Activity
ObserveIT monitors for suspicious internet behavior, including browsing unauthorized content, contaminated websites with high security risks, or copyright-violating websites. ObserveIT detects policy violations such as running peer-to-peer file-sharing sites, webmail or Instant Messaging services on company servers; accessing the dark web; clicking links to phishing websites; and searching the web for information on malicious software.
Advanced Technical Intrusion
ObserveIT detects insider threat indicators from even the most technical users by providing visibility into the actions taken by employees and contractors on the company’s systems. It can send real-time alerts when users intentionally use malicious tools or software, tap into sensitive admin tools or configurations, delete users or information from sensitive directories, hide information by tampering with log files or passwords, or attempt to gain higher access privileges to systems.